From 3ff3dfa5af313a6ea33f3393916f30eece4f0171 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Thu, 14 Dec 2017 15:05:57 +0100
Subject: elf: Count components of the expanded path in _dl_init_path [BZ
 #22607]

---
 ChangeLog     |  7 +++++++
 NEWS          |  6 ++++++
 elf/dl-load.c | 13 ++++---------
 3 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 521ef46..018edea 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2017-12-14  Florian Weimer  <fweimer@redhat.com>
 
+	[BZ #22607]
+	CVE-2017-1000409
+	* elf/dl-load.c (_dl_init_paths): Compute number of components in
+	the expanded path string.
+
+2017-12-14  Florian Weimer  <fweimer@redhat.com>
+
 	[BZ #22606]
 	CVE-2017-1000408
 	* elf/dl-load.c (system_dirs): Update comment.
diff --git a/NEWS b/NEWS
index eef51b6..c5607c8 100644
--- a/NEWS
+++ b/NEWS
@@ -130,6 +130,12 @@ Security related changes:
   it is mentioned here only because of the CVE assignment.)  Reported by
   Qualys.
 
+  CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
+  of the number of search path components.  (This is not a security
+  vulnerability per se because no trust boundary is crossed if the fix for
+  CVE-2017-1000366 has been applied, but it is mentioned here only because
+  of the CVE assignment.)  Reported by Qualys.
+
 The following bugs are resolved with this release:
 
   [The release manager will add the list generated by
diff --git a/elf/dl-load.c b/elf/dl-load.c
index 5f1f908..bbd3be9e 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -773,8 +773,6 @@ _dl_init_paths (const char *llp)
 
   if (llp != NULL && *llp != '\0')
     {
-      size_t nllp;
-      const char *cp = llp;
       char *llp_tmp;
 
 #ifdef SHARED
@@ -797,13 +795,10 @@ _dl_init_paths (const char *llp)
 
       /* Decompose the LD_LIBRARY_PATH contents.  First determine how many
 	 elements it has.  */
-      nllp = 1;
-      while (*cp)
-	{
-	  if (*cp == ':' || *cp == ';')
-	    ++nllp;
-	  ++cp;
-	}
+      size_t nllp = 1;
+      for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
+	if (*cp == ':' || *cp == ';')
+	  ++nllp;
 
       env_path_list.dirs = (struct r_search_path_elem **)
 	malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));
-- 
cgit v1.1