public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/17625] New: CVE-2014-7817
@ 2014-11-19 15:59 carlos at redhat dot com
2014-11-19 20:03 ` [Bug libc/17625] wordexp fails to honour WRDE_NOCMD (CVE-2014-7817) carlos at redhat dot com
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: carlos at redhat dot com @ 2014-11-19 15:59 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17625
Bug ID: 17625
Summary: CVE-2014-7817
Product: glibc
Version: 2.20
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: carlos at redhat dot com
CC: drepper.fsp at gmail dot com
Placeholder bug for CVE-2014-7817.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug libc/17625] wordexp fails to honour WRDE_NOCMD (CVE-2014-7817)
2014-11-19 15:59 [Bug libc/17625] New: CVE-2014-7817 carlos at redhat dot com
@ 2014-11-19 20:03 ` carlos at redhat dot com
2014-11-19 20:04 ` carlos at redhat dot com
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: carlos at redhat dot com @ 2014-11-19 20:03 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17625
Carlos O'Donell <carlos at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|CVE-2014-7817 |wordexp fails to honour
| |WRDE_NOCMD (CVE-2014-7817)
Alias| |CVE-2014-7817
--- Comment #1 from Carlos O'Donell <carlos at redhat dot com> ---
* CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
under certain input conditions resulting in the execution of a shell for
command substitution when the applicaiton did not request it. The
implementation now checks WRDE_NOCMD immediately before executing the
shell and returns the error WRDE_CMDSUB as expected.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug libc/17625] wordexp fails to honour WRDE_NOCMD (CVE-2014-7817)
2014-11-19 15:59 [Bug libc/17625] New: CVE-2014-7817 carlos at redhat dot com
2014-11-19 20:03 ` [Bug libc/17625] wordexp fails to honour WRDE_NOCMD (CVE-2014-7817) carlos at redhat dot com
2014-11-19 20:04 ` carlos at redhat dot com
@ 2014-11-19 20:04 ` carlos at redhat dot com
2014-11-20 15:56 ` carlos at redhat dot com
2014-12-15 18:44 ` fweimer at redhat dot com
4 siblings, 0 replies; 6+ messages in thread
From: carlos at redhat dot com @ 2014-11-19 20:04 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17625
Carlos O'Donell <carlos at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #2 from Carlos O'Donell <carlos at redhat dot com> ---
Fixed on trunk.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug libc/17625] wordexp fails to honour WRDE_NOCMD (CVE-2014-7817)
2014-11-19 15:59 [Bug libc/17625] New: CVE-2014-7817 carlos at redhat dot com
2014-11-19 20:03 ` [Bug libc/17625] wordexp fails to honour WRDE_NOCMD (CVE-2014-7817) carlos at redhat dot com
@ 2014-11-19 20:04 ` carlos at redhat dot com
2014-11-19 20:04 ` carlos at redhat dot com
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: carlos at redhat dot com @ 2014-11-19 20:04 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17625
Carlos O'Donell <carlos at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|2.20 |2.21
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug libc/17625] wordexp fails to honour WRDE_NOCMD (CVE-2014-7817)
2014-11-19 15:59 [Bug libc/17625] New: CVE-2014-7817 carlos at redhat dot com
` (2 preceding siblings ...)
2014-11-19 20:04 ` carlos at redhat dot com
@ 2014-11-20 15:56 ` carlos at redhat dot com
2014-12-15 18:44 ` fweimer at redhat dot com
4 siblings, 0 replies; 6+ messages in thread
From: carlos at redhat dot com @ 2014-11-20 15:56 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17625
--- Comment #3 from Carlos O'Donell <carlos at redhat dot com> ---
commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c
Author: Carlos O'Donell <carlos@redhat.com>
Date: Wed Nov 19 11:44:12 2014 -0500
CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.
We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).
Tested on x86_64 with no regressions.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug libc/17625] wordexp fails to honour WRDE_NOCMD (CVE-2014-7817)
2014-11-19 15:59 [Bug libc/17625] New: CVE-2014-7817 carlos at redhat dot com
` (3 preceding siblings ...)
2014-11-20 15:56 ` carlos at redhat dot com
@ 2014-12-15 18:44 ` fweimer at redhat dot com
4 siblings, 0 replies; 6+ messages in thread
From: fweimer at redhat dot com @ 2014-12-15 18:44 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17625
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Flags| |security+
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2014-12-15 18:44 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-11-19 15:59 [Bug libc/17625] New: CVE-2014-7817 carlos at redhat dot com
2014-11-19 20:03 ` [Bug libc/17625] wordexp fails to honour WRDE_NOCMD (CVE-2014-7817) carlos at redhat dot com
2014-11-19 20:04 ` carlos at redhat dot com
2014-11-19 20:04 ` carlos at redhat dot com
2014-11-20 15:56 ` carlos at redhat dot com
2014-12-15 18:44 ` fweimer at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).