From 4e8f95a0df7c2300b830ec12c0ae1e161bc8a8a3 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 12 May 2014 15:24:12 +0200 Subject: _nl_find_locale: Improve handling of crafted locale names [BZ #17137] Prevent directory traversal in locale-related environment variables (CVE-2014-0475). --- NEWS | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 3ef9162fbb..a6617a145e 100644 --- a/NEWS +++ b/NEWS @@ -21,7 +21,8 @@ Version 2.20 16882, 16885, 16888, 16890, 16912, 16915, 16916, 16917, 16918, 16922, 16927, 16928, 16932, 16943, 16958, 16965, 16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031, 17042, 17048, 17050, 17058, - 17061, 17062, 17069, 17075, 17079, 17084, 17086, 17092, 17097, 17125. + 17061, 17062, 17069, 17075, 17079, 17084, 17086, 17092, 17097, 17125, + 17137. * Optimized strchr implementation for AArch64. Contributed by ARM Ltd. @@ -70,6 +71,15 @@ Version 2.20 On configurations that support it (all Linux configurations), it's now used regardless of the --enable-add-ons switch to configure. It is no longer possible to build such configurations without pthreads support. + +* Locale names, including those obtained from environment variables (LANG + and the LC_* variables), are more tightly checked for proper syntax. + setlocale will now fail (with EINVAL) for locale names that are overly + long, contain slashes without starting with a slash, or contain ".." path + components. (CVE-2014-0475) Previously, some valid locale names were + silently replaced with the "C" locale when running in AT_SECURE mode + (e.g., in a SUID program). This is no longer necessary because of the + additional checks. Version 2.19 -- cgit v1.2.3
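Review bot: In the second hunk (the new "Version 2.20" NEWS entry) the text lists the new syntax checks but never states what they protect against, even though the commit subject says they prevent directory traversal through locale-related environment variables; a NEWS reader deciding whether to upgrade needs that one sentence, e.g. "... or contain ".." path components, which could previously be used to make locale lookups escape the locale directory (CVE-2014-0475)." Placing the CVE reference at the end of the sentence it qualifies also fixes the awkward mid-paragraph "(CVE-2014-0475) Previously, ..." construction. Two further wording points in the same hunk: "overly long" gives users no way to know which names will start failing, so either state the length limit the new check enforces or point to where it is documented; and "some valid locale names were silently replaced with the "C" locale" should say which names were affected (the commit message's "crafted locale names" suggests names with slashes or ".." components), since the sentence otherwise reads as if arbitrary valid names used to be dropped in AT_SECURE mode.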