glob: Fix one-byte overflow [BZ #22320]
Commit Message
I plan to commit this once we have the CVE ID from MITRE.
Thanks,
Florian
Comments
As a side note, my glob refactor to use char_array internally does not
fail with the new test tst-glob-tilde. I still think this refactor is
an improvement for glob and I plan to resend the patch.
On 20/10/2017 09:23, Florian Weimer wrote:
> I plan to commit this once we have the CVE ID from MITRE.
>
> Thanks,
> Florian
On Fri, 20 Oct 2017, Florian Weimer wrote:
> I plan to commit this once we have the CVE ID from MITRE.
Commits should not need to wait for CVEs; the NEWS entry for a security
fix can be updated with the CVE later once available.
* Joseph Myers:
> On Fri, 20 Oct 2017, Florian Weimer wrote:
>
>> I plan to commit this once we have the CVE ID from MITRE.
>
> Commits should not need to wait for CVEs; the NEWS entry for a security
> fix can be updated with the CVE later once available.
Thanks for the reminder. Recent turnaround times from MITRE were
amazingly fast, so I thought I would wait this time. But you are
right, I should commit this now without a CVE ID.
2017-10-20 Paul Eggert <eggert@cs.ucla.edu>
[BZ #22320]
* posix/glob.c (__glob): Fix one-byte overflow.
@@ -72,6 +72,10 @@ Security related changes:
vulnerability; only trusted binaries must be examined using the ldd
script.)
+ The glob function, when invoked with GLOB_TILDE, suffered from a one-byte
+ overflow during ~ operator processing (either on the stack or the heap,
+ depending on the length of the user name).
+
The following bugs are resolved with this release:
[The release manager will add the list generated by
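Review bot: the NEWS entry carries neither a CVE identifier nor the bug number, and the thread above agrees to commit before MITRE assigns the ID, so add the BZ reference now (for example end the entry with "(BZ #22320, CVE to be assigned)") so the release manager has an anchor to update when the CVE arrives. The entry also says what overflows (one byte, stack or heap depending on user name length) but not what input reaches it; the hunk below shows the copy starts at `dirname + 1` for a `~user` prefix, so a clause naming the `~user` form of the pattern as the trigger would help downstream triage.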
@@ -790,7 +790,7 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
*p = '\0';
}
else
- *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
= '\0';
user_name = newp;
}
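Review bot: the corrected length on the `+` line, `end_name - dirname - 1`, is right only because the copy starts at `dirname + 1`; write it as `end_name - (dirname + 1)`, or introduce `const char *name = dirname + 1;` and use `mempcpy (newp, name, end_name - name)`, so the source pointer and the length are visibly derived from the same base, which is exactly the pairing the removed line got wrong. The sibling `if` branch that ends in `*p = '\0';` at the top of the hunk writes into the same buffer but its copy is outside the context shown, so confirm it computes the length the same way. The tst-glob-tilde test mentioned in the comments is neither in this hunk nor in the ChangeLog entry above, so either this commit should carry it or the ChangeLog should say it lands separately.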