Vigil@nce: glibc locale, unfiltered output
March 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
The result of the glibc locale command is not filtered, so an
attacker can inject data in a program using this result.
– Severity: 1/4
– Creation date: 09/03/2011
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The "locale" command, which is provided by the glibc suite,
displays localization variables:
LC_CTYPE="fr_FR@euro"
LC_NUMERIC="fr_FR@euro"
etc.
This command reads the content of the LANG environment variable in
order to determine which information to display. However, if the
content of the LANG variable is not a known language, locale displays
that content verbatim. This behavior contradicts the documentation,
which states that the result is filtered.
If a program uses `locale` to initialize variables, an attacker
can thus inject shell commands into this program.
The result of the glibc locale command is therefore not filtered,
so an attacker can inject data in a program using this result.
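As an added example (not code from the Vigil@nce bulletin or from glibc), a POSIX shell filter that a program can apply to `locale` output before importing it, instead of evaluating the output directly; the locale-name grammar it accepts and the sample output are assumptions.

```shell
# Added example, not code from the Vigil@nce bulletin or from glibc.
# A program that does `eval "$(locale)"` executes whatever LANG held.
# Instead, parse each NAME=value line and accept only values matching
# the POSIX locale-name grammar (assumed to be what callers need):
#   language[_TERRITORY][.codeset][@modifier], or C / POSIX.

is_valid_locale_name() {
    case "$1" in
        C|POSIX) return 0 ;;
    esac
    printf '%s\n' "$1" | LC_ALL=C grep -Eq \
        '^[a-z]{2,3}(_[A-Z]{2})?(\.[A-Za-z0-9-]+)?(@[A-Za-z0-9]+)?$'
}

# Parse one `locale` line ('LANG=fr_FR.UTF-8' or 'LC_CTYPE="fr_FR.UTF-8"').
# Prints NAME=value and returns 0 if safe; prints nothing, returns 1 if not.
import_locale_line() {
    line=$1
    name=${line%%=*}
    value=${line#*=}
    value=${value#\"}; value=${value%\"}   # locale quotes derived values
    case "$name" in
        LANG|LANGUAGE|LC_[A-Z]*) ;;
        *) return 1 ;;
    esac
    if [ -z "$value" ]; then               # empty means "not set"
        printf '%s=\n' "$name"
        return 0
    fi
    is_valid_locale_name "$value" || return 1
    printf '%s=%s\n' "$name" "$value"
}

# Filter a whole `locale` output; returns 1 if any line was rejected, so
# the caller refuses the entire result instead of importing half of it.
filter_locale_output() {
    rc=0; saved_ifs=$IFS; IFS='
'
    set -f                                 # no globbing of values
    for line in $1; do
        import_locale_line "$line" || rc=1
    done
    set +f; IFS=$saved_ifs
    return $rc
}

# Constructed sample in the format `locale` prints (not captured output).
SAMPLE_LOCALE_OUTPUT='LANG=fr_FR@euro
LC_CTYPE="fr_FR@euro"
LC_ALL='
```

Only the assignments printed by `filter_locale_output` should reach the program's environment, and a non-zero return should abort the import entirely.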
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/glibc-locale-unfiltered-output-10439