From 717743bb07471f95bef6ea63d9b12848ad91aaf6 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Fri, 20 Oct 2017 18:41:14 +0200 Subject: [PATCH] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320] (cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90) --- ChangeLog | 6 ++++++ NEWS | 7 +++++++ posix/glob.c | 2 +- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index f9ea53f23e4..44eb9d7d7cb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2017-10-20 Paul Eggert + + [BZ #22320] + CVE-2017-15670 + * posix/glob.c (__glob): Fix one-byte overflow. + 2017-09-08 Adhemerval Zanella [BZ #1062] diff --git a/NEWS b/NEWS index 1879b735e68..98aa362444d 100644 --- a/NEWS +++ b/NEWS @@ -29,6 +29,13 @@ The following bugs are resolved with this release: [21778] Robust mutex may deadlock [21972] assert macro requires operator== (int) for its argument type [22322] libc: [mips64] wrong bits/long-double.h installed + +Security related changes: + + CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered + from a one-byte overflow during ~ operator processing (either on the stack + or the heap, depending on the length of the user name). + Version 2.25 diff --git a/posix/glob.c b/posix/glob.c index a7eccf9cb45..c761c0861dd 100644 --- a/posix/glob.c +++ b/posix/glob.c @@ -870,7 +870,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int), *p = '\0'; } else - *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) + *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) = '\0'; user_name = newp; } -- 2.47.2