diff options
| author | Paul Eggert <eggert@cs.ucla.edu> | 2017-10-20 18:41:14 +0200 |
|---|---|---|
| committer | Tulio Magno Quites Machado Filho <tuliom@linux.ibm.com> | 2018-04-13 14:30:19 -0300 |
| commit | 42a2c81226c4fd4037aa90cbebf26bafc07b7072 (patch) | |
| tree | fba8522cfe2790c392906b8101db1633b3ad711d | |
| parent | 3790ec0ca5b8cf5d317cd8d43f132ef88c52e824 (diff) | |
| download | glibc-42a2c81226c4fd4037aa90cbebf26bafc07b7072.tar.gz glibc-42a2c81226c4fd4037aa90cbebf26bafc07b7072.tar.xz glibc-42a2c81226c4fd4037aa90cbebf26bafc07b7072.zip | |
CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]
(cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | NEWS | 5 | ||||
| -rw-r--r-- | posix/glob.c | 2 |
3 files changed, 12 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog index 31377d939e..7e06bb0c97 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2017-10-20 Paul Eggert <eggert@cs.ucla.edu> + + [BZ #22320] + CVE-2017-15670 + * posix/glob.c (__glob): Fix one-byte overflow. + 2017-09-08 Adhemerval Zanella <adhemerval.zanella@linaro.org> [BZ #1062] diff --git a/NEWS b/NEWS index db81e9e6b1..d79e8bcaa1 100644 --- a/NEWS +++ b/NEWS @@ -95,6 +95,11 @@ Version 2.22.1 * CVE-2018-6551: The malloc function, when called with an object size near the value of SIZE_MAX, would return a pointer to a buffer which is too small, instead of NULL. + +* CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered + from a one-byte overflow during ~ operator processing (either on the stack + or the heap, depending on the length of the user name). + Version 2.22 diff --git a/posix/glob.c b/posix/glob.c index 25f7b5822a..cd28dc52a2 100644 --- a/posix/glob.c +++ b/posix/glob.c @@ -886,7 +886,7 @@ glob (pattern, flags, errfunc, pglob) *p = '\0'; } else - *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) + *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) = '\0'; user_name = newp; } |