From patchwork Fri Oct 20 11:23:11 2017
X-Patchwork-Submitter: Florian Weimer
X-Patchwork-Id: 828557
To: GNU C Library
From: Florian Weimer
Subject: [PATCH] glob: Fix one-byte overflow [BZ #22320]
Date: Fri, 20 Oct 2017 13:23:11 +0200

I plan to commit this once we have the CVE ID from MITRE.

Thanks,
Florian

2017-10-20  Paul Eggert

	[BZ #22320]
	* posix/glob.c (__glob): Fix one-byte overflow.

diff --git a/NEWS b/NEWS index ad680db874..2b6a022b32 100644 --- a/NEWS +++ b/NEWS @@ -72,6 +72,10 @@ Security related changes: vulnerability; only trusted binaries must be examined using the ldd script.) + The glob function, when invoked with GLOB_TILDE, suffered from a one-byte + overflow during ~ operator processing (either on the stack or the heap, + depending on the length of the user name). + The following bugs are resolved with this release: [The release manager will add the list generated by diff --git a/posix/glob.c b/posix/glob.c index 076ab2bd72..15a6c0cf13 100644 --- a/posix/glob.c +++ b/posix/glob.c 
@@ -790,7 +790,7 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int), *p = '\0'; } else - *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) + *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) = '\0'; user_name = newp; }
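
Review bot: The new NEWS paragraph under "Security related changes" names neither the bug (BZ #22320) nor a CVE identifier, so a reader cannot match the entry to an advisory or to the ChangeLog line. The cover message says the commit waits for the CVE ID from MITRE; add that ID and the bug number to this paragraph in the same commit rather than in a follow-up.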
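
Review bot: In the else branch of the posix/glob.c hunk, the new length end_name - dirname - 1 agrees with the source pointer dirname + 1, but the hunk does not show how newp was sized, so the fix cannot be verified from these lines alone. Please confirm that the allocation still leaves room for the '\0' stored at the pointer mempcpy returns. The cast-and-store form hides the arithmetic; a named length such as end_name - (dirname + 1), used for both the allocation and the copy, would keep the two from drifting apart again. The patch touches only NEWS and posix/glob.c, so a regression test that calls glob with GLOB_TILDE on ~user patterns with short and long user names (the NEWS text says stack or heap depending on the length) should accompany it.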