1 files changed, 150 insertions, 0 deletions
diff --git a/recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch b/recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch
new file mode 100644
index 0000000..6401734
--- /dev/null
+++ b/recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch
@@ -0,0 +1,150 @@
+From 24ee2a5b63d15cf45c43ec598f11fe59878982a8 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 11:17:18 +0200
+Subject: [PATCH] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
+The fillin_rpath function in elf/dl-load.c loops over each RPATH or
+RUNPATH tokens and interprets empty tokens as the current directory
+("./"). In practice the check for empty token is done *after* the
+dynamic string token expansion. The expansion process can return an
+empty string for the $ORIGIN token if __libc_enable_secure is set
+or if the path of the binary can not be determined (/proc not mounted).
+Fix that by moving the check for empty tokens before the dynamic string
+token expansion. In addition, check for NULL pointer or empty strings
+return by expand_dynamic_string_token.
+The above changes highlighted a bug in decompose_rpath, an empty array
+is represented by the first element being NULL at the fillin_rpath
+level, but by using a -1 pointer in decompose_rpath and other functions.
+Changelog:
+        [BZ #22625]
+        * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+        string token expansion. Check for NULL pointer or empty string possibly
+        returned by expand_dynamic_string_token.
+        (decompose_rpath): Check for empty path after dynamic string
+        token expansion.
+(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
+CVE: CVE-2017-16997
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=21c5d14bfb4e08bee86f94fd815535d3be2c3869]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ ChangeLog     | 10 ++++++++++
+ NEWS          |  4 ++++
+ elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------
+ 3 files changed, 47 insertions(+), 16 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index a0c2f51..ad380fd 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,13 @@
+2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
+           Dmitry V. Levin  <ldv@altlinux.org>
+
+       [BZ #22625]
+       * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+       string token expansion. Check for NULL pointer or empty string possibly
+       returned by expand_dynamic_string_token.
+       (decompose_rpath): Check for empty path after dynamic string
+       token expansion.
+
+ 2017-04-13  Florian Weimer  <fweimer@redhat.com>
+ 
+        [BZ #21361]
+diff --git a/NEWS b/NEWS
+index 29e795a..195c06d 100644
+--- a/NEWS
+++ b/NEWS
+@@ -214,6 +214,10 @@ Security related changes:
+ * The xdr_bytes and xdr_string routines free the internally allocated buffer
+   if deserialization of the buffer contents fails for any reason.
+ 
+  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
+  for AT_SECURE or SUID binaries could be used to load libraries from the
+  current directory.
+
+ The following bugs are resolved with this release:
+ 
+   [4099] stdio: Overly agressive caching by stream i/o functions.
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index a5318f9..bdb4484 100644
+--- a/elf/dl-load.c
+++ b/elf/dl-load.c
+@@ -433,31 +433,40 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
+ {
+   char *cp;
+   size_t nelems = 0;
+-  char *to_free;
+ 
+   while ((cp = __strsep (&rpath, sep)) != NULL)
+     {
+       struct r_search_path_elem *dirp;
+      char *to_free = NULL;
+      size_t len = 0;
+ 
+-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
+      /* `strsep' can pass an empty string.  */
+      if (*cp != '\0')
+       {
+         to_free = cp = expand_dynamic_string_token (l, cp, 1);
+ 
+-      size_t len = strlen (cp);
+         /* expand_dynamic_string_token can return NULL in case of empty
+            path or memory allocation failure.  */
+         if (cp == NULL)
+           continue;
+ 
+-      /* `strsep' can pass an empty string.  This has to be
+-        interpreted as `use the current directory'. */
+-      if (len == 0)
+-       {
+-         static const char curwd[] = "./";
+-         cp = (char *) curwd;
+-       }
+         /* Compute the length after dynamic string token expansion and
+            ignore empty paths.  */
+         len = strlen (cp);
+         if (len == 0)
+           {
+             free (to_free);
+             continue;
+           }
+ 
+-      /* Remove trailing slashes (except for "/").  */
+-      while (len > 1 && cp[len - 1] == '/')
+-       --len;
+         /* Remove trailing slashes (except for "/").  */
+         while (len > 1 && cp[len - 1] == '/')
+           --len;
+ 
+-      /* Now add one if there is none so far.  */
+-      if (len > 0 && cp[len - 1] != '/')
+-       cp[len++] = '/';
+         /* Now add one if there is none so far.  */
+         if (len > 0 && cp[len - 1] != '/')
+           cp[len++] = '/';
+       }
+ 
+       /* Make sure we don't use untrusted directories if we run SUID.  */
+       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
+@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_struct *sps,
+      necessary.  */
+   free (copy);
+ 
+  /* There is no path after expansion.  */
+  if (result[0] == NULL)
+    {
+      free (result);
+      sps->dirs = (struct r_search_path_elem **) -1;
+      return false;
+    }
+
+   sps->dirs = result;
+   /* The caller will change this value if we haven't used a real malloc.  */
+   sps->malloced = 1;

diff --git a/recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch b/recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch new file mode 100644 index 0000000..6401734 --- /dev/null +++ b/recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch
@@ -0,0 +1,150 @@
	1	From 24ee2a5b63d15cf45c43ec598f11fe59878982a8 Mon Sep 17 00:00:00 2001
	2	From: Andreas Wellving <andreas.wellving@enea.com>
	3	Date: Mon, 22 Oct 2018 11:17:18 +0200
	4	Subject: [PATCH] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
	5
	6	The fillin_rpath function in elf/dl-load.c loops over each RPATH or
	7	RUNPATH tokens and interprets empty tokens as the current directory
	8	("./"). In practice the check for empty token is done after the
	9	dynamic string token expansion. The expansion process can return an
	10	empty string for the $ORIGIN token if __libc_enable_secure is set
	11	or if the path of the binary can not be determined (/proc not mounted).
