This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/22679] getcwd(3) can succeed without returning an absolute path (CVE-2018-1000001)
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 16 Jan 2018 08:17:55 +0000
- Subject: [Bug libc/22679] getcwd(3) can succeed without returning an absolute path (CVE-2018-1000001)
- Auto-submitted: auto-generated
- References: <bug-22679-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=22679
--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.25/master has been updated
via 771c846a71d9ee14aa3b91fd184026482da585d9 (commit)
from 2ee370613ce1c72fbaad08dcda323a3b122c82df (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=771c846a71d9ee14aa3b91fd184026482da585d9
commit 771c846a71d9ee14aa3b91fd184026482da585d9
Author: Dmitry V. Levin <ldv@altlinux.org>
Date: Sun Jan 7 02:03:41 2018 +0000
linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]

Currently getcwd(3) can succeed without returning an absolute path
because the underlying getcwd syscall, starting with linux commit
v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.

This is a conformance issue because "The getcwd() function shall
place an absolute pathname of the current working directory
in the array pointed to by buf, and return buf".

This is also a security issue because a non-absolute path returned
by getcwd(3) causes a buffer underflow in realpath(3).

Fix this by checking the path returned by getcwd syscall and falling
back to generic_getcwd if the path is not absolute, effectively making
getcwd(3) fail with ENOENT. The error code is chosen for consistency
with the case when the current directory is unlinked.

[BZ #22679]
CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
generic_getcwd if the path returned by getcwd syscall is not absolute.
* io/tst-getcwd-abspath.c: New test.
* io/Makefile (tests): Add tst-getcwd-abspath.

(cherry picked from commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94)
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 9 +++++
NEWS | 6 +++
io/Makefile | 2 +-
io/tst-getcwd-abspath.c | 66 ++++++++++++++++++++++++++++++++++++++
sysdeps/unix/sysv/linux/getcwd.c | 8 ++--
5 files changed, 86 insertions(+), 5 deletions(-)
create mode 100644 io/tst-getcwd-abspath.c
--
You are receiving this mail because:
You are on the CC list for the bug.
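
The check the commit message describes, applied at the application level for code that may run on a glibc without this fix. This is an added example, not code from the glibc commit or from this mail: validate_cwd and checked_getcwd are hypothetical names, and the "(unreachable)" prefix is the form the Linux getcwd syscall uses for a directory outside the process root, which the mail itself does not spell out.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* Return 0 if `path` is an absolute pathname, as POSIX requires of
   getcwd(); otherwise set errno to ENOENT (the error the commit message
   says the fixed getcwd(3) reports) and return -1. */
int validate_cwd(const char *path)
{
    if (path == NULL || path[0] != '/') {
        errno = ENOENT;
        return -1;
    }
    return 0;
}

/* Hypothetical wrapper: a getcwd() that never hands back a relative path.
   Requires a caller-supplied buffer so the result can be checked in place. */
char *checked_getcwd(char *buf, size_t size)
{
    if (buf == NULL || size == 0) {
        errno = EINVAL;
        return NULL;
    }
    if (getcwd(buf, size) == NULL)
        return NULL;              /* errno already set by getcwd() */
    if (validate_cwd(buf) != 0) {
        buf[0] = '\0';            /* do not pass the bogus path to callers */
        return NULL;              /* errno == ENOENT */
    }
    return buf;
}

int main(void)
{
    char buf[4096];
    /* Constructed sample imitating what the raw syscall can return. */
    const char *sample = "(unreachable)/tmp/work";

    printf("sample accepted: %s\n", validate_cwd(sample) == 0 ? "yes" : "no");
    if (checked_getcwd(buf, sizeof buf) == NULL) {
        perror("checked_getcwd");
        return 1;
    }
    printf("cwd: %s\n", buf);
    return 0;
}
```

Rejecting the result before it reaches realpath(3) or any other path-handling code keeps a relative string out of routines that assume a leading '/'.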