diff options
| author | Florian Weimer <fweimer@redhat.com> | 2017-12-14 15:05:57 +0100 |
|---|---|---|
| committer | Tulio Magno Quites Machado Filho <tuliom@linux.ibm.com> | 2018-04-06 16:23:54 -0300 |
| commit | f87adbcaa47de2109e1c4561a2badf8aa82bc349 (patch) | |
| tree | de1d032ada4eed15f2eb9da6549685eeb958784f | |
| parent | 21c5d14bfb4e08bee86f94fd815535d3be2c3869 (diff) | |
| download | glibc-f87adbcaa47de2109e1c4561a2badf8aa82bc349.tar.gz glibc-f87adbcaa47de2109e1c4561a2badf8aa82bc349.tar.xz glibc-f87adbcaa47de2109e1c4561a2badf8aa82bc349.zip | |
elf: Count components of the expanded path in _dl_init_path [BZ #22607]
(cherry picked from commit 3ff3dfa5af313a6ea33f3393916f30eece4f0171)
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | NEWS | 6 | ||||
| -rw-r--r-- | elf/dl-load.c | 13 |
3 files changed, 17 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog index 066b0d2402..3c8fd97fe0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2017-12-14 Florian Weimer <fweimer@redhat.com> + + [BZ #22607] + CVE-2017-1000409 + * elf/dl-load.c (_dl_init_paths): Compute number of components in + the expanded path string. + 2017-12-30 Aurelien Jarno <aurelien@aurel32.net> Dmitry V. Levin <ldv@altlinux.org> diff --git a/NEWS b/NEWS index 3a33aeeea1..7b2e078224 100644 --- a/NEWS +++ b/NEWS @@ -70,6 +70,12 @@ Version 2.22.1 * CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN for AT_SECURE or SUID binaries could be used to load libraries from the current directory. + +* CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation + of the number of search path components. (This is not a security + vulnerability per se because no trust boundary is crossed if the fix for + CVE-2017-1000366 has been applied, but it is mentioned here only because + of the CVE assignment.) Reported by Qualys. Version 2.22 diff --git a/elf/dl-load.c b/elf/dl-load.c index d0ac65e650..f22fd0d303 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -792,8 +792,6 @@ _dl_init_paths (const char *llp) if (llp != NULL && *llp != '\0') { - size_t nllp; - const char *cp = llp; char *llp_tmp; #ifdef SHARED @@ -816,13 +814,10 @@ _dl_init_paths (const char *llp) /* Decompose the LD_LIBRARY_PATH contents. First determine how many elements it has. */ - nllp = 1; - while (*cp) - { - if (*cp == ':' || *cp == ';') - ++nllp; - ++cp; - } + size_t nllp = 1; + for (const char *cp = llp_tmp; *cp != '\0'; ++cp) + if (*cp == ':' || *cp == ';') + ++nllp; env_path_list.dirs = (struct r_search_path_elem **) malloc ((nllp + 1) * sizeof (struct r_search_path_elem *)); |