This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug libc/22679] getcwd(3) can succeed without returning an absolute path (CVE-2018-1000001)


https://sourceware.org/bugzilla/show_bug.cgi?id=22679

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.25/master has been updated
       via  771c846a71d9ee14aa3b91fd184026482da585d9 (commit)
      from  2ee370613ce1c72fbaad08dcda323a3b122c82df (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=771c846a71d9ee14aa3b91fd184026482da585d9

commit 771c846a71d9ee14aa3b91fd184026482da585d9
Author: Dmitry V. Levin <ldv@altlinux.org>
Date:   Sun Jan 7 02:03:41 2018 +0000

    linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]

    Currently getcwd(3) can succeed without returning an absolute path
    because the underlying getcwd syscall, starting with linux commit
    v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.

    This is a conformance issue because "The getcwd() function shall
    place an absolute pathname of the current working directory
    in the array pointed to by buf, and return buf".

    This is also a security issue because a non-absolute path returned
    by getcwd(3) causes a buffer underflow in realpath(3).

    Fix this by checking the path returned by getcwd syscall and falling
    back to generic_getcwd if the path is not absolute, effectively making
    getcwd(3) fail with ENOENT.  The error code is chosen for consistency
    with the case when the current directory is unlinked.

    [BZ #22679]
    CVE-2018-1000001
    * sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
    generic_getcwd if the path returned by getcwd syscall is not absolute.
    * io/tst-getcwd-abspath.c: New test.
    * io/Makefile (tests): Add tst-getcwd-abspath.

    (cherry picked from commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                        |    9 +++++
 NEWS                             |    6 +++
 io/Makefile                      |    2 +-
 io/tst-getcwd-abspath.c          |   66 ++++++++++++++++++++++++++++++++++++++
 sysdeps/unix/sysv/linux/getcwd.c |    8 ++--
 5 files changed, 86 insertions(+), 5 deletions(-)
 create mode 100644 io/tst-getcwd-abspath.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]