This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.



GNU C Library master sources branch master updated. glibc-2.26.9000-613-gc369d66


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  c369d66e5426a30e4725b100d5cd28e372754f90 (commit)
      from  6d43de4b85b11d26a19bebe4f55f31be16e3d419 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c369d66e5426a30e4725b100d5cd28e372754f90

commit c369d66e5426a30e4725b100d5cd28e372754f90
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Fri Oct 20 18:41:14 2017 +0200

    CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

diff --git a/ChangeLog b/ChangeLog
index f0512c5..43f5bfa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-10-20  Paul Eggert <eggert@cs.ucla.edu>
+
+	[BZ #22320]
+	CVE-2017-15670
+	* posix/glob.c (__glob): Fix one-byte overflow.
+
 2017-10-20  Wilco Dijkstra  <wdijkstr@arm.com>
 
 	* malloc/malloc.c (sysdep-cancel.h): Add include.
diff --git a/NEWS b/NEWS
index ad680db..e0e5056 100644
--- a/NEWS
+++ b/NEWS
@@ -72,6 +72,10 @@ Security related changes:
   vulnerability; only trusted binaries must be examined using the ldd
   script.)
 
+  CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
+  from a one-byte overflow during ~ operator processing (either on the stack
+  or the heap, depending on the length of the user name).
+
 The following bugs are resolved with this release:
 
   [The release manager will add the list generated by
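Review bot: The new CVE-2017-15670 paragraph says "one-byte overflow" without stating whether the byte is read or written past the buffer, and it omits the [BZ #22320] reference that the ChangeLog entry carries. Saying explicitly which kind of access it is, and adding the bug number, would let a reader assess exposure from NEWS alone. The wording "depending on the length of the user name" would also be clearer if it said that the buffer for the user name is placed on the stack or the heap according to that length.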
diff --git a/posix/glob.c b/posix/glob.c
index 076ab2b..15a6c0c 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -790,7 +790,7 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 		  *p = '\0';
 		}
 	      else
-		*((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+		*((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
 		  = '\0';
 	      user_name = newp;
 	    }
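Review bot: On the changed mempcpy line the length is now end_name - dirname - 1 while the source is dirname + 1, so the reader has to reconcile two separate offsets to see that the count is correct. Writing it as end_name - (dirname + 1), or computing the name length once into a local and using it for both the size of newp and the copy, would keep the two in step. The allocation of newp is outside the visible context, so it is worth confirming in review that it reserves that length plus one for the '\0' stored through the mempcpy return value. The diffstat lists only ChangeLog, NEWS and posix/glob.c, so no regression test accompanies the fix; a test that runs glob with GLOB_TILDE on a ~user pattern under a memory checker would keep this from regressing.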

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog    |    6 ++++++
 NEWS         |    4 ++++
 posix/glob.c |    2 +-
 3 files changed, 11 insertions(+), 1 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

