Debian Bug report logs - #28850
gettext: security problem when used in setuid programs

Package: gettext; Maintainer for gettext is Santiago Vila <sanvila@debian.org>; Source for gettext is src:gettext.

Reported by: Marek Michalkiewicz <marekm@piast.t19.ml.org>

Date: Mon, 2 Nov 1998 20:33:02 UTC

Severity: normal

Done: Santiago Vila <sanvila@unex.es>

Bug is archived. No further changes may be made.

Forwarded to Ulrich Drepper <drepper@gnu.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>, Dale Scheetz <dwarf@polaris.net>:
Bug#28850; Package gettext, libc6. Full text and rfc822 format available.

Acknowledgement sent to Marek Michalkiewicz <marekm@piast.t19.ml.org>:
New bug report received and forwarded. Copy sent to Santiago Vila <sanvila@ctv.es>, Dale Scheetz <dwarf@polaris.net>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Marek Michalkiewicz <marekm@piast.t19.ml.org>
To: submit@bugs.debian.org
Subject: gettext: security problem when used in setuid programs
Date: Mon, 2 Nov 1998 21:17:41 +0100 (CET)
Package: gettext, libc6
Version: 0.10.35-3, 2.0.7t-1

gettext is insecure when used in setuid programs - it can be used to open
any file on the system for reading.

I've just tried this (with GNU su, using gettext from libc6):

mkdir /tmp/LC_MESSAGES
ln -s /dev/rft0 /tmp/LC_MESSAGES/SYS_LC_MESSAGES
LANG=../../../tmp su

and (before it got a segmentation fault) it happily opened /dev/rft0
(this is an example where even a read-only open() can potentially cause
data loss by rewinding the tape).

gettext (both in libc6 and in the separate gettext package) should
check for slashes and ..'s in environment variables it uses.  This
probably should be forwarded upstream.  The problem is not specific
to GNU su - any setuid program with i18n support can be exploited.

Marek

-- System Information
Debian Release: 2.0
Kernel Version: Linux marekm 2.0.34 #2 Thu Jul 9 10:57:48 EST 1998 i486 unknown

Versions of the packages gettext depends on:
ii  libc6           2.0.7t-1       The GNU C library version 2 (run-time files)


Reply sent to Santiago Vila <sanvila@unex.es>:
You have marked bug as forwarded. Full text and rfc822 format available.

Message #8 received at 28850-forwarded@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Ulrich Drepper <drepper@gnu.org>
Cc: 28850-forwarded@bugs.debian.org, Marek Michalkiewicz <marekm@piast.t19.ml.org>
Subject: Bug#28850: gettext: security problem when used in setuid programs (fwd)
Date: Tue, 3 Nov 1998 13:00:05 +0100 (CET)
Hello.

I have received this from the Debian Bug tracking system.

[ Please, keep the Cc: lines when replying ].

Thanks.

---------- Forwarded message ----------
Date: Mon, 2 Nov 1998 21:17:41 +0100 (CET)
From: Marek Michalkiewicz <marekm@piast.t19.ml.org>
To: submit@bugs.debian.org
Subject: #28850: gettext: security problem when used in setuid programs

Package: gettext, libc6
Version: 0.10.35-3, 2.0.7t-1

gettext is insecure when used in setuid programs - it can be used to open
any file on the system for reading.

I've just tried this (with GNU su, using gettext from libc6):

mkdir /tmp/LC_MESSAGES
ln -s /dev/rft0 /tmp/LC_MESSAGES/SYS_LC_MESSAGES
LANG=../../../tmp su

and (before it got a segmentation fault) it happily opened /dev/rft0
(this is an example where even a read-only open() can potentially cause
data loss by rewinding the tape).

gettext (both in libc6 and in the separate gettext package) should
check for slashes and ..'s in environment variables it uses.  This
probably should be forwarded upstream.  The problem is not specific
to GNU su - any setuid program with i18n support can be exploited.

