diff options
author | Paul Eggert <eggert@cs.ucla.edu> | 2017-10-20 18:41:14 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2017-10-20 19:36:54 +0200 |
commit | a76376df7c07e577a9515c3faa5dbd50bda5da07 (patch) | |
tree | d4050cdc328e1000702b3106a17c9b790c0e4fca | |
parent | 305f4f057dace256e99e4321e21a23267187d77f (diff) |
CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]
(cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | NEWS | 5 | ||||
-rw-r--r-- | posix/glob.c | 2 |
3 files changed, 12 insertions, 1 deletions
@@ -1,3 +1,9 @@ +2017-10-20 Paul Eggert <eggert@cs.ucla.edu> + + [BZ #22320] + CVE-2017-15670 + * posix/glob.c (__glob): Fix one-byte overflow. + 2017-09-08 Adhemerval Zanella <adhemerval.zanella@linaro.org> [BZ #1062] @@ -15,6 +15,11 @@ Security related changes: vulnerability; only trusted binaries must be examined using the ldd script.) + CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, + suffered from a one-byte overflow during ~ operator processing (either + on the stack or the heap, depending on the length of the user name). + Reported by Tim Rühsen. + The following bugs are resolved with this release: [16750] ldd: Never run file directly. diff --git a/posix/glob.c b/posix/glob.c index a7eccf9cb4..c761c0861d 100644 --- a/posix/glob.c +++ b/posix/glob.c @@ -870,7 +870,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int), *p = '\0'; } else - *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) + *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) = '\0'; user_name = newp; } |