This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [bug-gettext] intl: Proof against invalid offset/length
- From: Bruno Haible <bruno at clisp dot org>
- To: bug-gettext at gnu dot org
- Cc: Carlos O'Donell <carlos at redhat dot com>, Daiki Ueno <ueno at gnu dot org>, Jakub Wilk <jwilk at debian dot org>, libc-alpha at sourceware dot org
- Date: Thu, 12 Mar 2015 02:04:25 +0100
- Subject: Re: [bug-gettext] intl: Proof against invalid offset/length
- References: <m3oao06pj3 dot fsf-ueno at gnu dot org> <54FFE323 dot 4000704 at redhat dot com>
Carlos O'Donell wrote:
> The MO files are writable only by root, so it's not a security issue
> because if you could write to them you'd be root, and you'd have
> full access to the system anyway.
Your argument is similar to Ulrich Drepper's argument: MO files are part
of the distribution of a package, like executables and shared libraries.
glibc does not check against invalid offsets in shared libraries either,
and the kernel does not check against illegal instructions that happen
to exist in executables and shared libraries.
But these arguments don't consider the LANGUAGE variable. The original
intent of LANGUAGE was that it contains colon-separated language or locale
identifiers. But in fact, you can specify relative file names that start
with "../", and thus you can make the _nl_load_domain function in glibc
access files anywhere in the file system. For example:
$ LANGUAGE=../../../../../../../../../../../../../../tmp/hack/crashing-mos strace cp . .
...
open("/usr/share/locale/../../../../../../../../../../../../../../tmp/hack/crashing-mos/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/../../../../../../../../../../../../../../tmp/hack/crashing-mos/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
...
If I had put a hacked .mo file at /tmp/hack/crashing-mos/LC_MESSAGES/coreutils.mo
I would have crashed the 'cp' program from coreutils. Likewise with
any program from any package.
Bruno
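Added example, not code from this thread or from glibc: a hypothetical validator for the LANGUAGE value that accepts only colon-separated plain locale identifiers, so a path fragment like the one in the strace output above is rejected before any file name is built from it. The accepted element syntax (leading letter, then letters, digits, '_', '-', '.', '@') is my own conservative rule, not glibc's.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: characters allowed inside a locale identifier
   such as "de_DE.UTF-8@euro".  '/' is deliberately absent, so no element
   can name a directory or contain "../". */
static bool locale_char_ok(unsigned char c)
{
    return isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@';
}

/* One colon-separated element of LANGUAGE is acceptable when it is
   non-empty, reasonably short, starts with a letter (which also rules out
   "." and ".."), and uses only the characters above. */
bool language_element_ok(const char *elem, size_t len)
{
    if (len == 0 || len > 64)
        return false;
    if (!isalpha((unsigned char) elem[0]))
        return false;
    for (size_t i = 0; i < len; i++)
        if (!locale_char_ok((unsigned char) elem[i]))
            return false;
    return true;
}

/* Validate a whole LANGUAGE value such as "de_DE:fr:en".  Every element
   must pass; an unset or empty LANGUAGE is accepted as "no preference". */
bool language_value_ok(const char *value)
{
    if (value == NULL || *value == '\0')
        return true;
    for (const char *p = value;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t) (colon - p) : strlen(p);
        if (!language_element_ok(p, len))
            return false;
        if (colon == NULL)
            return true;
        p = colon + 1;
    }
}
```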