Bug 22320 (CVE-2017-15670)

Summary: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670)
Product: glibc
Reporter: Tim Rühsen <tim.ruehsen>
Component: glob
Assignee: Florian Weimer <fweimer>
Status: RESOLVED FIXED
Severity: critical
CC: castro8583bennett, eggert, fweimer
Priority: P2
Flags: fweimer: security+
Version: unspecified
Target Milestone: 2.27
Host:
Target:
Build:
Last reconfirmed: 2017-10-20 00:00:00
Attachments: glob reproducer for WRITE heap buffer overflow

Description Tim Rühsen 2017-10-19 14:36:57 UTC
Sorry, couldn't find any glibc security policy...

Gnulib's glob(), which is a copy of glibc's glob(), seems to have a buffer overflow. Clang's address sanitizer reports a WRITE overflow, gcc's reports a READ overflow when using the same sanitizer options.

Here is a patch and some comments from Bruno Haible (gnulib maintainer), who tracked it down:

This patch fixes both problems.

diff --git a/lib/glob.c b/lib/glob.c
index 33030ec..6753043 100644
--- a/lib/glob.c
+++ b/lib/glob.c
@@ -764,7 +764,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
                   *p = '\0';
                 }
               else
-                *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+                *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
                   = '\0';
               user_name = newp;
             }
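Review bot: the new length end_name - dirname - 1 is correct only if newp holds exactly end_name - dirname bytes, and that allocation is not visible in this hunk; the NUL now lands on newp[end_name - dirname - 1], the last byte of a buffer of that size, so the commit message should state the buffer size the fix relies on. The sibling branch ending in `*p = '\0'` (the unescaping path in the same if/else) is untouched by this change and needs the same bounds audit; the thread below records a separate fix for that path under BZ #22332.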

The bug also exists in glibc, at least since 2005-12-14. Interestingly, this mempcpy call was originally

# ifdef HAVE_MEMPCPY
	      *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
		= '\0';
# else
	      memcpy (newp, dirname + 1, end_name - dirname);
	      newp[end_name - dirname - 1] = '\0';
# endif

and the code in the #else branch was correct.


I have reproducer C code plus a data file; let me know if you are interested (the 'Add an Attachment' form only allows one file).
Comment 2 Paul Eggert 2017-10-19 19:46:13 UTC
Following a suggestion by Bruno Haible, I patched the gnulib copy of glob.c as described here:

http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=2d1bd71ec70a31b01d01b734faa66bb1ed28961f

Presumably a similar patch should be applied to the glibc copy.
Comment 3 Florian Weimer 2017-10-20 02:44:25 UTC
For future reference, the process is documented here:

  https://sourceware.org/glibc/wiki/Security Process

(However, reporting bugs with this severity publicly in Bugzilla is fine.)
Comment 4 Florian Weimer 2017-10-20 07:28:41 UTC
Tim, would you please attach the reproducer?
Comment 5 Tim Rühsen 2017-10-20 07:59:52 UTC
Created attachment 10546 [details]
glob reproducer for WRITE heap buffer overflow
Comment 6 Florian Weimer 2017-10-20 08:13:45 UTC
"~xxx…xxx/a/b" triggers this.  Some versions of glob will use an on-stack buffer for shorter xxx…xxx sequences.
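The one-byte overflow described in the report and triggered by the "~xxx…xxx/a/b" pattern from comment 6, as an added example that is not glibc's or gnulib's code: it models the GLOB_TILDE user-name copy with both the pre-fix and post-fix mempcpy lengths, sizes the destination as glob() does (end_name - dirname bytes, i.e. the name length plus one), and places a canary byte just past it so the stray NUL write is observable without undefined behaviour. The names mempcpy_local, tilde_copy_in_bounds and tilde_user_name_is are introduced here, mempcpy_local stands in for GNU mempcpy() so the file builds without _GNU_SOURCE, and the pattern strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not glibc code.  Sentinel placed one byte past the
   glob()-sized buffer so the off-by-one write can be detected safely. */
#define CANARY 0xAA

/* Local stand-in for GNU mempcpy(): copy n bytes, return dst + n. */
static void *mempcpy_local(void *dst, const void *src, size_t n)
{
    return (char *) memcpy(dst, src, n) + n;
}

/* Copy the user name out of PATTERN ("~name/rest") the way glob() does.
   USE_FIX selects the post-fix length (end_name - dirname - 1) or the
   pre-fix length (end_name - dirname).
   Returns 1 if the terminating NUL stayed inside the glob()-sized
   buffer, 0 if it landed on the canary byte just past it, and -1 when
   PATTERN is not of the "~name/..." form that reaches this code path.
   When OUT is non-NULL, the NUL-terminated bytes left in the buffer are
   copied there so the caller can see what glob() would use as the name. */
int tilde_copy_in_bounds(const char *pattern, int use_fix,
                         char *out, size_t outsz)
{
    const char *dirname = pattern;
    const char *end_name;

    if (dirname[0] != '~' || (end_name = strchr(dirname, '/')) == NULL)
        return -1;
    if (end_name == dirname + 1)      /* "~/..." is the HOME branch, not this one */
        return -1;

    size_t bufsz = (size_t) (end_name - dirname);  /* what glob() allocates */
    char *newp = malloc(bufsz + 1);                /* +1 is the canary slot only */
    if (newp == NULL)
        return -1;
    newp[bufsz] = (char) CANARY;

    if (use_fix)
        /* Fixed: strlen(name) bytes, NUL written to newp[bufsz - 1]. */
        *((char *) mempcpy_local(newp, dirname + 1, end_name - dirname - 1)) = '\0';
    else
        /* Buggy: one byte too many (the '/'), NUL written to newp[bufsz]. */
        *((char *) mempcpy_local(newp, dirname + 1, end_name - dirname)) = '\0';

    int in_bounds = (unsigned char) newp[bufsz] == CANARY;

    if (out != NULL && outsz > 0) {
        size_t n = strlen(newp);      /* NUL-terminated either way, thanks to the slot */
        if (n >= outsz)
            n = outsz - 1;
        memcpy(out, newp, n);
        out[n] = '\0';
    }
    free(newp);
    return in_bounds;
}

/* 1 if the name extracted with USE_FIX equals EXPECTED byte-for-byte, else 0. */
int tilde_user_name_is(const char *pattern, int use_fix, const char *expected)
{
    char buf[256];
    if (tilde_copy_in_bounds(pattern, use_fix, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed pattern in the shape comment 6 describes. */
    const char *p = "~xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/a/b";
    printf("pre-fix copy stays in bounds:  %d\n", tilde_copy_in_bounds(p, 0, NULL, 0));
    printf("post-fix copy stays in bounds: %d\n", tilde_copy_in_bounds(p, 1, NULL, 0));
    return 0;
}
```

The pre-fix copy leaves "name/" in the buffer and writes its NUL one byte past the allocation; the post-fix copy leaves "name" and terminates on the last byte. Comment 6's point about buffer placement follows from the same arithmetic: for short names glob() may take the user name from an on-stack buffer, so a long enough run of x's is what pushes the allocation to the heap and produces the heap WRITE the attached sanitizer report shows.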
Comment 7 Sourceware Commits 2017-10-20 16:47:38 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  c369d66e5426a30e4725b100d5cd28e372754f90 (commit)
      from  6d43de4b85b11d26a19bebe4f55f31be16e3d419 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c369d66e5426a30e4725b100d5cd28e372754f90

commit c369d66e5426a30e4725b100d5cd28e372754f90
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Fri Oct 20 18:41:14 2017 +0200

    CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog    |    6 ++++++
 NEWS         |    4 ++++
 posix/glob.c |    2 +-
 3 files changed, 11 insertions(+), 1 deletions(-)
Comment 8 Florian Weimer 2017-10-20 16:48:57 UTC
Fixed in 2.27.
Comment 9 Sourceware Commits 2017-10-20 18:27:39 UTC
The branch, release/2.26/master has been updated
       via  a76376df7c07e577a9515c3faa5dbd50bda5da07 (commit)
      from  305f4f057dace256e99e4321e21a23267187d77f (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a76376df7c07e577a9515c3faa5dbd50bda5da07

commit a76376df7c07e577a9515c3faa5dbd50bda5da07
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Fri Oct 20 18:41:14 2017 +0200

    CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]
    
    (cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog    |    6 ++++++
 NEWS         |    5 +++++
 posix/glob.c |    2 +-
 3 files changed, 12 insertions(+), 1 deletions(-)
Comment 10 Sourceware Commits 2017-10-21 16:31:10 UTC
The branch, master has been updated
       via  e80fc1fc98bf614eb01cf8325503df3a1451a99c (commit)
      from  797ba44ba27521261f94cc521f1c2ca74f650147 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e80fc1fc98bf614eb01cf8325503df3a1451a99c

commit e80fc1fc98bf614eb01cf8325503df3a1451a99c
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sat Oct 21 18:03:30 2017 +0200

    glob: Add new test tst-glob-tilde
    
    The new test checks for memory leaks (see bug 22325) and attempts
    to trigger the buffer overflow in bug 22320.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog              |    8 +++
 posix/Makefile         |   12 ++++-
 posix/tst-glob-tilde.c |  136 ++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 154 insertions(+), 2 deletions(-)
 create mode 100644 posix/tst-glob-tilde.c
Comment 11 Sourceware Commits 2017-10-21 17:13:12 UTC
The branch, release/2.26/master has been updated
       via  6182b3708b7af316454c81467538a8c20c1b046d (commit)
      from  a76376df7c07e577a9515c3faa5dbd50bda5da07 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6182b3708b7af316454c81467538a8c20c1b046d

commit 6182b3708b7af316454c81467538a8c20c1b046d
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sat Oct 21 18:03:30 2017 +0200

    glob: Add new test tst-glob-tilde
    
    The new test checks for memory leaks (see bug 22325) and attempts
    to trigger the buffer overflow in bug 22320.
    
    (cherry picked from commit e80fc1fc98bf614eb01cf8325503df3a1451a99c)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog              |    8 +++
 posix/Makefile         |   11 +++-
 posix/tst-glob-tilde.c |  136 ++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 153 insertions(+), 2 deletions(-)
 create mode 100644 posix/tst-glob-tilde.c
Comment 12 Andreas Schwab 2017-10-21 18:32:22 UTC
*** Bug 22332 has been marked as a duplicate of this bug. ***
Comment 13 Sourceware Commits 2017-12-02 09:56:05 UTC
The branch, release/2.25/master has been updated
       via  4444f6a92b83f7e044705b43b11dcdb0dbe97fe1 (commit)
       via  b2b39e667143a921eeec01517c9c99ea25eaafae (commit)
       via  ee68a4419a7c4473e48b16a55c50689a11f9b725 (commit)
       via  3b587362bd54a81528b36ff8e13ba9f7c233e995 (commit)
       via  a06cc8caa7f4c0fcfdc7580cbc5c21be63637353 (commit)
       via  717743bb07471f95bef6ea63d9b12848ad91aaf6 (commit)
       via  ea54198514e1a4f4abd8727acac0890bc95b4bdc (commit)
       via  2b54f16a8a237a1f3e6f8b974cafda09ed75d292 (commit)
      from  7bd7ddfab138f67a1d8c10d4d70f16240a1c6796 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4444f6a92b83f7e044705b43b11dcdb0dbe97fe1

commit 4444f6a92b83f7e044705b43b11dcdb0dbe97fe1
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Fri Dec 1 21:53:51 2017 +0100

    Update NEWS to add CVE-2017-15804 entry
    
    (cherry picked from commit 15e84c63c05e0652047ba5e738c54d79d62ba74b)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b2b39e667143a921eeec01517c9c99ea25eaafae

commit b2b39e667143a921eeec01517c9c99ea25eaafae
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Nov 2 11:06:45 2017 +0100

    posix/tst-glob-tilde.c: Add test for bug 22332
    
    (cherry picked from commit 2fac6a6cd50c22ac28c97d0864306594807ade3e)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ee68a4419a7c4473e48b16a55c50689a11f9b725

commit ee68a4419a7c4473e48b16a55c50689a11f9b725
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Sun Oct 22 10:00:57 2017 +0200

    glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]
    
    (cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3b587362bd54a81528b36ff8e13ba9f7c233e995

commit 3b587362bd54a81528b36ff8e13ba9f7c233e995
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sun Oct 22 09:29:52 2017 +0200

    Update NEWS and ChangeLog for CVE-2017-15671
    
    (cherry picked from commit 914c9994d27b80bc3b71c483e801a4f04e269ba6)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a06cc8caa7f4c0fcfdc7580cbc5c21be63637353

commit a06cc8caa7f4c0fcfdc7580cbc5c21be63637353
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sat Oct 21 18:03:30 2017 +0200

    glob: Add new test tst-glob-tilde
    
    The new test checks for memory leaks (see bug 22325) and attempts
    to trigger the buffer overflow in bug 22320.
    
    (cherry picked from commit e80fc1fc98bf614eb01cf8325503df3a1451a99c)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=717743bb07471f95bef6ea63d9b12848ad91aaf6

commit 717743bb07471f95bef6ea63d9b12848ad91aaf6
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Fri Oct 20 18:41:14 2017 +0200

    CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]
    
    (cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ea54198514e1a4f4abd8727acac0890bc95b4bdc

commit ea54198514e1a4f4abd8727acac0890bc95b4bdc
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Mon Sep 4 14:53:38 2017 -0300

    posix: Sync glob with gnulib [BZ #1062]
    
    This patch syncs posix/glob.c implementation with gnulib version
    b5ec983 (glob: simplify symlink detection).  The only difference
    to gnulib code is
    
      * DT_UNKNOWN, DT_DIR, and DT_LNK definition in the case there
        were not already defined.  Gnulib code which uses
        HAVE_STRUCT_DIRENT_D_TYPE will redefine them wrongly because
        GLIBC does not define HAVE_STRUCT_DIRENT_D_TYPE.  Instead
        the patch check for each definition instead.
    
    Also, the patch requires additional globfree and globfree64 files
    for compatibility version on some architectures.  Also the code
    simplification leads to not macro simplification (not need for
    NO_GLOB_PATTERN_P anymore).
    
    Checked on x86_64-linux-gnu and on a build using build-many-glibcs.py
    for all major architectures.
    
    	[BZ #1062]
    	* posix/Makefile (routines): Add globfree, globfree64, and
    	glob_pattern_p.
    	* posix/flexmember.h: New file.
    	* posix/glob_internal.h: Likewise.
    	* posix/glob_pattern_p.c: Likewise.
    	* posix/globfree.c: Likewise.
    	* posix/globfree64.c: Likewise.
    	* sysdeps/gnu/globfree64.c: Likewise.
    	* sysdeps/unix/sysv/linux/alpha/globfree.c: Likewise.
    	* sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c: Likewise.
    	* sysdeps/unix/sysv/linux/oldglob.c: Likewise.
    	* sysdeps/unix/sysv/linux/wordsize-64/globfree64.c: Likewise.
    	* sysdeps/unix/sysv/linux/x86_64/x32/globfree.c: Likewise.
    	* sysdeps/wordsize-64/globfree.c: Likewise.
    	* sysdeps/wordsize-64/globfree64.c: Likewise.
    	* posix/glob.c (HAVE_CONFIG_H): Use !_LIBC instead.
    	[NDEBUG): Remove comments.
    	(GLOB_ONLY_P, _AMIGA, VMS): Remove define.
    	(dirent_type): New type.  Use uint_fast8_t not
    	uint8_t, as C99 does not require uint8_t.
    	(DT_UNKNOWN, DT_DIR, DT_LNK): New macros.
    	(struct readdir_result): Use dirent_type.  Do not define skip_entry
    	unless it is needed; this saves a byte on platforms lacking d_ino.
    	(readdir_result_type, readdir_result_skip_entry):
    	New functions, replacing ...
    	(readdir_result_might_be_symlink, readdir_result_might_be_dir):
    	 these functions, which were removed.  This makes the callers
    	easier to read.  All callers changed.
    	(D_INO_TO_RESULT): Now empty if there is no d_ino.
    	(size_add_wrapv, glob_use_alloca): New static functions.
    	(glob, glob_in_dir): Check for size_t overflow in several places,
    	and fix some size_t checks that were not quite right.
    	Remove old code using SHELL since Bash no longer
    	uses this.
    	(glob, prefix_array): Separate MS code better.
    	(glob_in_dir): Remove old Amiga and VMS code.
    	(globfree, __glob_pattern_type, __glob_pattern_p): Move to
    	separate files.
    	(glob_in_dir): Do not rely on undefined behavior in accessing
    	struct members beyond their bounds.  Use a flexible array member
    	instead
    	(link_stat): Rename from link_exists2_p and return -1/0 instead of
    	0/1.  Caller changed.
    	(glob): Fix memory leaks.
    	* posix/glob64 (globfree64): Move to separate file.
    	* sysdeps/gnu/glob64.c (NO_GLOB_PATTERN_P): Remove define.
    	(globfree64): Remove hidden alias.
    	* sysdeps/unix/sysv/linux/Makefile (sysdeps_routines): Add
    	oldglob.
    	* sysdeps/unix/sysv/linux/alpha/glob.c (__new_globfree): Move to
    	separate file.
    	* sysdeps/unix/sysv/linux/i386/glob64.c (NO_GLOB_PATTERN_P): Remove
    	define.
    	Move compat code to separate file.
    	* sysdeps/wordsize-64/glob.c (globfree): Move definitions to
    	separate file.
    
    (cherry picked from commit c66c908230169c1bab1f83b071eb585baa214b9f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2b54f16a8a237a1f3e6f8b974cafda09ed75d292

commit 2b54f16a8a237a1f3e6f8b974cafda09ed75d292
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Sun Aug 20 10:46:47 2017 -0700

    i386: Hide __old_glob64 [BZ #18822]
    
    Hide internal __old_glob64 function to allow direct access within
    libc.so and libc.a without using GOT nor PLT.
    
    	[BZ #18822]
    	* sysdeps/unix/sysv/linux/i386/glob64.c (__old_glob64): Add
    	libc_hidden_proto and libc_hidden_def.
    
    (cherry picked from commit 2585d7b839559e665d5723734862fbe62264b25d)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   94 +++
 NEWS                                               |   16 +
 posix/Makefile                                     |   14 +-
 posix/flexmember.h                                 |   45 ++
 posix/glob.c                                       |  780 ++++++++++----------
 posix/glob64.c                                     |    6 -
 posix/glob_internal.h                              |   57 ++
 posix/glob_pattern_p.c                             |   33 +
 posix/globfree.c                                   |   41 +
 posix/globfree64.c                                 |   31 +
 posix/tst-glob-tilde.c                             |  143 ++++
 sysdeps/gnu/glob64.c                               |    3 -
 sysdeps/gnu/globfree64.c                           |   10 +
 sysdeps/unix/sysv/linux/Makefile                   |    2 +-
 sysdeps/unix/sysv/linux/alpha/glob.c               |    4 -
 sysdeps/unix/sysv/linux/alpha/globfree.c           |   37 +
 sysdeps/unix/sysv/linux/i386/glob64.c              |   36 +-
 .../unix/sysv/linux/mips/mips64/n64/globfree64.c   |    1 +
 sysdeps/unix/sysv/linux/oldglob.c                  |   42 ++
 sysdeps/unix/sysv/linux/wordsize-64/globfree64.c   |    2 +
 sysdeps/unix/sysv/linux/x86_64/x32/globfree.c      |    1 +
 sysdeps/wordsize-64/glob.c                         |    2 -
 sysdeps/wordsize-64/globfree.c                     |    5 +
 sysdeps/wordsize-64/globfree64.c                   |    1 +
 24 files changed, 945 insertions(+), 461 deletions(-)
 create mode 100644 posix/flexmember.h
 create mode 100644 posix/glob_internal.h
 create mode 100644 posix/glob_pattern_p.c
 create mode 100644 posix/globfree.c
 create mode 100644 posix/globfree64.c
 create mode 100644 posix/tst-glob-tilde.c
 create mode 100644 sysdeps/gnu/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/alpha/globfree.c
 create mode 100644 sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/oldglob.c
 create mode 100644 sysdeps/unix/sysv/linux/wordsize-64/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/x86_64/x32/globfree.c
 create mode 100644 sysdeps/wordsize-64/globfree.c
 create mode 100644 sysdeps/wordsize-64/globfree64.c
Comment 14 Sourceware Commits 2017-12-03 21:45:13 UTC
The branch, release/2.24/master has been updated
       via  d81254d2efcb839fd11df2960df5bba579193808 (commit)
       via  bddc5728810859952a2acaec6302308361e828cc (commit)
       via  94825c8924b80518214ad9e3ca1f6589f209592c (commit)
       via  1e53b88296dc95d325d6073910a33dca851b6bc4 (commit)
       via  5ff2eb52b236ca3d77f92272e8711b3c2b98140b (commit)
       via  1f523e3c6efd673bdd05cbec85ff6ba178ba6e08 (commit)
       via  832e2ec56701f85b892b782b8b749bc5a33899fb (commit)
       via  89bf8ef2dba93e19385bf922fdcee87a97db768f (commit)
      from  bea3f92405f705684275bffee954cafe84ffb09d (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d81254d2efcb839fd11df2960df5bba579193808

commit d81254d2efcb839fd11df2960df5bba579193808
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Fri Dec 1 21:53:51 2017 +0100

    Update NEWS to add CVE-2017-15804 entry
    
    (cherry picked from commit 15e84c63c05e0652047ba5e738c54d79d62ba74b)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bddc5728810859952a2acaec6302308361e828cc

commit bddc5728810859952a2acaec6302308361e828cc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Nov 2 11:06:45 2017 +0100

    posix/tst-glob-tilde.c: Add test for bug 22332
    
    (cherry picked from commit 2fac6a6cd50c22ac28c97d0864306594807ade3e)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=94825c8924b80518214ad9e3ca1f6589f209592c

commit 94825c8924b80518214ad9e3ca1f6589f209592c
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Sun Oct 22 10:00:57 2017 +0200

    glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]
    
    (cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1e53b88296dc95d325d6073910a33dca851b6bc4

commit 1e53b88296dc95d325d6073910a33dca851b6bc4
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sun Oct 22 09:29:52 2017 +0200

    Update NEWS and ChangeLog for CVE-2017-15671
    
    (cherry picked from commit 914c9994d27b80bc3b71c483e801a4f04e269ba6)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ff2eb52b236ca3d77f92272e8711b3c2b98140b

commit 5ff2eb52b236ca3d77f92272e8711b3c2b98140b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sat Oct 21 18:03:30 2017 +0200

    glob: Add new test tst-glob-tilde
    
    The new test checks for memory leaks (see bug 22325) and attempts
    to trigger the buffer overflow in bug 22320.
    
    (cherry picked from commit e80fc1fc98bf614eb01cf8325503df3a1451a99c)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1f523e3c6efd673bdd05cbec85ff6ba178ba6e08

commit 1f523e3c6efd673bdd05cbec85ff6ba178ba6e08
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Fri Oct 20 18:41:14 2017 +0200

    CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]
    
    (cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=832e2ec56701f85b892b782b8b749bc5a33899fb

commit 832e2ec56701f85b892b782b8b749bc5a33899fb
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Mon Sep 4 14:53:38 2017 -0300

    posix: Sync glob with gnulib [BZ #1062]
    
    This patch syncs posix/glob.c implementation with gnulib version
    b5ec983 (glob: simplify symlink detection).  The only difference
    to gnulib code is
    
      * DT_UNKNOWN, DT_DIR, and DT_LNK definition in the case there
        were not already defined.  Gnulib code which uses
        HAVE_STRUCT_DIRENT_D_TYPE will redefine them wrongly because
        GLIBC does not define HAVE_STRUCT_DIRENT_D_TYPE.  Instead
        the patch check for each definition instead.
    
    Also, the patch requires additional globfree and globfree64 files
    for compatibility version on some architectures.  Also the code
    simplification leads to not macro simplification (not need for
    NO_GLOB_PATTERN_P anymore).
    
    Checked on x86_64-linux-gnu and on a build using build-many-glibcs.py
    for all major architectures.
    
    	[BZ #1062]
    	* posix/Makefile (routines): Add globfree, globfree64, and
    	glob_pattern_p.
    	* posix/flexmember.h: New file.
    	* posix/glob_internal.h: Likewise.
    	* posix/glob_pattern_p.c: Likewise.
    	* posix/globfree.c: Likewise.
    	* posix/globfree64.c: Likewise.
    	* sysdeps/gnu/globfree64.c: Likewise.
    	* sysdeps/unix/sysv/linux/alpha/globfree.c: Likewise.
    	* sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c: Likewise.
    	* sysdeps/unix/sysv/linux/oldglob.c: Likewise.
    	* sysdeps/unix/sysv/linux/wordsize-64/globfree64.c: Likewise.
    	* sysdeps/unix/sysv/linux/x86_64/x32/globfree.c: Likewise.
    	* sysdeps/wordsize-64/globfree.c: Likewise.
    	* sysdeps/wordsize-64/globfree64.c: Likewise.
    	* posix/glob.c (HAVE_CONFIG_H): Use !_LIBC instead.
    	[NDEBUG): Remove comments.
    	(GLOB_ONLY_P, _AMIGA, VMS): Remove define.
    	(dirent_type): New type.  Use uint_fast8_t not
    	uint8_t, as C99 does not require uint8_t.
    	(DT_UNKNOWN, DT_DIR, DT_LNK): New macros.
    	(struct readdir_result): Use dirent_type.  Do not define skip_entry
    	unless it is needed; this saves a byte on platforms lacking d_ino.
    	(readdir_result_type, readdir_result_skip_entry):
    	New functions, replacing ...
    	(readdir_result_might_be_symlink, readdir_result_might_be_dir):
    	 these functions, which were removed.  This makes the callers
    	easier to read.  All callers changed.
    	(D_INO_TO_RESULT): Now empty if there is no d_ino.
    	(size_add_wrapv, glob_use_alloca): New static functions.
    	(glob, glob_in_dir): Check for size_t overflow in several places,
    	and fix some size_t checks that were not quite right.
    	Remove old code using SHELL since Bash no longer
    	uses this.
    	(glob, prefix_array): Separate MS code better.
    	(glob_in_dir): Remove old Amiga and VMS code.
    	(globfree, __glob_pattern_type, __glob_pattern_p): Move to
    	separate files.
    	(glob_in_dir): Do not rely on undefined behavior in accessing
    	struct members beyond their bounds.  Use a flexible array member
    	instead
    	(link_stat): Rename from link_exists2_p and return -1/0 instead of
    	0/1.  Caller changed.
    	(glob): Fix memory leaks.
    	* posix/glob64 (globfree64): Move to separate file.
    	* sysdeps/gnu/glob64.c (NO_GLOB_PATTERN_P): Remove define.
    	(globfree64): Remove hidden alias.
    	* sysdeps/unix/sysv/linux/Makefile (sysdeps_routines): Add
    	oldglob.
    	* sysdeps/unix/sysv/linux/alpha/glob.c (__new_globfree): Move to
    	separate file.
    	* sysdeps/unix/sysv/linux/i386/glob64.c (NO_GLOB_PATTERN_P): Remove
    	define.
    	Move compat code to separate file.
    	* sysdeps/wordsize-64/glob.c (globfree): Move definitions to
    	separate file.
    
    (cherry picked from commit c66c908230169c1bab1f83b071eb585baa214b9f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89bf8ef2dba93e19385bf922fdcee87a97db768f

commit 89bf8ef2dba93e19385bf922fdcee87a97db768f
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Sun Aug 20 10:46:47 2017 -0700

    i386: Hide __old_glob64 [BZ #18822]
    
    Hide internal __old_glob64 function to allow direct access within
    libc.so and libc.a without using GOT nor PLT.
    
    	[BZ #18822]
    	* sysdeps/unix/sysv/linux/i386/glob64.c (__old_glob64): Add
    	libc_hidden_proto and libc_hidden_def.
    
    (cherry picked from commit 2585d7b839559e665d5723734862fbe62264b25d)
    (cherry picked from commit 2b54f16a8a237a1f3e6f8b974cafda09ed75d292)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   94 +++
 NEWS                                               |   13 +
 posix/Makefile                                     |   13 +-
 posix/flexmember.h                                 |   45 ++
 posix/glob.c                                       |  780 ++++++++++----------
 posix/glob64.c                                     |    6 -
 posix/glob_internal.h                              |   57 ++
 posix/glob_pattern_p.c                             |   33 +
 posix/globfree.c                                   |   41 +
 posix/globfree64.c                                 |   31 +
 posix/tst-glob-tilde.c                             |  143 ++++
 sysdeps/gnu/glob64.c                               |    3 -
 sysdeps/gnu/globfree64.c                           |   10 +
 sysdeps/unix/sysv/linux/Makefile                   |    2 +-
 sysdeps/unix/sysv/linux/alpha/glob.c               |    4 -
 sysdeps/unix/sysv/linux/alpha/globfree.c           |   37 +
 sysdeps/unix/sysv/linux/i386/glob64.c              |   36 +-
 .../unix/sysv/linux/mips/mips64/n64/globfree64.c   |    1 +
 sysdeps/unix/sysv/linux/oldglob.c                  |   42 ++
 sysdeps/unix/sysv/linux/wordsize-64/globfree64.c   |    2 +
 sysdeps/unix/sysv/linux/x86_64/x32/globfree.c      |    1 +
 sysdeps/wordsize-64/glob.c                         |    2 -
 sysdeps/wordsize-64/globfree.c                     |    5 +
 sysdeps/wordsize-64/globfree64.c                   |    1 +
 24 files changed, 941 insertions(+), 461 deletions(-)
 create mode 100644 posix/flexmember.h
 create mode 100644 posix/glob_internal.h
 create mode 100644 posix/glob_pattern_p.c
 create mode 100644 posix/globfree.c
 create mode 100644 posix/globfree64.c
 create mode 100644 posix/tst-glob-tilde.c
 create mode 100644 sysdeps/gnu/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/alpha/globfree.c
 create mode 100644 sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/oldglob.c
 create mode 100644 sysdeps/unix/sysv/linux/wordsize-64/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/x86_64/x32/globfree.c
 create mode 100644 sysdeps/wordsize-64/globfree.c
 create mode 100644 sysdeps/wordsize-64/globfree64.c
Comment 15 Sourceware Commits 2018-04-17 13:10:04 UTC
The branch, release/2.22/master has been updated
       via  49a0c33ead1b1eea5b414e9e2574a4fd96291203 (commit)
       via  d8b6b33f1d08642961aff14825c1fa6a0276ad49 (commit)
       via  42a2c81226c4fd4037aa90cbebf26bafc07b7072 (commit)
       via  3790ec0ca5b8cf5d317cd8d43f132ef88c52e824 (commit)
      from  017d97cd2ec0f626f8afb8c73ea3d612d8e844c3 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=49a0c33ead1b1eea5b414e9e2574a4fd96291203

commit 49a0c33ead1b1eea5b414e9e2574a4fd96291203
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Sun Oct 22 10:00:57 2017 +0200

    glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]
    
    (cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d8b6b33f1d08642961aff14825c1fa6a0276ad49

commit d8b6b33f1d08642961aff14825c1fa6a0276ad49
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sat Oct 21 18:03:30 2017 +0200

    glob: Add new test tst-glob-tilde
    
    The new test checks for memory leaks (see bug 22325) and attempts
    to trigger the buffer overflow in bug 22320.
    
    (cherry picked from commit e80fc1fc98bf614eb01cf8325503df3a1451a99c)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=42a2c81226c4fd4037aa90cbebf26bafc07b7072

commit 42a2c81226c4fd4037aa90cbebf26bafc07b7072
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Fri Oct 20 18:41:14 2017 +0200

    CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]
    
    (cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3790ec0ca5b8cf5d317cd8d43f132ef88c52e824

commit 3790ec0ca5b8cf5d317cd8d43f132ef88c52e824
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Mon Sep 4 14:53:38 2017 -0300

    posix: Sync glob with gnulib [BZ #1062]
    
    This patch syncs posix/glob.c implementation with gnulib version
    b5ec983 (glob: simplify symlink detection).  The only difference
    to gnulib code is
    
      * DT_UNKNOWN, DT_DIR, and DT_LNK definition in the case there
        were not already defined.  Gnulib code which uses
        HAVE_STRUCT_DIRENT_D_TYPE will redefine them wrongly because
        GLIBC does not define HAVE_STRUCT_DIRENT_D_TYPE.  Instead
        the patch check for each definition instead.
    
    Also, the patch requires additional globfree and globfree64 files
    for compatibility version on some architectures.  Also the code
    simplification leads to not macro simplification (not need for
    NO_GLOB_PATTERN_P anymore).
    
    Checked on x86_64-linux-gnu and on a build using build-many-glibcs.py
    for all major architectures.
    
    	[BZ #1062]
    	* posix/Makefile (routines): Add globfree, globfree64, and
    	glob_pattern_p.
    	* posix/flexmember.h: New file.
    	* posix/glob_internal.h: Likewise.
    	* posix/glob_pattern_p.c: Likewise.
    	* posix/globfree.c: Likewise.
    	* posix/globfree64.c: Likewise.
    	* sysdeps/gnu/globfree64.c: Likewise.
    	* sysdeps/unix/sysv/linux/alpha/globfree.c: Likewise.
    	* sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c: Likewise.
    	* sysdeps/unix/sysv/linux/oldglob.c: Likewise.
    	* sysdeps/unix/sysv/linux/wordsize-64/globfree64.c: Likewise.
    	* sysdeps/unix/sysv/linux/x86_64/x32/globfree.c: Likewise.
    	* sysdeps/wordsize-64/globfree.c: Likewise.
    	* sysdeps/wordsize-64/globfree64.c: Likewise.
    	* posix/glob.c (HAVE_CONFIG_H): Use !_LIBC instead.
    	[NDEBUG]: Remove comments.
    	(GLOB_ONLY_P, _AMIGA, VMS): Remove define.
    	(dirent_type): New type.  Use uint_fast8_t not
    	uint8_t, as C99 does not require uint8_t.
    	(DT_UNKNOWN, DT_DIR, DT_LNK): New macros.
    	(struct readdir_result): Use dirent_type.  Do not define skip_entry
    	unless it is needed; this saves a byte on platforms lacking d_ino.
    	(readdir_result_type, readdir_result_skip_entry):
    	New functions, replacing ...
    	(readdir_result_might_be_symlink, readdir_result_might_be_dir):
    	 these functions, which were removed.  This makes the callers
    	easier to read.  All callers changed.
    	(D_INO_TO_RESULT): Now empty if there is no d_ino.
    	(size_add_wrapv, glob_use_alloca): New static functions.
    	(glob, glob_in_dir): Check for size_t overflow in several places,
    	and fix some size_t checks that were not quite right.
    	Remove old code using SHELL since Bash no longer
    	uses this.
    	(glob, prefix_array): Separate MS code better.
    	(glob_in_dir): Remove old Amiga and VMS code.
    	(globfree, __glob_pattern_type, __glob_pattern_p): Move to
    	separate files.
    	(glob_in_dir): Do not rely on undefined behavior in accessing
    	struct members beyond their bounds.  Use a flexible array member
    	instead.
    	(link_stat): Rename from link_exists2_p and return -1/0 instead of
    	0/1.  Caller changed.
    	(glob): Fix memory leaks.
    	* posix/glob64 (globfree64): Move to separate file.
    	* sysdeps/gnu/glob64.c (NO_GLOB_PATTERN_P): Remove define.
    	(globfree64): Remove hidden alias.
    	* sysdeps/unix/sysv/linux/Makefile (sysdeps_routines): Add
    	oldglob.
    	* sysdeps/unix/sysv/linux/alpha/glob.c (__new_globfree): Move to
    	separate file.
    	* sysdeps/unix/sysv/linux/i386/glob64.c (NO_GLOB_PATTERN_P): Remove
    	define.
    	Move compat code to separate file.
    	* sysdeps/wordsize-64/glob.c (globfree): Move definitions to
    	separate file.
    
    (cherry picked from commit c66c908230169c1bab1f83b071eb585baa214b9f)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   80 ++
 NEWS                                               |    9 +
 posix/Makefile                                     |   14 +-
 posix/flexmember.h                                 |   45 ++
 posix/glob.c                                       |  785 ++++++++++----------
 posix/glob64.c                                     |    6 -
 posix/glob_internal.h                              |   57 ++
 posix/glob_pattern_p.c                             |   33 +
 posix/globfree.c                                   |   41 +
 posix/globfree64.c                                 |   31 +
 posix/tst-glob-tilde.c                             |  136 ++++
 sysdeps/gnu/glob64.c                               |    3 -
 sysdeps/gnu/globfree64.c                           |   10 +
 sysdeps/unix/sysv/linux/Makefile                   |    2 +-
 sysdeps/unix/sysv/linux/alpha/glob.c               |    4 -
 sysdeps/unix/sysv/linux/alpha/globfree.c           |   37 +
 sysdeps/unix/sysv/linux/i386/glob64.c              |   36 +-
 .../unix/sysv/linux/mips/mips64/n64/globfree64.c   |    1 +
 sysdeps/unix/sysv/linux/oldglob.c                  |   42 +
 sysdeps/unix/sysv/linux/wordsize-64/globfree64.c   |    2 +
 sysdeps/unix/sysv/linux/x86_64/x32/globfree.c      |    1 +
 sysdeps/wordsize-64/glob.c                         |    2 -
 sysdeps/wordsize-64/globfree.c                     |    5 +
 sysdeps/wordsize-64/globfree64.c                   |    1 +
 24 files changed, 917 insertions(+), 466 deletions(-)
 create mode 100644 posix/flexmember.h
 create mode 100644 posix/glob_internal.h
 create mode 100644 posix/glob_pattern_p.c
 create mode 100644 posix/globfree.c
 create mode 100644 posix/globfree64.c
 create mode 100644 posix/tst-glob-tilde.c
 create mode 100644 sysdeps/gnu/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/alpha/globfree.c
 create mode 100644 sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/oldglob.c
 create mode 100644 sysdeps/unix/sysv/linux/wordsize-64/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/x86_64/x32/globfree.c
 create mode 100644 sysdeps/wordsize-64/globfree.c
 create mode 100644 sysdeps/wordsize-64/globfree64.c
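The one-byte overflow fixed by commit 42a2c81 (CVE-2017-15670) comes down to length arithmetic in the GLOB_TILDE branch: the buffer for the user name in "~user/..." is sized end_name - dirname bytes (name plus terminator), but the pre-fix mempcpy copied end_name - dirname bytes starting at dirname + 1, so the '/' landed in the terminator's slot and the '\0' was written one byte past the allocation. The following is an added example, not glibc's or gnulib's own code: `analyze_tilde_copy`, `extract_tilde_user` and `struct tilde_copy` are names chosen here, the sample pattern is constructed, and the unescape (GLOB_NOESCAPE) path and the home-directory lookup that follow in the real glob() are left out. The analyzer only reports the arithmetic for both the pre-fix and the corrected length; the extractor performs the corrected copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes involved in copying the "user" part of "~user/..." into a
   buffer, mirroring the arithmetic in glob()'s GLOB_TILDE branch.
   (Hypothetical helper type, not from glibc.)  */
struct tilde_copy
{
  size_t alloc;      /* bytes allocated: end_name - dirname           */
  size_t copy_len;   /* bytes the copy takes from dirname + 1         */
  size_t nul_offset; /* buffer index that receives the '\0'           */
  int in_bounds;     /* 1 if nul_offset < alloc, 0 if it overflows    */
};

/* Report what the copy would do for DIRNAME ("~user/...") with the
   pre-fix length end_name - dirname (FIXED == 0) or the corrected
   length end_name - dirname - 1 (FIXED == 1).  Nothing is written;
   this only computes the numbers.  Patterns without a '/' return all
   zeros: there glob() uses dirname + 1 in place and copies nothing.  */
static struct tilde_copy
analyze_tilde_copy (const char *dirname, int fixed)
{
  struct tilde_copy r = { 0, 0, 0, 0 };
  const char *end_name = strchr (dirname, '/');
  if (dirname[0] != '~' || end_name == NULL)
    return r;
  r.alloc = (size_t) (end_name - dirname);   /* name length + 1 for the NUL */
  r.copy_len = r.alloc - (fixed ? 1 : 0);    /* pre-fix: one byte too many  */
  r.nul_offset = r.copy_len;                 /* mempcpy returns dst + n     */
  r.in_bounds = r.nul_offset < r.alloc;
  return r;
}

/* Corrected extraction: a malloc'd, NUL-terminated copy of the user
   name, or NULL if DIRNAME is not of the "~user/..." shape or malloc
   fails.  The caller frees the result.  The memcpy plus explicit
   terminator is the same write as the fixed mempcpy form.  */
static char *
extract_tilde_user (const char *dirname)
{
  struct tilde_copy c = analyze_tilde_copy (dirname, 1);
  if (c.alloc == 0)
    return NULL;
  char *newp = malloc (c.alloc);
  if (newp == NULL)
    return NULL;
  memcpy (newp, dirname + 1, c.copy_len);
  newp[c.nul_offset] = '\0';   /* index alloc - 1: the last byte owned */
  return newp;
}

int
main (void)
{
  const char *pattern = "~root/.bashrc";   /* constructed sample pattern */
  for (int fixed = 0; fixed <= 1; fixed++)
    {
      struct tilde_copy c = analyze_tilde_copy (pattern, fixed);
      printf ("%s: alloc=%zu copy=%zu nul@%zu -> %s\n",
              fixed ? "fixed  " : "pre-fix",
              c.alloc, c.copy_len, c.nul_offset,
              c.in_bounds ? "in bounds" : "one byte past the buffer");
    }
  char *user = extract_tilde_user (pattern);
  printf ("user name: \"%s\"\n", user ? user : "(none)");
  free (user);
  return 0;
}
```

For "~root/.bashrc" the buffer is 5 bytes; the pre-fix arithmetic copies 5 bytes ("root/") and puts the terminator at index 5, one past the end, while the corrected arithmetic copies 4 bytes and terminates at index 4. Because the buffer may come from malloc (long user names, or when alloca is not used), the stray byte is a heap write, which is why ASan reported a WRITE overflow in the description above.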
Comment 16 Carlo B 2018-06-21 14:11:45 UTC Comment hidden (spam)
Comment 17 Tim Rühsen 2018-06-21 14:34:17 UTC
(In reply to Carlo B from comment #16)
> Hi Tim, has this issue already been fixed? Have you tested it already to see if there's
> a problem again? Thanks

Just tested on 2.27-3 (Debian unstable) - the issue is fixed for me.

Regards, Tim