* [COMMITTED 2.26 2/4] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]
2017-01-01 0:00 [COMMITTED 2.26 1/4] Update NEWS and ChangeLog for CVE-2017-15671 Aurelien Jarno
2017-01-01 0:00 ` [COMMITTED 2.26 4/4] Update NEWS to add CVE-2017-15804 entry Aurelien Jarno
2017-01-01 0:00 ` [COMMITTED 2.26 3/4] posix/tst-glob-tilde.c: Add test for bug 22332 Aurelien Jarno
@ 2017-01-01 0:00 ` Aurelien Jarno
2 siblings, 0 replies; 4+ messages in thread
From: Aurelien Jarno @ 2017-01-01 0:00 UTC (permalink / raw)
To: libc-stable; +Cc: Paul Eggert
From: Paul Eggert <eggert@cs.ucla.edu>
(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
---
ChangeLog | 6 ++++++
NEWS | 4 ++++
posix/glob.c | 4 ++--
3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 1793816794..0ab08782b4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-10-22 Paul Eggert <eggert@cs.ucla.edu>
+
+ [BZ #22332]
+ * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
+ unescaping.
+
2017-10-23 Wilco Dijkstra <wdijkstr@arm.com>
* malloc/malloc.c (_int_malloc): Add SINGLE_THREAD_P path.
diff --git a/NEWS b/NEWS
index 037b28cb9b..7d3a326d88 100644
--- a/NEWS
+++ b/NEWS
@@ -35,6 +35,10 @@ Security related changes:
processing, leading to a memory leak and, potentially, to a denial
of service.
+ The glob function, when invoked with GLOB_TILDE and without
+ GLOB_NOESCAPE, could write past the end of a buffer while
+ unescaping user names. Reported by Tim Rühsen.
+
The following bugs are resolved with this release:
[16750] ldd: Never run file directly.
diff --git a/posix/glob.c b/posix/glob.c
index c761c0861d..b2273ea7bc 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -850,11 +850,11 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
char *p = mempcpy (newp, dirname + 1,
unescape - dirname - 1);
char *q = unescape;
- while (*q != '\0')
+ while (q != end_name)
{
if (*q == '\\')
{
- if (q[1] == '\0')
+ if (q + 1 == end_name)
{
/* "~fo\\o\\" unescape to user_name "foo\\",
but "~fo\\o\\/" unescape to user_name
--
2.15.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [COMMITTED 2.26 3/4] posix/tst-glob-tilde.c: Add test for bug 22332
2017-01-01 0:00 [COMMITTED 2.26 1/4] Update NEWS and ChangeLog for CVE-2017-15671 Aurelien Jarno
2017-01-01 0:00 ` [COMMITTED 2.26 4/4] Update NEWS to add CVE-2017-15804 entry Aurelien Jarno
@ 2017-01-01 0:00 ` Aurelien Jarno
2017-01-01 0:00 ` [COMMITTED 2.26 2/4] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332] Aurelien Jarno
2 siblings, 0 replies; 4+ messages in thread
From: Aurelien Jarno @ 2017-01-01 0:00 UTC (permalink / raw)
To: libc-stable; +Cc: Florian Weimer
From: Florian Weimer <fweimer@redhat.com>
(cherry picked from commit 2fac6a6cd50c22ac28c97d0864306594807ade3e)
---
ChangeLog | 7 +++++++
posix/tst-glob-tilde.c | 53 ++++++++++++++++++++++++++++----------------------
2 files changed, 37 insertions(+), 23 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 0ab08782b4..fab886ab01 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-11-02 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #22332]
+ * posix/tst-glob-tilde.c (do_noescape): New variable.
+ (one_test): Process it.
+ (do_test): Set do_noescape. Add unescaping test case.
+
2017-10-22 Paul Eggert <eggert@cs.ucla.edu>
[BZ #22332]
diff --git a/posix/tst-glob-tilde.c b/posix/tst-glob-tilde.c
index 9518b4a6f8..6886f4371f 100644
--- a/posix/tst-glob-tilde.c
+++ b/posix/tst-glob-tilde.c
@@ -1,4 +1,4 @@
-/* Check for GLOB_TIDLE heap allocation issues (bug 22320, bug 22325).
+/* Check for GLOB_TIDLE heap allocation issues (bugs 22320, 22325, 22332).
Copyright (C) 2017 Free Software Foundation, Inc.
This file is part of the GNU C Library.
