CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

2024-11-08 14:20:07 +00:00 · 2017-10-20 18:41:14 +02:00 · 2017-10-20 18:41:14 +02:00 · c369d66e54
commit c369d66e54
parent 6d43de4b85
3 changed files with 11 additions and 1 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+2017-10-20  Paul Eggert <eggert@cs.ucla.edu>
+
+	[BZ #22320]
+	CVE-2017-15670
+	* posix/glob.c (__glob): Fix one-byte overflow.
+
 2017-10-20  Wilco Dijkstra  <wdijkstr@arm.com>

 	* malloc/malloc.c (sysdep-cancel.h): Add include.
--- a/4
+++ b/4
@ -72,6 +72,10 @@ Security related changes:
  vulnerability; only trusted binaries must be examined using the ldd
  script.)

+  CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
+  from a one-byte overflow during ~ operator processing (either on the stack
+  or the heap, depending on the length of the user name).
+
 The following bugs are resolved with this release:

  [The release manager will add the list generated by
--- a/posix/glob.c
+++ b/posix/glob.c
@ -790,7 +790,7 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 		  *p = '\0';
 		}
 	      else
-		*((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+		*((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
 		  = '\0';
 	      user_name = newp;
 	    }