	12
	13	Fix that by moving the check for empty tokens before the dynamic string
	14	token expansion. In addition, check for NULL pointer or empty strings
	15	return by expand_dynamic_string_token.
	16
	17	The above changes highlighted a bug in decompose_rpath, an empty array
	18	is represented by the first element being NULL at the fillin_rpath
	19	level, but by using a -1 pointer in decompose_rpath and other functions.
	20
	21	Changelog:
	22	[BZ #22625]
	23	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
	24	string token expansion. Check for NULL pointer or empty string possibly
	25	returned by expand_dynamic_string_token.
	26	(decompose_rpath): Check for empty path after dynamic string
	27	token expansion.
	28	(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
	29
	30	CVE: CVE-2017-16997
	31	Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=21c5d14bfb4e08bee86f94fd815535d3be2c3869]
	32
	33	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	34	---
	35	ChangeLog \| 10 ++++++++++
	36	NEWS \| 4 ++++
	37	elf/dl-load.c \| 49 +++++++++++++++++++++++++++++++++----------------
	38	3 files changed, 47 insertions(+), 16 deletions(-)
	39
	40	diff --git a/ChangeLog b/ChangeLog
	41	index a0c2f51..ad380fd 100644
	42	--- a/ChangeLog
	43	+++ b/ChangeLog
	44	@@ -1,3 +1,13 @@
	45	+2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
	46	+ Dmitry V. Levin <ldv@altlinux.org>
	47	+
	48	+ [BZ #22625]
	49	+ * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
	50	+ string token expansion. Check for NULL pointer or empty string possibly
	51	+ returned by expand_dynamic_string_token.
	52	+ (decompose_rpath): Check for empty path after dynamic string
	53	+ token expansion.
	54	+
	55	2017-04-13 Florian Weimer <fweimer@redhat.com>
	56
	57	[BZ #21361]
	58	diff --git a/NEWS b/NEWS
	59	index 29e795a..195c06d 100644
	60	--- a/NEWS
	61	+++ b/NEWS
	62	@@ -214,6 +214,10 @@ Security related changes:
	63	* The xdr_bytes and xdr_string routines free the internally allocated buffer
	64	if deserialization of the buffer contents fails for any reason.
	65
	66	+ CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
	67	+ for AT_SECURE or SUID binaries could be used to load libraries from the
	68	+ current directory.
	69	+
	70	The following bugs are resolved with this release:
	71
	72	[4099] stdio: Overly agressive caching by stream i/o functions.
	73	diff --git a/elf/dl-load.c b/elf/dl-load.c
	74	index a5318f9..bdb4484 100644
	75	--- a/elf/dl-load.c
	76	+++ b/elf/dl-load.c
	77	@@ -433,31 +433,40 @@ fillin_rpath (char rpath, struct r_search_path_elem result, const char sep,
	78	{
	79	char *cp;
	80	size_t nelems = 0;
	81	- char *to_free;
	82
	83	while ((cp = __strsep (&rpath, sep)) != NULL)
	84	{
	85	struct r_search_path_elem *dirp;
	86	+ char *to_free = NULL;
	87	+ size_t len = 0;
	88
	89	- to_free = cp = expand_dynamic_string_token (l, cp, 1);
	90	+ /* `strsep' can pass an empty string. */
	91	+ if (*cp != '\0')
	92	+ {
	93	+ to_free = cp = expand_dynamic_string_token (l, cp, 1);
	94
	95	- size_t len = strlen (cp);
	96	+ /* expand_dynamic_string_token can return NULL in case of empty
	97	+ path or memory allocation failure. */
	98	+ if (cp == NULL)
	99	+ continue;
	100
	101	- /* `strsep' can pass an empty string. This has to be
	102	- interpreted as `use the current directory'. */
	103	- if (len == 0)
	104	- {
	105	- static const char curwd[] = "./";
	106	- cp = (char *) curwd;
	107	- }
	108	+ /* Compute the length after dynamic string token expansion and
	109	+ ignore empty paths. */
	110	+ len = strlen (cp);
	111	+ if (len == 0)
	112	+ {
	113	+ free (to_free);
	114	+ continue;
	115	+ }
	116
	117	- /* Remove trailing slashes (except for "/"). */
	118	- while (len > 1 && cp[len - 1] == '/')
	119	- --len;
	120	+ /* Remove trailing slashes (except for "/"). */
	121	+ while (len > 1 && cp[len - 1] == '/')
	122	+ --len;
	123
	124	- /* Now add one if there is none so far. */
	125	- if (len > 0 && cp[len - 1] != '/')
	126	- cp[len++] = '/';
	127	+ /* Now add one if there is none so far. */
	128	+ if (len > 0 && cp[len - 1] != '/')
	129	+ cp[len++] = '/';
	130	+ }
	131
	132	/* Make sure we don't use untrusted directories if we run SUID. */
	133	if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
	134	@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_struct *sps,
	135	necessary. */
	136	free (copy);
	137
	138	+ /* There is no path after expansion. */
	139	+ if (result[0] == NULL)
	140	+ {
	141	+ free (result);
	142	+ sps->dirs = (struct r_search_path_elem **) -1;
	143	+ return false;
	144	+ }
	145	+
	146	sps->dirs = result;
	147	/* The caller will change this value if we haven't used a real malloc. */
	148	sps->malloced = 1;
	149
	150