Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Received: from aurel32 by ohm.aurel32.net with local (Exim 4.90_RC3); Fri, 15 Dec 2017 12:30:01 +0100
Date: Sun, 01 Jan 2017 00:00:00 -0000
From: Aurelien Jarno
To: "Dmitry V. Levin"
Cc: libc-stable@sourceware.org
Subject: Re: [COMMITTED 2.25 3/8] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]
Message-ID: <20171215113001.GA9955@aurel32.net>
References: <20171202095206.9955-1-aurelien@aurel32.net> <20171202095206.9955-3-aurelien@aurel32.net> <20171215004112.GB28726@altlinux.org>
In-Reply-To: <20171215004112.GB28726@altlinux.org>

On 2017-12-15 03:41, Dmitry V. Levin wrote:
> On Sat, Dec 02, 2017 at 10:52:01AM +0100, Aurelien Jarno wrote:
> > From: Paul Eggert
> >
> > (cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)
> > ---
> > ChangeLog | 6 ++++++
> > NEWS | 7 +++++++
> > posix/glob.c | 2 +-
> > 3 files changed, 14 insertions(+), 1 deletion(-)
> >
> > diff --git a/ChangeLog b/ChangeLog
> > index f9ea53f23e..44eb9d7d7c 100644
> > --- a/ChangeLog
> > +++ b/ChangeLog
> > @@ -1,3 +1,9 @@
> > +2017-10-20 Paul Eggert
> > +
> > + [BZ #22320]
> > + CVE-2017-15670
> > + * posix/glob.c (__glob): Fix one-byte overflow.
> > +
> > 2017-09-08 Adhemerval Zanella
> >
> > [BZ #1062]
> > diff --git a/NEWS b/NEWS
> > index 1879b735e6..98aa362444 100644
> > --- a/NEWS
> > +++ b/NEWS
> > @@ -29,6 +29,13 @@ The following bugs are resolved with this release:
> > [21778] Robust mutex may deadlock
> > [21972] assert macro requires operator== (int) for its argument type
> > [22322] libc: [mips64] wrong bits/long-double.h installed
> > +
> > +Security related changes:
> > +
> > + CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
> > + from a one-byte overflow during ~ operator processing (either on the stack
> > + or the heap, depending on the length of the user name).
> > +
> >
> > Version 2.25
> >
>
> I'd like to apply the following fix on top of it:
>
> Subject: [PATCH] NEWS: merge two sections about security related changes in 2.25.1
>
> Commit glibc-2.25-70-g717743bb07471f95bef6ea63d9b12848ad91aaf6
> introduced a second "Security related changes" section for 2.25.1.
> Merge them back into a single section.
> ---
> NEWS | 11 ++++-------
> 1 file changed, 4 insertions(+), 7 deletions(-)
>
> diff --git a/NEWS b/NEWS
> index 0a8f20e..d047d96 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -12,6 +12,10 @@ Security related changes:
> * The DNS stub resolver limits the advertised UDP buffer size to 1200 bytes,
> to avoid fragmentation-based spoofing attacks.
>
> + CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
> + from a one-byte overflow during ~ operator processing (either on the stack
> + or the heap, depending on the length of the user name).
> +
> CVE-2017-15671: The glob function, when invoked with GLOB_TILDE,
> would sometimes fail to free memory allocated during ~ operator
> processing, leading to a memory leak and, potentially, to a denial
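Review bot: the added CVE-2017-15670 entry follows the two-space indented style of the CVE-2017-15671 entry it precedes rather than the "* " bullet used by the DNS stub resolver item two lines above, so the merged section keeps mixing two list styles; that inconsistency predates this patch and is no reason to hold it, but a follow-up could put all 2.25.1 security entries in one style. Placing the entry before CVE-2017-15671 keeps the identifiers in ascending order, and the three lines are identical to the ones deleted by the second hunk, so no release-note text is lost in the merge.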
> @@ -38,13 +42,6 @@ The following bugs are resolved with this release:
> [21778] Robust mutex may deadlock
> [21972] assert macro requires operator== (int) for its argument type
> [22322] libc: [mips64] wrong bits/long-double.h installed
> -
> -Security related changes:
> -
> - CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
> - from a one-byte overflow during ~ operator processing (either on the stack
> - or the heap, depending on the length of the user name).
> -
>
> Version 2.25

Oops, I clearly failed to merge NEWS correctly, sorry about the mess.
The patch looks all good to me, thanks for noticing and fixing that.

-- 
Aurelien Jarno
GPG: 4096R/1DDD8C9B
aurelien@aurel32.net
http://www.aurel32.net