CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

(cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)

diff --git a/ChangeLog b/ChangeLog
index d54d5a895d1f4e24eda58a87a16a26d47412b946..e05c7fe433c32aba0db53100dad9ec07def3cfa2 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-10-20  Paul Eggert <eggert@cs.ucla.edu>
+
+       [BZ #22320]
+       CVE-2017-15670
+       * posix/glob.c (__glob): Fix one-byte overflow.
+
 2017-09-08  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 
        [BZ #1062]

diff --git a/NEWS b/NEWS
index ddc950c6cf94599028e1083c96ed8481a7f4d56f..80248fec89de41b034f99f140d7651d05de73ee6 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,11 @@ Security related changes:
   vulnerability; only trusted binaries must be examined using the ldd
   script.)
 
+  CVE-2017-15670: The glob function, when invoked with GLOB_TILDE,
+  suffered from a one-byte overflow during ~ operator processing (either
+  on the stack or the heap, depending on the length of the user name).
+  Reported by Tim Rühsen.
+
 The following bugs are resolved with this release:
 
   [16750] ldd: Never run file directly.

diff --git a/posix/glob.c b/posix/glob.c
index a7eccf9cb4538be05d27acff4809e42b53b1ce9d..c761c0861ddb49eab67a173938c2f541d6836673 100644 (file)
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -870,7 +870,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
                  *p = '\0';
                }
              else
-               *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+               *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
                  = '\0';
              user_name = newp;
            }