From 1f523e3c6efd673bdd05cbec85ff6ba178ba6e08 Mon Sep 17 00:00:00 2001 |
From: Paul Eggert <eggert@cs.ucla.edu> |
Date: Fri, 20 Oct 2017 18:41:14 +0200 |
Subject: [PATCH 3/8] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320] |
|
(cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90) |
--- |
ChangeLog | 6 ++++++ |
NEWS | 4 ++++ |
posix/glob.c | 2 +- |
3 files changed, 11 insertions(+), 1 deletion(-) |
|
13 |
#diff --git a/ChangeLog b/ChangeLog |
14 |
#index 7d47dd8d7d..5229661ab1 100644 |
15 |
#--- a/ChangeLog |
16 |
#+++ b/ChangeLog |
17 |
#@@ -1,3 +1,9 @@ |
18 |
#+2017-10-20 Paul Eggert <eggert@cs.ucla.edu> |
19 |
#+ |
20 |
#+ [BZ #22320] |
21 |
#+ CVE-2017-15670 |
22 |
#+ * posix/glob.c (__glob): Fix one-byte overflow. |
23 |
#+ |
24 |
# 2017-09-08 Adhemerval Zanella <adhemerval.zanella@linaro.org> |
25 |
# |
26 |
# [BZ #1062] |
27 |
#diff --git a/NEWS b/NEWS |
28 |
#index 9a9e487ee6..8c10e88ec5 100644 |
29 |
#--- a/NEWS |
30 |
#+++ b/NEWS |
31 |
##@@ -21,6 +21,10 @@ Security related changes: |
32 |
# question type which is outside the range of valid question type values. |
33 |
# (CVE-2015-5180) |
34 |
# |
35 |
#+* CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered |
36 |
#+ from a one-byte overflow during ~ operator processing (either on the stack |
37 |
#+ or the heap, depending on the length of the user name). |
38 |
#+ |
39 |
# The following bugs are resolved with this release: |
40 |
# |
41 |
# [20790] Fix rpcgen buffer overrun |
42 |
diff --git a/posix/glob.c b/posix/glob.c |
43 |
index ea6a240209..026bc063d3 100644 |
44 |
--- a/posix/glob.c |
45 |
+++ b/posix/glob.c |
46 |
@@ -883,7 +883,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int), |
47 |
*p = '\0'; |
48 |
} |
49 |
else |
50 |
- *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) |
51 |
+ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) |
52 |
= '\0'; |
53 |
user_name = newp; |
54 |
} |
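Review bot: The corrected length in the `else` branch, `end_name - dirname - 1`, can only be checked against the size of `newp`, which is allocated outside this hunk (glob's body starts and ends outside it), so the invariant deserves a comment at the copy, e.g. `/* Copy the name after '~'; newp must hold end_name - dirname bytes including the NUL.  */`. The branch just above, visible here only as its closing `*p = '\0';`, writes through `p` into what appears to be the same buffer; its body is not shown and should be checked against the same bound. The diffstat lists only ChangeLog, NEWS and posix/glob.c, so no regression test accompanies the fix. A test that calls glob with GLOB_TILDE on a pattern exercising ~ user-name processing, run under a memory checker, would pin the boundary.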
-- |
2.15.1 |