[OE-core] [PATCH 3/3] glibc: Security fix for CVE-2017-15804
Armin Kuster
akuster808 at gmail.com
Thu Nov 23 03:52:17 UTC 2017
From: Armin Kuster <akuster at mvista.com>
The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.
Affects: glibx < 2.27
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
meta/recipes-core/glibc/glibc/CVE-2017-15804.patch | 111 +++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.26.bb | 1 +
2 files changed, 112 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2017-15804.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-15804.patch b/meta/recipes-core/glibc/glibc/CVE-2017-15804.patch
new file mode 100644
index 0000000..b0dada3
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-15804.patch
@@ -0,0 +1,111 @@
+From 2fac6a6cd50c22ac28c97d0864306594807ade3e Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer at redhat.com>
+Date: Thu, 2 Nov 2017 11:06:45 +0100
+Subject: [PATCH] posix/tst-glob-tilde.c: Add test for bug 22332
+
+Upstream-Status: Backport
+CVE: CVE-2017-15804
+Affects: glibx < 2.27
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ ChangeLog | 7 +++++++
+ posix/tst-glob-tilde.c | 53 ++++++++++++++++++++++++++++----------------------
+ 2 files changed, 37 insertions(+), 23 deletions(-)
+
+Index: git/posix/tst-glob-tilde.c
+===================================================================
+--- git.orig/posix/tst-glob-tilde.c
++++ git/posix/tst-glob-tilde.c
+@@ -1,4 +1,4 @@
+-/* Check for GLOB_TIDLE heap allocation issues (bug 22320, bug 22325).
++/* Check for GLOB_TIDLE heap allocation issues (bugs 22320, 22325, 22332).
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+@@ -34,6 +34,9 @@ static int do_nocheck;
+ /* Flag which indicates whether to pass the GLOB_MARK flag. */
+ static int do_mark;
+
++/* Flag which indicates whether to pass the GLOB_NOESCAPE flag. */
++static int do_noescape;
++
+ static void
+ one_test (const char *prefix, const char *middle, const char *suffix)
+ {
+@@ -45,6 +48,8 @@ one_test (const char *prefix, const char
+ flags |= GLOB_NOCHECK;
+ if (do_mark)
+ flags |= GLOB_MARK;
++ if (do_noescape)
++ flags |= GLOB_NOESCAPE;
+ glob_t gl;
+ /* This glob call might result in crashes or memory leaks. */
+ if (glob (pattern, flags, NULL, &gl) == 0)
+@@ -105,28 +110,30 @@ do_test (void)
+ for (do_onlydir = 0; do_onlydir < 2; ++do_onlydir)
+ for (do_nocheck = 0; do_nocheck < 2; ++do_nocheck)
+ for (do_mark = 0; do_mark < 2; ++do_mark)
+- for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
+- {
+- for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
+- ++size_skew)
+- {
+- int size = base_sizes[base_idx] + size_skew;
+- if (size < 0)
+- continue;
+-
+- const char *user_name = repeating_string (size);
+- one_test ("~", user_name, "/a/b");
+- }
+-
+- const char *user_name = repeating_string (base_sizes[base_idx]);
+- one_test ("~", user_name, "");
+- one_test ("~", user_name, "/");
+- one_test ("~", user_name, "/a");
+- one_test ("~", user_name, "/*/*");
+- one_test ("~", user_name, "\\/");
+- one_test ("/~", user_name, "");
+- one_test ("*/~", user_name, "/a/b");
+- }
++ for (do_noescape = 0; do_noescape < 2; ++do_noescape)
++ for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
++ {
++ for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
++ ++size_skew)
++ {
++ int size = base_sizes[base_idx] + size_skew;
++ if (size < 0)
++ continue;
++
++ const char *user_name = repeating_string (size);
++ one_test ("~", user_name, "/a/b");
++ one_test ("~", user_name, "x\\x\\x////x\\a");
++ }
++
++ const char *user_name = repeating_string (base_sizes[base_idx]);
++ one_test ("~", user_name, "");
++ one_test ("~", user_name, "/");
++ one_test ("~", user_name, "/a");
++ one_test ("~", user_name, "/*/*");
++ one_test ("~", user_name, "\\/");
++ one_test ("/~", user_name, "");
++ one_test ("*/~", user_name, "/a/b");
++ }
+
+ free (repeat);
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,9 @@
++2017-10-22 Paul Eggert <eggert at cs.ucla.edu>
++
++ [BZ #22332]
++ * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
++ unescaping.
++
+ 2017-10-21 Florian Weimer <fweimer at redhat.com>
+
+ * posix/Makefile (tests): Add tst-glob-tilde.
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index e4ba28f..76a410d 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -45,6 +45,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
file://CVE-2017-15670.patch \
file://CVE-2017-15671.patch \
+ file://CVE-2017-15804.patch \
"
NATIVESDKFIXES ?= ""
--
2.7.4
More information about the Openembedded-core
mailing list