glibc: Security fix CVE-2017-15671

affects glibc < 2.27 only glibc in current master hash: 77f921dac17c5fa99bd9e926d926c327982895f7 (From OE-Core rev: 9e411843b26d296ba2b048b581d31bd0221e25e6) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster808@gmail.com> 2018-01-21 09:59:54 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-23 23:43:45 +0000
commit: 042e562a7732f78828a26fb0443f12925435cc12 (patch)
tree: 52a86c2f1ea27e8631a0284da9956e870e6c98f1
parent: 1aa417df604d2627c56232a7a2c396c6b085d74b (diff)
download: poky-042e562a7732f78828a26fb0443f12925435cc12.tar.gz
2 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
new file mode 100644
index 0000000000..9a08784106
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
@@ -0,0 +1,65 @@
+From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Sun, 22 Oct 2017 10:00:57 +0200
+Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ
+ #22332]
+(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
+Upstream-Status: Backport
+CVE: CVE-2017-15671
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog    | 6 ++++++
+ NEWS         | 4 ++++
+ posix/glob.c | 4 ++--
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
+++ git/NEWS
+@@ -20,6 +20,10 @@ Security related changes:
+   on the stack or the heap, depending on the length of the user name).
+   Reported by Tim Rühsen.
+ 
+  The glob function, when invoked with GLOB_TILDE and without
+  GLOB_NOESCAPE, could write past the end of a buffer while
+  unescaping user names.  Reported by Tim Rühsen.
+
+ The following bugs are resolved with this release:
+ 
+   [16750] ldd: Never run file directly.
+Index: git/posix/glob.c
+===================================================================
+--- git.orig/posix/glob.c
+++ git/posix/glob.c
+@@ -850,11 +850,11 @@ glob (const char *pattern, int flags, in
+                  char *p = mempcpy (newp, dirname + 1,
+                                     unescape - dirname - 1);
+                  char *q = unescape;
+-                 while (*q != '\0')
+                 while (q != end_name)
+                    {
+                      if (*q == '\\')
+                        {
+-                         if (q[1] == '\0')
+                         if (q + 1 == end_name)
+                            {
+                              /* "~fo\\o\\" unescape to user_name "foo\\",
+                                 but "~fo\\o\\/" unescape to user_name
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
+++ git/ChangeLog
+@@ -1,3 +1,9 @@
+2017-10-22  Paul Eggert <eggert@cs.ucla.edu>
+
+       [BZ #22332]
+       * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
+       unescaping.
+
+ 2017-10-13  James Clarke  <jrtc27@jrtc27.com>
+ 
+        * sysdeps/powerpc/powerpc32/dl-machine.h (elf_machine_rela):
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index 04d97734b3..0ba29e4525 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
           file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
           file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
+           file://CVE-2017-15671.patch \
 "
 NATIVESDKFIXES ?= ""
author	Armin Kuster <akuster808@gmail.com>	2018-01-21 09:59:54 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-23 23:43:45 +0000
commit	042e562a7732f78828a26fb0443f12925435cc12 (patch)
tree	52a86c2f1ea27e8631a0284da9956e870e6c98f1
parent	1aa417df604d2627c56232a7a2c396c6b085d74b (diff)
download	poky-042e562a7732f78828a26fb0443f12925435cc12.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch new file mode 100644 index 0000000000..9a08784106 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
@@ -0,0 +1,65 @@
		1	From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001
		2	From: Paul Eggert <eggert@cs.ucla.edu>
		3	Date: Sun, 22 Oct 2017 10:00:57 +0200
		4	Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ
		5	#22332]
		6
		7	(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
		8
		9	Upstream-Status: Backport
		10	CVE: CVE-2017-15671
		11	Signed-off-by: Armin Kuster <akuster@mvista.com>
		12
		13	---
		14	ChangeLog \| 6 ++++++
		15	NEWS \| 4 ++++
		16	posix/glob.c \| 4 ++--
		17	3 files changed, 12 insertions(+), 2 deletions(-)
		18
		19	Index: git/NEWS
		20	===================================================================
		21	--- git.orig/NEWS
		22	+++ git/NEWS
		23	@@ -20,6 +20,10 @@ Security related changes:
		24	on the stack or the heap, depending on the length of the user name).
		25	Reported by Tim Rühsen.
		26
		27	+ The glob function, when invoked with GLOB_TILDE and without
		28	+ GLOB_NOESCAPE, could write past the end of a buffer while
		29	+ unescaping user names. Reported by Tim Rühsen.
		30	+
		31	The following bugs are resolved with this release:
		32
		33	[16750] ldd: Never run file directly.
		34	Index: git/posix/glob.c
		35	===================================================================
		36	--- git.orig/posix/glob.c
		37	+++ git/posix/glob.c
		38	@@ -850,11 +850,11 @@ glob (const char *pattern, int flags, in
		39	char *p = mempcpy (newp, dirname + 1,
		40	unescape - dirname - 1);
		41	char *q = unescape;
		42	- while (*q != '\0')
		43	+ while (q != end_name)
		44	{
		45	if (*q == '\\')
		46	{
		47	- if (q[1] == '\0')
		48	+ if (q + 1 == end_name)
		49	{
		50	/* "~fo\\o\\" unescape to user_name "foo\\",
		51	but "~fo\\o\\/" unescape to user_name
		52	Index: git/ChangeLog
		53	===================================================================
		54	--- git.orig/ChangeLog
		55	+++ git/ChangeLog
		56	@@ -1,3 +1,9 @@
		57	+2017-10-22 Paul Eggert <eggert@cs.ucla.edu>
		58	+
		59	+ [BZ #22332]
		60	+ * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
		61	+ unescaping.
		62	+
		63	2017-10-13 James Clarke <jrtc27@jrtc27.com>
		64
		65	* sysdeps/powerpc/powerpc32/dl-machine.h (elf_machine_rela):


diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb index 04d97734b3..0ba29e4525 100644 --- a/meta/recipes-core/glibc/glibc_2.26.bb +++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
43	file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \	43	file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
44	file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \	44	file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
45	file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \	45	file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
		46	file://CVE-2017-15671.patch \
46	"	47	"
47		48
48	NATIVESDKFIXES ?= ""	49	NATIVESDKFIXES ?= ""