diff options
| author | Carlos O'Donell <carlos@redhat.com> | 2014-11-19 11:44:12 -0500 |
|---|---|---|
| committer | Carlos O'Donell <carlos@redhat.com> | 2014-11-19 14:35:03 -0500 |
| commit | a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c (patch) | |
| tree | 699430f828076d3ae74ecf4b5be5025953cc34f5 /ChangeLog | |
| parent | 130ac68ca25c9aa65e027e3e37337bc048205c69 (diff) | |
| download | glibc-a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c.tar.gz glibc-a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c.tar.xz glibc-a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c.zip | |
CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
The function wordexp() fails to properly handle the WRDE_NOCMD flag when processing arithmetic inputs in the form of "$((... ``))" where "..." can be anything valid. The backticks in the arithmetic epxression are evaluated by in a shell even if WRDE_NOCMD forbade command substitution. This allows an attacker to attempt to pass dangerous commands via constructs of the above form, and bypass the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD in exec_comm(), the only place that can execute a shell. All other checks for WRDE_NOCMD are superfluous and removed. We expand the testsuite and add 3 new regression tests of roughly the same form but with a couple of nested levels. On top of the 3 new tests we add fork validation to the WRDE_NOCMD testing. If any forks are detected during the execution of a wordexp() call with WRDE_NOCMD, the test is marked as failed. This is slightly heuristic since vfork might be used in the future, but it provides a higher level of assurance that no shells were executed as part of command substitution with WRDE_NOCMD in effect. In addition it doesn't require libpthread or libdl, instead we use the public implementation namespace function __register_atfork (already part of the public ABI for libpthread). Tested on x86_64 with no regressions.
Diffstat (limited to 'ChangeLog')
| -rw-r--r-- | ChangeLog | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog index 09e308c9c7..2fa59cfcc0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,25 @@ +2014-11-19 Carlos O'Donell <carlos@redhat.com> + Florian Weimer <fweimer@redhat.com> + Joseph Myers <joseph@codesourcery.com> + Adam Conrad <adconrad@0c3.net> + Andreas Schwab <schwab@suse.de> + Brooks <bmoses@google.com> + + [BZ #17625] + * wordexp-test.c (__dso_handle): Add prototype. + (__register_atfork): Likewise. + (__app_register_atfork): New function. + (registered_forks): New global. + (register_fork): New function. + (test_case): Add 3 new tests for WRDE_CMDSUB. + (main): Call __app_register_atfork. + (testit): If WRDE_NOCMD set registered_forks to zero, run test, and if + fork count is non-zero fail the test. + * posix/wordexp.c (exec_comm): Return WRDE_CMDSUB if WRDE_NOCMD flag + is set. + (parse_dollars): Remove check for WRDE_NOCMD. + (parse_dquote): Likewise. + 2014-11-19 Siddhesh Poyarekar <siddhesh@redhat.com> * Makeconfig (built-modules): List non-library modules to be |