From 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 7 Jan 2018 02:03:41 +0000 Subject: linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679] Currently getcwd(3) can succeed without returning an absolute path because the underlying getcwd syscall, starting with linux commit v2.6.36-rc1~96^2~2, may succeed without returning an absolute path. This is a conformance issue because "The getcwd() function shall place an absolute pathname of the current working directory in the array pointed to by buf, and return buf". This is also a security issue because a non-absolute path returned by getcwd(3) causes a buffer underflow in realpath(3). Fix this by checking the path returned by getcwd syscall and falling back to generic_getcwd if the path is not absolute, effectively making getcwd(3) fail with ENOENT. The error code is chosen for consistency with the case when the current directory is unlinked. [BZ #22679] CVE-2018-1000001 * sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to generic_getcwd if the path returned by getcwd syscall is not absolute. * io/tst-getcwd-abspath.c: New test. * io/Makefile (tests): Add tst-getcwd-abspath. --- NEWS | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 75bf467..79736db 100644 --- a/NEWS +++ b/NEWS @@ -199,6 +199,10 @@ Security related changes: for AT_SECURE or SUID binaries could be used to load libraries from the current directory. + CVE-2018-1000001: Buffer underflow in realpath function when getcwd function + succeeds without returning an absolute path due to unexpected behaviour + of the Linux kernel getcwd syscall. Reported by halfdog. + The following bugs are resolved with this release: [The release manager will add the list generated by -- cgit v1.1