[COMMITTED 2.25 3/8] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]
Aurelien Jarno
aurelien@aurel32.net
Sun Jan 1 00:00:00 GMT 2017
From: Paul Eggert <eggert@cs.ucla.edu>
(cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)
---
ChangeLog | 6 ++++++
NEWS | 7 +++++++
posix/glob.c | 2 +-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index f9ea53f23e..44eb9d7d7c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-10-20 Paul Eggert <eggert@cs.ucla.edu>
+
+ [BZ #22320]
+ CVE-2017-15670
+ * posix/glob.c (__glob): Fix one-byte overflow.
+
2017-09-08 Adhemerval Zanella <adhemerval.zanella@linaro.org>
[BZ #1062]
diff --git a/NEWS b/NEWS
index 1879b735e6..98aa362444 100644
--- a/NEWS
+++ b/NEWS
@@ -29,6 +29,13 @@ The following bugs are resolved with this release:
[21778] Robust mutex may deadlock
[21972] assert macro requires operator== (int) for its argument type
[22322] libc: [mips64] wrong bits/long-double.h installed
+
+Security related changes:
+
+ CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
+ from a one-byte overflow during ~ operator processing (either on the stack
+ or the heap, depending on the length of the user name).
+
Version 2.25
diff --git a/posix/glob.c b/posix/glob.c
index a7eccf9cb4..c761c0861d 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -870,7 +870,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
*p = '\0';
}
else
- *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
= '\0';
user_name = newp;
}
--
2.15.0
More information about the Libc-stable
mailing list