From: Florian Weimer <fweimer@redhat.com>
Date: Thu, 14 Dec 2017 14:05:57 +0000 (+0100)
Subject: elf: Count components of the expanded path in _dl_init_path [BZ #22607]
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f87adbcaa47de2109e1c4561a2badf8aa82bc349;p=thirdparty%2Fglibc.git

elf: Count components of the expanded path in _dl_init_path [BZ #22607]

(cherry picked from commit 3ff3dfa5af313a6ea33f3393916f30eece4f0171)
---

diff --git a/ChangeLog b/ChangeLog
index 066b0d24029..3c8fd97fe0d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-12-14  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #22607]
+	CVE-2017-1000409
+	* elf/dl-load.c (_dl_init_paths): Compute number of components in
+	the expanded path string.
+
 2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
 	    Dmitry V. Levin  <ldv@altlinux.org>
 
diff --git a/NEWS b/NEWS
index 3a33aeeea12..7b2e078224d 100644
--- a/NEWS
+++ b/NEWS
@@ -70,6 +70,12 @@ Version 2.22.1
 * CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
   for AT_SECURE or SUID binaries could be used to load libraries from the
   current directory.
+
+* CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
+  of the number of search path components.  (This is not a security
+  vulnerability per se because no trust boundary is crossed if the fix for
+  CVE-2017-1000366 has been applied, but it is mentioned here only because
+  of the CVE assignment.)  Reported by Qualys.
 
 Version 2.22
 
diff --git a/elf/dl-load.c b/elf/dl-load.c
index d0ac65e6502..f22fd0d303c 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -792,8 +792,6 @@ _dl_init_paths (const char *llp)
 
   if (llp != NULL && *llp != '\0')
     {
-      size_t nllp;
-      const char *cp = llp;
       char *llp_tmp;
 
 #ifdef SHARED
@@ -816,13 +814,10 @@ _dl_init_paths (const char *llp)
 
       /* Decompose the LD_LIBRARY_PATH contents.  First determine how many
 	 elements it has.  */
-      nllp = 1;
-      while (*cp)
-	{
-	  if (*cp == ':' || *cp == ';')
-	    ++nllp;
-	  ++cp;
-	}
+      size_t nllp = 1;
+      for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
+	if (*cp == ':' || *cp == ';')
+	  ++nllp;
 
       env_path_list.dirs = (struct r_search_path_elem **)
 	malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));