[1763] in linux-security and linux-alert archive


[linux-security] Re: Beware of dangerous environment (Re: Overflows in minicom)

daemon@ATHENA.MIT.EDU (Ulrich Drepper)
Thu May 21 16:51:51 1998

Date: Tue, 19 May 1998 16:17:44 -0700
From: Ulrich Drepper <drepper@cygnus.com>
In-reply-to: Pavel Kankovsky's message of
 "Tue, 19 May 1998 16:26:50 +0200 (MET DST)"
To: peak@kerberos.troja.mff.cuni.cz
Cc: bug-glibc@gnu.org, hjl@gnu.org, linux-security@redhat.com
Reply-to: drepper@cygnus.com (Ulrich Drepper)
Resent-From: linux-security@redhat.com


Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> writes:

> Affected versions chart
> 
> Ver./Var.                        NLSPATH   LANGUAGE, LANG, LC_*   TZ      LD_PROFILE_OUTPUT
> 
> libc 5.4.44                      yes       yes(0)                 yes     no
> glibc 2.0.7                      no(1)     yes                    no(2)   no
> glibc pre2.1 (snapshot 980301)   no(1)     yes                    no(2)   yes(3)

The bugs in glibc 2.1 can be fixed by the appended patch.  They apply
easily for glibc 2.0 as well (patch isn't helpful, though).  The
patches are not tested very well but they worked for my example setup.

Thanks,


-- Uli
---------------.      drepper at gnu.org  ,-.   1325 Chesapeake Terrace
Ulrich Drepper  \    ,-------------------'   \  Sunnyvale, CA 94089 USA
Cygnus Solutions `--' drepper at cygnus.com   `------------------------

Content-Disposition: attachment; filename="PPP"

--- elf/rtld.c	1998/05/04 12:26:34	1.113
+++ elf/rtld.c	1998/05/19 23:01:41
@@ -1133,7 +1133,8 @@ process_envvars (enum mode *modep, int *
 
 	case 14:
 	  /* Where to place the profiling data file.  */
-	  if (memcmp (&envline[3], "PROFILE_OUTPUT", 14) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (&envline[3], "PROFILE_OUTPUT", 14) == 0)
 	    {
 	      _dl_profile_output = &envline[18];
 	      if (*_dl_profile_output == '\0')
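Review bot: the new `!__libc_enable_secure` guard on the `PROFILE_OUTPUT` match drops the variable silently in set-id processes, which is the right default, but the `case 14:` branch then simply matches nothing and no reader of this code is told why; a one-line comment above the `if` saying that `LD_PROFILE_OUTPUT` is deliberately disregarded when `__libc_enable_secure` is set would keep a later cleanup from removing the guard as an oversight.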
--- intl/dcgettext.c	1998/04/27 14:14:09	1.20
+++ intl/dcgettext.c	1998/05/19 23:03:55
@@ -221,6 +221,24 @@ struct block_list
 # define DCGETTEXT dcgettext__
 #endif
 
+/* Checking whether the binaries runs SUID must be done and glibc provides
+   easier methods therefore we make a difference here.  */
+#ifdef _LIBC
+# define ENABLE_SECURE __libc_enable_secure
+# define DETERMINE_SECURE
+#else
+static int enable_secure;
+# define ENABLE_SECURE (enable_secure == 1)
+# define DETERMINE_SECURE \
+  if (enable_secure == 0)						      \
+    {									      \
+      if (getuid () != geteuid () || getgid () != getegid ())		      \
+	enable_secure = 1;						      \
+      else								      \
+	enable_secure = -1;						      \
+    }
+#endif
+
 /* Look up MSGID in the DOMAINNAME message catalog for the current CATEGORY
    locale.  */
 char *
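Review bot: the non-`_LIBC` fallback calls `getuid ()`, `geteuid ()`, `getgid ()` and `getegid ()`, yet the hunk adds no `#include <unistd.h>` (the `locale/findlocale.c` hunk does), so the standalone build of this file relies on the header arriving indirectly; add it beside the new `#ifdef _LIBC` block. Two further points on the fallback: `enable_secure` is computed once and cached in a static, so a process that changes its effective ids after the first call keeps the earlier verdict, and the real-vs-effective comparison only detects the plain set-uid/set-gid case, which is narrower than what `__libc_enable_secure` expresses on the glibc side; that limitation deserves a sentence in the comment. The comment itself should read "whether the binary runs SUID", not "the binaries runs".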
@@ -245,9 +263,12 @@ DCGETTEXT (domainname, msgid, category)
   if (msgid == NULL)
     return NULL;
 
+  /* See whether this is a SUID binary or not.  */
+  DETERMINE_SECURE;
+
   /* If DOMAINNAME is NULL, we are interested in the default domain.  If
      CATEGORY is not LC_MESSAGES this might not make much sense but the
-     defintion left this undefined.  */
+     definition left this undefined.  */
   if (domainname == NULL)
     domainname = _nl_current_default_domain;
 
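Review bot: in the `_LIBC` build `DETERMINE_SECURE` expands to nothing, so the `DETERMINE_SECURE;` line at the top of `DCGETTEXT` becomes an empty statement; harmless here, but defining the `_LIBC` variant as `((void) 0)` (or `do { } while (0)`) keeps the macro usable wherever a statement is expected and avoids stray-semicolon warnings.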
@@ -343,6 +364,15 @@ DCGETTEXT (domainname, msgid, category)
 	  while (categoryvalue[0] != '\0' && categoryvalue[0] != ':')
 	    *cp++ = *categoryvalue++;
 	  *cp = '\0';
+
+	  /* When this is a SUID binary we must not allow accessing files
+	     outside the dedicated directories.  */
+	  if (ENABLE_SECURE
+	      && (memchr (single_locale, '/',
+			  _nl_find_language (single_locale) - single_locale)
+		  != NULL))
+	    /* Ingore this entry.  */
+	    continue;
 	}
 
       /* If the current locale value is C (or POSIX) we don't load a
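Review bot: the `memchr` only covers the language component (up to the first `_`, `@`, `+` or `,` as scanned by `_nl_find_language`), so a `/` that appears in `single_locale` after one of those separators is not caught by this test; scanning the whole entry with `strchr (single_locale, '/')` is both simpler and closes that gap. The comment at "Ingore this entry" should read "Ignore".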
--- intl/explodename.c	1998/04/02 15:58:45	1.6
+++ intl/explodename.c	1998/05/19 23:05:59
@@ -47,6 +47,17 @@
 
 /* @@ end of prolog @@ */
 
+char *
+_nl_find_language (const char *name)
+{
+  while (name[0] != '\0' && name[0] != '_' && name[0] != '@'
+	 && name[0] != '+' && name[0] != ',')
+    ++name;
+
+  return (char *) name;
+}
+
+
 int
 _nl_explode_name (name, language, modifier, territory, codeset,
 		  normalized_codeset, special, sponsor, revision)
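Review bot: `_nl_find_language` is now an exported helper but carries no comment saying what it returns (a pointer to the first `_`, `@`, `+` or `,` in `name`, or to its terminating NUL); add one above the definition, since `dcgettext.c` and `findlocale.c` rely on that contract for their length computation. It also takes `const char *` and returns `char *` through a cast, which lets callers write into a `const` buffer; as the `loadinfo.h` prototype is new in this patch, returning `const char *` costs nothing now and removes the cast.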
@@ -78,9 +89,7 @@ _nl_explode_name (name, language, modifi
   mask = 0;
   syntax = undecided;
   *language = cp = name;
-  while (cp[0] != '\0' && cp[0] != '_' && cp[0] != '@'
-	 && cp[0] != '+' && cp[0] != ',')
-    ++cp;
+  cp = _nl_find_language (*language);
 
   if (*language == cp)
     /* This does not make sense: language has to be specified.  Use
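Review bot: `*language = cp = name;` followed by `cp = _nl_find_language (*language);` stores into `cp` twice; `*language = name; cp = _nl_find_language (name);` says the same thing without the dead assignment.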
--- intl/loadinfo.h	1998/04/29 09:41:50	1.4
+++ intl/loadinfo.h	1998/05/19 23:07:49
@@ -75,3 +75,5 @@ extern int _nl_explode_name PARAMS ((cha
 				     const char **special,
 				     const char **sponsor,
 				     const char **revision));
+
+extern char *_nl_find_language PARAMS ((const char *name));
--- locale/findlocale.c	1997/09/30 16:38:07	1.7
+++ locale/findlocale.c	1998/05/19 23:08:53
@@ -1,4 +1,4 @@
-/* Copyright (C) 1996, 1997 Free Software Foundation, Inc.
+/* Copyright (C) 1996, 1997, 1998 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Ulrich Drepper <drepper@gnu.ai.mit.edu>, 1996.
 
@@ -20,6 +20,7 @@
 #include <locale.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 #include <sys/mman.h>
 
 #include "localeinfo.h"
@@ -51,7 +52,11 @@ _nl_find_locale (const char *locale_path
   const char *revision;
   struct loaded_l10nfile *locale_file;
 
-  if ((*name)[0] == '\0')
+  if ((*name)[0] == '\0'
+      /* In SUID binaries we must not allow people to access files
+	 outside the dedicated locale directories.  */
+      || (__libc_enable_secure
+	  && memchr (*name, '/', _nl_find_language (*name) - *name) != NULL))
     {
       /* The user decides which locale to use by setting environment
 	 variables.  */
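Review bot: a name rejected by the new `memchr` test is routed into the same branch as an empty name, whose comment says the locale is then taken from environment variables; the hunk shows no corresponding check on whatever that branch reads, so either the environment-supplied value needs the same slash test, or the secure case should fall back to the "C" locale outright, otherwise the rejection is only partial. As in `dcgettext.c`, the scan covers only the language component; `strchr (*name, '/')` would cover the whole name.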

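As an added illustration, not glibc code and not part of this message or its attachment, the check the patch applies to environment-supplied locale names in set-id processes, written as a stand-alone C unit: `find_language_end` repeats the patch's `_nl_find_language` scan, `language_component_has_slash` is the patch's `memchr` test, `locale_name_has_slash` is the stricter whole-name variant, and `process_is_setid` mirrors the non-`_LIBC` fallback. All function names are this example's own, the `secure` parameter stands in for `__libc_enable_secure`, and the sample names in the comments are constructed.

```c
/* Added example (not glibc code): the locale-name check the attached patch
   applies to set-id processes, re-implemented stand-alone.  Function names
   are this example's own; sample inputs in the comments are constructed.  */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Same scan as the patch's _nl_find_language: the language component of a
   locale name ends at the first '_', '@', '+' or ','.  */
static const char *
find_language_end (const char *name)
{
  while (name[0] != '\0' && name[0] != '_' && name[0] != '@'
         && name[0] != '+' && name[0] != ',')
    ++name;
  return name;
}

/* The patch's test: is there a '/' inside the language component only?
   For a constructed name like "en_US/x" this answers false, because the
   scan stops at the '_' before the slash.  */
bool
language_component_has_slash (const char *name)
{
  size_t len = (size_t) (find_language_end (name) - name);
  return memchr (name, '/', len) != NULL;
}

/* Stricter variant: a '/' anywhere in the name is refused.  */
bool
locale_name_has_slash (const char *name)
{
  return strchr (name, '/') != NULL;
}

/* Mirrors the patch's non-_LIBC fallback: real and effective ids that differ
   mean the process is running set-user-ID or set-group-ID.  glibc itself
   consults __libc_enable_secure, which the dynamic loader sets at startup.  */
bool
process_is_setid (void)
{
  return getuid () != geteuid () || getgid () != getegid ();
}

/* Decide whether an environment-supplied locale name may be used to build a
   file path.  SECURE is passed in (rather than read from the process) so the
   decision can be exercised from an ordinary, non-set-id test run.  When not
   secure the pre-patch behaviour is kept: any name is accepted.  */
bool
locale_name_accepted (const char *name, bool secure)
{
  if (!secure)
    return true;
  return !locale_name_has_slash (name);
}
```

The narrow test accepts a name whose slash follows the first `_`, `@`, `+` or `,`, which is why the whole-name variant is the one to prefer; a caller in a set-id program would combine `process_is_setid ()` (or, inside glibc, `__libc_enable_secure`) with `locale_name_accepted` before any locale name from the environment reaches a path builder.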


