Chris Clayton wrote:
On 24/12/17 05:41, [email protected] wrote:
Author: dj
Date: Sat Dec 23 21:41:23 2017
New Revision: 3679
Log:
Add glibc-2.26-local_glob_exploits-1.patch
Added:
trunk/glibc/glibc-2.26-local_glob_exploits-1.patch
Added: trunk/glibc/glibc-2.26-local_glob_exploits-1.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ trunk/glibc/glibc-2.26-local_glob_exploits-1.patch Sat Dec 23 21:41:23 2017 (r3679)
@@ -0,0 +1,59 @@
+Submitted by: DJ Lucas (dj_AT_linuxfromscratch_DOT_org)
+Date: 2017-12-24
+Initial Package Version: 2.26
+Upstream Status: Comitted
+Origin:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c369d66e5426a30e4725b100d5cd28e372754f90
+ and
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a159b53fa059947cc2548e3b0d5bdcf7b9630ba8
+Description: Fixes local-only exploits in glob functions idetified
+ in CVE-2017-15670 and CVE-2017-15671
+
+
+diff -Naurp glibc-2.26-orig/ChangeLog glibc-2.26/ChangeLog
+--- glibc-2.26-orig/ChangeLog 2017-12-23 23:16:40.669052891 -0600
++++ glibc-2.26/ChangeLog 2017-12-23 23:30:21.240500323 -0600
+@@ -1,3 +1,19 @@
++2017-10-21 Paul Eggert <[email protected]>
++
++ glob: fix another heap buffer overflow
++ Problem reported by Tim Rühsen in:
++ https://sourceware.org/bugzilla/show_bug.cgi?id=22332
++ * lib/glob.c (glob): Avoid buffer overrun when unescaping.
++
++2017-10-19 Paul Eggert <[email protected]>
++
++ glob: fix heap buffer overflow
++ * lib/glob.c (glob): Fix off-by-one error introduced into
++ glibc in commit dd7d45e838a42b0ed470c44b55901ea98d0c2bab
++ dated 1997-10-29 20:33:40. Problem reported by Tim Rühsen in:
++ https://sourceware.org/bugzilla/show_bug.cgi?id=22320
++ Fix suggested by Bruno Haible.
++
+ 2017-08-02 Siddhesh Poyarekar <[email protected]>
+
+ * version.h (RELEASE): Set to "stable"
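Review bot: The two ChangeLog entries in this hunk cite `lib/glob.c` (the gnulib path) while the patch itself modifies `posix/glob.c`, so the entries do not match the files being changed; a ChangeLog hunk is also the first thing to conflict whenever the patch is rebased onto another glibc tarball. Drop the ChangeLog hunk from the distributed patch and let the two upstream commit URLs in the `Origin:` header serve as the record of what was backported.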
+diff -Naurp glibc-2.26-orig/posix/glob.c glibc-2.26/posix/glob.c
+--- glibc-2.26-orig/posix/glob.c 2017-12-23 23:16:40.803052829 -0600
++++ glibc-2.26/posix/glob.c 2017-12-23 23:20:11.177939148 -0600
+@@ -823,11 +823,11 @@ glob (const char *pattern, int flags, in
+ char *p = mempcpy (newp, dirname + 1,
+ unescape - dirname - 1);
+ char *q = unescape;
+- while (*q != '\0')
++ while (*q != end_name)
+ {
+ if (*q == '\\')
+ {
+- if (q[1] == '\0')
++ if (q[1] == end_name)
+ {
+ /* "~fo\\o\\" unescape to user_name "foo\\",
+ but "~fo\\o\\/" unescape to user_name
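Review bot: `while (*q != end_name)` and `if (q[1] == end_name)` compare a `char` with a `char *`, which is not what the fix intends and fails under `-Werror` as a comparison between pointer and integer. The loop is meant to stop at the end of the user name, so both comparisons should be between pointers: `while (q != end_name)` and `if (q + 1 == end_name)`.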
+@@ -843,7 +843,7 @@ glob (const char *pattern, int flags, in
+ *p = '\0';
+ }
+ else
+- *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
++ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
+ = '\0';
+ user_name = newp;
+ }
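Review bot: The `- 1` in the `mempcpy` length is the substance of the off-by-one fix: the user name starts at `dirname + 1` and ends just before `end_name`, so its length is `end_name - dirname - 1`; the old call copied one byte too many and then stored the terminating `'\0'` one position further, past the end of the buffer. The allocation of `newp` is outside this hunk's context, so verify that it is sized for the name plus its terminator so the `'\0'` written here lands in bounds. Separately, the patch header spells `Comitted` and `idetified`; fix those before committing.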
glibc with this patch applied doesn't build here. The error I see (with
gcc-7-20171221) is:
gcc ../sysdeps/wordsize-64/glob.c -c -std=gnu11 -fgnu89-inline -O3 -Wall
-Werror -Wundef -Wwrite-strings
...
In file included from ../sysdeps/wordsize-64/glob.c:3:0:
../posix/glob.c: In function 'glob':
../posix/glob.c:826:15: error: comparison between pointer and integer [-Werror]
while (*q != end_name)
^~
../posix/glob.c:830:15: error: comparison between pointer and integer [-Werror]
if (q[1] == end_name)
^~
cc1: all warnings being treated as errors
That looks valid because *q is a (signed) char while end_name is a pointer to a (signed) char. I think the first hunk of the patch should be:
char *p = mempcpy (newp, dirname + 1,
+ unescape - dirname - 1);
+ char *q = unescape;
+- while (*q != '\0')
++ while (q != end_name)
+ {
+ if (*q == '\\')
+ {
+- if (q[1] == '\0')
++ if (q + 1 == end_name)
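Review bot: The pointer comparisons `q != end_name` and `q + 1 == end_name` are the right correction; they are type-correct and consistent with the second hunk, which now copies exactly the bytes up to `end_name`. As quoted, though, the first line (`char *p = mempcpy (newp, dirname + 1,`) has lost its leading `+` and the `@@ -823,11 +823,11 @@` header is missing, so this fragment will not apply with `patch` as pasted; regenerate the hunk from the corrected file rather than editing the diff by hand.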
This should be at lfs-dev, not patches.
Your change seems right to me. For the patch, I would skip the changes to
the ChangeLog.
-- Bruce
--
http://lists.linuxfromscratch.org/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page