public inbox for glibc-bugs@sourceware.org
* [Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)
From: carnil at debian dot org @ 2020-03-07 19:36 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

Salvatore Bonaccorso <carnil at debian dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carnil at debian dot org

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)
From: fw at deneb dot enyo.de @ 2020-03-13  6:46 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

Florian Weimer <fw at deneb dot enyo.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fw at deneb dot enyo.de

--- Comment #7 from Florian Weimer <fw at deneb dot enyo.de> ---
How exploitable is this bug in glibc, given its tendency to use alloca for
these allocations? Even with a huge user home directory (which needs malloc),
the previous string seems to be allocated on the stack.

I've confirmed that the bug goes back to at least glibc 2.19.


* [Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)
From: fw at deneb dot enyo.de @ 2020-03-13  7:32 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #8 from Florian Weimer <fw at deneb dot enyo.de> ---
I bisected this bug down to:

commit f2962a71959fd254a7a223437ca4b63b9e81130c
Author: Ulrich Drepper <drepper@gmail.com>
Date:   Sun May 22 23:04:16 2011 -0400

    Add a few more alloca size checks

It went into glibc 2.14.


* [Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)
From: cvs-commit at gcc dot gnu.org @ 2020-03-18  0:23 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.31/master branch has been updated by Patricia Franklin
<patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ab029a2801d4ddfeade8f64a6e46ee7e47fde710

commit ab029a2801d4ddfeade8f64a6e46ee7e47fde710
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)

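The ordering the commit message describes, as a constructed C model added here (not glibc's glob code): `dirname` is a private copy of the pattern, `end_name` points into it, and the copy is released only after the last read through `end_name`. `lookup_home` is an assumed stand-in for the password-database lookup, and the model always takes the heap path, which Florian's comments identify as the one where the bug was reachable.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the password-database lookup (assumption, not
   glibc code): maps a user name of the given length to a home directory. */
static const char *lookup_home(const char *user, size_t len)
{
  return (len == 5 && memcmp(user, "alice", 5) == 0) ? "/home/alice" : NULL;
}
/* Expand "~user/rest" to "<home>/rest"; returns a malloc'd string or NULL.
   dirname is a private copy of the pattern and end_name points INTO it, so
   dirname must outlive the last read through end_name (the bug 25414 fix). */
char *expand_tilde_user(const char *pattern)
{
  if (pattern[0] != '~') return NULL;
  size_t patlen = strlen(pattern);
  /* glibc uses alloca for short names and malloc for long ones (the thread
     bisects the bug to the alloca size checks); this model always mallocs. */
  char *dirname = malloc(patlen + 1);
  if (dirname == NULL) return NULL;
  memcpy(dirname, pattern, patlen + 1);
  /* end_name: the '/' that ends the user name, or the terminating NUL. */
  char *end_name = strchr(dirname + 1, '/');
  if (end_name == NULL) end_name = dirname + patlen;
  const char *home = lookup_home(dirname + 1, (size_t) (end_name - dirname - 1));
  char *result = NULL;
  if (home != NULL)
    {
      size_t homelen = strlen(home), restlen = strlen(end_name); /* last use */
      result = malloc(homelen + restlen + 1);
      if (result != NULL)
        {
          memcpy(result, home, homelen);
          memcpy(result + homelen, end_name, restlen + 1);
        }
    }
  /* The fix: release dirname only here, after end_name's last use. Freeing it
     before the block above is the use-after-free the commit removes. */
  free(dirname);
  return result;
}
/* Test helper: 1 if pattern expands to expected (NULL means no expansion). */
int expands_to(const char *pattern, const char *expected)
{
  char *got = expand_tilde_user(pattern);
  int ok = (got == NULL) ? (expected == NULL)
                         : (expected != NULL && strcmp(got, expected) == 0);
  free(got);
  return ok;
}
```

Building the model with AddressSanitizer and moving `free (dirname)` above the `if (home != NULL)` block reproduces the heap-use-after-free report that the fix prevents.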

* [Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)
From: cvs-commit at gcc dot gnu.org @ 2020-03-18  1:40 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #10 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.30/master branch has been updated by Patricia Franklin
<patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=da97c6b88eb03fb834e92964b0895c2ac8d61f63

commit da97c6b88eb03fb834e92964b0895c2ac8d61f63
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)


* [Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)
From: cvs-commit at gcc dot gnu.org @ 2020-03-18  2:33 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #11 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.29/master branch has been updated by Patricia Franklin
<patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9aaebaf805f24ae10e0bfad332d6d5eabd58c451

commit 9aaebaf805f24ae10e0bfad332d6d5eabd58c451
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)


* [Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)
From: cvs-commit at gcc dot gnu.org @ 2020-03-19 21:53 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #12 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Aurelien Jarno <aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=39a05214fe14ff722d4d92e697fb71ff15e84e70

commit 39a05214fe14ff722d4d92e697fb71ff15e84e70
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Thu Mar 19 22:53:00 2020 +0100

    Add NEWS entry for CVE-2020-1752 (bug 25414)


* [Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)
From: cvs-commit at gcc dot gnu.org @ 2020-03-19 22:07 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #13 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.31/master branch has been updated by Aurelien Jarno
<aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3937f6806d9de4bbd25ff6e6dc4df8f47ad47573

commit 3937f6806d9de4bbd25ff6e6dc4df8f47ad47573
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Thu Mar 19 22:53:00 2020 +0100

    Add NEWS entry for CVE-2020-1752 (bug 25414)

    (cherry picked from commit 39a05214fe14ff722d4d92e697fb71ff15e84e70)


* [Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)
From: cvs-commit at gcc dot gnu.org @ 2020-03-19 22:13 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #14 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.30/master branch has been updated by Aurelien Jarno
<aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6b11f60c700c9b50aba1a7f123411add5ade733c

commit 6b11f60c700c9b50aba1a7f123411add5ade733c
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Thu Mar 19 22:53:00 2020 +0100

    Add NEWS entry for CVE-2020-1752 (bug 25414)

    (cherry picked from commit 39a05214fe14ff722d4d92e697fb71ff15e84e70)


* [Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)
From: cvs-commit at gcc dot gnu.org @ 2020-03-20 21:02 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #15 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.28/master branch has been updated by Tulio Magno Quites Machado
Filho <tuliom@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=21344a3d62a29406fddeec069ee4eb3c341369f9

commit 21344a3d62a29406fddeec069ee4eb3c341369f9
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)


* [Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)
From: cvs-commit at gcc dot gnu.org @ 2020-03-20 21:23 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #16 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.26/master branch has been updated by Tulio Magno Quites Machado
Filho <tuliom@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a

commit 263e6175999bc7f5adb8b32fd12fcfae3f0bb05a
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c with
     changes from commit d711a00f93fa964f41a53839228598fbf1a6b482)
