aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Eggert <eggert@cs.ucla.edu>2017-10-20 18:41:14 +0200
committerFlorian Weimer <fweimer@redhat.com>2017-10-20 18:46:48 +0200
commitc369d66e5426a30e4725b100d5cd28e372754f90 (patch)
tree252d4ee0e4196f335fc864d10a38f5c6cb6c36f3
parent6d43de4b85b11d26a19bebe4f55f31be16e3d419 (diff)
downloadglibc-c369d66e5426a30e4725b100d5cd28e372754f90.zip
glibc-c369d66e5426a30e4725b100d5cd28e372754f90.tar.gz
glibc-c369d66e5426a30e4725b100d5cd28e372754f90.tar.bz2
CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]
Diffstat
-rw-r--r--ChangeLog6
-rw-r--r--NEWS4
-rw-r--r--posix/glob.c2
3 files changed, 11 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index f0512c5..43f5bfa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-10-20 Paul Eggert <eggert@cs.ucla.edu>
+
+ [BZ #22320]
+ CVE-2017-15670
+ * posix/glob.c (__glob): Fix one-byte overflow.
+
2017-10-20 Wilco Dijkstra <wdijkstr@arm.com>
* malloc/malloc.c (sysdep-cancel.h): Add include.
diff --git a/NEWS b/NEWS
index ad680db..e0e5056 100644
--- a/NEWS
+++ b/NEWS
@@ -72,6 +72,10 @@ Security related changes:
vulnerability; only trusted binaries must be examined using the ldd
script.)
+ CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
+ from a one-byte overflow during ~ operator processing (either on the stack
+ or the heap, depending on the length of the user name).
+
The following bugs are resolved with this release:
[The release manager will add the list generated by
diff --git a/posix/glob.c b/posix/glob.c
index 076ab2b..15a6c0c 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -790,7 +790,7 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
*p = '\0';
}
else
- *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
= '\0';
user_name = newp;
}
generated by cgit v1.1 at 2024-11-21 22:42:00 +0000