[COMMITTED 2.26 2/4] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]

[COMMITTED 2.26 2/4] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]

[Aurelien Jarno]

From: Paul Eggert <eggert@cs.ucla.edu>

(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
---
 ChangeLog    | 6 ++++++
 NEWS         | 4 ++++
 posix/glob.c | 4 ++--
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1793816794..0ab08782b4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-10-22  Paul Eggert <eggert@cs.ucla.edu>
+
+	[BZ #22332]
+	* posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
+	unescaping.
+
 2017-10-23  Wilco Dijkstra  <wdijkstr@arm.com>
 
 	* malloc/malloc.c (_int_malloc): Add SINGLE_THREAD_P path.
diff --git a/NEWS b/NEWS
index 037b28cb9b..7d3a326d88 100644
--- a/NEWS
+++ b/NEWS
@@ -35,6 +35,10 @@ Security related changes:
   processing, leading to a memory leak and, potentially, to a denial
   of service.
 
+  The glob function, when invoked with GLOB_TILDE and without
+  GLOB_NOESCAPE, could write past the end of a buffer while
+  unescaping user names.  Reported by Tim Rühsen.
+
 The following bugs are resolved with this release:
 
   [16750] ldd: Never run file directly.
diff --git a/posix/glob.c b/posix/glob.c
index c761c0861d..b2273ea7bc 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -850,11 +850,11 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 		  char *p = mempcpy (newp, dirname + 1,
 				     unescape - dirname - 1);
 		  char *q = unescape;
-		  while (*q != '\0')
+		  while (q != end_name)
 		    {
 		      if (*q == '\\')
 			{
-			  if (q[1] == '\0')
+			  if (q + 1 == end_name)
 			    {
 			      /* "~fo\\o\\" unescape to user_name "foo\\",
 				 but "~fo\\o\\/" unescape to user_name
-- 
2.15.0

[COMMITTED 2.26 3/4] posix/tst-glob-tilde.c: Add test for bug 22332

[Aurelien Jarno]

From: Florian Weimer <fweimer@redhat.com>

(cherry picked from commit 2fac6a6cd50c22ac28c97d0864306594807ade3e)
---
 ChangeLog              |  7 +++++++
 posix/tst-glob-tilde.c | 53 ++++++++++++++++++++++++++++----------------------
 2 files changed, 37 insertions(+), 23 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 0ab08782b4..fab886ab01 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-11-02  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #22332]
+	* posix/tst-glob-tilde.c (do_noescape): New variable.
+	(one_test): Process it.
+	(do_test): Set do_noescape.  Add unescaping test case.
+
 2017-10-22  Paul Eggert <eggert@cs.ucla.edu>
 
 	[BZ #22332]
diff --git a/posix/tst-glob-tilde.c b/posix/tst-glob-tilde.c
index 9518b4a6f8..6886f4371f 100644
--- a/posix/tst-glob-tilde.c
+++ b/posix/tst-glob-tilde.c
@@ -1,4 +1,4 @@
-/* Check for GLOB_TIDLE heap allocation issues (bug 22320, bug 22325).
+/* Check for GLOB_TIDLE heap allocation issues (bugs 22320, 22325, 22332).
    Copyright (C) 2017 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -34,6 +34,9 @@ static int do_nocheck;
 /* Flag which indicates whether to pass the GLOB_MARK flag.  */
 static int do_mark;
 
+/* Flag which indicates whether to pass the GLOB_NOESCAPE flag.  */
+static int do_noescape;
+
 static void
 one_test (const char *prefix, const char *middle, const char *suffix)
 {
@@ -45,6 +48,8 @@ one_test (const char *prefix, const char *middle, const char *suffix)
     flags |= GLOB_NOCHECK;
   if (do_mark)
     flags |= GLOB_MARK;
+  if (do_noescape)
+    flags |= GLOB_NOESCAPE;
   glob_t gl;
   /* This glob call might result in crashes or memory leaks.  */
   if (glob (pattern, flags, NULL, &gl) == 0)
@@ -105,28 +110,30 @@ do_test (void)
   for (do_onlydir = 0; do_onlydir < 2; ++do_onlydir)
     for (do_nocheck = 0; do_nocheck < 2; ++do_nocheck)
       for (do_mark = 0; do_mark < 2; ++do_mark)
-        for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
-          {
-            for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
-                 ++size_skew)
-              {
-                int size = base_sizes[base_idx] + size_skew;
-                if (size < 0)
-                  continue;
-
-                const char *user_name = repeating_string (size);
-                one_test ("~", user_name, "/a/b");
-              }
-
-            const char *user_name = repeating_string (base_sizes[base_idx]);
-            one_test ("~", user_name, "");
-            one_test ("~", user_name, "/");
-            one_test ("~", user_name, "/a");
-            one_test ("~", user_name, "/*/*");
-            one_test ("~", user_name, "\\/");
-            one_test ("/~", user_name, "");
-            one_test ("*/~", user_name, "/a/b");
-          }
+	for (do_noescape = 0; do_noescape < 2; ++do_noescape)
+	  for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
+	    {
+	      for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
+		   ++size_skew)
+		{
+		  int size = base_sizes[base_idx] + size_skew;
+		  if (size < 0)
+		    continue;
+
+		  const char *user_name = repeating_string (size);
+		  one_test ("~", user_name, "/a/b");
+		  one_test ("~", user_name, "x\\x\\x////x\\a");
+		}
+
+	      const char *user_name = repeating_string (base_sizes[base_idx]);
+	      one_test ("~", user_name, "");
+	      one_test ("~", user_name, "/");
+	      one_test ("~", user_name, "/a");
+	      one_test ("~", user_name, "/*/*");
+	      one_test ("~", user_name, "\\/");
+	      one_test ("/~", user_name, "");
+	      one_test ("*/~", user_name, "/a/b");
+	    }
 
   free (repeat);
 
-- 
2.15.0

[COMMITTED 2.26 4/4] Update NEWS to add CVE-2017-15804 entry

[Aurelien Jarno]

(cherry picked from commit 15e84c63c05e0652047ba5e738c54d79d62ba74b)
---
 NEWS | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 7d3a326d88..61bffe0451 100644
--- a/NEWS
+++ b/NEWS
@@ -35,8 +35,8 @@ Security related changes:
   processing, leading to a memory leak and, potentially, to a denial
   of service.
 
-  The glob function, when invoked with GLOB_TILDE and without
-  GLOB_NOESCAPE, could write past the end of a buffer while
+  CVE-2017-15804: The glob function, when invoked with GLOB_TILDE and
+  without GLOB_NOESCAPE, could write past the end of a buffer while
   unescaping user names.  Reported by Tim Rühsen.
 
 The following bugs are resolved with this release:
-- 
2.15.0

[COMMITTED 2.26 1/4] Update NEWS and ChangeLog for CVE-2017-15671

[Aurelien Jarno]

From: Florian Weimer <fweimer@redhat.com>

(cherry picked from commit 914c9994d27b80bc3b71c483e801a4f04e269ba6)
---
 NEWS | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/NEWS b/NEWS
index 359465ff3e..037b28cb9b 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,11 @@ Security related changes:
   on the stack or the heap, depending on the length of the user name).
   Reported by Tim Rühsen.
 
+  CVE-2017-15671: The glob function, when invoked with GLOB_TILDE,
+  would sometimes fail to free memory allocated during ~ operator
+  processing, leading to a memory leak and, potentially, to a denial
+  of service.
+
 The following bugs are resolved with this release:
 
   [16750] ldd: Never run file directly.
-- 
2.15.0