Bug 17625 (CVE-2014-7817) - wordexp fails to honour WRDE_NOCMD (CVE-2014-7817)
Summary: wordexp fails to honour WRDE_NOCMD (CVE-2014-7817)
Alias: CVE-2014-7817
Product: glibc
Classification: Unclassified
Component: libc (show other bugs)
Version: 2.21
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2014-11-19 15:59 UTC by Carlos O'Donell
Modified: 2014-12-15 18:44 UTC (History)
2 users (show)

See Also:
Last reconfirmed:
fweimer: security+


Note You need to log in before you can comment on or make changes to this bug.
Description Carlos O'Donell 2014-11-19 15:59:31 UTC
Placeholder bug for CVE-2014-7817.
Comment 1 Carlos O'Donell 2014-11-19 20:03:43 UTC
* CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
  under certain input conditions resulting in the execution of a shell for
  command substitution when the applicaiton did not request it. The
  implementation now checks WRDE_NOCMD immediately before executing the
  shell and returns the error WRDE_CMDSUB as expected.
Comment 2 Carlos O'Donell 2014-11-19 20:04:13 UTC
Fixed on trunk.
Comment 3 Carlos O'Donell 2014-11-20 15:56:11 UTC
commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c
Author: Carlos O'Donell <carlos@redhat.com>
Date:   Wed Nov 19 11:44:12 2014 -0500

    CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
    The function wordexp() fails to properly handle the WRDE_NOCMD
    flag when processing arithmetic inputs in the form of "$((... ``))"
    where "..." can be anything valid. The backticks in the arithmetic
    epxression are evaluated by in a shell even if WRDE_NOCMD forbade
    command substitution. This allows an attacker to attempt to pass
    dangerous commands via constructs of the above form, and bypass
    the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
    in exec_comm(), the only place that can execute a shell. All other
    checks for WRDE_NOCMD are superfluous and removed.
    We expand the testsuite and add 3 new regression tests of roughly
    the same form but with a couple of nested levels.
    On top of the 3 new tests we add fork validation to the WRDE_NOCMD
    testing. If any forks are detected during the execution of a wordexp()
    call with WRDE_NOCMD, the test is marked as failed. This is slightly
    heuristic since vfork might be used in the future, but it provides a
    higher level of assurance that no shells were executed as part of
    command substitution with WRDE_NOCMD in effect. In addition it doesn't
    require libpthread or libdl, instead we use the public implementation
    namespace function __register_atfork (already part of the public ABI
    for libpthread).
    Tested on x86_64 with no regressions.