diff --git a/ChangeLog b/ChangeLog index f0512c524d..43f5bfa5d2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2017-10-20 Paul Eggert + + [BZ #22320] + CVE-2017-15670 + * posix/glob.c (__glob): Fix one-byte overflow. + 2017-10-20 Wilco Dijkstra * malloc/malloc.c (sysdep-cancel.h): Add include. diff --git a/NEWS b/NEWS index ad680db874..e0e505690b 100644 --- a/NEWS +++ b/NEWS @@ -72,6 +72,10 @@ Security related changes: vulnerability; only trusted binaries must be examined using the ldd script.) + CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered + from a one-byte overflow during ~ operator processing (either on the stack + or the heap, depending on the length of the user name). + The following bugs are resolved with this release: [The release manager will add the list generated by diff --git a/posix/glob.c b/posix/glob.c index 076ab2bd72..15a6c0cf13 100644 --- a/posix/glob.c +++ b/posix/glob.c @@ -790,7 +790,7 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int), *p = '\0'; } else - *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) + *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) = '\0'; user_name = newp; }