
List:     linux-security-audit
Subject:  Re: i18n issues with format bugs
From:     Solar Designer <solar@false.com>
Date:     2000-07-27 20:41:49


[ Changed the cc: to Linux security-audit list. ]

> After discussion with David Wheeler (and I noticed some
> on BUGTRAQ had also mentioned this) it seems that there is
> the possibility of format problems for programs naively trusting
> localised strings.
> 
> 1) The GNU gettext source doesn't seem to be a problem, with the exception
> of cat-compat.c, where bindtextdomain() checks the environment variable
> $NLSPATH. The question is whether any software out there actually uses
> this code any more

util-linux uses bindtextdomain() in many SUID/SGID applications:
chfn, chsh, passwd, newgrp, login, write, and wall.  Of those, the
last four "forgot" to call sanitize_env() first.

Also, sanitize_env() itself allows everything but the known-bad set
of env vars and their values; a small change to gettext or libc can
"introduce" a vulnerability into util-linux applications that do use
sanitize_env().

Signed,
Solar Designer
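An allowlist-style alternative to the denylist approach criticised above, as an added example (this is not util-linux's sanitize_env() and not code from the thread): a SUID/SGID program that only keeps a fixed, application-chosen set of variable names with printable values, so NLSPATH or any newly discovered gettext/libc variable is dropped without a code change. The allowlist, the printable-ASCII value rule and the sample environment are assumptions for the example; PATH is expected to be set to a fixed value by the caller rather than inherited.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables this hypothetical SUID program keeps (assumption; a real program
 * chooses per application). Locale/catalog path variables such as NLSPATH are
 * deliberately absent, and PATH is reset by the caller instead of inherited. */
static const char *const keep[] = { "TERM", "TZ", "HOME", "USER", NULL };

static int name_allowed(const char *var, size_t name_len) {
    for (size_t i = 0; keep[i]; i++)
        if (strlen(keep[i]) == name_len && memcmp(keep[i], var, name_len) == 0)
            return 1;
    return 0;
}

/* Returns 1 if "NAME=value" may be kept: name on the allowlist and value
 * made of printable ASCII only (rejects control characters, e.g. escapes). */
int env_entry_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (!eq || eq == entry) return 0;
    if (!name_allowed(entry, (size_t)(eq - entry))) return 0;
    for (const char *p = eq + 1; *p; p++)
        if (*p < 0x20 || *p > 0x7e) return 0;
    return 1;
}

/* Copies allowed entries of src into dst (capacity n, NULL-terminated) and
 * returns how many were kept. Call this before any locale or gettext setup. */
size_t filter_env(char *const *src, const char **dst, size_t n) {
    size_t out = 0;
    for (size_t i = 0; src[i] && out + 1 < n; i++)
        if (env_entry_allowed(src[i])) dst[out++] = src[i];
    dst[out] = NULL;
    return out;
}

int main(void) {
    /* Constructed sample environment for demonstration only. */
    char *const sample[] = { "TERM=xterm", "NLSPATH=/tmp/x/%N",
                             "LANG=en_US", "HOME=/home/u", NULL };
    const char *clean[8];
    size_t n = filter_env(sample, clean, 8);
    for (size_t i = 0; i < n; i++) puts(clean[i]);
    return 0;
}
```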
