about summary refs log tree commit diff
path: root/NEWS
diff options
context:
space:
mode:
authorCarlos O'Donell <carlos@redhat.com>2014-11-19 11:44:12 -0500
committerCarlos O'Donell <carlos@redhat.com>2014-11-19 14:35:03 -0500
commita39208bd7fb76c1b01c127b4c61f9bfd915bfe7c (patch)
tree699430f828076d3ae74ecf4b5be5025953cc34f5 /NEWS
parent130ac68ca25c9aa65e027e3e37337bc048205c69 (diff)
downloadglibc-a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c.tar.gz
glibc-a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c.tar.xz
glibc-a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c.zip
CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.

We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.

On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).

Tested on x86_64 with no regressions.
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS8
1 files changed, 7 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index b152488cee..4b7eeb4bc2 100644
--- a/NEWS
+++ b/NEWS
@@ -12,7 +12,13 @@ Version 2.21
   6652, 12926, 14132, 14138, 14171, 15215, 15884, 17266, 17344, 17363,
   17370, 17371, 17411, 17460, 17475, 17485, 17501, 17506, 17508, 17522,
   17555, 17570, 17571, 17572, 17573, 17574, 17582, 17583, 17584, 17585,
-  17589, 17594, 17616.
+  17589, 17594, 17616, 17625.
+
+* CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
+  under certain input conditions resulting in the execution of a shell for
+  command substitution when the applicaiton did not request it. The
+  implementation now checks WRDE_NOCMD immediately before executing the
+  shell and returns the error WRDE_CMDSUB as expected.
 
 * The minimum GCC version that can be used to build this version of the GNU
   C Library is GCC 4.6.  Older GCC versions, and non-GNU compilers, can