On 01 May 2015 01:13, Pádraig Brady wrote:
> On 30/04/15 23:08, Trammell Hudson wrote:
> > Description:
> > The gettext translated messages for "Done", "Done(%d)" and "Exit %d"
> > in jobs.c are copied to a static allocated buffer. A user could set the
> > LANGUAGE variable to point to a malicious translation file that has
> > translations that are longer than 64-bytes for these strings to create
> > a buffer overflow.
> >
> > Since LANGUAGE is passed unchanged by sudo this might be usable for
> > privilege escalation.
> >
> >
> > Repeat-By:
> > Create a .po file with a bogus translation:
> >
> > #: jobs.c:1464 jobs.c:1489
> > msgid "Done"
> > msgstr "Klaar
> > 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"
> >
> > And start an interactive shell that puts a command into the background:
> >
> > LANGUAGE="nl.utf8" PS1='$ ' ./bash --noprofile -norc
> > $ sleep 1 &
> > [1] 14464
> > $ sleep 2
> > [1]+ Klaar
> > 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
> > sleep 1
>
> How does one override the system translation?
> I thought gettext only looks in the dir passed to bindtextdomain() ?
but it uses $LANGUAGE in there

$ LANGUAGE=/../../../../../foo/ strace -e file bash --noprofile -norc -c 'echo $"hi"' |& grep foo
open("/usr/share/locale///../../../../../foo//LC_MESSAGES/im-config.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale///.foo/LC_MESSAGES/im-config.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack//../../../../../foo//LC_MESSAGES/im-config.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack//.foo/LC_MESSAGES/im-config.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

-mike
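The copy pattern Trammell's report describes, next to a bounded form that truncates and reports an oversized catalog entry instead of overflowing, as an added C example (not bash's jobs.c code; the 64-byte buffer size and the 95-byte "Klaar..." translation are taken from the report above, the function names are hypothetical):

```c
#include <stdio.h>
#include <string.h>

/* Size of the static status buffer the report describes. */
#define STATUS_BUF_LEN 64

/* Constructed stand-in for the oversized "Done" translation in the repro:
 * "Klaar" followed by 90 digits, 95 bytes, longer than the 64-byte buffer. */
static const char *const OVERSIZED_DONE =
    "Klaar"
    "123456789012345678901234567890"
    "123456789012345678901234567890"
    "123456789012345678901234567890";

/* Vulnerable pattern: the translated text is copied into a fixed-size buffer
 * with no length check, so a longer catalog entry writes past its end.
 * Kept here for comparison only; nothing below exercises it. */
void copy_status_unbounded(char out[STATUS_BUF_LEN], const char *translated)
{
    strcpy(out, translated);
}

/* Hardened form: snprintf writes at most outlen bytes including the NUL,
 * so an oversized translation is truncated instead of overflowing.
 * Returns 0 when the text fit, 1 when it was truncated, -1 on error,
 * so the caller can log or reject a catalog entry that does not fit. */
int copy_status_bounded(char *out, size_t outlen, const char *translated)
{
    int needed = snprintf(out, outlen, "%s", translated);
    if (needed < 0)
        return -1;
    return (size_t)needed < outlen ? 0 : 1;
}

/* Check that a catalog string (plus its NUL) fits in outlen bytes before it
 * is copied anywhere; a loader could apply this to every entry it reads. */
int translation_fits(const char *translated, size_t outlen)
{
    return memchr(translated, '\0', outlen) != NULL;
}

int main(void)
{
    char buf[STATUS_BUF_LEN];
    int rc = copy_status_bounded(buf, sizeof buf, OVERSIZED_DONE);
    printf("fits=%d truncated=%d stored=%zu bytes: %s\n",
           translation_fits(OVERSIZED_DONE, sizeof buf), rc, strlen(buf), buf);
    return 0;
}
```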