current/SOURCES/216-CVE-2017-15670-glob-Fix-one-byte-overflow-BZ-22320.patch

From 1f523e3c6efd673bdd05cbec85ff6ba178ba6e08 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Fri, 20 Oct 2017 18:41:14 +0200
Subject: [PATCH 3/8] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

(cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)
---
 ChangeLog    | 6 ++++++
 NEWS         | 4 ++++
 posix/glob.c | 2 +-
 3 files changed, 11 insertions(+), 1 deletion(-)

#diff --git a/ChangeLog b/ChangeLog
#index 7d47dd8d7d..5229661ab1 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,3 +1,9 @@
#+2017-10-20  Paul Eggert <eggert@cs.ucla.edu>
#+
#+      [BZ #22320]
#+      CVE-2017-15670
#+      * posix/glob.c (__glob): Fix one-byte overflow.
#+
# 2017-09-08  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
# 
#       [BZ #1062]
#diff --git a/NEWS b/NEWS
#index 9a9e487ee6..8c10e88ec5 100644
#--- a/NEWS
#+++ b/NEWS
##@@ -21,6 +21,10 @@ Security related changes:
#   question type which is outside the range of valid question type values.
#   (CVE-2015-5180)
# 
#+* CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
#+  from a one-byte overflow during ~ operator processing (either on the stack
#+  or the heap, depending on the length of the user name).
#+
# The following bugs are resolved with this release:
# 
#   [20790] Fix rpcgen buffer overrun
diff --git a/posix/glob.c b/posix/glob.c
index ea6a240209..026bc063d3 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -883,7 +883,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
                  *p = '\0';
                }
              else
-               *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+               *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
                  = '\0';
              user_name = newp;
            }
-- 
2.15.1
1	From 1f523e3c6efd673bdd05cbec85ff6ba178ba6e08 Mon Sep 17 00:00:00 2001
2	From: Paul Eggert <eggert@cs.ucla.edu>
3	Date: Fri, 20 Oct 2017 18:41:14 +0200
4	Subject: [PATCH 3/8] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]
5
6	(cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)
7	---
8	ChangeLog \| 6 ++++++
9	NEWS \| 4 ++++
10	posix/glob.c \| 2 +-
11	3 files changed, 11 insertions(+), 1 deletion(-)
12
13	#diff --git a/ChangeLog b/ChangeLog
14	#index 7d47dd8d7d..5229661ab1 100644
15	#--- a/ChangeLog
16	#+++ b/ChangeLog
17	#@@ -1,3 +1,9 @@
18	#+2017-10-20 Paul Eggert <eggert@cs.ucla.edu>
19	#+
20	#+ [BZ #22320]
21	#+ CVE-2017-15670
22	#+ * posix/glob.c (__glob): Fix one-byte overflow.
23	#+
24	# 2017-09-08 Adhemerval Zanella <adhemerval.zanella@linaro.org>
25	#
26	# [BZ #1062]
27	#diff --git a/NEWS b/NEWS
28	#index 9a9e487ee6..8c10e88ec5 100644
29	#--- a/NEWS
30	#+++ b/NEWS
31	##@@ -21,6 +21,10 @@ Security related changes:
32	# question type which is outside the range of valid question type values.
33	# (CVE-2015-5180)
34	#
35	#+* CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
36	#+ from a one-byte overflow during ~ operator processing (either on the stack
37	#+ or the heap, depending on the length of the user name).
38	#+
39	# The following bugs are resolved with this release:
40	#
41	# [20790] Fix rpcgen buffer overrun
42	diff --git a/posix/glob.c b/posix/glob.c
43	index ea6a240209..026bc063d3 100644
44	--- a/posix/glob.c
45	+++ b/posix/glob.c
46	@@ -883,7 +883,7 @@ glob (const char pattern, int flags, int (errfunc) (const char *, int),
47	*p = '\0';
48	}
49	else
50	- ((char ) mempcpy (newp, dirname + 1, end_name - dirname))
51	+ ((char ) mempcpy (newp, dirname + 1, end_name - dirname - 1))
52	= '\0';
53	user_name = newp;
54	}
55	--
56	2.15.1