From 9e411843b26d296ba2b048b581d31bd0221e25e6 Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Sun, 21 Jan 2018 09:59:54 -0800
Subject: glibc: Security fix CVE-2017-15671 affects glibc < 2.27 only glibc in current master hash: 77f921dac17c5fa99bd9e926d926c327982895f7
Signed-off-by: Armin Kuster
Signed-off-by: Ross Burton
---
 meta/recipes-core/glibc/glibc/CVE-2017-15671.patch | 65 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.26.bb | 1 +
 2 files changed, 66 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
(limited to 'meta/recipes-core/glibc')
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
new file mode 100644
index 0000000000..9a08784106
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
@@ -0,0 +1,65 @@
+From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001
+From: Paul Eggert
+Date: Sun, 22 Oct 2017 10:00:57 +0200
+Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ
+ #22332]
+
+(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
+
+Upstream-Status: Backport
+CVE: CVE-2017-15671
+Signed-off-by: Armin Kuster
+
+---
+ ChangeLog | 6 ++++++
+ NEWS | 4 ++++
+ posix/glob.c | 4 ++--
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -20,6 +20,10 @@ Security related changes:
+ on the stack or the heap, depending on the length of the user name).
+ Reported by Tim Rühsen.
+
++ The glob function, when invoked with GLOB_TILDE and without
++ GLOB_NOESCAPE, could write past the end of a buffer while
++ unescaping user names. Reported by Tim Rühsen.
++
+ The following bugs are resolved with this release:
+
+ [16750] ldd: Never run file directly.
+Index: git/posix/glob.c
+===================================================================
+--- git.orig/posix/glob.c
++++ git/posix/glob.c
+@@ -850,11 +850,11 @@ glob (const char *pattern, int flags, in
+ char *p = mempcpy (newp, dirname + 1,
+ unescape - dirname - 1);
+ char *q = unescape;
+- while (*q != '\0')
++ while (q != end_name)
+ {
+ if (*q == '\\')
+ {
+- if (q[1] == '\0')
++ if (q + 1 == end_name)
+ {
+ /* "~fo\\o\\" unescape to user_name "foo\\",
+ but "~fo\\o\\/" unescape to user_name
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,9 @@
++2017-10-22 Paul Eggert
++
++ [BZ #22332]
++ * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
++ unescaping.
++
+ 2017-10-13 James Clarke
+
+ * sysdeps/powerpc/powerpc32/dl-machine.h (elf_machine_rela):
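Review bot: The identifier in the patch header (`CVE: CVE-2017-15671`) and in the file name should be checked against the record for BZ #22332 before this lands; as far as I recall, CVE-2017-15671 is described as a memory leak in glob with GLOB_TILDE, whereas the backported change and its NEWS text describe a write past the end of a buffer while unescaping user names. If the two do not match, CVE tracking that keys on the `CVE:` tag will report the wrong issue as patched and leave the overflow listed as open, so the tag, the file name and the `SRC_URI` entry in glibc_2.26.bb would become `CVE: <id assigned to BZ #22332>`. Separately, the backport carries the upstream ChangeLog and NEWS hunks, and the NEWS hunk's context is the neighbouring "Reported by Tim Rühsen" entry, so it applies only when that earlier glob fix is already in the checked-out branch; dropping those two hunks and keeping only posix/glob.c would make the patch less fragile. The glob.c hunk starts and ends inside the unescape loop, so whether `end_name` also bounds the writes through `p` cannot be confirmed from the visible lines.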
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index 04d97734b3..0ba29e4525 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
 file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
 file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
 file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
+ file://CVE-2017-15671.patch \
 "

 NATIVESDKFIXES ?= ""
-- cgit 1.2.3-korg