Message ID | aecce8a1-86a1-4ea0-bc7d-bccdbb7e1364@redhat.com
---|---
State | New
Series | glob: Fix one-byte overflow [BZ #22320]
As a side note, my glob refactor to use char_array internally does not fail
with the new test tst-glob-tilde. I still think this refactor is an
improvement for glob and I plan to resend the patch.

On 20/10/2017 09:23, Florian Weimer wrote:
> I plan to commit this once we have the CVE ID from MITRE.
>
> Thanks,
> Florian
On Fri, 20 Oct 2017, Florian Weimer wrote:
> I plan to commit this once we have the CVE ID from MITRE.
Commits should not need to wait for CVEs; the NEWS entry for a security
fix can be updated with the CVE later once available.
* Joseph Myers:

> On Fri, 20 Oct 2017, Florian Weimer wrote:
>
>> I plan to commit this once we have the CVE ID from MITRE.
>
> Commits should not need to wait for CVEs; the NEWS entry for a security
> fix can be updated with the CVE later once available.

Thanks for the reminder. Recent turnaround times from MITRE were amazingly
fast, so I thought I would wait this time. But you are right, I should
commit this now without a CVE ID.
2017-10-20 Paul Eggert <eggert@cs.ucla.edu> [BZ #22320] * posix/glob.c (__glob): Fix one-byte overflow. diff --git a/NEWS b/NEWS index ad680db874..2b6a022b32 100644 --- a/NEWS +++ b/NEWS @@ -72,6 +72,10 @@ Security related changes: vulnerability; only trusted binaries must be examined using the ldd script.) + The glob function, when invoked with GLOB_TILDE, suffered from a one-byte + overflow during ~ operator processing (either on the stack or the heap, + depending on the length of the user name). + The following bugs are resolved with this release: [The release manager will add the list generated by diff --git a/posix/glob.c b/posix/glob.c index 076ab2bd72..15a6c0cf13 100644 --- a/posix/glob.c +++ b/posix/glob.c @@ -790,7 +790,7 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int), *p = '\0'; } else - *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) + *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) = '\0'; user_name = newp; }
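Review bot: the added NEWS paragraph carries neither a CVE reference nor the bug number, so once MITRE assigns the ID it should be appended to this paragraph, and citing [BZ #22320] from the ChangeLog here would let the entry be matched to the bug report; the thread has already agreed that committing before the CVE arrives is fine, so a follow-up NEWS edit is the expected path. The "stack or heap, depending on the length of the user name" wording is worth keeping, since it tells advisory readers that both the alloca and malloc paths were affected.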
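Review bot: the corrected length `end_name - dirname - 1` is the byte count from `dirname + 1` (the first character after the `~`) up to `end_name`, so the `'\0'` stored through the pointer mempcpy returns now lands immediately after the copied name instead of one byte past the end of newp, which is the one-byte overflow in the subject. The allocation of newp is outside this hunk, so confirm it provides `end_name - dirname` bytes (name plus terminator) on both the stack and heap paths named in the NEWS entry, and that the preceding `if` branch ending in `*p = '\0';` sizes its copy the same way; the tst-glob-tilde test mentioned in the thread should exercise a user name on each of the two paths so the fix is covered under both allocators.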