List: linux-security-audit
Subject: Re: i18n issues with format bugs
From: Solar Designer <solar@false.com>
Date: 2000-07-27 20:41:49

[ Changed the cc: to Linux security-audit list. ]

> After discussion with David Wheeler (and I noticed some
> on BUGTRAQ had also mentioned this) it seems that there is
> the possibility of format problems for programs naively trusting
> localised strings.
>
> 1) The GNU gettext source doesn't seem to be a problem, with the exception
> of cat-compat.c, where bindtextdomain() checks the environment variable
> $NLSPATH. The question is whether any software out there actually uses
> this code any more

util-linux uses bindtextdomain() in many SUID/SGID applications:
chfn, chsh, passwd, newgrp, login, write, and wall. Of those, the
last four "forgot" to call sanitize_env() first.

Also, sanitize_env() itself allows everything but the known-bad set
of env vars and their values; a small change to gettext or libc can
"introduce" a vulnerability into util-linux applications that do use
sanitize_env().

Signed,
Solar Designer
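
The difference between dropping known-bad environment variables and keeping only known-good ones, as an added example that is not part of the original message and is not util-linux code. The variable lists, filter_env() and NEW_CATALOG_DIR are hypothetical, and the sample environment is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy for this example; not util-linux's actual lists. */
static const char *const deny_prefix[]  = { "LD_", "IFS=", "NLSPATH=", NULL };
static const char *const allow_prefix[] = { "TERM=", "LANG=", "LC_ALL=", "TZ=", NULL };

static int has_prefix(const char *s, const char *const list[])
{
    for (size_t i = 0; list[i]; i++)
        if (strncmp(s, list[i], strlen(list[i])) == 0)
            return 1;
    return 0;
}

/* Allowed variables must still carry a short value with no '/' or '%'. */
static int value_ok(const char *entry)
{
    const char *v = strchr(entry, '=');
    return v && strlen(v + 1) < 64 && !strpbrk(v + 1, "/%");
}

/* Copy surviving entries of env[] into out[] (NULL-terminated); return count.
 * allowlist == 0: drop known-bad only. allowlist != 0: keep known-good only. */
size_t filter_env(char *const env[], const char *out[], size_t cap, int allowlist)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    for (size_t i = 0; env[i] && n + 1 < cap; i++) {
        int keep = allowlist ? has_prefix(env[i], allow_prefix) && value_ok(env[i])
                             : !has_prefix(env[i], deny_prefix);
        if (keep)
            out[n++] = env[i];
    }
    out[n] = NULL;
    return n;
}

/* Constructed sample; NEW_CATALOG_DIR stands for a variable that a later
 * gettext or libc change might start honouring (hypothetical name). */
static char *const sample_env[] = {
    "TERM=xterm", "LANG=en_US", "NLSPATH=/tmp/%N", "LC_ALL=../../tmp/x",
    "NEW_CATALOG_DIR=/tmp/cat", NULL
};

int main(void)
{
    const char *out[8];
    printf("denylist keeps %zu entries\n", filter_env(sample_env, out, 8, 0));
    printf("allowlist keeps %zu entries\n", filter_env(sample_env, out, 8, 1));
    return 0;
}
```

With the denylist, both the LC_ALL value containing a path and the variable the list has never heard of reach the library; the allowlist passes only TERM and LANG.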