| From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001 |
| From: Paul Eggert <eggert@cs.ucla.edu> |
| Date: Sun, 22 Oct 2017 10:00:57 +0200 |
| Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ |
| #22332] |
| |
| (cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8) |
| |
| Upstream-Status: Backport |
| CVE: CVE-2017-15671 |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| ChangeLog | 6 ++++++ |
| NEWS | 4 ++++ |
| posix/glob.c | 4 ++-- |
| 3 files changed, 12 insertions(+), 2 deletions(-) |
| |
| Index: git/NEWS |
| =================================================================== |
| --- git.orig/NEWS |
| +++ git/NEWS |
| @@ -211,6 +211,10 @@ Security related changes: |
| on the stack or the heap, depending on the length of the user name). |
| Reported by Tim Rühsen. |
| |
| + The glob function, when invoked with GLOB_TILDE and without |
| + GLOB_NOESCAPE, could write past the end of a buffer while |
| + unescaping user names. Reported by Tim Rühsen. |
| + |
| The following bugs are resolved with this release: |
| |
| [984] network: Respond to changed resolv.conf in gethostbyname |
| Index: git/posix/glob.c |
| =================================================================== |
| --- git.orig/posix/glob.c |
| +++ git/posix/glob.c |
| @@ -823,11 +823,11 @@ glob (const char *pattern, int flags, in |
| char *p = mempcpy (newp, dirname + 1, |
| unescape - dirname - 1); |
| char *q = unescape; |
| - while (*q != '\0') |
| + while (q != end_name) |
| { |
| if (*q == '\\') |
| { |
| - if (q[1] == '\0') |
| + if (q + 1 == end_name) |
| { |
| /* "~fo\\o\\" unescape to user_name "foo\\", |
| but "~fo\\o\\/" unescape to user_name |
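Review bot: The new bound `while (q != end_name)` is an exact-equality test, so it is safe only if every step that advances `q` is covered by the `q + 1 == end_name` check, and nothing in the hunk states that invariant. A comment above the loop would record it, e.g. `/* Copy only [unescape, end_name): text past end_name is the rest of the pattern, not the user name. */`. The loop body and the allocation of `newp` lie outside the hunk, so confirm there that `newp` is sized from `end_name` and not from the length of the whole string. The diffstat lists only ChangeLog, NEWS and posix/glob.c, so the backport carries no regression test for the GLOB_TILDE unescape path. Separately, the `CVE:` trailer is not corroborated by the hunks shown (the ChangeLog entry for BZ #22332 has no CVE line, unlike the BZ #22320 entry), so check it against the upstream bug before relying on it for tracking.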
| Index: git/ChangeLog |
| =================================================================== |
| --- git.orig/ChangeLog |
| +++ git/ChangeLog |
| @@ -1,5 +1,10 @@ |
| + |
| 2017-10-20 Paul Eggert <eggert@cs.ucla.edu> |
| |
| + [BZ #22332] |
| + * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE |
| + unescaping. |
| + |
| [BZ #22320] |
| CVE-2017-15670 |
| * posix/glob.c (__glob): Fix one-byte overflow. |