| Summary: | getcwd(3) can succeed without returning an absolute path (CVE-2018-1000001) | | |
|---|---|---|---|
| Product: | glibc | Reporter: | Dmitry V. Levin <ldv> |
| Component: | libc | Assignee: | Dmitry V. Levin <ldv> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | drepper.fsp, fweimer, jeremip11 |
| Priority: | P2 | Flags: | ldv: security+ |
| Version: | unspecified | | |
| Target Milestone: | 2.27 | | |
| Host: | | Target: | |
| Build: | | Last reconfirmed: | |
| Bug Depends on: | | | |
| Bug Blocks: | 18203 | | |

Description
Dmitry V. Levin
2018-01-05 22:34:11 UTC
This is also a security issue because a non-absolute path returned by getcwd(3) causes a buffer underflow in realpath(3).

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GNU C Library master sources".

The branch, master has been updated
via 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94 (commit)
from 249a5895f120b13290a372a49bb4b499e749806f (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94

commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94
Author: Dmitry V. Levin <ldv@altlinux.org>
Date: Sun Jan 7 02:03:41 2018 +0000

linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]

Currently getcwd(3) can succeed without returning an absolute path because the underlying getcwd syscall, starting with linux commit v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.

This is a conformance issue because "The getcwd() function shall place an absolute pathname of the current working directory in the array pointed to by buf, and return buf".

This is also a security issue because a non-absolute path returned by getcwd(3) causes a buffer underflow in realpath(3).

Fix this by checking the path returned by getcwd syscall and falling back to generic_getcwd if the path is not absolute, effectively making getcwd(3) fail with ENOENT. The error code is chosen for consistency with the case when the current directory is unlinked.

[BZ #22679]
CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to generic_getcwd if the path returned by getcwd syscall is not absolute.
* io/tst-getcwd-abspath.c: New test.
* io/Makefile (tests): Add tst-getcwd-abspath.

-----------------------------------------------------------------------

Summary of changes:
ChangeLog | 9 +++
NEWS | 4 ++
io/Makefile | 2 +-
.../tst-getcwd-abspath.c | 54 +++++++++++--------
sysdeps/unix/sysv/linux/getcwd.c | 8 ++--
5 files changed, 49 insertions(+), 28 deletions(-)
copy iconv/tst-gconv-init-failure.c => io/tst-getcwd-abspath.c (50%)

Fixed in 2.27.

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GNU C Library master sources".

The branch, release/2.26/master has been updated
via fabef2edbc29424a8048bdd60eba1a201f95682b (commit)
from 7d2672a47b24c6991ddbcc7b65a5086caed4596a (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fabef2edbc29424a8048bdd60eba1a201f95682b

commit fabef2edbc29424a8048bdd60eba1a201f95682b
Author: Dmitry V. Levin <ldv@altlinux.org>
Date: Sun Jan 7 02:03:41 2018 +0000

linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]

Currently getcwd(3) can succeed without returning an absolute path because the underlying getcwd syscall, starting with linux commit v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.

This is a conformance issue because "The getcwd() function shall place an absolute pathname of the current working directory in the array pointed to by buf, and return buf".

This is also a security issue because a non-absolute path returned by getcwd(3) causes a buffer underflow in realpath(3).

Fix this by checking the path returned by getcwd syscall and falling back to generic_getcwd if the path is not absolute, effectively making getcwd(3) fail with ENOENT. The error code is chosen for consistency with the case when the current directory is unlinked.

[BZ #22679]
CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to generic_getcwd if the path returned by getcwd syscall is not absolute.
* io/tst-getcwd-abspath.c: New test.
* io/Makefile (tests): Add tst-getcwd-abspath.

(cherry picked from commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94)

-----------------------------------------------------------------------

Summary of changes:
ChangeLog | 9 +++++
NEWS | 6 +++
io/Makefile | 2 +-
io/tst-getcwd-abspath.c | 66 ++++++++++++++++++++++++++++++++++++++
sysdeps/unix/sysv/linux/getcwd.c | 8 ++--
5 files changed, 86 insertions(+), 5 deletions(-)
create mode 100644 io/tst-getcwd-abspath.c

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GNU C Library master sources".

The branch, release/2.25/master has been updated
via 771c846a71d9ee14aa3b91fd184026482da585d9 (commit)
from 2ee370613ce1c72fbaad08dcda323a3b122c82df (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=771c846a71d9ee14aa3b91fd184026482da585d9

commit 771c846a71d9ee14aa3b91fd184026482da585d9
Author: Dmitry V. Levin <ldv@altlinux.org>
Date: Sun Jan 7 02:03:41 2018 +0000

linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]

Currently getcwd(3) can succeed without returning an absolute path because the underlying getcwd syscall, starting with linux commit v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.

This is a conformance issue because "The getcwd() function shall place an absolute pathname of the current working directory in the array pointed to by buf, and return buf".

This is also a security issue because a non-absolute path returned by getcwd(3) causes a buffer underflow in realpath(3).

Fix this by checking the path returned by getcwd syscall and falling back to generic_getcwd if the path is not absolute, effectively making getcwd(3) fail with ENOENT. The error code is chosen for consistency with the case when the current directory is unlinked.

[BZ #22679]
CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to generic_getcwd if the path returned by getcwd syscall is not absolute.
* io/tst-getcwd-abspath.c: New test.
* io/Makefile (tests): Add tst-getcwd-abspath.

(cherry picked from commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94)

-----------------------------------------------------------------------

Summary of changes:
ChangeLog | 9 +++++
NEWS | 6 +++
io/Makefile | 2 +-
io/tst-getcwd-abspath.c | 66 ++++++++++++++++++++++++++++++++++++++
sysdeps/unix/sysv/linux/getcwd.c | 8 ++--
5 files changed, 86 insertions(+), 5 deletions(-)
create mode 100644 io/tst-getcwd-abspath.c

There is a report of a regression which has apparently been caused by this change: https://lists.gluster.org/pipermail/gluster-users/2018-January/033293.html
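
An added example, not part of this bug report and not glibc source: a simplified C model of why a getcwd(3) result without a leading '/' is unsafe for code that resolves ".." by walking back to the previous '/', next to a caller-side form of the check the fix introduces. The function names are hypothetical; "(unreachable)" is the prefix documented in getcwd(2) for a working directory outside the process's root, and the sample strings are constructed.

```c
/* Added example: simplified model, not glibc source; sample strings are constructed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Caller-side form of the check the fix adds: accept a getcwd() result
   only if it is absolute; ENOENT is the errno named in the commit. */
char *getcwd_checked(char *buf, size_t size)
{
    char *p = getcwd(buf, size);
    if (p != NULL && p[0] != '/') {
        errno = ENOENT;
        return NULL;
    }
    return p;
}

/* Model of resolving one ".." against a resolved prefix of length len
   (no trailing slash): walk back to the '/' before the last component.
   Returns the new length, or -1 when the buffer holds no such '/'. */
long strip_last_component(const char *prefix, size_t len)
{
    if (len == 1 && prefix[0] == '/')
        return 1;                       /* ".." at the root stays there */
    while (len > 0 && prefix[len - 1] != '/')
        len--;
    if (len == 0)
        return -1;                      /* no leading '/' to stop at */
    return len > 1 ? (long)len - 1 : 1;
}

/* Apply n ".." steps; returns the final length or -1 as above. */
long strip_components(const char *prefix, int n)
{
    long len = (long)strlen(prefix);
    while (n-- > 0 && len > 0)
        len = strip_last_component(prefix, (size_t)len);
    return len;
}

int main(void)
{
    char buf[4096];
    printf("%ld\n", strip_components("/home/user", 3));
    printf("%ld\n", strip_components("(unreachable)/tmp", 2));
    printf("%s\n", getcwd_checked(buf, sizeof buf) ? buf : "rejected");
    return 0;
}
```

With an absolute prefix the backward walk always stops at index 0; the -1 result marks the case where an unbounded walk would have no '/' to stop at inside the buffer.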