elf: Count components of the expanded path in _dl_init_path [BZ #22607]

This commit is contained in:
Florian Weimer 2017-12-14 15:05:57 +01:00
parent 8a0b17e48b
commit 3ff3dfa5af
3 changed files with 17 additions and 9 deletions

View File

@ -1,3 +1,10 @@
2017-12-14 Florian Weimer <fweimer@redhat.com>
[BZ #22607]
CVE-2017-1000409
* elf/dl-load.c (_dl_init_paths): Compute number of components in
the expanded path string.
2017-12-14 Florian Weimer <fweimer@redhat.com>
[BZ #22606]

6
NEWS
View File

@ -130,6 +130,12 @@ Security related changes:
it is mentioned here only because of the CVE assignment.) Reported by
Qualys.
CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
of the number of search path components. (This is not a security
vulnerability per se because no trust boundary is crossed if the fix for
CVE-2017-1000366 has been applied, but it is mentioned here only because
of the CVE assignment.) Reported by Qualys.
The following bugs are resolved with this release:
[The release manager will add the list generated by

View File

@ -773,8 +773,6 @@ _dl_init_paths (const char *llp)
if (llp != NULL && *llp != '\0')
{
size_t nllp;
const char *cp = llp;
char *llp_tmp;
#ifdef SHARED
@ -797,13 +795,10 @@ _dl_init_paths (const char *llp)
/* Decompose the LD_LIBRARY_PATH contents. First determine how many
elements it has. */
nllp = 1;
while (*cp)
{
size_t nllp = 1;
for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
if (*cp == ':' || *cp == ';')
++nllp;
++cp;
}
env_path_list.dirs = (struct r_search_path_elem **)
malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));