@@ -34,6 +34,9 @@ static int do_nocheck;
/* Flag which indicates whether to pass the GLOB_MARK flag. */
static int do_mark;
+/* Flag which indicates whether to pass the GLOB_NOESCAPE flag. */
+static int do_noescape;
+
static void
one_test (const char *prefix, const char *middle, const char *suffix)
{
@@ -45,6 +48,8 @@ one_test (const char *prefix, const char *middle, const char *suffix)
flags |= GLOB_NOCHECK;
if (do_mark)
flags |= GLOB_MARK;
+ if (do_noescape)
+ flags |= GLOB_NOESCAPE;
glob_t gl;
/* This glob call might result in crashes or memory leaks. */
if (glob (pattern, flags, NULL, &gl) == 0)
@@ -105,28 +110,30 @@ do_test (void)
for (do_onlydir = 0; do_onlydir < 2; ++do_onlydir)
for (do_nocheck = 0; do_nocheck < 2; ++do_nocheck)
for (do_mark = 0; do_mark < 2; ++do_mark)
- for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
- {
- for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
- ++size_skew)
- {
- int size = base_sizes[base_idx] + size_skew;
- if (size < 0)
- continue;
-
- const char *user_name = repeating_string (size);
- one_test ("~", user_name, "/a/b");
- }
-
- const char *user_name = repeating_string (base_sizes[base_idx]);
- one_test ("~", user_name, "");
- one_test ("~", user_name, "/");
- one_test ("~", user_name, "/a");
- one_test ("~", user_name, "/*/*");
- one_test ("~", user_name, "\\/");
- one_test ("/~", user_name, "");
- one_test ("*/~", user_name, "/a/b");
- }
+ for (do_noescape = 0; do_noescape < 2; ++do_noescape)
+ for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
+ {
+ for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
+ ++size_skew)
+ {
+ int size = base_sizes[base_idx] + size_skew;
+ if (size < 0)
+ continue;
+
+ const char *user_name = repeating_string (size);
+ one_test ("~", user_name, "/a/b");
+ one_test ("~", user_name, "x\\x\\x////x\\a");
+ }
+
+ const char *user_name = repeating_string (base_sizes[base_idx]);
+ one_test ("~", user_name, "");
+ one_test ("~", user_name, "/");
+ one_test ("~", user_name, "/a");
+ one_test ("~", user_name, "/*/*");
+ one_test ("~", user_name, "\\/");
+ one_test ("/~", user_name, "");
+ one_test ("*/~", user_name, "/a/b");
+ }
free (repeat);
--
2.15.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [COMMITTED 2.26 4/4] Update NEWS to add CVE-2017-15804 entry
2017-01-01 0:00 [COMMITTED 2.26 1/4] Update NEWS and ChangeLog for CVE-2017-15671 Aurelien Jarno
@ 2017-01-01 0:00 ` Aurelien Jarno
2017-01-01 0:00 ` [COMMITTED 2.26 3/4] posix/tst-glob-tilde.c: Add test for bug 22332 Aurelien Jarno
2017-01-01 0:00 ` [COMMITTED 2.26 2/4] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332] Aurelien Jarno
2 siblings, 0 replies; 4+ messages in thread
From: Aurelien Jarno @ 2017-01-01 0:00 UTC (permalink / raw)
To: libc-stable; +Cc: Aurelien Jarno
(cherry picked from commit 15e84c63c05e0652047ba5e738c54d79d62ba74b)
---
NEWS | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index 7d3a326d88..61bffe0451 100644
--- a/NEWS
+++ b/NEWS
@@ -35,8 +35,8 @@ Security related changes:
processing, leading to a memory leak and, potentially, to a denial
of service.
- The glob function, when invoked with GLOB_TILDE and without
- GLOB_NOESCAPE, could write past the end of a buffer while
+ CVE-2017-15804: The glob function, when invoked with GLOB_TILDE and
+ without GLOB_NOESCAPE, could write past the end of a buffer while
unescaping user names. Reported by Tim Rühsen.
The following bugs are resolved with this release:
--
2.15.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [COMMITTED 2.26 1/4] Update NEWS and ChangeLog for CVE-2017-15671
@ 2017-01-01 0:00 Aurelien Jarno
2017-01-01 0:00 ` [COMMITTED 2.26 4/4] Update NEWS to add CVE-2017-15804 entry Aurelien Jarno
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Aurelien Jarno @ 2017-01-01 0:00 UTC (permalink / raw)
To: libc-stable; +Cc: Florian Weimer
From: Florian Weimer <fweimer@redhat.com>
(cherry picked from commit 914c9994d27b80bc3b71c483e801a4f04e269ba6)
---
NEWS | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/NEWS b/NEWS
index 359465ff3e..037b28cb9b 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,11 @@ Security related changes:
on the stack or the heap, depending on the length of the user name).
Reported by Tim Rühsen.
+ CVE-2017-15671: The glob function, when invoked with GLOB_TILDE,
+ would sometimes fail to free memory allocated during ~ operator
+ processing, leading to a memory leak and, potentially, to a denial
+ of service.
+
The following bugs are resolved with this release:
[16750] ldd: Never run file directly.
--
2.15.0
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-12-01 22:13 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-01-01 0:00 [COMMITTED 2.26 1/4] Update NEWS and ChangeLog for CVE-2017-15671 Aurelien Jarno
2017-01-01 0:00 ` [COMMITTED 2.26 4/4] Update NEWS to add CVE-2017-15804 entry Aurelien Jarno
2017-01-01 0:00 ` [COMMITTED 2.26 3/4] posix/tst-glob-tilde.c: Add test for bug 22332 Aurelien Jarno
2017-01-01 0:00 ` [COMMITTED 2.26 2/4] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332] Aurelien Jarno
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).