From patchwork Fri Oct 20 11:23:11 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Weimer <fweimer@redhat.com>
X-Patchwork-Id: 23725
Received: (qmail 23567 invoked by alias); 20 Oct 2017 11:23:16 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 23556 invoked by uid 89); 20 Oct 2017 11:23:15 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-25.9 required=5.0 tests=BAYES_00, GIT_PATCH_0,
	GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3,
	KAM_LAZY_DOMAIN_SECURITY, RP_MATCHES_RCVD,
	SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=suffered,
	H*M:86a1, H*MI:86a1, cve
X-HELO: mx1.redhat.com
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 45859C059741
Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com;
	dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com;
	spf=fail smtp.mailfrom=fweimer@redhat.com
To: GNU C Library <libc-alpha@sourceware.org>
From: Florian Weimer <fweimer@redhat.com>
Subject: [PATCH] glob: Fix one-byte overflow [BZ #22320]
Message-ID: <aecce8a1-86a1-4ea0-bc7d-bccdbb7e1364@redhat.com>
Date: Fri, 20 Oct 2017 13:23:11 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
	Thunderbird/52.3.0
MIME-Version: 1.0

I plan to commit this once we have the CVE ID from MITRE.

Thanks,
Florian


2017-10-20  Paul Eggert <eggert@cs.ucla.edu>

	[BZ #22320]
	* posix/glob.c (__glob): Fix one-byte overflow.

diff --git a/NEWS b/NEWS
index ad680db874..2b6a022b32 100644
--- a/NEWS
+++ b/NEWS
@@ -72,6 +72,10 @@ Security related changes:
   vulnerability; only trusted binaries must be examined using the ldd
   script.)
 
+  The glob function, when invoked with GLOB_TILDE, suffered from a one-byte
+  overflow during ~ operator processing (either on the stack or the heap,
+  depending on the length of the user name).
+
 The following bugs are resolved with this release:
 
   [The release manager will add the list generated by
diff --git a/posix/glob.c b/posix/glob.c
index 076ab2bd72..15a6c0cf13 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -790,7 +790,7 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 		  *p = '\0';
 		}
 	      else
-		*((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+		*((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
 		  = '\0';
 	      user_name = newp;
 	    }