3 files changed, 17 insertions, 9 deletions

diff --git a/ChangeLog b/ChangeLog
index 066b0d2402..3c8fd97fe0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-12-14  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #22607]
+	CVE-2017-1000409
+	* elf/dl-load.c (_dl_init_paths): Compute number of components in
+	the expanded path string.
+
 2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
 	    Dmitry V. Levin  <ldv@altlinux.org>
 
diff --git a/NEWS b/NEWS
index 3a33aeeea1..7b2e078224 100644
--- a/NEWS
+++ b/NEWS
@@ -70,6 +70,12 @@ Version 2.22.1
 * CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
   for AT_SECURE or SUID binaries could be used to load libraries from the
   current directory.
+
+* CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
+  of the number of search path components.  (This is not a security
+  vulnerability per se because no trust boundary is crossed if the fix for
+  CVE-2017-1000366 has been applied, but it is mentioned here only because
+  of the CVE assignment.)  Reported by Qualys.
 
 Version 2.22
 
diff --git a/elf/dl-load.c b/elf/dl-load.c
index d0ac65e650..f22fd0d303 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -792,8 +792,6 @@ _dl_init_paths (const char *llp)
 
   if (llp != NULL && *llp != '\0')
     {
-      size_t nllp;
-      const char *cp = llp;
       char *llp_tmp;
 
 #ifdef SHARED
@@ -816,13 +814,10 @@ _dl_init_paths (const char *llp)
 
       /* Decompose the LD_LIBRARY_PATH contents.  First determine how many
 	 elements it has.  */
-      nllp = 1;
-      while (*cp)
-	{
-	  if (*cp == ':' || *cp == ';')
-	    ++nllp;
-	  ++cp;
-	}
+      size_t nllp = 1;
+      for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
+	if (*cp == ':' || *cp == ';')
+	  ++nllp;
 
       env_path_list.dirs = (struct r_search_path_elem **)
 	malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));