This is the mail archive of the
mailing list for the glibc project.
Re: [COMMITTED] CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: GNU C Library <libc-alpha at sourceware dot org>, Andreas Schwab <schwab at suse dot de>, "Joseph S. Myers" <joseph at codesourcery dot com>, Adam Conrad <adconrad at 0c3 dot net>, Florian Weimer <fweimer at redhat dot com>, Brooks Moses <bmoses at google dot com>
- Date: Wed, 19 Nov 2014 15:54:54 -0500
- Subject: Re: [COMMITTED] CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
- Authentication-results: sourceware.org; auth=none
- References: <546CF742 dot 3040805 at redhat dot com>
On 11/19/2014 03:02 PM, Carlos O'Donell wrote:
> Committed to trunk.
Committed to 2.20.
Author: Carlos O'Donell <firstname.lastname@example.org>
Date: Wed Nov 19 11:44:12 2014 -0500
CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.
We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
Tested on x86_64 with no regressions.
(cherry picked from commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c)