From: Raphael Moreira Zinsly <rzinsly@linux.vnet.ibm.com>
To: libc-stable@sourceware.org
Subject: [PATCH 2.22 05/14] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]
Date: Mon, 01 Jan 2018 00:00:00 -0000 [thread overview]
Message-ID: <1522269821-15007-5-git-send-email-rzinsly@linux.vnet.ibm.com> (raw)
In-Reply-To: <1522269821-15007-1-git-send-email-rzinsly@linux.vnet.ibm.com>
From: Paul Eggert <eggert@cs.ucla.edu>
(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
---
ChangeLog | 6 ++++++
NEWS | 4 ++++
posix/glob.c | 4 ++--
3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 7af97cd..4b87910 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-10-22 Paul Eggert <eggert@cs.ucla.edu>
+
+ [BZ #22332]
+ * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
+ unescaping.
+
2017-02-27 Florian Weimer <fweimer@redhat.com>
[BZ #21115]
diff --git a/NEWS b/NEWS
index ef34252..314a443 100644
--- a/NEWS
+++ b/NEWS
@@ -71,6 +71,10 @@ Version 2.22.1
* A use-after-free vulnerability in clntudp_call in the Sun RPC system has been
fixed (CVE-2017-12133).
+* CVE-2017-15804: The glob function, when invoked with GLOB_TILDE and without
+ GLOB_NOESCAPE, could write past the end of a buffer while
+ unescaping user names. Reported by Tim Rühsen.
+
\f
Version 2.22
diff --git a/posix/glob.c b/posix/glob.c
index 40496a0..c4c0532 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -839,11 +839,11 @@ glob (pattern, flags, errfunc, pglob)
char *p = mempcpy (newp, dirname + 1,
unescape - dirname - 1);
char *q = unescape;
- while (*q != '\0')
+ while (q != end_name)
{
if (*q == '\\')
{
- if (q[1] == '\0')
+ if (q + 1 == end_name)
{
/* "~fo\\o\\" unescape to user_name "foo\\",
but "~fo\\o\\/" unescape to user_name
--
1.8.3.1
next prev parent reply other threads:[~2018-03-28 20:44 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-01 0:00 [PATCH 2.22 01/14] ldd: never run file directly Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 14/14] Record CVE-2018-6551 in NEWS and ChangeLog [BZ #22774] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 01/14] ldd: never run file directly Carlos O'Donell
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22 09/14] elf: Compute correct array size in _dl_init_paths [BZ #22606] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 03/14] glob: Add new test tst-glob-tilde Raphael Moreira Zinsly
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22] Synchronize support/ infrastructure with master Raphael Moreira Zinsly
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22] posix: Sync glob with gnulib [BZ #1062] Raphael Moreira Zinsly
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22] Synchronize support/ infrastructure with master Carlos O'Donell
2018-01-01 0:00 ` Raphael Moreira Zinsly [this message]
2018-01-01 0:00 ` [PATCH 2.22 10/14] Fix integer overflows in internal memalign and malloc functions [BZ #22343] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 v2] " Raphael Moreira Zinsly
2018-01-01 0:00 ` Carlos O'Donell
[not found] ` <20180405194944.GA44061@aloka.lostca.se>
2018-01-01 0:00 ` Carlos O'Donell
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22 08/14] <array_length.h>: New array_length and array_end macros Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 06/14] elf: Check for empty tokens before dynamic string token expansion [BZ #22625] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 11/14] linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 04/14] sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 02/14] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 07/14] elf: Count components of the expanded path in _dl_init_path [BZ #22607] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 12/14] Add ChangeLog reference to bug 16750/CVE-2009-5064 Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 13/14] Record CVE-2018-6485 in ChangeLog and NEWS [BZ #22343] Raphael Moreira Zinsly
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1522269821-15007-5-git-send-email-rzinsly@linux.vnet.ibm.com \
--to=rzinsly@linux.vnet.ibm.com \
--cc=libc-stable@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).