Subject: Re: LC_xx vulnerability
To: None <itojun@iijlab.net>
From: T.SHIOZAKI <tshiozak@netbsd.org>
List: tech-userlevel
Date: 09/08/2000 22:06:34
Hi,
From: itojun@iijlab.net
Subject: LC_xx vulnerability
Date: Fri, 08 Sep 2000 21:25:15 +0900
Message-ID: <4142.968415915@coconut.itojun.org>
> there has been some security issue reported about gettext() and
> LC_xx environment variable, with setuid binary. do we want to
> put some workaround for it? if so, how?
> FYI: freebsd did the following.
We should.
And setlocale and catopen on NetBSD have another problem.
We should first disallow these functions from looking up the PATH_LOCALE
and NLSPATH environment variables in setugid binaries, by using the issetugid(2)
syscall.
I guess the setlocale problem is not fatal, but the catopen one may possibly
cause a fatal security hole in stupid setuid/setgid programs.
Here is the patch which hopefully fixes it (not tested):
Index: setlocale.c
===================================================================
RCS file: /cvsroot/basesrc/lib/libc/locale/setlocale.c,v
retrieving revision 1.19
diff -u -r1.19 setlocale.c
--- setlocale.c 2000/08/10 10:03:43 1.19
+++ setlocale.c 2000/09/08 13:03:52
@@ -107,11 +107,8 @@
size_t len;
char *env, *r;
- /*
- * XXX potential security problem here with set-id programs
- * being able to read files the user can not normally read.
- */
- if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE")))
+ if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))
+ && issetugid())
PathLocale = _PATH_LOCALE;
if (category < 0 || category >= _LC_LAST)
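Review bot: The rewritten condition `if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE")) && issetugid())` inverts the intent: getenv() is evaluated and assigned before issetugid() is consulted, so a set-id process with PATH_LOCALE set keeps the environment-supplied value, while an ordinary process with PATH_LOCALE unset never reaches the `PathLocale = _PATH_LOCALE` assignment and is left with PathLocale == NULL. The issetugid() test has to come before the getenv(), the way the catopen.c hunk does it: `if (!PathLocale && (issetugid() || !(PathLocale = getenv("PATH_LOCALE"))))`. Since the XXX comment is deleted, a one-line comment saying that set-id processes ignore PATH_LOCALE would be worth keeping in its place.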
@@ -140,7 +137,7 @@
if (!env || !*env)
env = getenv("LANG");
- if (!env || !*env)
+ if (!env || !*env || strchr(env, '/'))
env = "C";
(void)strncpy(new_categories[category], env, 31);
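Review bot: Rejecting any '/' in the LC_xx/LANG value is the right filter for keeping the lookup inside PathLocale, and applying it regardless of set-id state is fine since a locale name containing a path separator is never valid. A bare "." or ".." still passes the check, though, and names the locale directory itself or its parent; falling back to "C" for those two values as well would close that off cheaply. strchr() needs <string.h>; confirm setlocale.c already includes it.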
Index: catopen.c
===================================================================
RCS file: /cvsroot/basesrc/lib/libc/nls/catopen.c,v
retrieving revision 1.16
diff -u -r1.16 catopen.c
--- catopen.c 1999/09/16 11:45:19 1.16
+++ catopen.c 2000/09/08 12:51:57
@@ -85,9 +85,9 @@
* set-id program, and NLSPATH or LANG are set to read files
* the user normally does not have access to.
*/
- if ((nlspath = getenv("NLSPATH")) == NULL)
+ if (issetugid() || (nlspath = getenv("NLSPATH")) == NULL)
nlspath = NLS_DEFAULT_PATH;
- if ((lang = getenv("LANG")) == NULL)
+ if ((lang = getenv("LANG")) == NULL || strchr(lang, '/'))
lang = NLS_DEFAULT_LANG;
s = nlspath;
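Review bot: This ordering is the correct one: issetugid() is tested before getenv(), so a set-id process never reads NLSPATH at all, and the setlocale.c hunk should use the same shape. LANG is still taken from the environment under set-id and only filtered for '/', which is enough to keep the %L substitution inside the NLS_DEFAULT_PATH directory; the comment just above ("NLSPATH or LANG are set to read files ...") should be updated to say that NLSPATH is now ignored entirely for set-id programs while LANG is only sanitised. issetugid(2) is declared in <unistd.h>, so check that catopen.c includes it.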
--
Takuya SHIOZAKI / ASTEC Products, Inc.
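As an added illustration (not part of this message or of NetBSD's libc), here is the lookup rule the message proposes, written in C with the environment value and the set-id state passed in as parameters so the decision logic can be exercised directly. The function names (`choose_locale_dir`, `choose_locale_name`, `build_locale_path`), the default paths and the portable stand-in for issetugid(2) are assumptions made for this example.

```c
/* Added example, not from the message or from NetBSD's libc: the
 * locale/catalog lookup rule proposed above, factored so the policy
 * can be tested without touching the real environment. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_LOCALE_DIR  "/usr/share/locale"  /* stands in for _PATH_LOCALE (assumed) */
#define DEFAULT_LOCALE_NAME "C"

/* Stand-in for issetugid(2). NetBSD has the syscall; elsewhere fall back
 * to comparing real and effective ids, which is weaker because it misses
 * a set-id program that has already made real and effective ids equal. */
static int set_id_process(void)
{
#ifdef __NetBSD__
    return issetugid();
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Choose the locale directory. env_value is the PATH_LOCALE setting
 * (NULL when unset). The set-id test comes first, so a set-id process
 * never honours the variable, whether or not it is set. */
const char *choose_locale_dir(const char *env_value, int setugid)
{
    if (setugid || env_value == NULL || *env_value == '\0')
        return DEFAULT_LOCALE_DIR;
    return env_value;
}

/* Choose the locale name from LC_xx / LANG. A name containing '/' could
 * escape the locale directory, so fall back to "C"; "." and ".." are
 * rejected too, since the slash check alone lets them through. */
const char *choose_locale_name(const char *env_value)
{
    if (env_value == NULL || *env_value == '\0')
        return DEFAULT_LOCALE_NAME;
    if (strchr(env_value, '/') != NULL)
        return DEFAULT_LOCALE_NAME;
    if (strcmp(env_value, ".") == 0 || strcmp(env_value, "..") == 0)
        return DEFAULT_LOCALE_NAME;
    return env_value;
}

/* Build dir/name/category into buf. Returns 0 on success, -1 if the
 * result would not fit (the 31-byte strncpy in the patch has no such check). */
int build_locale_path(char *buf, size_t bufsize, const char *dir,
                      const char *name, const char *category)
{
    int n = snprintf(buf, bufsize, "%s/%s/%s", dir, name, category);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;
    return 0;
}

int main(void)
{
    char path[256];
    const char *dir  = choose_locale_dir(getenv("PATH_LOCALE"), set_id_process());
    const char *name = choose_locale_name(getenv("LANG"));

    if (build_locale_path(path, sizeof path, dir, name, "LC_CTYPE") == 0)
        printf("would open %s\n", path);
    return 0;
}
```

The order of the tests in `choose_locale_dir` is the point: the set-id check is evaluated before the environment is consulted, so the variable is never read rather than read and then conditionally discarded, which is the difference between the two hunks in the patch.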