* Committed CVE-2014-7817 to 2.20.
@ 2014-01-01 0:00 Carlos O'Donell
0 siblings, 0 replies; only message in thread
From: Carlos O'Donell @ 2014-01-01 0:00 UTC (permalink / raw)
To: libc-stable
I've committed the fix for CVE-2014-7817 to
2.20. If anyone wants to backport this
to older branches, then please be my guest. It's
very self-contained and should apply cleanly
across lots of older branches.
commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c
Author: Carlos O'Donell <carlos@redhat.com>
Date: Wed Nov 19 11:44:12 2014 -0500
CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.
We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).
Tested on x86_64 with no regressions.
Cheers,
Carlos.
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2014-11-24 20:17 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-01-01 0:00 Committed CVE-2014-7817 to 2.20 Carlos O'Donell
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).