From mboxrd@z Thu Jan 1 00:00:00 1970
Received: (qmail 107932 invoked by alias); 2 Dec 2017 09:52:17 -0000
Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
From: Aurelien Jarno To: libc-stable@sourceware.org Cc: Paul Eggert Subject: [COMMITTED 2.25 3/8] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320] Date: Sun, 01 Jan 2017 00:00:00 -0000 Message-Id: <20171202095206.9955-3-aurelien@aurel32.net> X-Mailer: git-send-email 2.15.0 In-Reply-To: <20171202095206.9955-1-aurelien@aurel32.net> References: <20171202095206.9955-1-aurelien@aurel32.net> X-IsSubscribed: yes X-SW-Source: 2017-12/txt/msg00011.txt.bz2 From: Paul Eggert (cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90) --- ChangeLog | 6 ++++++ NEWS | 7 +++++++ posix/glob.c | 2 +- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index f9ea53f23e..44eb9d7d7c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2017-10-20 Paul Eggert + + [BZ #22320] + CVE-2017-15670 + * posix/glob.c (__glob): Fix one-byte overflow. + 2017-09-08 Adhemerval Zanella [BZ #1062] diff --git a/NEWS b/NEWS index 1879b735e6..98aa362444 100644 --- a/NEWS +++ b/NEWS @@ -29,6 +29,13 @@ The following bugs are resolved with this release: [21778] Robust mutex may deadlock [21972] assert macro requires operator== (int) for its argument type [22322] libc: [mips64] wrong bits/long-double.h installed + +Security related changes: + + CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered + from a one-byte overflow during ~ operator processing (either on the stack + or the heap, depending on the length of the user name). + Version 2.25 diff --git a/posix/glob.c b/posix/glob.c index a7eccf9cb4..c761c0861d 100644 --- a/posix/glob.c +++ b/posix/glob.c @@ -870,7 +870,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int), *p = '\0'; } else - *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) + *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) = '\0'; user_name = newp; } -- 2.15.0
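Review bot: In the ChangeLog hunk the entry names `__glob` ("* posix/glob.c (__glob): Fix one-byte overflow."), but the glob.c hunk header on this branch reads `glob (const char *pattern, int flags, int (*errfunc) (const char *, int),`, so the backported entry refers to a function name that does not exist in 2.25. Suggest changing it to `* posix/glob.c (glob): Fix one-byte overflow.` so the ChangeLog matches the code it describes.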
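Review bot: In the NEWS hunk the "Security related changes" paragraph is added under the release notes whose bug list reads "[21778] ...", "[21972] ...", "[22322] ...", yet bug 22320 that this commit fixes (BZ #22320 in the ChangeLog) is not added to that "The following bugs are resolved with this release" list. Suggest adding a line such as `[22320] glob: Fix one-byte overflow` to the list so the resolved-bug index and the CVE note agree.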
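Review bot: In the glob.c hunk the change from `end_name - dirname` to `end_name - dirname - 1` is the right length, since the copy starts at `dirname + 1` (skipping the leading `~`) while the old count still included that first byte, so the terminating `'\0'` landed one byte past the user-name buffer; but nothing in the patch documents why, and the subtraction is easy to regress. Suggest writing the length as `end_name - (dirname + 1)` or adding a one-line comment tying it to the `dirname + 1` source pointer, and, since the NEWS text says the overflow hits either the stack or the heap depending on the user-name length, adding a regression test under posix/ that calls glob with GLOB_TILDE on both a short and a long `~user` pattern so the fix is covered on both allocation paths.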