Marek

-- System Information
Debian Release: 2.0
Kernel Version: Linux marekm 2.0.34 #2 Thu Jul 9 10:57:48 EST 1998 i486 unknown

Versions of the packages gettext depends on:
ii  libc6           2.0.7t-1       The GNU C library version 2 (run-time files)

-- 
 "f456135146012ee4984cf01ab6076c39" (a truly random sig)



Severity set to `important'. Request was from Santiago Vila <sanvila@unex.es> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>, Joel Klecker <glibc-maint@debian.org>:
Bug#28850; Package gettext, libc6. Full text and rfc822 format available.

Acknowledgement sent to Joel Klecker <jk@espy.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@ctv.es>, Joel Klecker <glibc-maint@debian.org>. Full text and rfc822 format available.

Message #15 received at 28850@bugs.debian.org (full text, mbox):

From: Joel Klecker <jk@espy.org>
To: Santiago Vila <sanvila@unex.es>
Cc: 28850@bugs.debian.org
Subject: Re: Severity increase for Bug #28850
Date: Tue, 12 Jan 1999 21:43:06 -0800
At 18:16 +0100 1999-01-12, Santiago Vila wrote:
>severity 28850 important
>thanks
>
>This bug is about gettext library (both from libc and from the
>gettext package) being insecure when used in setuid programs.

This is fixed in glibc:

1998-05-19 15:58  Ulrich Drepper  <drepper@cygnus.com>

       * elf/rtld.c (process_envvars): Fix typo.  Don't handle
       LD_PROFILE_OUTPUT in SUID binaries.
       * intl/dcgettext.c: In SUID binaries don't let language part of
       locale value contain path elements.
       * intl/explodename.h: Define new function _nl_find_language.
       * intl/loadinfo.h: Declare _nl_find_language.
       * locale/findlocale.c (_nl_find_locale): Use _nl_find_locale to get
       language part it drop the value is path element is contained.
--
Joel Klecker (aka Espy)                     <URL:http://web.espy.org/>
<URL:mailto:jk@espy.org>                  <URL:mailto:espy@debian.org>
Debian GNU/Linux PowerPC -- <URL:http://www.debian.org/ports/powerpc/>


Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>, Joel Klecker <glibc-maint@debian.org>:
Bug#28850; Package gettext, libc6. Full text and rfc822 format available.

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@ctv.es>, Joel Klecker <glibc-maint@debian.org>. Full text and rfc822 format available.

Message #20 received at 28850@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Joel Klecker <jk@espy.org>
Cc: 28850@bugs.debian.org
Subject: Re: Severity increase for Bug #28850
Date: Wed, 13 Jan 1999 12:08:51 +0100 (CET)
On Tue, 12 Jan 1999, Joel Klecker wrote:

> At 18:16 +0100 1999-01-12, Santiago Vila wrote:
> >severity 28850 important
> >thanks
> >
> >This bug is about gettext library (both from libc and from the
> >gettext package) being insecure when used in setuid programs.
> 
> This is fixed in glibc:
> 
> 1998-05-19 15:58  Ulrich Drepper  <drepper@cygnus.com>

Fine. How do I apply this to the gettext library?

-- 
 "5ad8b636a39119a40537eafceeab42a9" (a truly random sig)



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>, Dale Scheetz <glibc-maint@debian.org>:
Bug#28850; Package gettext, libc6. Full text and rfc822 format available.

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@ctv.es>, Dale Scheetz <glibc-maint@debian.org>. Full text and rfc822 format available.

Message #25 received at 28850@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Marek Michalkiewicz <marekm@piast.t19.ml.org>, 28850@bugs.debian.org
Subject: Re: Bug#28850: gettext: security problem when used in setuid programs
Date: Tue, 26 Jan 1999 17:16:11 +0100 (CET)
On Mon, 2 Nov 1998, Marek Michalkiewicz wrote:

> Package: gettext, libc6
> Version: 0.10.35-3, 2.0.7t-1
> 
> gettext is insecure when used in setuid programs - it can be used to open
> any file on the system for reading.

Fixed in gettext_0.10.35-7, now in slink.

However, I can't just fix this bug, since it may affect lots of other
programs, so I'm going to reassign it to "general".

Thanks.

