aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Eggert <eggert@cs.ucla.edu>2017-10-20 18:41:14 +0200
committerAurelien Jarno <aurelien@aurel32.net>2017-12-02 22:50:14 +0100
commit1f523e3c6efd673bdd05cbec85ff6ba178ba6e08 (patch)
tree630f22f273efd7216a2129b142b452a68c1b1574
parent832e2ec56701f85b892b782b8b749bc5a33899fb (diff)
downloadglibc-1f523e3c6efd673bdd05cbec85ff6ba178ba6e08.tar
glibc-1f523e3c6efd673bdd05cbec85ff6ba178ba6e08.tar.gz
glibc-1f523e3c6efd673bdd05cbec85ff6ba178ba6e08.tar.bz2
glibc-1f523e3c6efd673bdd05cbec85ff6ba178ba6e08.zip
CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]
(cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)
Diffstat
-rw-r--r--ChangeLog6
-rw-r--r--NEWS4
-rw-r--r--posix/glob.c2
3 files changed, 11 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 7d47dd8d7d..5229661ab1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-10-20 Paul Eggert <eggert@cs.ucla.edu>
+
+ [BZ #22320]
+ CVE-2017-15670
+ * posix/glob.c (__glob): Fix one-byte overflow.
+
2017-09-08 Adhemerval Zanella <adhemerval.zanella@linaro.org>
[BZ #1062]
diff --git a/NEWS b/NEWS
index 9a9e487ee6..8c10e88ec5 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,10 @@ Security related changes:
question type which is outside the range of valid question type values.
(CVE-2015-5180)
+* CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
+ from a one-byte overflow during ~ operator processing (either on the stack
+ or the heap, depending on the length of the user name).
+
The following bugs are resolved with this release:
[20790] Fix rpcgen buffer overrun
diff --git a/posix/glob.c b/posix/glob.c
index ea6a240209..026bc063d3 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -883,7 +883,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
*p = '\0';
}
else
- *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
= '\0';
user_name = newp;
}
generated by cgit v1.2.3-70-g09d2 (git 2.48.1) at 2025-01-26 00:59:38 +0000