1 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch b/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch
new file mode 100644
index 0000000000..6c347cd414
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch
@@ -0,0 +1,66 @@
+From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Wed, 19 Feb 2020 17:21:46 +0100
+Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414)
+The value of `end_name' points into the value of `dirname', thus don't
+deallocate the latter before the last use of the former.
+CVE: CVE-2020-1752
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ posix/glob.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+diff --git a/posix/glob.c b/posix/glob.c
+index cba9cd1819..4580cefb9f 100644
+--- a/posix/glob.c
+++ b/posix/glob.c
+@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
+              {
+                size_t home_len = strlen (p->pw_dir);
+                size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+-               char *d;
+               char *d, *newp;
+               bool use_alloca = glob_use_alloca (alloca_used,
+                                                  home_len + rest_len + 1);
+ 
+-               if (__glibc_unlikely (malloc_dirname))
+-                 free (dirname);
+-               malloc_dirname = 0;
+-
+-               if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
+-                 dirname = alloca_account (home_len + rest_len + 1,
+-                                           alloca_used);
+               if (use_alloca)
+                 newp = alloca_account (home_len + rest_len + 1, alloca_used);
+                else
+                  {
+-                   dirname = malloc (home_len + rest_len + 1);
+-                   if (dirname == NULL)
+                   newp = malloc (home_len + rest_len + 1);
+                   if (newp == NULL)
+                      {
+                        scratch_buffer_free (&pwtmpbuf);
+                        retval = GLOB_NOSPACE;
+                        goto out;
+                      }
+-                   malloc_dirname = 1;
+                  }
+-               d = mempcpy (dirname, p->pw_dir, home_len);
+               d = mempcpy (newp, p->pw_dir, home_len);
+                if (end_name != NULL)
+                  d = mempcpy (d, end_name, rest_len);
+                *d = '\0';
+ 
+               if (__glibc_unlikely (malloc_dirname))
+                 free (dirname);
+               dirname = newp;
+               malloc_dirname = !use_alloca;
+
+                dirlen = home_len + rest_len;
+                dirname_modified = 1;
+              }
+-- 
+2.18.2

diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch b/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch new file mode 100644 index 0000000000..6c347cd414 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch
@@ -0,0 +1,66 @@
	1	From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001
	2	From: Andreas Schwab <schwab@suse.de>
	3	Date: Wed, 19 Feb 2020 17:21:46 +0100
	4	Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414)
	5
	6	The value of `end_name' points into the value of `dirname', thus don't
	7	deallocate the latter before the last use of the former.
	8
	9	CVE: CVE-2020-1752
	10	Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
	11	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
	12	---
	13	posix/glob.c \| 25 +++++++++++++------------
	14	1 file changed, 13 insertions(+), 12 deletions(-)
	15
	16	diff --git a/posix/glob.c b/posix/glob.c
	17	index cba9cd1819..4580cefb9f 100644
	18	--- a/posix/glob.c
	19	+++ b/posix/glob.c
	20	@@ -827,31 +827,32 @@ __glob (const char pattern, int flags, int (errfunc) (const char *, int),
	21	{
	22	size_t home_len = strlen (p->pw_dir);
	23	size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
	24	- char *d;
	25	+ char d, newp;
	26	+ bool use_alloca = glob_use_alloca (alloca_used,
	27	+ home_len + rest_len + 1);
	28
	29	- if (__glibc_unlikely (malloc_dirname))
	30	- free (dirname);
	31	- malloc_dirname = 0;
	32	-
	33	- if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
	34	- dirname = alloca_account (home_len + rest_len + 1,
	35	- alloca_used);
	36	+ if (use_alloca)
	37	+ newp = alloca_account (home_len + rest_len + 1, alloca_used);
	38	else
	39	{
	40	- dirname = malloc (home_len + rest_len + 1);
	41	- if (dirname == NULL)
	42	+ newp = malloc (home_len + rest_len + 1);
	43	+ if (newp == NULL)
	44	{
	45	scratch_buffer_free (&pwtmpbuf);
	46	retval = GLOB_NOSPACE;
	47	goto out;
	48	}
	49	- malloc_dirname = 1;
	50	}
	51	- d = mempcpy (dirname, p->pw_dir, home_len);
	52	+ d = mempcpy (newp, p->pw_dir, home_len);
	53	if (end_name != NULL)
	54	d = mempcpy (d, end_name, rest_len);
	55	*d = '\0';
	56
	57	+ if (__glibc_unlikely (malloc_dirname))
	58	+ free (dirname);
	59	+ dirname = newp;
	60	+ malloc_dirname = !use_alloca;
	61	+
	62	dirlen = home_len + rest_len;
	63	dirname_modified = 1;
	64	}
	65	--
	66	2.18.2