From: Raphael Moreira Zinsly
To: libc-stable@sourceware.org
Subject: [PATCH 2.22 02/14] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]
Date: Mon, 01 Jan 2018 00:00:00 -0000
Message-Id: <1522269821-15007-2-git-send-email-rzinsly@linux.vnet.ibm.com>
In-Reply-To: <1522269821-15007-1-git-send-email-rzinsly@linux.vnet.ibm.com>

From: Paul Eggert (cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90) --- ChangeLog | 6 ++++++ NEWS | 5 +++++ posix/glob.c | 2 +- 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 643aeb9..4c96691 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2017-10-20 Paul Eggert + + [BZ #22320] + CVE-2017-15670 + * posix/glob.c (__glob): Fix one-byte overflow. + 2017-08-16 Andreas Schwab * elf/ldd.bash.in: Never run file directly. diff --git a/NEWS b/NEWS index a19f656..069b3ea 100644 --- a/NEWS +++ b/NEWS @@ -63,6 +63,11 @@ Version 2.22.1 * The Sun RPC UDP client could exhaust all available stack space when flooded with crafted ICMP and UDP messages. Reported by Aldy Hernandez' alloca plugin for GCC. (CVE-2016-4429) + +* CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered + from a one-byte overflow during ~ operator processing (either on the stack + or the heap, depending on the length of the user name). + Version 2.22 diff --git a/posix/glob.c b/posix/glob.c index 60fa6c5..40496a0 100644 --- a/posix/glob.c +++ b/posix/glob.c @@ -859,7 +859,7 @@ glob (pattern, flags, errfunc, pglob) *p = '\0'; } else - *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) + *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) = '\0'; user_name = newp; } -- 1.8.3.1
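
Review bot: the ChangeLog hunk names the function as (__glob), but the posix/glob.c hunk header on this branch reads "glob (pattern, flags, errfunc, pglob)", so the cherry-picked entry does not match the code it describes here. For the 2.22 backport the line should read "* posix/glob.c (glob): Fix one-byte overflow."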
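
Review bot: the NEWS hunk leads its entry with "CVE-2017-15670:", while the entry directly above it in the same Version 2.22.1 list gives the identifier in trailing parentheses, "(CVE-2016-4429)". Follow the branch's existing style: start the item with "The glob function, when invoked with GLOB_TILDE, ..." and end it with "(CVE-2017-15670)".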
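
Review bot: the posix/glob.c hunk ships without a regression test (the diffstat lists only ChangeLog, NEWS and posix/glob.c), and its context does not show how newp is sized. The new length "end_name - dirname - 1" is the right count for a copy that starts at "dirname + 1", but the NUL is then stored at newp[end_name - dirname - 1], so please confirm that both allocation paths mentioned in the NEWS text (stack and heap) reserve at least "end_name - dirname" bytes. A glob test that uses GLOB_TILDE with a "~user/" pattern, with user names on either side of the stack/heap threshold and run under a memory checker, would guard against this coming back.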