| From a76376df7c07e577a9515c3faa5dbd50bda5da07 Mon Sep 17 00:00:00 2001 |
| From: Paul Eggert <eggert@cs.ucla.edu> |
| Date: Fri, 20 Oct 2017 18:41:14 +0200 |
| Subject: [PATCH] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320] |
| |
| (cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90) |
| |
| Upstream-Status: Backport |
| CVE: CVE-2017-15670 |
| Affects: glibc < 2.27 |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| ChangeLog | 6 ++++++ |
| NEWS | 5 +++++ |
| posix/glob.c | 2 +- |
| 3 files changed, 12 insertions(+), 1 deletion(-) |
| |
| Index: git/NEWS |
| =================================================================== |
| --- git.orig/NEWS |
| +++ git/NEWS |
| @@ -206,6 +206,11 @@ Security related changes: |
| * A use-after-free vulnerability in clntudp_call in the Sun RPC system has been |
| fixed (CVE-2017-12133). |
| |
| + CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, |
| + suffered from a one-byte overflow during ~ operator processing (either |
| + on the stack or the heap, depending on the length of the user name). |
| + Reported by Tim RΓΌhsen. |
| + |
| The following bugs are resolved with this release: |
| |
| [984] network: Respond to changed resolv.conf in gethostbyname |
| Index: git/posix/glob.c |
| =================================================================== |
| --- git.orig/posix/glob.c |
| +++ git/posix/glob.c |
| @@ -843,7 +843,7 @@ glob (const char *pattern, int flags, in |
| *p = '\0'; |
| } |
| else |
| - *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) |
| + *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) |
| = '\0'; |
| user_name = newp; |
| } |
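Review bot: The corrected length `end_name - dirname - 1` is only safe if `newp` was sized to `end_name - dirname` bytes, and that allocation sits outside this hunk, so the invariant should be stated at the copy, e.g. `/* dirname points at '~': the name is end_name - dirname - 1 bytes, plus the NUL stored below. */`. The sibling branch, whose tail `*p = '\0';` is visible just above the `else`, appears to fill the same buffer and also begins outside the hunk, so it should be checked against the same bound before this backport is treated as complete. The diffstat lists only ChangeLog, NEWS and posix/glob.c, so no regression test accompanies the fix. A GLOB_TILDE test run under a memory checker would keep this off-by-one from coming back on a later rebase.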
| Index: git/ChangeLog |
| =================================================================== |
| --- git.orig/ChangeLog |
| +++ git/ChangeLog |
| @@ -1,3 +1,9 @@ |
| +2017-10-20 Paul Eggert <eggert@cs.ucla.edu> |
| + |
| + [BZ #22320] |
| + CVE-2017-15670 |
| + * posix/glob.c (__glob): Fix one-byte overflow. |
| + |
| 2017-08-02 Siddhesh Poyarekar <siddhesh@sourceware.org> |
| |
| * version.h (RELEASE): Set to "stable" |