CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

diff --git a/ChangeLog b/ChangeLog
index f0512c524d206b93e5c3083d885f41d432f704cb..43f5bfa5d209e40c55299a4404eae78e10335a53 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-10-20  Paul Eggert <eggert@cs.ucla.edu>
+
+       [BZ #22320]
+       CVE-2017-15670
+       * posix/glob.c (__glob): Fix one-byte overflow.
+
 2017-10-20  Wilco Dijkstra  <wdijkstr@arm.com>
 
        * malloc/malloc.c (sysdep-cancel.h): Add include.

diff --git a/NEWS b/NEWS
index ad680db874c5b6c07e1f74dbf755ffe3a042d77b..e0e505690bf8f02b4dea98556310972f98045abf 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -72,6 +72,10 @@ Security related changes:
   vulnerability; only trusted binaries must be examined using the ldd
   script.)
 
+  CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
+  from a one-byte overflow during ~ operator processing (either on the stack
+  or the heap, depending on the length of the user name).
+
 The following bugs are resolved with this release:
 
   [The release manager will add the list generated by

diff --git a/posix/glob.c b/posix/glob.c
index 076ab2bd7257dd2b6ffe40259925ff08a755578a..15a6c0cf13bdccb7972183884f87c5d4be2a2f1b 100644 (file)
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -790,7 +790,7 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
                  *p = '\0';
                }
              else
-               *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+               *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
                  = '\0';
              user_name = newp;
            }