glob: Fix one-byte overflow [BZ #22320]

Message ID aecce8a1-86a1-4ea0-bc7d-bccdbb7e1364@redhat.com
State Committed

Commit Message

Florian Weimer Oct. 20, 2017, 11:23 a.m. UTC
I plan to commit this once we have the CVE ID from MITRE.

Thanks,
Florian
  

Comments

Adhemerval Zanella Netto Oct. 20, 2017, 12:35 p.m. UTC | #1
As a side note, my glob refactor to use char_array internally does not
fail with the new test tst-glob-tilde.  I still think this refactor is 
an improvement for glob and I plan to resend the patch.  

On 20/10/2017 09:23, Florian Weimer wrote:
> I plan to commit this once we have the CVE ID from MITRE.
> 
> Thanks,
> Florian
  
Joseph Myers Oct. 20, 2017, 4:15 p.m. UTC | #2
On Fri, 20 Oct 2017, Florian Weimer wrote:

> I plan to commit this once we have the CVE ID from MITRE.

Commits should not need to wait for CVEs; the NEWS entry for a security 
fix can be updated with the CVE later once available.
  
Florian Weimer Oct. 20, 2017, 4:32 p.m. UTC | #3
* Joseph Myers:

> On Fri, 20 Oct 2017, Florian Weimer wrote:
>
>> I plan to commit this once we have the CVE ID from MITRE.
>
> Commits should not need to wait for CVEs; the NEWS entry for a security 
> fix can be updated with the CVE later once available.

Thanks for the reminder.  Recent turnaround times from MITRE were
amazingly fast, so I thought I would wait this time.  But you are
right, I should commit this now without a CVE ID.
  

Patch


2017-10-20  Paul Eggert <eggert@cs.ucla.edu>

	[BZ #22320]
	* posix/glob.c (__glob): Fix one-byte overflow.

diff --git a/NEWS b/NEWS
index ad680db874..2b6a022b32 100644
--- a/NEWS
+++ b/NEWS
@@ -72,6 +72,10 @@  Security related changes:
   vulnerability; only trusted binaries must be examined using the ldd
   script.)
 
+  The glob function, when invoked with GLOB_TILDE, suffered from a one-byte
+  overflow during ~ operator processing (either on the stack or the heap,
+  depending on the length of the user name).
+
 The following bugs are resolved with this release:
 
   [The release manager will add the list generated by
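Review bot: the four added NEWS lines name neither the bug number nor a CVE reference, so once MITRE assigns the ID there is nothing in the entry that marks where it belongs; since the thread agrees the CVE can be added after the commit, consider closing the paragraph with an obviously provisional marker such as `(CVE-TBD, BZ #22320)` so the entry is found and completed before the release.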
diff --git a/posix/glob.c b/posix/glob.c
index 076ab2bd72..15a6c0cf13 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -790,7 +790,7 @@  __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 		  *p = '\0';
 		}
 	      else
-		*((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+		*((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
 		  = '\0';
 	      user_name = newp;
 	    }
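Review bot: the corrected length in the `else` branch is consistent with the copy's source pointer: bytes are taken from `dirname + 1`, so the count of bytes before `end_name` is `end_name - dirname - 1`, and the previous `end_name - dirname` copied one byte too many and placed the terminating `'\0'` one byte past the end of `newp`, which matches the stack-or-heap one-byte overflow described in NEWS. The allocation of `newp` and the `if` branch ending in `*p = '\0';` lie outside the hunk, so confirm that the buffer is sized for the shortened copy plus the terminator and that the other branch does not carry the same off-by-one. The patch also ships no regression test even though the thread refers to a new `tst-glob-tilde`; listing that test in the ChangeLog entry alongside `posix/glob.c` would tie the fix to the case that reproduces it.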