-- 
 "0d1a6841b7f708e723b0c5fb615aa562" (a truly random sig)



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>, Dale Scheetz <glibc-maint@debian.org>:
Bug#28850; Package gettext, libc6. Full text and rfc822 format available.

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@ctv.es>, Dale Scheetz <glibc-maint@debian.org>. Full text and rfc822 format available.

Message #30 received at 28850@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: 28850@bugs.debian.org
Cc: control@bugs.debian.org, Debian Developers <debian-devel@lists.debian.org>
Subject: Need a check for suid applications
Date: Tue, 26 Jan 1999 17:21:45 +0100 (CET)
reassign 28850 general
thanks

This bug is now fixed in gettext_0.10.35-7.

However, somebody should check that every suid application in slink which
is statically linked against gettext is recompiled with the new gettext.
(Maybe doing "gettextize -f -c").

Thanks.

-- 
 "6525d3e1b6548dd210c536bf09bde00b" (a truly random sig)



Bug reassigned from package `gettext, libc6' to `general'. Request was from Santiago Vila <sanvila@unex.es> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general. Full text and rfc822 format available.

Acknowledgement sent to Richard Braakman <dark@xs4all.nl>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #37 received at 28850@bugs.debian.org (full text, mbox):

From: Richard Braakman <dark@xs4all.nl>
To: 28850@bugs.debian.org
Subject: List of packages that link gettext statically
Date: Mon, 15 Feb 1999 03:32:57 +0100 (CET)
Joel Klecker told me that programs that link statically with gettext
will have "bindtextdomain" defined.  I grepped for that in the Lintian
lab and got this list:

clisp
dpkg
enscript
gcal
gettext
grep
id-utils
info
libc6
olwm
pspp
sharutils
textutils
xview
xviewg

gettext and libc6 are obvious, and are already fixed.  I don't
know about the rest, or whether they contain suid binaries.
(I can't grep for that in the lab, because suid bits often get
set in the postinst.)

Richard Braakman


Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.north.de>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #42 received at 28850@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@finlandia.Infodrom.North.DE>
To: Richard Braakman <dark@xs4all.nl>, 28850@bugs.debian.org
Subject: Re: Bug#28850: List of packages that link gettext statically
Date: Mon, 15 Feb 1999 19:15:36 +0100
Richard Braakman wrote:
> Joel Klecker told me that programs that link statically with gettext
> will have "bindtextdomain" defined.  I grepped for that in the Lintian
> lab and got this list:

Wonderful!  Thanks dark!  I was thinking about this for some days but
haven't found time to work on it.

Now that we have the list of packages we need to find out which of them
need to be recompiled.  Alternatively since these are only <20 packages
we could simply recompile them and we're on the secure side.  Are there
objections against this?

> clisp
> dpkg       <-- no suid
> enscript
> gcal
> gettext    <-- fixed
> grep
> id-utils
> info
> libc6      <-- fixed
> olwm
> pspp
> sharutils
> textutils
> xview
> xviewg
> 
> gettext and libc6 are obvious, and are already fixed.  I don't
> know about the rest, or whether they contain suid binaries.
> (I can't grep for that in the lab, because suid bits often get
> set in the postinst.)

If nobody provides that list I'll check it tonight.

Regards,

	Joey

-- 
GNU GPL: "The source will be with you... always."

Please always Cc to me when replying to me on the lists.


Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.north.de>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #47 received at 28850@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@finlandia.Infodrom.North.DE>
To: Richard Braakman <dark@xs4all.nl>, 28850@bugs.debian.org
Subject: Re: Bug#28850: List of packages that link gettext statically
Date: Tue, 16 Feb 1999 00:37:45 +0100
Richard Braakman wrote:
> Joel Klecker told me that programs that link statically with gettext
> will have "bindtextdomain" defined.  I grepped for that in the Lintian
> lab and got this list:
> 
> clisp
> dpkg
> enscript
> gcal
> gettext
> grep
> id-utils
> info
> libc6
> olwm
> pspp
> sharutils
> textutils
> xview
> xviewg

Ok, like I expected I have found NOT a single package that contains
a setuid or setgid binary.  Somebody please confirm this.

If nobody objects I'm going to close or at least downgrade this
bug report.

