[lfs-dev] [lfs-patches] r3679 - trunk/glibc

Bruce Dubbs bruce.dubbs at gmail.com
Sun Dec 24 10:30:44 PST 2017


Chris Clayton wrote:
>
>
> On 24/12/17 05:41, dj at higgs.linuxfromscratch.org wrote:
>> Author: dj
>> Date: Sat Dec 23 21:41:23 2017
>> New Revision: 3679
>>
>> Log:
>> Add glibc-2.26-local_glob_exploits-1.patch
>>
>> Added:
>>     trunk/glibc/glibc-2.26-local_glob_exploits-1.patch
>>
>> Added: trunk/glibc/glibc-2.26-local_glob_exploits-1.patch
>> ==============================================================================
>> --- /dev/null	00:00:00 1970	(empty, because file is newly added)
>> +++ trunk/glibc/glibc-2.26-local_glob_exploits-1.patch	Sat Dec 23 21:41:23 2017	(r3679)
>> @@ -0,0 +1,59 @@
>> +Submitted by:            DJ Lucas (dj_AT_linuxfromscratch_DOT_org)
>> +Date:                    2017-12-24
>> +Initial Package Version: 2.26
>> +Upstream Status:         Comitted
>> +Origin:                  https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c369d66e5426a30e4725b100d5cd28e372754f90
>> +                         and https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a159b53fa059947cc2548e3b0d5bdcf7b9630ba8
>> +Description:             Fixes local-only exploits in glob functions idetified
>> +                         in CVE-2017-15670 and CVE-2017-15671
>> +
>> +
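
Review bot: the header has two typos, "Comitted" for "Committed" in Upstream Status and "idetified" for "identified" in the Description. The Description also names CVE-2017-15670 and CVE-2017-15671, while the two ChangeLog entries below cite BZ 22320 and BZ 22332; before committing, confirm that each of the two CVE numbers corresponds to one of those bug reports, since the header is the only place the mapping is stated.
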
>> +diff -Naurp glibc-2.26-orig/ChangeLog glibc-2.26/ChangeLog
>> +--- glibc-2.26-orig/ChangeLog	2017-12-23 23:16:40.669052891 -0600
>> ++++ glibc-2.26/ChangeLog	2017-12-23 23:30:21.240500323 -0600
>> +@@ -1,3 +1,19 @@
>> ++2017-10-21  Paul Eggert <eggert at cs.ucla.edu>
>> ++
>> ++	glob: fix another heap buffer overflow
>> ++	Problem reported by Tim Rühsen in:
>> ++	https://sourceware.org/bugzilla/show_bug.cgi?id=22332
>> ++	* lib/glob.c (glob): Avoid buffer overrun when unescaping.
>> ++
>> ++2017-10-19  Paul Eggert  <eggert at cs.ucla.edu>
>> ++
>> ++	glob: fix heap buffer overflow
>> ++	* lib/glob.c (glob): Fix off-by-one error introduced into
>> ++	glibc in commit dd7d45e838a42b0ed470c44b55901ea98d0c2bab
>> ++	dated 1997-10-29 20:33:40.  Problem reported by Tim Rühsen in:
>> ++	https://sourceware.org/bugzilla/show_bug.cgi?id=22320
>> ++	Fix suggested by Bruno Haible.
>> ++
>> + 2017-08-02  Siddhesh Poyarekar  <siddhesh at sourceware.org>
>> +
>> + 	* version.h (RELEASE): Set to "stable"
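
Review bot: this ChangeLog hunk is better left out of the patch: it changes nothing in the built library, it is the hunk most likely to conflict with any other patch applied on top of 2.26, and both entries name lib/glob.c, the gnulib path, while the file this patch actually touches is posix/glob.c. If the entries are kept, the path in them should read posix/glob.c.
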
>> +diff -Naurp glibc-2.26-orig/posix/glob.c glibc-2.26/posix/glob.c
>> +--- glibc-2.26-orig/posix/glob.c	2017-12-23 23:16:40.803052829 -0600
>> ++++ glibc-2.26/posix/glob.c	2017-12-23 23:20:11.177939148 -0600
>> +@@ -823,11 +823,11 @@ glob (const char *pattern, int flags, in
>> + 		  char *p = mempcpy (newp, dirname + 1,
>> + 				     unescape - dirname - 1);
>> + 		  char *q = unescape;
>> +-		  while (*q != '\0')
>> ++		  while (*q != end_name)
>> + 		    {
>> + 		      if (*q == '\\')
>> + 			{
>> +-			  if (q[1] == '\0')
>> ++			  if (q[1] == end_name)
>> + 			    {
>> + 			      /* "~fo\\o\\" unescape to user_name "foo\\",
>> + 				 but "~fo\\o\\/" unescape to user_name
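
Review bot: `while (*q != end_name)` and `if (q[1] == end_name)` compare a char with a char pointer, which is exactly the "comparison between pointer and integer" that stops the build under -Werror further down. The loop is meant to stop at the end of the user name, so the pointers themselves should be compared: `while (q != end_name)` and `if (q + 1 == end_name)`, as the corrected hunk in the reply below shows.
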
>> +@@ -843,7 +843,7 @@ glob (const char *pattern, int flags, in
>> + 		  *p = '\0';
>> + 		}
>> + 	      else
>> +-		*((char *) mempcpy (newp, dirname + 1, end_name - dirname))
>> ++		*((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
>> + 		  = '\0';
>> + 	      user_name = newp;
>> + 	    }
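
Review bot: the new length end_name - dirname - 1 is the number of bytes between dirname + 1 and end_name, so the copy now stops before the '/' at end_name instead of including it. Assuming newp is allocated with end_name - dirname bytes (its allocation sits above this hunk and is not shown), the old length also put the terminating NUL one byte past the buffer; with the new length the NUL lands on the last byte of newp. Worth checking that allocation line while the patch is being corrected.
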
>>
>
> glibc with this patch applied doesn't build here. The error I see (with gcc-7-20171221) is:
>
> gcc ../sysdeps/wordsize-64/glob.c -c -std=gnu11 -fgnu89-inline  -O3 -Wall -Werror -Wundef -Wwrite-strings

...

> In file included from ../sysdeps/wordsize-64/glob.c:3:0:
> ../posix/glob.c: In function 'glob':
> ../posix/glob.c:826:15: error: comparison between pointer and integer [-Werror]
>       while (*q != end_name)
>                 ^~
> ../posix/glob.c:830:15: error: comparison between pointer and integer [-Werror]
>        if (q[1] == end_name)
>                 ^~
> cc1: all warnings being treated as errors
>
> That looks valid because *q is a (signed) char while end_name is a pointer to a (signed) char. I think the first hunk of
> the patch should be:
>
>   		  char *p = mempcpy (newp, dirname + 1,
>> + 				     unescape - dirname - 1);
>> + 		  char *q = unescape;
>> +-		  while (*q != '\0')
>> ++		  while (q != end_name)
>> + 		    {
>> + 		      if (*q == '\\')
>> + 			{
>> +-			  if (q[1] == '\0')
>> ++			  if (q + 1 == end_name)
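
Review bot: comparing the pointers as shown here is the right form: q stops at end_name whether the name ends at a '/' or at the NUL, and `q + 1 == end_name` catches a backslash as the last byte of the name, which is the "~fo\\o\\" versus "~fo\\o\\/" case the comment in the hunk describes. Since the committed copy differs from this only in the two comparisons, it reads like a transcription slip; regenerating the patch file from the two upstream commits named in its header, rather than editing the copy by hand, would avoid a repeat.
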

This should be at lfs-dev, not patches.

Your change seems right to me.  For the patch, I would skip the changes to 
the ChangeLog.

   -- Bruce
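
As an added example, not code from glibc, from the LFS patch or from either poster, here is a small C model of the user-name extraction that the two glob.c hunks change. Like glob(), it copies the name into a buffer of end_name - dirname bytes, and it runs each pattern through the glibc 2.26 logic and through the corrected logic (pointer comparisons against end_name, copy length end_name - dirname - 1), counting the bytes written past that buffer. The function names build_user_name, model_glob_user and model_name are hypothetical and the patterns are constructed; a sentinel-filled scratch area keeps the demonstration itself in bounds.

```c
/* Added example, not glibc's code or the patch's: a stand-alone model of
   how glob() turns "~user/rest" into a user name, so the two off-by-one
   bugs in the quoted glob.c hunks can be watched without rebuilding glibc.
   build_user_name, model_glob_user and model_name are hypothetical names;
   the patterns in main() are constructed inputs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* end_name in glob(): the '/' ending the user name, or the NUL if none. */
static const char *find_end_name(const char *dirname)
{
    const char *slash = strchr(dirname, '/');
    return slash != NULL ? slash : dirname + strlen(dirname);
}

/* Fill newp, which (as in glob()) holds exactly end_name - dirname bytes,
   with the unescaped user name.  fixed == false follows glibc 2.26: the
   unescape loop runs to the pattern's NUL instead of end_name, and the
   plain copy takes end_name - dirname bytes.  fixed == true follows the
   corrected patch: pointer comparisons against end_name and a copy of
   end_name - dirname - 1 bytes. */
static void build_user_name(const char *dirname, char *newp, bool fixed)
{
    const char *end_name = find_end_name(dirname);
    const char *unescape = memchr(dirname, '\\', (size_t)(end_name - dirname));

    if (unescape != NULL) {
        size_t prefix = (size_t)(unescape - dirname - 1);
        memcpy(newp, dirname + 1, prefix);          /* bytes before the first '\' */
        char *p = newp + prefix;
        const char *q = unescape;
        while (fixed ? q != end_name : *q != '\0') {
            if (*q == '\\') {
                if (fixed ? q + 1 == end_name : q[1] == '\0') {
                    /* "~fo\\o\\" keeps the final backslash, "~fo\\o\\/" drops it */
                    if (*end_name == '\0')
                        *p++ = '\\';
                    break;
                }
                ++q;                                /* step over the escape */
            }
            *p++ = *q++;
        }
        *p = '\0';
    } else {
        size_t n = (size_t)(end_name - dirname) - (fixed ? 1 : 0);
        memcpy(newp, dirname + 1, n);
        newp[n] = '\0';
    }
}

/* Run build_user_name into a sentinel-filled scratch area big enough for the
   whole pattern (so this model never writes out of bounds itself) and return
   how many bytes landed past the end_name - dirname bytes glob() allocates;
   0 means the copy stayed in bounds.  The name is copied to `name` if given. */
#define SCRATCH_SIZE 256
static size_t model_glob_user(const char *dirname, bool fixed,
                              char *name, size_t name_size)
{
    unsigned char scratch[SCRATCH_SIZE];
    const char *end_name = find_end_name(dirname);
    size_t alloc = (size_t)(end_name - dirname);

    if (dirname[0] != '~' || strlen(dirname) + 2 > SCRATCH_SIZE)
        return (size_t)-1;                          /* not a valid model input */
    if (*end_name == '\0' && strchr(dirname, '\\') == NULL) {
        /* glob() uses dirname + 1 in place here; nothing is copied */
        if (name != NULL)
            snprintf(name, name_size, "%s", dirname + 1);
        return 0;
    }
    memset(scratch, 0xA5, sizeof scratch);          /* sentinel */
    build_user_name(dirname, (char *)scratch, fixed);

    size_t overrun = 0;
    for (size_t i = alloc; i < SCRATCH_SIZE; i++)
        if (scratch[i] != 0xA5)
            overrun = i - alloc + 1;                /* highest dirty byte */
    if (name != NULL)
        snprintf(name, name_size, "%s", (const char *)scratch);
    return overrun;
}

/* The unescaped name alone, in a static buffer (one call at a time). */
static const char *model_name(const char *dirname, bool fixed)
{
    static char name[64];
    model_glob_user(dirname, fixed, name, sizeof name);
    return name;
}

int main(void)
{
    static const char *const patterns[] = {
        "~foo/bar",      /* plain name: terminator lands past newp (BZ 22320) */
        "~fo\\o\\/bar",  /* escape before the '/': loop runs to the NUL (BZ 22332) */
        "~fo\\o\\",      /* escaped name with no '/': both versions agree */
    };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        char was[64], now[64];
        size_t over_was = model_glob_user(patterns[i], false, was, sizeof was);
        size_t over_now = model_glob_user(patterns[i], true, now, sizeof now);
        printf("%-13s  2.26: \"%s\" (+%zu bytes)  patched: \"%s\" (+%zu bytes)\n",
               patterns[i], was, over_was, now, over_now);
    }
    return 0;
}
```

Built with any C99 compiler, the three constructed patterns show the two bugs and the case that hid them: "~foo/bar" puts its terminator one byte past the buffer under the 2.26 length, "~fo\\o\\/bar" makes the 2.26 unescape loop copy everything up to the end of the pattern, and "~fo\\o\\" (no '/') behaves identically before and after the fix, which is why a name without a slash never exposed either problem.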



