| Summary: | getcwd(3) can succeed without returning an absolute path (CVE-2018-1000001) | ||
|---|---|---|---|
| Product: | glibc | Reporter: | Dmitry V. Levin <ldv> |
| Component: | libc | Assignee: | Dmitry V. Levin <ldv> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | drepper.fsp, fweimer, jeremip11 |
| Priority: | P2 | Flags: | ldv:
security+
|
| Version: | unspecified | ||
| Target Milestone: | 2.27 | ||
| Host: | Target: | ||
| Build: | Last reconfirmed: | ||
| Bug Depends on: | |||
| Bug Blocks: | 18203 | ||
|
Description
Dmitry V. Levin
2018-01-05 22:34:11 UTC
This is also a security issue because a non-absolute path returned by getcwd(3) causes a buffer underflow in realpath(3). This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94 (commit)
from 249a5895f120b13290a372a49bb4b499e749806f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94
commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94
Author: Dmitry V. Levin <ldv@altlinux.org>
Date: Sun Jan 7 02:03:41 2018 +0000
linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]
Currently getcwd(3) can succeed without returning an absolute path
because the underlying getcwd syscall, starting with linux commit
v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.
This is a conformance issue because "The getcwd() function shall
place an absolute pathname of the current working directory
in the array pointed to by buf, and return buf".
This is also a security issue because a non-absolute path returned
by getcwd(3) causes a buffer underflow in realpath(3).
Fix this by checking the path returned by getcwd syscall and falling
back to generic_getcwd if the path is not absolute, effectively making
getcwd(3) fail with ENOENT. The error code is chosen for consistency
with the case when the current directory is unlinked.
[BZ #22679]
CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
generic_getcwd if the path returned by getcwd syscall is not absolute.
* io/tst-getcwd-abspath.c: New test.
* io/Makefile (tests): Add tst-getcwd-abspath.
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 9 +++
NEWS | 4 ++
io/Makefile | 2 +-
.../tst-getcwd-abspath.c | 54 +++++++++++--------
sysdeps/unix/sysv/linux/getcwd.c | 8 ++--
5 files changed, 49 insertions(+), 28 deletions(-)
copy iconv/tst-gconv-init-failure.c => io/tst-getcwd-abspath.c (50%)
Fixed in 2.27. This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.26/master has been updated
via fabef2edbc29424a8048bdd60eba1a201f95682b (commit)
from 7d2672a47b24c6991ddbcc7b65a5086caed4596a (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fabef2edbc29424a8048bdd60eba1a201f95682b
commit fabef2edbc29424a8048bdd60eba1a201f95682b
Author: Dmitry V. Levin <ldv@altlinux.org>
Date: Sun Jan 7 02:03:41 2018 +0000
linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]
Currently getcwd(3) can succeed without returning an absolute path
because the underlying getcwd syscall, starting with linux commit
v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.
This is a conformance issue because "The getcwd() function shall
place an absolute pathname of the current working directory
in the array pointed to by buf, and return buf".
This is also a security issue because a non-absolute path returned
by getcwd(3) causes a buffer underflow in realpath(3).
Fix this by checking the path returned by getcwd syscall and falling
back to generic_getcwd if the path is not absolute, effectively making
getcwd(3) fail with ENOENT. The error code is chosen for consistency
with the case when the current directory is unlinked.
[BZ #22679]
CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
generic_getcwd if the path returned by getcwd syscall is not absolute.
* io/tst-getcwd-abspath.c: New test.
* io/Makefile (tests): Add tst-getcwd-abspath.
(cherry picked from commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94)
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 9 +++++
NEWS | 6 +++
io/Makefile | 2 +-
io/tst-getcwd-abspath.c | 66 ++++++++++++++++++++++++++++++++++++++
sysdeps/unix/sysv/linux/getcwd.c | 8 ++--
5 files changed, 86 insertions(+), 5 deletions(-)
create mode 100644 io/tst-getcwd-abspath.c
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.25/master has been updated
via 771c846a71d9ee14aa3b91fd184026482da585d9 (commit)
from 2ee370613ce1c72fbaad08dcda323a3b122c82df (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=771c846a71d9ee14aa3b91fd184026482da585d9
commit 771c846a71d9ee14aa3b91fd184026482da585d9
Author: Dmitry V. Levin <ldv@altlinux.org>
Date: Sun Jan 7 02:03:41 2018 +0000
linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]
Currently getcwd(3) can succeed without returning an absolute path
because the underlying getcwd syscall, starting with linux commit
v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.
This is a conformance issue because "The getcwd() function shall
place an absolute pathname of the current working directory
in the array pointed to by buf, and return buf".
This is also a security issue because a non-absolute path returned
by getcwd(3) causes a buffer underflow in realpath(3).
Fix this by checking the path returned by getcwd syscall and falling
back to generic_getcwd if the path is not absolute, effectively making
getcwd(3) fail with ENOENT. The error code is chosen for consistency
with the case when the current directory is unlinked.
[BZ #22679]
CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
generic_getcwd if the path returned by getcwd syscall is not absolute.
* io/tst-getcwd-abspath.c: New test.
* io/Makefile (tests): Add tst-getcwd-abspath.
(cherry picked from commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94)
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 9 +++++
NEWS | 6 +++
io/Makefile | 2 +-
io/tst-getcwd-abspath.c | 66 ++++++++++++++++++++++++++++++++++++++
sysdeps/unix/sysv/linux/getcwd.c | 8 ++--
5 files changed, 86 insertions(+), 5 deletions(-)
create mode 100644 io/tst-getcwd-abspath.c
There is a reported of a regression which has apparently been caused by this change: https://lists.gluster.org/pipermail/gluster-users/2018-January/033293.html |