CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

(cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)

diff --git a/ChangeLog b/ChangeLog
index f9ea53f23e4646c57888e0659b68e8d9fda1dcef..44eb9d7d7cb87f01507495eb04e530ebc3bb7d0f 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-10-20  Paul Eggert <eggert@cs.ucla.edu>
+
+       [BZ #22320]
+       CVE-2017-15670
+       * posix/glob.c (__glob): Fix one-byte overflow.
+
 2017-09-08  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 
        [BZ #1062]

diff --git a/NEWS b/NEWS
index 1879b735e685a64c8ef12e6d198b4b9f7f22121b..98aa362444de1189c5f25e77e0dc737cb9b929ab 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -29,6 +29,13 @@ The following bugs are resolved with this release:
   [21778] Robust mutex may deadlock
   [21972] assert macro requires operator== (int) for its argument type
   [22322] libc: [mips64] wrong bits/long-double.h installed
+
+Security related changes:
+
+  CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
+  from a one-byte overflow during ~ operator processing (either on the stack
+  or the heap, depending on the length of the user name).
+
 \f
 Version 2.25
 

diff --git a/posix/glob.c b/posix/glob.c
index a7eccf9cb4538be05d27acff4809e42b53b1ce9d..c761c0861ddb49eab67a173938c2f541d6836673 100644 (file)
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -870,7 +870,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
                  *p = '\0';
                }
              else
-               *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+               *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
                  = '\0';
              user_name = newp;
            }