This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
On Thu, Dec 14, 2017 at 02:31:25PM +0100, Florian Weimer wrote:
> 2017-12-14  Florian Weimer  <fweimer@redhat.com>
>
>         [BZ #22607]
>         CVE-2017-1000409
>         * elf/dl-load.c (_dl_init_paths): Compute number of components in
>         the expanded path string.
>
> diff --git a/NEWS b/NEWS
> index eef51b65a6..c5607c855f 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -130,6 +130,12 @@ Security related changes:
>    it is mentioned here only because of the CVE assignment.)  Reported by
>    Qualys.
>
> +  CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
> +  of the number of search path components.  (This is not a security
> +  vulnerability per se because no trust boundary is crossed if the fix for
> +  CVE-2017-1000366 has been applied, but it is mentioned here only because
> +  of the CVE assignment.)  Reported by Qualys.
> +
>  The following bugs are resolved with this release:
>
>    [The release manager will add the list generated by
> diff --git a/elf/dl-load.c b/elf/dl-load.c
> index 82c9f46050..540f91f9d6 100644
> --- a/elf/dl-load.c
> +++ b/elf/dl-load.c
> @@ -773,8 +773,6 @@ _dl_init_paths (const char *llp)
>
>    if (llp != NULL && *llp != '\0')
>      {
> -      size_t nllp;
> -      const char *cp = llp;
>        char *llp_tmp;
>
>  #ifdef SHARED
> @@ -797,13 +795,16 @@ _dl_init_paths (const char *llp)
>
>        /* Decompose the LD_LIBRARY_PATH contents.  First determine how many
>           elements it has.  */
> -      nllp = 1;
> -      while (*cp)
> -        {
> -          if (*cp == ':' || *cp == ';')
> -            ++nllp;
> -          ++cp;
> -        }
> +      size_t nllp = 1;
> +      {
> +        const char *cp = llp_tmp;
> +        while (*cp)
> +          {
> +            if (*cp == ':' || *cp == ';')
> +              ++nllp;
> +            ++cp;
> +          }
> +      }

I'd really prefer to see a "for" statement here, e.g.

+      size_t nllp = 1;
+      {
+        const char *cp;
+        for (cp = llp_tmp; *cp; ++cp)
+          {
+            if (*cp == ':' || *cp == ';')
+              ++nllp;
+          }
+      }


-- 
ldv
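Review bot: The NEWS entry for CVE-2017-1000409 does not say which string was miscounted, while the ChangeLog entry does ("Compute number of components in the expanded path string"); consider stating that the component count was taken over the original LD_LIBRARY_PATH value instead of the expanded copy that is actually decomposed, so the entry stands on its own and matches BZ #22607 without the reader having to open the diff.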
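Review bot: The comment above the counting loop in the second elf/dl-load.c hunk ("Decompose the LD_LIBRARY_PATH contents.  First determine how many elements it has.") should now say that the expanded string is what gets counted, because changing cp from llp to llp_tmp is the whole fix: the count has to be taken over the same string that is split afterwards, otherwise the buffer sized from nllp can be too small, which is the overflow the NEWS entry describes. Suggested wording: "/* Decompose the expanded LD_LIBRARY_PATH contents (llp_tmp).  First determine how many elements it has.  */". Worth confirming as well that llp_tmp is assigned on both the SHARED and !SHARED paths before this point: the first hunk declares it without an initializer and the assignment sits outside the quoted context, and reading it here before it is set would be a new bug rather than a fix. On style, the for-loop form proposed in the reply also lets the extra scope block go away if cp is declared in the for header; the patch already places "size_t nllp = 1;" after statements, so "for (const char *cp = llp_tmp; *cp; ++cp)" would be consistent with it.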