[oe-commits] [openembedded-core] 04/07: glibc: Security Fix CVE-2017-16997

git at git.openembedded.org git at git.openembedded.org
Thu Jan 25 11:36:49 UTC 2018



rpurdie pushed a commit to branch rocko
in repository openembedded-core.

commit bcf148d95015d32104b2b7ad318ab943f2c27374
Author: Armin Kuster <akuster808 at gmail.com>
AuthorDate: Sat Jan 20 09:48:39 2018 -0800

    glibc: Security Fix CVE-2017-16997
    
    Affects glibc < 2.27, including the current master glibc commit
    77f921dac17c5fa99bd9e926d926c327982895f7.
    
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 meta/recipes-core/glibc/glibc/CVE-2017-16997.patch | 150 +++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.26.bb              |   1 +
 2 files changed, 151 insertions(+)

diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch
new file mode 100644
index 0000000..38731e4
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch
@@ -0,0 +1,150 @@
+From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001
+From: Aurelien Jarno <aurelien at aurel32.net>
+Date: Sat, 30 Dec 2017 10:54:23 +0100
+Subject: [PATCH] elf: Check for empty tokens before dynamic string token
+ expansion [BZ #22625]
+
+The fillin_rpath function in elf/dl-load.c loops over each RPATH or
+RUNPATH tokens and interprets empty tokens as the current directory
+("./"). In practice the check for empty token is done *after* the
+dynamic string token expansion. The expansion process can return an
+empty string for the $ORIGIN token if __libc_enable_secure is set
+or if the path of the binary can not be determined (/proc not mounted).
+
+Fix that by moving the check for empty tokens before the dynamic string
+token expansion. In addition, check for NULL pointer or empty strings
+return by expand_dynamic_string_token.
+
+The above changes highlighted a bug in decompose_rpath, an empty array
+is represented by the first element being NULL at the fillin_rpath
+level, but by using a -1 pointer in decompose_rpath and other functions.
+
+Changelog:
+	[BZ #22625]
+	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+	string token expansion. Check for NULL pointer or empty string possibly
+	returned by expand_dynamic_string_token.
+	(decompose_rpath): Check for empty path after dynamic string
+	token expansion.
+(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
+
+Upstream-Status: Backport
+CVE: CVE-2017-16997
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ ChangeLog     | 10 ++++++++++
+ NEWS          |  4 ++++
+ elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------
+ 3 files changed, 47 insertions(+), 16 deletions(-)
+
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -215,6 +215,10 @@ Security related changes:
+   GLOB_NOESCAPE, could write past the end of a buffer while
+   unescaping user names.  Reported by Tim Rühsen.
+ 
++  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
++  for AT_SECURE or SUID binaries could be used to load libraries from the
++  current directory.
++
+ The following bugs are resolved with this release:
+ 
+   [984] network: Respond to changed resolv.conf in gethostbyname
+Index: git/elf/dl-load.c
+===================================================================
+--- git.orig/elf/dl-load.c
++++ git/elf/dl-load.c
+@@ -433,32 +433,41 @@ fillin_rpath (char *rpath, struct r_sear
+ {
+   char *cp;
+   size_t nelems = 0;
+-  char *to_free;
+ 
+   while ((cp = __strsep (&rpath, sep)) != NULL)
+     {
+       struct r_search_path_elem *dirp;
++      char *to_free = NULL;
++      size_t len = 0;
+ 
+-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
++      /* `strsep' can pass an empty string.  */
++      if (*cp != '\0')
++	{
++	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
+ 
+-      size_t len = strlen (cp);
++	  /* expand_dynamic_string_token can return NULL in case of empty
++	     path or memory allocation failure.  */
++	  if (cp == NULL)
++	    continue;
++
++	  /* Compute the length after dynamic string token expansion and
++	     ignore empty paths.  */
++	  len = strlen (cp);
++	  if (len == 0)
++	    {
++	      free (to_free);
++	      continue;
++	    }
+ 
+-      /* `strsep' can pass an empty string.  This has to be
+-	 interpreted as `use the current directory'. */
+-      if (len == 0)
+-	{
+-	  static const char curwd[] = "./";
+-	  cp = (char *) curwd;
++	  /* Remove trailing slashes (except for "/").  */
++	  while (len > 1 && cp[len - 1] == '/')
++	    --len;
++
++	  /* Now add one if there is none so far.  */
++	  if (len > 0 && cp[len - 1] != '/')
++	    cp[len++] = '/';
+ 	}
+ 
+-      /* Remove trailing slashes (except for "/").  */
+-      while (len > 1 && cp[len - 1] == '/')
+-	--len;
+-
+-      /* Now add one if there is none so far.  */
+-      if (len > 0 && cp[len - 1] != '/')
+-	cp[len++] = '/';
+-
+       /* Make sure we don't use untrusted directories if we run SUID.  */
+       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
+ 	{
+@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_st
+      necessary.  */
+   free (copy);
+ 
++  /* There is no path after expansion.  */
++  if (result[0] == NULL)
++    {
++      free (result);
++      sps->dirs = (struct r_search_path_elem **) -1;
++      return false;
++    }
++
+   sps->dirs = result;
+   /* The caller will change this value if we haven't used a real malloc.  */
+   sps->malloced = 1;
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,12 @@
++2017-12-30  Aurelien Jarno  <aurelien at aurel32.net>
++           Dmitry V. Levin  <ldv at altlinux.org>
++
++       [BZ #22625]
++       * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
++       string token expansion. Check for NULL pointer or empty string possibly
++       returned by expand_dynamic_string_token.
++       (decompose_rpath): Check for empty path after dynamic string
++       token expansion.
+ 
+ 2017-10-20  Paul Eggert <eggert at cs.ucla.edu>
+ 
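Review bot: The empty-token path through fillin_rpath is left undocumented: when `*cp == '\0'` the new `if` block is skipped and the token still reaches `is_trusted_path (cp, len)` with `cp` pointing at the empty string and `len == 0`, yet the comment that replaced the old "use the current directory" explanation now only says that strsep can pass an empty string. Since the point of the fix is that an empty expansion of `$ORIGIN` is dropped via `continue` while a literally empty token is deliberately handed on, the reader needs that distinction spelled out, and what the trust check then does with a zero-length path; the rest of the loop, where a length-0 entry would actually be recorded, lies outside the hunk, so I cannot confirm from here that it still resolves to the current directory. I would extend the comment to `/* An empty token from strsep is kept as the empty path (len == 0): it is still subject to the trust check below and, unlike an empty $ORIGIN expansion, is not discarded here.  */`. A short note that `to_free` is still NULL on the `cp == NULL` branch, so skipping the free there is correct, would also save the next reader a double-check.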
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index a42a25f..caf8e37 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -46,6 +46,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://CVE-2017-15670.patch \
            file://CVE-2017-15671.patch \
            file://0029-assert-Support-types-without-operator-int-BZ-21972.patch \
+           file://CVE-2017-16997.patch \
 "
 
 NATIVESDKFIXES ?= ""
