This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug glob/19779] glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect NAME_MAX limit assumption (CVE-2016-1234)


https://sourceware.org/bugzilla/show_bug.cgi?id=19779

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.23/master has been updated
       via  c87db3fcbdf890990b44d956621763538c878cd3 (commit)
       via  68302147ee061c69eb447e243ad9a18ef4cfbc4c (commit)
      from  90c0f166e9fd6b2c7685437558cf7e8f8bc6876a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c87db3fcbdf890990b44d956621763538c878cd3

commit c87db3fcbdf890990b44d956621763538c878cd3
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 4 12:09:35 2016 +0200

    CVE-2016-1234: glob: Do not copy d_name field of struct dirent [BZ #19779]

    Instead, we store the data we need from the return value of
    readdir in an object of the new type struct readdir_result.
    This type is independent of the layout of struct dirent.

    (cherry picked from commit 5171f3079f2cc53e0548fc4967361f4d1ce9d7ea)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=68302147ee061c69eb447e243ad9a18ef4cfbc4c

commit 68302147ee061c69eb447e243ad9a18ef4cfbc4c
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Apr 29 09:33:07 2016 +0200

    glob: Simplify the interface for the GLOB_ALTDIRFUNC callback gl_readdir

    Previously, application code had to set up the d_namlen member if
    the target supported it, involving conditional compilation.  After
    this change, glob will use the length of the string in d_name instead
    of d_namlen to determine the file name length.  All glibc targets
    provide the d_type and d_ino members, and setting them as needed for
    gl_readdir is straightforward.

    Changing the behavior with regards to d_ino is left to a future
    cleanup.

    (cherry picked from commit 137fe72eca6923a00381a3ca9f0e7672c1f85e3f)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                             |   36 +++++
 NEWS                                  |    4 +
 manual/examples/mkdirent.c            |   42 ++++++
 manual/pattern.texi                   |   39 +++++-
 posix/bug-glob2.c                     |   16 ++-
 posix/glob.c                          |  243 +++++++++++++++++----------------
 posix/tst-gnuglob.c                   |    2 +-
 sysdeps/unix/sysv/linux/i386/glob64.c |   22 +++
 8 files changed, 282 insertions(+), 122 deletions(-)
 create mode 100644 manual/examples/mkdirent.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.