Here is the script I have used to investigate the files:

for pkg in clisp dpkg enscript gcal gettext grep id-utils info libc6 olwm pspp sharutils textutils xview xviewg
do
    # list every file the package installed, skipping directories
    dpkg -L "$pkg" |\
    while read -r file
    do
        if [ -d "$file" ]
        then
            continue
        else
            echo "$file"
        fi
    # match a set-user-id bit (^-..s) or a set-group-id bit (^-.....s)
    done | xargs ls -l | grep '^-..s\|^-.....s'
done

Since some packages only add +s in their postinst scripts I have
installed the packages first.

Regards,

	Joey

-- 
GNU GPL: "The source will be with you... always."

Please always Cc to me when replying to me on the lists.


Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general. Full text and rfc822 format available.

Acknowledgement sent to Wichert Akkerman <wakkerma@cs.leidenuniv.nl>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #52 received at 28850@bugs.debian.org (full text, mbox):

From: Wichert Akkerman <wakkerma@cs.leidenuniv.nl>
To: Martin Schulze <joey@infodrom.north.de>, 28850@bugs.debian.org
Subject: Re: Bug#28850: List of packages that link gettext statically
Date: Tue, 16 Feb 1999 02:40:47 +0100
Previously Martin Schulze wrote:
> Alternatively since these are only <20 packages we could simply
> recompile them and we're on the secure side.  Are there objections
> against this?

None, except that we have to make sure that porters will also have the new
gettext installed.

Wichert.

-- 
==============================================================================
This combination of bytes forms a message written to you by Wichert Akkerman.
E-Mail: wakkerma@cs.leidenuniv.nl
WWW: http://www.wi.leidenuniv.nl/~wichert/

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.north.de>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.north.de>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Severity set to `fixed'. Request was from Martin Schulze <joey@finlandia.Infodrom.North.DE> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general. Full text and rfc822 format available.

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #69 received at 28850@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Martin Schulze <joey@infodrom.north.de>, 28850@bugs.debian.org
Subject: Re: Bug#28850: List of packages that link gettext statically
Date: Wed, 17 Feb 1999 11:47:29 +0100 (CET)
On Tue, 16 Feb 1999, Martin Schulze wrote:

> Ok, like I expected I have found NOT a single package that contains
> a setuid or setgid binary.  Somebody please confirm this.

What about /bin/su from shellutils?

(This example was in the original report against gettext).

-- 
 "f50cb4b0479c287c05cbfe1afe61dc54" (a truly random sig)



Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.north.de>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. Full text and rfc822 format available.

Message #74 received at 28850@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@finlandia.Infodrom.North.DE>
To: Santiago Vila <sanvila@unex.es>
Cc: 28850@bugs.debian.org
Subject: Re: Bug#28850: List of packages that link gettext statically
Date: Wed, 17 Feb 1999 12:22:08 +0100
Santiago Vila wrote:
> On Tue, 16 Feb 1999, Martin Schulze wrote:
> 
> > Ok, like I expected I have found NOT a single package that contains
> > a setuid or setgid binary.  Somebody please confirm this.
> 
> What about /bin/su from shellutils?
> 
> (This example was in the original report against gettext).

shellutils was not part of the list Richard provided.

Regards,

	Joey

-- 
All language designers are arrogant.  Goes with the territory...
	-- Larry Wall

Please always Cc to me when replying to me on the lists.


Bug reassigned from package `general' to `gettext'. Request was from "J.H.M. Dassen (Ray)" <jdassen@wi.LeidenUniv.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Santiago Vila <sanvila@unex.es>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Marek Michalkiewicz <marekm@piast.t19.ml.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #81 received at 28850-done@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: 28850-done@bugs.debian.org
Subject: Fixed some time ago.
Date: Tue, 19 Oct 1999 12:31:50 +0200 (CET)
Hi.

This bug was fixed a long time ago.

Thanks.

-- 
 "c0caff43b23f3453b594167f81e29a46" (a truly random sig)



Severity set to `normal'. Request was from Santiago Vila <sanvila@unex.es> to control@bugs.debian.org. Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 08:39:37 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.