[OE-core] [PATCH 3/3] glibc: Security fix for CVE-2017-15804

Armin Kuster akuster808 at gmail.com
Thu Nov 23 03:52:17 UTC 2017 

From: Armin Kuster <akuster at mvista.com>

The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.

Affects: glibx < 2.27

Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 meta/recipes-core/glibc/glibc/CVE-2017-15804.patch | 111 +++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.26.bb              |   1 +
 2 files changed, 112 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2017-15804.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-15804.patch b/meta/recipes-core/glibc/glibc/CVE-2017-15804.patch
new file mode 100644
index 0000000..b0dada3
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-15804.patch
@@ -0,0 +1,111 @@
+From 2fac6a6cd50c22ac28c97d0864306594807ade3e Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer at redhat.com>
+Date: Thu, 2 Nov 2017 11:06:45 +0100
+Subject: [PATCH] posix/tst-glob-tilde.c: Add test for bug 22332
+
+Upstream-Status: Backport
+CVE: CVE-2017-15804
+Affects: glibx < 2.27
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ ChangeLog              |  7 +++++++
+ posix/tst-glob-tilde.c | 53 ++++++++++++++++++++++++++++----------------------
+ 2 files changed, 37 insertions(+), 23 deletions(-)
+
+Index: git/posix/tst-glob-tilde.c
+===================================================================
+--- git.orig/posix/tst-glob-tilde.c
++++ git/posix/tst-glob-tilde.c
+@@ -1,4 +1,4 @@
+-/* Check for GLOB_TIDLE heap allocation issues (bug 22320, bug 22325).
++/* Check for GLOB_TIDLE heap allocation issues (bugs 22320, 22325, 22332).
+    Copyright (C) 2017 Free Software Foundation, Inc.
+    This file is part of the GNU C Library.
+ 
+@@ -34,6 +34,9 @@ static int do_nocheck;
+ /* Flag which indicates whether to pass the GLOB_MARK flag.  */
+ static int do_mark;
+ 
++/* Flag which indicates whether to pass the GLOB_NOESCAPE flag.  */
++static int do_noescape;
++
+ static void
+ one_test (const char *prefix, const char *middle, const char *suffix)
+ {
+@@ -45,6 +48,8 @@ one_test (const char *prefix, const char
+     flags |= GLOB_NOCHECK;
+   if (do_mark)
+     flags |= GLOB_MARK;
++  if (do_noescape)
++    flags |= GLOB_NOESCAPE;
+   glob_t gl;
+   /* This glob call might result in crashes or memory leaks.  */
+   if (glob (pattern, flags, NULL, &gl) == 0)
+@@ -105,28 +110,30 @@ do_test (void)
+   for (do_onlydir = 0; do_onlydir < 2; ++do_onlydir)
+     for (do_nocheck = 0; do_nocheck < 2; ++do_nocheck)
+       for (do_mark = 0; do_mark < 2; ++do_mark)
+-        for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
+-          {
+-            for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
+-                 ++size_skew)
+-              {
+-                int size = base_sizes[base_idx] + size_skew;
+-                if (size < 0)
+-                  continue;
+-
+-                const char *user_name = repeating_string (size);
+-                one_test ("~", user_name, "/a/b");
+-              }
+-
+-            const char *user_name = repeating_string (base_sizes[base_idx]);
+-            one_test ("~", user_name, "");
+-            one_test ("~", user_name, "/");
+-            one_test ("~", user_name, "/a");
+-            one_test ("~", user_name, "/*/*");
+-            one_test ("~", user_name, "\\/");
+-            one_test ("/~", user_name, "");
+-            one_test ("*/~", user_name, "/a/b");
+-          }
++	for (do_noescape = 0; do_noescape < 2; ++do_noescape)
++	  for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
++	    {
++	      for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
++		   ++size_skew)
++		{
++		  int size = base_sizes[base_idx] + size_skew;
++		  if (size < 0)
++		    continue;
++
++		  const char *user_name = repeating_string (size);
++		  one_test ("~", user_name, "/a/b");
++		  one_test ("~", user_name, "x\\x\\x////x\\a");
++		}
++
++	      const char *user_name = repeating_string (base_sizes[base_idx]);
++	      one_test ("~", user_name, "");
++	      one_test ("~", user_name, "/");
++	      one_test ("~", user_name, "/a");
++	      one_test ("~", user_name, "/*/*");
++	      one_test ("~", user_name, "\\/");
++	      one_test ("/~", user_name, "");
++	      one_test ("*/~", user_name, "/a/b");
++	    }
+ 
+   free (repeat);
+ 
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,9 @@
++2017-10-22  Paul Eggert <eggert at cs.ucla.edu>
++
++       [BZ #22332]
++       * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
++       unescaping.
++
+ 2017-10-21  Florian Weimer  <fweimer at redhat.com>
+ 
+ 	* posix/Makefile (tests): Add tst-glob-tilde.
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index e4ba28f..76a410d 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -45,6 +45,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
            file://CVE-2017-15670.patch \
            file://CVE-2017-15671.patch \
+           file://CVE-2017-15804.patch \
 "
 
 NATIVESDKFIXES ?= ""
-- 
2.7.4

More information about the Openembedded-core mailing list