diff options
author | Florian Weimer <fweimer@redhat.com> | 2017-12-14 15:05:57 +0100 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2017-12-14 15:31:46 +0100 |
commit | 3ff3dfa5af313a6ea33f3393916f30eece4f0171 (patch) | |
tree | 41be59a9eb6037aba0ee37116d2b35c0a324392f | |
parent | 8a0b17e48b83e933960dfeb8fa08b259f03f310e (diff) | |
download | glibc-3ff3dfa5af313a6ea33f3393916f30eece4f0171.zip glibc-3ff3dfa5af313a6ea33f3393916f30eece4f0171.tar.gz glibc-3ff3dfa5af313a6ea33f3393916f30eece4f0171.tar.bz2 |
elf: Count components of the expanded path in _dl_init_path [BZ #22607]
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | elf/dl-load.c | 13 |
3 files changed, 17 insertions, 9 deletions
@@ -1,5 +1,12 @@ 2017-12-14 Florian Weimer <fweimer@redhat.com> + [BZ #22607] + CVE-2017-1000409 + * elf/dl-load.c (_dl_init_paths): Compute number of components in + the expanded path string. + +2017-12-14 Florian Weimer <fweimer@redhat.com> + [BZ #22606] CVE-2017-1000408 * elf/dl-load.c (system_dirs): Update comment. @@ -130,6 +130,12 @@ Security related changes: it is mentioned here only because of the CVE assignment.) Reported by Qualys. + CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation + of the number of search path components. (This is not a security + vulnerability per se because no trust boundary is crossed if the fix for + CVE-2017-1000366 has been applied, but it is mentioned here only because + of the CVE assignment.) Reported by Qualys. + The following bugs are resolved with this release: [The release manager will add the list generated by diff --git a/elf/dl-load.c b/elf/dl-load.c index 5f1f908..bbd3be9e 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -773,8 +773,6 @@ _dl_init_paths (const char *llp) if (llp != NULL && *llp != '\0') { - size_t nllp; - const char *cp = llp; char *llp_tmp; #ifdef SHARED @@ -797,13 +795,10 @@ _dl_init_paths (const char *llp) /* Decompose the LD_LIBRARY_PATH contents. First determine how many elements it has. */ - nllp = 1; - while (*cp) - { - if (*cp == ':' || *cp == ';') - ++nllp; - ++cp; - } + size_t nllp = 1; + for (const char *cp = llp_tmp; *cp != '\0'; ++cp) + if (*cp == ':' || *cp == ';') + ++nllp; env_path_list.dirs = (struct r_search_path_elem **) malloc ((nllp + 1) * sizeof (struct r_search_path_elem *)); |