Diffstat (limited to 'recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch')
-rw-r--r-- | recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch | 150 |
1 files changed, 150 insertions, 0 deletions
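diff --git a/recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch b/recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch
new file mode 100644
index 0000000..6401734
--- /dev/null
+++ b/recipes-core/glibc/glibc/CVE-2017-16997-Check-for-empty-tokens-before-dynamic-string-tok.patch
@@ -0,0 +1,150 @@
+From 24ee2a5b63d15cf45c43ec598f11fe59878982a8 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 11:17:18 +0200
+Subject: [PATCH] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
+
+The fillin_rpath function in elf/dl-load.c loops over each RPATH or
+RUNPATH tokens and interprets empty tokens as the current directory
+("./"). In practice the check for empty token is done *after* the
+dynamic string token expansion. The expansion process can return an
+empty string for the $ORIGIN token if __libc_enable_secure is set
+or if the path of the binary can not be determined (/proc not mounted).
+
+Fix that by moving the check for empty tokens before the dynamic string
+token expansion. In addition, check for NULL pointer or empty strings
+return by expand_dynamic_string_token.
+
+The above changes highlighted a bug in decompose_rpath, an empty array
+is represented by the first element being NULL at the fillin_rpath
+level, but by using a -1 pointer in decompose_rpath and other functions.
+
+Changelog:
+[BZ #22625]
+* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+string token expansion. Check for NULL pointer or empty string possibly
+returned by expand_dynamic_string_token.
+(decompose_rpath): Check for empty path after dynamic string
+token expansion.
+(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
+
+CVE: CVE-2017-16997
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=21c5d14bfb4e08bee86f94fd815535d3be2c3869]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ChangeLog | 10 ++++++++++
+NEWS | 4 ++++
+elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------
+3 files changed, 47 insertions(+), 16 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index a0c2f51..ad380fd 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,13 @@
++2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
++ Dmitry V. Levin <ldv@altlinux.org>
++
++ [BZ #22625]
++ * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
++ string token expansion. Check for NULL pointer or empty string possibly
++ returned by expand_dynamic_string_token.
++ (decompose_rpath): Check for empty path after dynamic string
++ token expansion.
++
+2017-04-13 Florian Weimer <fweimer@redhat.com>
+
+[BZ #21361]
+diff --git a/NEWS b/NEWS
+index 29e795a..195c06d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -214,6 +214,10 @@ Security related changes:
+* The xdr_bytes and xdr_string routines free the internally allocated buffer
+if deserialization of the buffer contents fails for any reason.
+
++ CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
++ for AT_SECURE or SUID binaries could be used to load libraries from the
++ current directory.
++
+The following bugs are resolved with this release:
+
+[4099] stdio: Overly agressive caching by stream i/o functions.
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index a5318f9..bdb4484 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -433,31 +433,40 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
+{
+char *cp;
+size_t nelems = 0;
+- char *to_free;
+
+while ((cp = __strsep (&rpath, sep)) != NULL)
+{
+struct r_search_path_elem *dirp;
++ char *to_free = NULL;
++ size_t len = 0;
+
+- to_free = cp = expand_dynamic_string_token (l, cp, 1);
++ /* `strsep' can pass an empty string. */
++ if (*cp != '\0')
++ {
++ to_free = cp = expand_dynamic_string_token (l, cp, 1);
+
+- size_t len = strlen (cp);
++ /* expand_dynamic_string_token can return NULL in case of empty
++ path or memory allocation failure. */
++ if (cp == NULL)
++ continue;
+
+- /* `strsep' can pass an empty string. This has to be
+- interpreted as `use the current directory'. */
+- if (len == 0)
+- {
+- static const char curwd[] = "./";
+- cp = (char *) curwd;
+- }
++ /* Compute the length after dynamic string token expansion and
++ ignore empty paths. */
++ len = strlen (cp);
++ if (len == 0)
++ {
++ free (to_free);
++ continue;
++ }
+
+- /* Remove trailing slashes (except for "/"). */
+- while (len > 1 && cp[len - 1] == '/')
+- --len;
++ /* Remove trailing slashes (except for "/"). */
++ while (len > 1 && cp[len - 1] == '/')
++ --len;
+
+- /* Now add one if there is none so far. */
+- if (len > 0 && cp[len - 1] != '/')
+- cp[len++] = '/';
++ /* Now add one if there is none so far. */
++ if (len > 0 && cp[len - 1] != '/')
++ cp[len++] = '/';
++ }
+
+/* Make sure we don't use untrusted directories if we run SUID. */
+if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
+@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_struct *sps,
+necessary. */
+free (copy);
+
++ /* There is no path after expansion. */
++ if (result[0] == NULL)
++ {
++ free (result);
++ sps->dirs = (struct r_search_path_elem **) -1;
++ return false;
++ }
++
+sps->dirs = result;
+/* The caller will change this value if we haven't used a real malloc. */
+sps->malloced = 1;
+
+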
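Review bot: The fillin_rpath hunk in the carried patch no longer explains why a literal empty strsep token is still accepted: when `*cp == '\0'` the whole expansion block is skipped, so the token reaches `is_trusted_path (cp, len)` with `len == 0` and is presumably still registered as a zero-length (current-directory) entry further down, whereas only a NULL or empty *expansion* result is now dropped; fillin_rpath continues past the hunk, so the later handling of `len == 0` is not visible here. The comment at `if (*cp != '\0')` should make that distinction explicit, e.g. `/* strsep can pass an empty string; keep it as a zero-length entry, and only drop tokens whose expansion below is NULL or empty.  */`. Separately, the ChangeLog and NEWS hunks are context-sensitive and are usually trimmed from recipe backports so the patch keeps applying across minor glibc updates; the elf/dl-load.c hunks alone carry the fix. The header also names two upstream commits (the cherry-pick line 3e3c904d and the Upstream-Status URL 21c5d14b); presumably the latter is the release-branch backport, which is worth stating so the provenance is unambiguous.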