From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 97734 invoked by alias); 28 Mar 2018 20:44:01 -0000 Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Subscribe: List-Archive: Sender: libc-stable-owner@sourceware.org Received: (qmail 97047 invoked by uid 89); 28 Mar 2018 20:44:00 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.99.4 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-26.6 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.2 spammy= X-Spam-Status: No, score=-26.6 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org X-Spam-Level: X-HELO: mx0a-001b2d01.pphosted.com Received: from mx0b-001b2d01.pphosted.com (HELO mx0a-001b2d01.pphosted.com) (148.163.158.5) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 28 Mar 2018 20:43:59 +0000 Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w2SKdicg093113 for ; Wed, 28 Mar 2018 16:43:58 -0400 Received: from e36.co.us.ibm.com (e36.co.us.ibm.com [32.97.110.154]) by mx0b-001b2d01.pphosted.com with ESMTP id 2h0exw883r-1 (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT) for ; Wed, 28 Mar 2018 16:43:57 -0400 Received: from localhost by e36.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 28 Mar 2018 14:43:57 -0600 Received: from b03cxnp08026.gho.boulder.ibm.com (9.17.130.18) by e36.co.us.ibm.com (192.168.1.136) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 28 Mar 2018 14:43:54 -0600 Received: from b03ledav006.gho.boulder.ibm.com (b03ledav006.gho.boulder.ibm.com [9.17.130.237]) by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w2SKhspS11207046 for ; Wed, 28 Mar 2018 13:43:54 -0700 Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1AB8DC6037 for ; Wed, 28 Mar 2018 14:43:54 -0600 (MDT) Received: from localhost (unknown [9.85.149.193]) by b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTP id 94788C603C for ; Wed, 28 Mar 2018 14:43:53 -0600 (MDT) From: Raphael Moreira Zinsly To: libc-stable@sourceware.org Subject: [PATCH 2.22 05/14] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332] Date: Mon, 01 Jan 2018 00:00:00 -0000 X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1522269821-15007-1-git-send-email-rzinsly@linux.vnet.ibm.com> References: <1522269821-15007-1-git-send-email-rzinsly@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 18032820-0020-0000-0000-00000DA75A95 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00008760; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000255; SDB=6.01009783; UDB=6.00514430; IPR=6.00789065; MB=3.00020296; MTD=3.00000008; XFM=3.00000015; UTC=2018-03-28 20:43:56 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18032820-0021-0000-0000-000060ADB9FB Message-Id: <1522269821-15007-5-git-send-email-rzinsly@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-03-28_07:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=3 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1803280211 X-SW-Source: 2018-03/txt/msg00042.txt.bz2 From: Paul Eggert (cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8) --- ChangeLog | 6 ++++++ NEWS | 4 ++++ posix/glob.c | 4 ++-- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7af97cd..4b87910 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2017-10-22 Paul Eggert + + [BZ #22332] + * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE + unescaping. + 2017-02-27 Florian Weimer [BZ #21115] diff --git a/NEWS b/NEWS index ef34252..314a443 100644 --- a/NEWS +++ b/NEWS @@ -71,6 +71,10 @@ Version 2.22.1 * A use-after-free vulnerability in clntudp_call in the Sun RPC system has been fixed (CVE-2017-12133). +* CVE-2017-15804: The glob function, when invoked with GLOB_TILDE and without + GLOB_NOESCAPE, could write past the end of a buffer while + unescaping user names. Reported by Tim Rühsen. + Version 2.22 diff --git a/posix/glob.c b/posix/glob.c index 40496a0..c4c0532 100644 --- a/posix/glob.c +++ b/posix/glob.c @@ -839,11 +839,11 @@ glob (pattern, flags, errfunc, pglob) char *p = mempcpy (newp, dirname + 1, unescape - dirname - 1); char *q = unescape; - while (*q != '\0') + while (q != end_name) { if (*q == '\\') { - if (q[1] == '\0') + if (q + 1 == end_name) { /* "~fo\\o\\" unescape to user_name "foo\\", but "~fo\\o\\/" unescape to user_name -- 1.8.3.1