


GNU C Library master sources branch release/2.26/master updated. glibc-2.26-105-g0890d53


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.26/master has been updated
       via  0890d5379cac9b7e2a5f09c3647ebad235c1442d (commit)
       via  a9f35ac127e2244185d0a80ed91fa629f9d19dcf (commit)
       via  f1cf98b583787cfb6278baea46e286a0ee7567fd (commit)
       via  6f9f307b5db6b2eeb7b92f2a75e5ab3e749c3d56 (commit)
      from  f312f235d535fac5c3ff2b0aa7cacb1958aa4529 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0890d5379cac9b7e2a5f09c3647ebad235c1442d

commit 0890d5379cac9b7e2a5f09c3647ebad235c1442d
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Fri Dec 1 21:53:51 2017 +0100

    Update NEWS to add CVE-2017-15804 entry
    
    (cherry picked from commit 15e84c63c05e0652047ba5e738c54d79d62ba74b)

diff --git a/NEWS b/NEWS
index 7d3a326..61bffe0 100644
--- a/NEWS
+++ b/NEWS
@@ -35,8 +35,8 @@ Security related changes:
   processing, leading to a memory leak and, potentially, to a denial
   of service.
 
-  The glob function, when invoked with GLOB_TILDE and without
-  GLOB_NOESCAPE, could write past the end of a buffer while
+  CVE-2017-15804: The glob function, when invoked with GLOB_TILDE and
+  without GLOB_NOESCAPE, could write past the end of a buffer while
   unescaping user names.  Reported by Tim Rühsen.
 
 The following bugs are resolved with this release:

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a9f35ac127e2244185d0a80ed91fa629f9d19dcf

commit a9f35ac127e2244185d0a80ed91fa629f9d19dcf
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Nov 2 11:06:45 2017 +0100

    posix/tst-glob-tilde.c: Add test for bug 22332
    
    (cherry picked from commit 2fac6a6cd50c22ac28c97d0864306594807ade3e)

diff --git a/ChangeLog b/ChangeLog
index 0ab0878..fab886a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-11-02  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #22332]
+	* posix/tst-glob-tilde.c (do_noescape): New variable.
+	(one_test): Process it.
+	(do_test): Set do_noescape.  Add unescaping test case.
+
 2017-10-22  Paul Eggert <eggert@cs.ucla.edu>
 
 	[BZ #22332]
diff --git a/posix/tst-glob-tilde.c b/posix/tst-glob-tilde.c
index 9518b4a..6886f43 100644
--- a/posix/tst-glob-tilde.c
+++ b/posix/tst-glob-tilde.c
@@ -1,4 +1,4 @@
-/* Check for GLOB_TIDLE heap allocation issues (bug 22320, bug 22325).
+/* Check for GLOB_TIDLE heap allocation issues (bugs 22320, 22325, 22332).
    Copyright (C) 2017 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
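Review bot: The rewritten header comment still misspells the flag as GLOB_TIDLE; since the line is being touched anyway, it should read `/* Check for GLOB_TILDE heap allocation issues (bugs 22320, 22325, 22332).`. The flag is spelled GLOB_TILDE in the NEWS and ChangeLog entries of this same push, so the comment is the odd one out.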
@@ -34,6 +34,9 @@ static int do_nocheck;
 /* Flag which indicates whether to pass the GLOB_MARK flag.  */
 static int do_mark;
 
+/* Flag which indicates whether to pass the GLOB_NOESCAPE flag.  */
+static int do_noescape;
+
 static void
 one_test (const char *prefix, const char *middle, const char *suffix)
 {
@@ -45,6 +48,8 @@ one_test (const char *prefix, const char *middle, const char *suffix)
     flags |= GLOB_NOCHECK;
   if (do_mark)
     flags |= GLOB_MARK;
+  if (do_noescape)
+    flags |= GLOB_NOESCAPE;
   glob_t gl;
   /* This glob call might result in crashes or memory leaks.  */
   if (glob (pattern, flags, NULL, &gl) == 0)
@@ -105,28 +110,30 @@ do_test (void)
   for (do_onlydir = 0; do_onlydir < 2; ++do_onlydir)
     for (do_nocheck = 0; do_nocheck < 2; ++do_nocheck)
       for (do_mark = 0; do_mark < 2; ++do_mark)
-        for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
-          {
-            for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
-                 ++size_skew)
-              {
-                int size = base_sizes[base_idx] + size_skew;
-                if (size < 0)
-                  continue;
-
-                const char *user_name = repeating_string (size);
-                one_test ("~", user_name, "/a/b");
-              }
-
-            const char *user_name = repeating_string (base_sizes[base_idx]);
-            one_test ("~", user_name, "");
-            one_test ("~", user_name, "/");
-            one_test ("~", user_name, "/a");
-            one_test ("~", user_name, "/*/*");
-            one_test ("~", user_name, "\\/");
-            one_test ("/~", user_name, "");
-            one_test ("*/~", user_name, "/a/b");
-          }
+	for (do_noescape = 0; do_noescape < 2; ++do_noescape)
+	  for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
+	    {
+	      for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
+		   ++size_skew)
+		{
+		  int size = base_sizes[base_idx] + size_skew;
+		  if (size < 0)
+		    continue;
+
+		  const char *user_name = repeating_string (size);
+		  one_test ("~", user_name, "/a/b");
+		  one_test ("~", user_name, "x\\x\\x////x\\a");
+		}
+
+	      const char *user_name = repeating_string (base_sizes[base_idx]);
+	      one_test ("~", user_name, "");
+	      one_test ("~", user_name, "/");
+	      one_test ("~", user_name, "/a");
+	      one_test ("~", user_name, "/*/*");
+	      one_test ("~", user_name, "\\/");
+	      one_test ("/~", user_name, "");
+	      one_test ("*/~", user_name, "/a/b");
+	    }
 
   free (repeat);
 
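Review bot: None of the suffixes handed to one_test ends in a bare backslash, so the `q + 1 == end_name` branch in glob.c for a pattern of the form `~foo\` (where end_name is the terminating NUL rather than a '/') is not exercised by the new loop; the existing `"\\/"` suffix only covers the `~fo\o\/` form described in the glob.c comment. Adding `one_test ("~", user_name, "\\");` next to the `"\\/"` case would cover it under both do_noescape settings at no cost. The new `"x\\x\\x////x\\a"` case does place backslashes after the user name, which is the overrun BZ #22332 is about, so that part looks right. do_test begins before and ends after this hunk.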

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f1cf98b583787cfb6278baea46e286a0ee7567fd

commit f1cf98b583787cfb6278baea46e286a0ee7567fd
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Sun Oct 22 10:00:57 2017 +0200

    glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]
    
    (cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)

diff --git a/ChangeLog b/ChangeLog
index 1793816..0ab0878 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-10-22  Paul Eggert <eggert@cs.ucla.edu>
+
+	[BZ #22332]
+	* posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
+	unescaping.
+
 2017-10-23  Wilco Dijkstra  <wdijkstr@arm.com>
 
 	* malloc/malloc.c (_int_malloc): Add SINGLE_THREAD_P path.
diff --git a/NEWS b/NEWS
index 037b28c..7d3a326 100644
--- a/NEWS
+++ b/NEWS
@@ -35,6 +35,10 @@ Security related changes:
   processing, leading to a memory leak and, potentially, to a denial
   of service.
 
+  The glob function, when invoked with GLOB_TILDE and without
+  GLOB_NOESCAPE, could write past the end of a buffer while
+  unescaping user names.  Reported by Tim Rühsen.
+
 The following bugs are resolved with this release:
 
   [16750] ldd: Never run file directly.
diff --git a/posix/glob.c b/posix/glob.c
index c761c08..b2273ea 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -850,11 +850,11 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 		  char *p = mempcpy (newp, dirname + 1,
 				     unescape - dirname - 1);
 		  char *q = unescape;
-		  while (*q != '\0')
+		  while (q != end_name)
 		    {
 		      if (*q == '\\')
 			{
-			  if (q[1] == '\0')
+			  if (q + 1 == end_name)
 			    {
 			      /* "~fo\\o\\" unescape to user_name "foo\\",
 				 but "~fo\\o\\/" unescape to user_name
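Review bot: The loop now uses `end_name` as its bound instead of the NUL terminator, but nothing near the loop says why, and the allocation of `newp` that makes this bound correct is outside the hunk; a comment above `while (q != end_name)` such as `/* Stop at end_name rather than at NUL: newp is sized for the user name only, and a '\\' after the '/' must not be unescaped into it (BZ #22332).  */` would keep a future cleanup from reinstating the NUL check. It also seems worth confirming, outside this hunk, that `newp` is allocated from `end_name - dirname` and that `*p` is NUL-terminated after the loop, since `end_name` can presumably now point at a '/' rather than the end of the string — that is inferred from the commit message, not from visible lines. The enclosing glob function starts and ends outside the hunk.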

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6f9f307b5db6b2eeb7b92f2a75e5ab3e749c3d56

commit 6f9f307b5db6b2eeb7b92f2a75e5ab3e749c3d56
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sun Oct 22 09:29:52 2017 +0200

    Update NEWS and ChangeLog for CVE-2017-15671
    
    (cherry picked from commit 914c9994d27b80bc3b71c483e801a4f04e269ba6)

diff --git a/NEWS b/NEWS
index 359465f..037b28c 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,11 @@ Security related changes:
   on the stack or the heap, depending on the length of the user name).
   Reported by Tim Rühsen.
 
+  CVE-2017-15671: The glob function, when invoked with GLOB_TILDE,
+  would sometimes fail to free memory allocated during ~ operator
+  processing, leading to a memory leak and, potentially, to a denial
+  of service.
+
 The following bugs are resolved with this release:
 
   [16750] ldd: Never run file directly.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog              |   13 +++++++++++
 NEWS                   |    9 ++++++++
 posix/glob.c           |    4 +-
 posix/tst-glob-tilde.c |   53 +++++++++++++++++++++++++++--------------------
 4 files changed, 54 insertions(+), 25 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

