From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 93029 invoked by alias); 7 Oct 2017 12:01:26 -0000 Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Subscribe: List-Archive: Sender: libc-stable-owner@sourceware.org Received: (qmail 93016 invoked by uid 89); 7 Oct 2017 12:01:25 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.99.2 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-25.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY,RP_MATCHES_RCVD,SPF_HELO_PASS autolearn=ham version=3.3.2 spammy= X-Spam-Status: No, score=-25.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY,RP_MATCHES_RCVD,SPF_HELO_PASS autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org X-Spam-Level: X-HELO: mx1.redhat.com Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Sat, 07 Oct 2017 12:01:24 +0000 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 51D58356C8 for ; Sat, 7 Oct 2017 12:01:23 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 51D58356C8 Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=fweimer@redhat.com Received: from oldenburg.str.redhat.com (ovpn-116-33.ams2.redhat.com [10.36.116.33]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1E07517B15 for ; Sat, 7 Oct 2017 12:01:23 +0000 (UTC) Received: by oldenburg.str.redhat.com (Postfix, from userid 1000) id 6602B401A7ED7; Sat, 7 Oct 2017 14:01:22 +0200 (CEST) Date: Sun, 01 Jan 2017 00:00:00 -0000 To: libc-stable@sourceware.org Subject: [2.24 COMMITTED] Fix cast-after-dereference User-Agent: Heirloom mailx 12.5 7/5/10 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20171007120122.6602B401A7ED7@oldenburg.str.redhat.com> From: fweimer@redhat.com (Florian Weimer) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Sat, 07 Oct 2017 12:01:23 +0000 (UTC) X-IsSubscribed: yes X-SW-Source: 2017-10/txt/msg00007.txt.bz2 From: DJ Delorie Original code was dereferencing a char*, then casting the value to size_t. Should cast the pointer to size_t* then deference. (cherry picked from commit f8cef4d07d9641e27629bd3ce2d13f5d702fb251) 2017-07-19 DJ Delorie [BZ #21654] * grp/grp-merge.c (libc_hidden_def): Fix cast-after-dereference. diff --git a/NEWS b/NEWS index f60077bee5..f03910105a 100644 --- a/NEWS +++ b/NEWS @@ -28,6 +28,7 @@ The following bugs are resolved with this release: [21386] Assertion in fork for distinct parent PID is incorrect [21609] x86-64: Align the stack in __tls_get_addr [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366) + [21654] nss: Fix invalid cast in group merging Version 2.24 diff --git a/grp/grp-merge.c b/grp/grp-merge.c index 50573b8986..5f79755798 100644 --- a/grp/grp-merge.c +++ b/grp/grp-merge.c @@ -137,7 +137,7 @@ __merge_grp (struct group *savedgrp, char *savedbuf, char *savedend, /* Get the count of group members from the last sizeof (size_t) bytes in the mergegrp buffer. */ - savedmemcount = (size_t) *(savedend - sizeof (size_t)); + savedmemcount = *(size_t *) (savedend - sizeof (size_t)); /* Get the count of new members to add. */ for (memcount = 0; mergegrp->gr_mem[memcount]; memcount++)