author | Carlos O'Donell <carlos@redhat.com> | 2014-11-19 11:44:12 -0500 |
---|---|---|
committer | Adhemerval Zanella <azanella@linux.vnet.ibm.com> | 2015-01-15 15:28:04 -0500 |
commit | 6ff69e1eb81719ee907642f615cef889d5bf8b2c (patch) | |
tree | ca160d9f2e9ce7b6bd09a62f3684e490b8e5d093 /ChangeLog | |
parent | 3ded3d365f0237e92e8af90c878b233f265d7b4a (diff) | |
CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
The function wordexp() fails to properly handle the WRDE_NOCMD flag when processing arithmetic inputs in the form of "$((... ``))" where "..." can be anything valid. The backticks in the arithmetic expression are evaluated in a shell even if WRDE_NOCMD forbade command substitution. This allows an attacker to attempt to pass dangerous commands via constructs of the above form, and bypass the WRDE_NOCMD flag.

This patch fixes this by checking for WRDE_NOCMD in exec_comm(), the only place that can execute a shell. All other checks for WRDE_NOCMD are superfluous and removed.

We expand the testsuite and add 3 new regression tests of roughly the same form but with a couple of nested levels.

On top of the 3 new tests we add fork validation to the WRDE_NOCMD testing. If any forks are detected during the execution of a wordexp() call with WRDE_NOCMD, the test is marked as failed. This is slightly heuristic since vfork might be used in the future, but it provides a higher level of assurance that no shells were executed as part of command substitution with WRDE_NOCMD in effect. In addition it doesn't require libpthread or libdl; instead we use the public implementation namespace function __register_atfork (already part of the public ABI for libpthread).

Tested on x86_64 with no regressions.
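As an added example (not code from this commit or from the glibc test suite), the following C program probes the behaviour the message describes: it calls wordexp() with WRDE_NOCMD on constructed inputs of the "$((... ``))" shape and counts forks with the public pthread_atfork(), which stands in for the __register_atfork hook the real regression test uses. On a glibc carrying this fix the backtick cases come back as WRDE_CMDSUB with zero forks, while plain arithmetic is still expanded in-process.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Forks observed during the last wordexp() call.  pthread_atfork()
   (public API, standing in for the test suite's __register_atfork)
   runs count_fork in the parent just before each fork. */
static int forks_seen;
static void count_fork(void) { forks_seen++; }

/* One probe: wordexp() return code, forks triggered, first word if any. */
struct probe { int rc; int forks; char first[64]; };

/* Expand WORDS with WRDE_NOCMD.  A fixed glibc must reject embedded
   command substitution with WRDE_CMDSUB without forking a shell, while
   plain arithmetic is still expanded in-process. */
struct probe probe_nocmd(const char *words)
{
    static int registered;
    if (!registered) {
        pthread_atfork(count_fork, NULL, NULL);
        registered = 1;
    }
    struct probe p = { 0, 0, "" };
    wordexp_t we;
    forks_seen = 0;
    p.rc = wordexp(words, &we, WRDE_NOCMD);
    p.forks = forks_seen;
    if (p.rc == 0) {
        if (we.we_wordc > 0)
            snprintf(p.first, sizeof p.first, "%s", we.we_wordv[0]);
        wordfree(&we);
    }
    return p;
}

int main(void)
{
    /* Constructed inputs in the "$((... ``))" shape the advisory describes. */
    const char *cases[] = { "$((1 + 2))", "$((1 + `echo 1`))",
                            "$((1 + $((2 + `echo 3`))))" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct probe p = probe_nocmd(cases[i]);
        printf("%-28s rc=%d forks=%d first=\"%s\"\n",
               cases[i], p.rc, p.forks, p.first);
    }
    return 0;
}
```

On glibc older than 2.34, link with -lpthread so that pthread_atfork() resolves.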
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog index e64ffd1c5e..e3f16eacb6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,25 @@ +2014-11-19 Carlos O'Donell <carlos@redhat.com> + Florian Weimer <fweimer@redhat.com> + Joseph Myers <joseph@codesourcery.com> + Adam Conrad <adconrad@0c3.net> + Andreas Schwab <schwab@suse.de> + Brooks <bmoses@google.com> + + [BZ #17625] + * wordexp-test.c (__dso_handle): Add prototype. + (__register_atfork): Likewise. + (__app_register_atfork): New function. + (registered_forks): New global. + (register_fork): New function. + (test_case): Add 3 new tests for WRDE_CMDSUB. + (main): Call __app_register_atfork. + (testit): If WRDE_NOCMD set registered_forks to zero, run test, and if + fork count is non-zero fail the test. + * posix/wordexp.c (exec_comm): Return WRDE_CMDSUB if WRDE_NOCMD flag + is set. + (parse_dollars): Remove check for WRDE_NOCMD. + (parse_dquote): Likewise. + 2014-12-16 Florian Weimer <fweimer@redhat.com> [BZ #17630] |
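Review bot: the first file entry in this hunk names `* wordexp-test.c` with no directory while the second names `* posix/wordexp.c`; the test file sits in posix/ next to wordexp.c, so the entry should read `* posix/wordexp-test.c (__dso_handle): Add prototype.` Two smaller points: the new entry is dated 2014-11-19 but is inserted above the existing 2014-12-16 entry, which breaks the newest-first ordering of the file, and the contributor line `Brooks <bmoses@google.com>` carries only a first name where every other line gives a full name.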