Debian Bug report logs - #28850
gettext: security problem when used in setuid programs
Reported by: Marek Michalkiewicz <marekm@piast.t19.ml.org>
Date: Mon, 2 Nov 1998 20:33:02 UTC
Severity: normal
Done: Santiago Vila <sanvila@unex.es>
Bug is archived. No further changes may be made.
Forwarded to Ulrich Drepper <drepper@gnu.org>
Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>, Dale Scheetz <dwarf@polaris.net>:
Bug#28850; Package gettext, libc6.
Acknowledgement sent to Marek Michalkiewicz <marekm@piast.t19.ml.org>:
New bug report received and forwarded. Copy sent to Santiago Vila <sanvila@ctv.es>, Dale Scheetz <dwarf@polaris.net>.
Message #5 received at submit@bugs.debian.org:
Package: gettext, libc6
Version: 0.10.35-3, 2.0.7t-1
gettext is insecure when used in setuid programs - it can be used to open
any file on the system for reading.
I've just tried this (with GNU su, using gettext from libc6):
mkdir /tmp/LC_MESSAGES
ln -s /dev/rft0 /tmp/LC_MESSAGES/SYS_LC_MESSAGES
LANG=../../../tmp su
and (before it got a segmentation fault) it happily opened /dev/rft0
(this is an example where even a read-only open() can potentially cause
data loss by rewinding the tape).
gettext (both in libc6 and in the separate gettext package) should
check for slashes and ..'s in environment variables it uses. This
probably should be forwarded upstream. The problem is not specific
to GNU su - any setuid program with i18n support can be exploited.
Marek
-- System Information
Debian Release: 2.0
Kernel Version: Linux marekm 2.0.34 #2 Thu Jul 9 10:57:48 EST 1998 i486 unknown
Versions of the packages gettext depends on:
ii libc6 2.0.7t-1 The GNU C library version 2 (run-time files)
Reply sent to Santiago Vila <sanvila@unex.es>:
You have marked bug as forwarded.
Message #8 received at 28850-forwarded@bugs.debian.org:
Hello.
I have received this from the Debian Bug tracking system.
[ Please, keep the Cc: lines when replying ].
Thanks.
---------- Forwarded message ----------
Date: Mon, 2 Nov 1998 21:17:41 +0100 (CET)
From: Marek Michalkiewicz <marekm@piast.t19.ml.org>
To: submit@bugs.debian.org
Subject: #28850: gettext: security problem when used in setuid programs
--
"f456135146012ee4984cf01ab6076c39" (a truly random sig)
Severity set to `important'.
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>, Joel Klecker <glibc-maint@debian.org>:
Bug#28850; Package gettext, libc6.
Acknowledgement sent to Joel Klecker <jk@espy.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@ctv.es>, Joel Klecker <glibc-maint@debian.org>.
Message #15 received at 28850@bugs.debian.org:
At 18:16 +0100 1999-01-12, Santiago Vila wrote:
>severity 28850 important
>thanks
>
>This bug is about gettext library (both from libc and from the
>gettext package) being insecure when used in setuid programs.
This is fixed in glibc:
1998-05-19 15:58 Ulrich Drepper <drepper@cygnus.com>
* elf/rtld.c (process_envvars): Fix typo. Don't handle
LD_PROFILE_OUTPUT in SUID binaries.
* intl/dcgettext.c: In SUID binaries don't let language part of
locale value contain path elements.
* intl/explodename.h: Define new function _nl_find_language.
* intl/loadinfo.h: Declare _nl_find_language.
* locale/findlocale.c (_nl_find_locale): Use _nl_find_locale to get
language part and drop the value if path element is contained.
--
Joel Klecker (aka Espy) <URL:http://web.espy.org/>
<URL:mailto:jk@espy.org> <URL:mailto:espy@debian.org>
Debian GNU/Linux PowerPC -- <URL:http://www.debian.org/ports/powerpc/>
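Added example (not code from glibc, gettext or this bug log): one way to write the check the report asks for and the changelog entry above describes, where a privileged process drops a locale value that contains path elements. The function names, the /usr/share/locale directory and the fallback to the "C" locale are assumptions, and the check covers the whole value rather than only its language part.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* True when effective IDs differ from real IDs: the binary is setuid or
   setgid, so its environment was set by a less privileged user. */
bool running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* The locale name becomes one directory component of the file path, so it
   must not be empty, ".", "..", or contain a '/'. */
bool locale_name_is_plain(const char *name)
{
    return name != NULL && name[0] != '\0' && strcmp(name, ".") != 0
        && strcmp(name, "..") != 0 && strchr(name, '/') == NULL;
}

/* In a privileged process, drop a value with path elements and use "C"
   (hypothetical helper; the fallback choice is an assumption). */
const char *effective_locale(const char *env_value, bool privileged)
{
    if (env_value == NULL || env_value[0] == '\0')
        return "C";
    if (privileged && !locale_name_is_plain(env_value))
        return "C";
    return env_value;
}

/* Build "<dir>/<locale>/LC_MESSAGES/SYS_LC_MESSAGES"; 0 on success. */
int locale_file_path(char *out, size_t len, const char *dir, const char *locale)
{
    int n = snprintf(out, len, "%s/%s/LC_MESSAGES/SYS_LC_MESSAGES", dir, locale);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    const char *dir = "/usr/share/locale";  /* assumed locale directory */
    const char *lang = "../../../tmp";      /* LANG value from the report */
    char path[256];
    locale_file_path(path, sizeof path, dir, effective_locale(lang, false));
    printf("no check:   %s\n", path);
    locale_file_path(path, sizeof path, dir, effective_locale(lang, true));
    printf("with check: %s\n", path);
    printf("this process privileged: %d\n", running_privileged());
    return 0;
}
```

Without the check, the path built from the reported LANG value resolves to /tmp/LC_MESSAGES/SYS_LC_MESSAGES, the symlink location from the report; with it, the path stays under the locale directory.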
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>, Joel Klecker <glibc-maint@debian.org>:
Bug#28850; Package gettext, libc6.
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@ctv.es>, Joel Klecker <glibc-maint@debian.org>.
Message #20 received at 28850@bugs.debian.org:
On Tue, 12 Jan 1999, Joel Klecker wrote:
> At 18:16 +0100 1999-01-12, Santiago Vila wrote:
> >severity 28850 important
> >thanks
> >
> >This bug is about gettext library (both from libc and from the
> >gettext package) being insecure when used in setuid programs.
>
> This is fixed in glibc:
>
> 1998-05-19 15:58 Ulrich Drepper <drepper@cygnus.com>
Fine. How do I apply this to the gettext library?
--
"5ad8b636a39119a40537eafceeab42a9" (a truly random sig)
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>, Dale Scheetz <glibc-maint@debian.org>:
Bug#28850; Package gettext, libc6.
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@ctv.es>, Dale Scheetz <glibc-maint@debian.org>.
Message #25 received at 28850@bugs.debian.org:
On Mon, 2 Nov 1998, Marek Michalkiewicz wrote:
> Package: gettext, libc6
> Version: 0.10.35-3, 2.0.7t-1
>
> gettext is insecure when used in setuid programs - it can be used to open
> any file on the system for reading.
Fixed in gettext_0.10.35-7, now in slink.
However, I can't just fix this bug, since it may affect lots of other
programs, so I'm going to reassign it to "general".
Thanks.
--
"0d1a6841b7f708e723b0c5fb615aa562" (a truly random sig)
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@ctv.es>, Dale Scheetz <glibc-maint@debian.org>:
Bug#28850; Package gettext, libc6.
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@ctv.es>, Dale Scheetz <glibc-maint@debian.org>.
Message #30 received at 28850@bugs.debian.org:
reassign 28850 general
thanks
This bug is now fixed in gettext_0.10.35-7.
However, somebody should check that every suid application in slink which
is statically linked against gettext is recompiled with the new gettext.
(Maybe doing "gettextize -f -c").
Thanks.
--
"6525d3e1b6548dd210c536bf09bde00b" (a truly random sig)
Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general.
Acknowledgement sent to Richard Braakman <dark@xs4all.nl>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org.
Message #37 received at 28850@bugs.debian.org:
Joel Klecker told me that programs that link statically with gettext
will have "bindtextdomain" defined. I grepped for that in the Lintian
lab and got this list:
clisp
dpkg
enscript
gcal
gettext
grep
id-utils
info
libc6
olwm
pspp
sharutils
textutils
xview
xviewg
gettext and libc6 are obvious, and are already fixed. I don't
know about the rest, or whether they contain suid binaries.
(I can't grep for that in the lab, because suid bits often get
set in the postinst.)
Richard Braakman
Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general.
Acknowledgement sent to Martin Schulze <joey@infodrom.north.de>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org.
Message #42 received at 28850@bugs.debian.org:
Richard Braakman wrote:
> Joel Klecker told me that programs that link statically with gettext
> will have "bindtextdomain" defined. I grepped for that in the Lintian
> lab and got this list:
Wonderful! Thanks dark! I was thinking about this for some days but
haven't found time to work on it.
Now that we have the list of packages we need to find out which of them
need to be recompiled. Alternatively since these are only <20 packages
we could simply recompile them and we're on the secure side. Are there
objections against this?
> clisp
> dpkg <-- no suid
> enscript
> gcal
> gettext <-- fixed
> grep
> id-utils
> info
> libc6 <-- fixed
> olwm
> pspp
> sharutils
> textutils
> xview
> xviewg
>
> gettext and libc6 are obvious, and are already fixed. I don't
> know about the rest, or whether they contain suid binaries.
> (I can't grep for that in the lab, because suid bits often get
> set in the postinst.)
If nobody provides that list I'll check it tonight.
Regards,
Joey
--
GNU GPL: "The source will be with you... always."
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general.
Acknowledgement sent to Martin Schulze <joey@infodrom.north.de>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org.
Message #47 received at 28850@bugs.debian.org:
Richard Braakman wrote:
> Joel Klecker told me that programs that link statically with gettext
> will have "bindtextdomain" defined. I grepped for that in the Lintian
> lab and got this list:
>
> clisp
> dpkg
> enscript
> gcal
> gettext
> grep
> id-utils
> info
> libc6
> olwm
> pspp
> sharutils
> textutils
> xview
> xviewg
Ok, like I expected I have found NOT a single package that contains
a setuid or setgid binary. Somebody please confirm this.
If nobody objects I'm going to close or at least downgrade this
bug report.
Here is the script I have used to investigate the files:
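for pkg in clisp dpkg enscript gcal gettext grep id-utils info libc6 olwm pspp sharutils textutils xview xviewg
do
    # List the files the package installed, skipping directories
    dpkg -L "$pkg" |
    while read -r file
    do
        if [ -d "$file" ]
        then
            continue
        else
            echo "$file"
        fi
    # Keep regular files whose owner-execute column shows 's' (setuid bit)
    done | xargs ls -l | grep '^-..s'
done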
Since some packages only add +s in their postinst scripts I have
installed the packages first.
Regards,
Joey
--
GNU GPL: "The source will be with you... always."
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general.
Acknowledgement sent to Wichert Akkerman <wakkerma@cs.leidenuniv.nl>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org.
Message #52 received at 28850@bugs.debian.org:
Previously Martin Schulze wrote:
> Alternatively since these are only <20 packages we could simply
> recompile them and we're on the secure side. Are there objections
> against this?
None, except that we have to make sure that porters will also have the new
gettext installed.
Wichert.
--
==============================================================================
This combination of bytes forms a message written to you by Wichert Akkerman.
E-Mail: wakkerma@cs.leidenuniv.nl
WWW: http://www.wi.leidenuniv.nl/~wichert/
Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general.
Acknowledgement sent to Martin Schulze <joey@infodrom.north.de>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org.
Severity set to `fixed'.
Request was from Martin Schulze <joey@finlandia.Infodrom.North.DE>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general.
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org.
Message #69 received at 28850@bugs.debian.org:
On Tue, 16 Feb 1999, Martin Schulze wrote:
> Ok, like I expected I have found NOT a single package that contains
> a setuid or setgid binary. Somebody please confirm this.
What about /bin/su from shellutils?
(This example was in the original report against gettext).
--
"f50cb4b0479c287c05cbfe1afe61dc54" (a truly random sig)
Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#28850; Package general.
Acknowledgement sent to Martin Schulze <joey@infodrom.north.de>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org.
Message #74 received at 28850@bugs.debian.org:
Santiago Vila wrote:
> On Tue, 16 Feb 1999, Martin Schulze wrote:
>
> > Ok, like I expected I have found NOT a single package that contains
> > a setuid or setgid binary. Somebody please confirm this.
>
> What about /bin/su from shellutils?
>
> (This example was in the original report against gettext).
shellutils was not part of the list Richard provided.
Regards,
Joey
--
All language designers are arrogant. Goes with the territory...
-- Larry Wall
Please always Cc to me when replying to me on the lists.
Bug reassigned from package `general' to `gettext'.
Request was from "J.H.M. Dassen (Ray)" <jdassen@wi.LeidenUniv.nl>
to control@bugs.debian.org.
Reply sent to Santiago Vila <sanvila@unex.es>:
You have taken responsibility.
Notification sent to Marek Michalkiewicz <marekm@piast.t19.ml.org>:
Bug acknowledged by developer.
Message #81 received at 28850-done@bugs.debian.org:
Hi.
This bug was fixed a long time ago.
Thanks.
--
"c0caff43b23f3453b594167f81e29a46" (a truly random sig)
Severity set to `normal'.
Request was from Santiago Vila <sanvila@unex.es>
to control@bugs.debian.org.