OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Format strings & i18n
From: Jarno Huuskonen (jhuuskonmessi.uku.fi)
Date: Tue Oct 03 2000 - 07:08:19 CDT


Hi,

Lot of programs blindly feed the result of catget to various printf
type functions. While usually this has no security problems
(no suid/sgid programs) it still allows users to define their own
path for the messages (LANGUAGE=../../../tmp etc.) and these messages can
have all the nice formatstrings.

The security risk comes if some (l)user is allowed to run some program
with root privs (for example with sudo) and all the environment is not
cleaned (LANGUAGE etc.) --> luser can use his/her own messages.

I think it would be a good idea to have somekind of support in (glibc?) to
catch crazy i18n format strings. Perhaps it could count the formatters in
the original message and if there're more in i18n version then use the
original.

So instead of fprintf(stderr, catget("You made a %s mistake"), progname);
Programmers would use:
fprintf(stderr, verify_catget("You made a %s mistake"), progname);

Does this rambling make any sense at all ?

-Jarno

PS. While writing this I noticed that sudo doesn't seem to clear LANGUAGE
    etc. environment ...

-- 
Jarno Huuskonen - System Administrator   |  Jarno.Huuskonenuku.fi
University of Kuopio - Computer Centre   |  Work:   +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland       |  Mobile: +358 40 5388169