authorPaul Eggert <eggert@cs.ucla.edu>2017-10-20 18:41:14 +0200
committerAurelien Jarno <aurelien@aurel32.net>2017-12-02 22:50:14 +0100
commit1f523e3c6efd673bdd05cbec85ff6ba178ba6e08 (patch)
tree630f22f273efd7216a2129b142b452a68c1b1574
parent832e2ec56701f85b892b782b8b749bc5a33899fb (diff)
downloadglibc-1f523e3c6efd673bdd05cbec85ff6ba178ba6e08.tar.gz
glibc-1f523e3c6efd673bdd05cbec85ff6ba178ba6e08.tar.xz
glibc-1f523e3c6efd673bdd05cbec85ff6ba178ba6e08.zip
CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]
(cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)
-rw-r--r--ChangeLog6
-rw-r--r--NEWS4
-rw-r--r--posix/glob.c2
3 files changed, 11 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 7d47dd8d7d..5229661ab1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-10-20  Paul Eggert <eggert@cs.ucla.edu>
+
+	[BZ #22320]
+	CVE-2017-15670
+	* posix/glob.c (__glob): Fix one-byte overflow.
+
 2017-09-08  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 
 	[BZ #1062]
diff --git a/NEWS b/NEWS
index 9a9e487ee6..8c10e88ec5 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,10 @@ Security related changes:
   question type which is outside the range of valid question type values.
   (CVE-2015-5180)
 
+* CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
+  from a one-byte overflow during ~ operator processing (either on the stack
+  or the heap, depending on the length of the user name).
+
 The following bugs are resolved with this release:
 
   [20790] Fix rpcgen buffer overrun
diff --git a/posix/glob.c b/posix/glob.c
index ea6a240209..026bc063d3 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -883,7 +883,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 		  *p = '\0';
 		}
 	      else
-		*((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+		*((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
 		  = '\0';
 	      user_name = newp;
 	    }
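Review bot: The corrected length `end_name - dirname - 1` now matches the `dirname + 1` source offset on the same line, but nothing at the copy site says so, and the size that `newp` was allocated with — which this length must agree with — is computed outside the hunk (glob's body begins and ends outside it). A comment on the mempcpy line would make the invariant checkable locally, e.g. `/* Copy the user name after '~': bytes [dirname + 1, end_name), i.e. end_name - dirname - 1 of them, the same count newp was sized for.  */` — the last clause is an assumption to confirm against the allocation, which is not visible here. Deriving both the allocation size and the copy length from a single `size_t` local would keep the two from drifting apart again. The diffstat lists only ChangeLog, NEWS and posix/glob.c, so no regression test accompanies the fix; a test with a GLOB_TILDE pattern whose user name fills the buffer exactly would pin the boundary.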