diff options
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2017-15671.patch | 66 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.26.bb | 1 |
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch new file mode 100644 index 0000000000..35692820d4 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch @@ -0,0 +1,66 @@ +From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001 +From: Paul Eggert <eggert@cs.ucla.edu> +Date: Sun, 22 Oct 2017 10:00:57 +0200 +Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ + #22332] + +(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8) + +Upstream-Status: Backport +CVE: CVE-2017-15671 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 6 ++++++ + NEWS | 4 ++++ + posix/glob.c | 4 ++-- + 3 files changed, 12 insertions(+), 2 deletions(-) + +Index: git/NEWS +=================================================================== +--- git.orig/NEWS ++++ git/NEWS +@@ -211,6 +211,10 @@ Security related changes: + on the stack or the heap, depending on the length of the user name). + Reported by Tim Rühsen. + ++ The glob function, when invoked with GLOB_TILDE and without ++ GLOB_NOESCAPE, could write past the end of a buffer while ++ unescaping user names. Reported by Tim Rühsen. ++ + The following bugs are resolved with this release: + + [984] network: Respond to changed resolv.conf in gethostbyname +Index: git/posix/glob.c +=================================================================== +--- git.orig/posix/glob.c ++++ git/posix/glob.c +@@ -823,11 +823,11 @@ glob (const char *pattern, int flags, in + char *p = mempcpy (newp, dirname + 1, + unescape - dirname - 1); + char *q = unescape; +- while (*q != '\0') ++ while (q != end_name) + { + if (*q == '\\') + { +- if (q[1] == '\0') ++ if (q + 1 == end_name) + { + /* "~fo\\o\\" unescape to user_name "foo\\", + but "~fo\\o\\/" unescape to user_name +Index: git/ChangeLog +=================================================================== +--- git.orig/ChangeLog ++++ git/ChangeLog +@@ -1,5 +1,10 @@ ++ + 2017-10-20 Paul Eggert <eggert@cs.ucla.edu> + ++ [BZ #22332] ++ * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE ++ unescaping. ++ + [BZ #22320] + CVE-2017-15670 + * posix/glob.c (__glob): Fix one-byte overflow. diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb index ed4ea4f624..e4ba28fffd 100644 --- a/meta/recipes-core/glibc/glibc_2.26.bb +++ b/meta/recipes-core/glibc/glibc_2.26.bb @@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \ file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \ file://CVE-2017-15670.patch \ + file://CVE-2017-15671.patch \ " NATIVESDKFIXES ?= "" |