glibc: Security fix CVE-2017-15671

affects glibc < 2.27 only glibc in current master hash: 77f921dac17c5fa99bd9e926d926c327982895f7 (From OE-Core rev: b12c8f02bbd637ef05ad1518494d666c55eaf544) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster808@gmail.com> 2018-01-20 15:56:58 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-25 11:36:25 +0000
commit: 0aaf7b828dc60aca5cdcafdbb0d43e433773756a (patch)
tree: 4dc59b892124a51754f3b3bd26d0fa31a1d67623
parent: 1c27271cddf337755bfcd27e3c2c05c71372cd7f (diff)
download: poky-0aaf7b828dc60aca5cdcafdbb0d43e433773756a.tar.gz
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
new file mode 100644
index 0000000000..35692820d4
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
@@ -0,0 +1,66 @@
+From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Sun, 22 Oct 2017 10:00:57 +0200
+Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ
+ #22332]
+(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
+Upstream-Status: Backport
+CVE: CVE-2017-15671
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog    | 6 ++++++
+ NEWS         | 4 ++++
+ posix/glob.c | 4 ++--
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
+++ git/NEWS
+@@ -211,6 +211,10 @@ Security related changes:
+   on the stack or the heap, depending on the length of the user name).
+   Reported by Tim Rühsen.
+ 
+  The glob function, when invoked with GLOB_TILDE and without
+  GLOB_NOESCAPE, could write past the end of a buffer while
+  unescaping user names.  Reported by Tim Rühsen.
+
+ The following bugs are resolved with this release:
+ 
+   [984] network: Respond to changed resolv.conf in gethostbyname
+Index: git/posix/glob.c
+===================================================================
+--- git.orig/posix/glob.c
+++ git/posix/glob.c
+@@ -823,11 +823,11 @@ glob (const char *pattern, int flags, in
+                  char *p = mempcpy (newp, dirname + 1,
+                                     unescape - dirname - 1);
+                  char *q = unescape;
+-                 while (*q != '\0')
+                 while (q != end_name)
+                    {
+                      if (*q == '\\')
+                        {
+-                         if (q[1] == '\0')
+                         if (q + 1 == end_name)
+                            {
+                              /* "~fo\\o\\" unescape to user_name "foo\\",
+                                 but "~fo\\o\\/" unescape to user_name
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
+++ git/ChangeLog
+@@ -1,5 +1,10 @@
+
+ 2017-10-20  Paul Eggert <eggert@cs.ucla.edu>
+ 
+       [BZ #22332]
+       * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
+       unescaping.
+
+        [BZ #22320]
+        CVE-2017-15670
+        * posix/glob.c (__glob): Fix one-byte overflow.
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index ed4ea4f624..e4ba28fffd 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
           file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
           file://CVE-2017-15670.patch \
+           file://CVE-2017-15671.patch \
 "
 NATIVESDKFIXES ?= ""
author	Armin Kuster <akuster808@gmail.com>	2018-01-20 15:56:58 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-25 11:36:25 +0000
commit	0aaf7b828dc60aca5cdcafdbb0d43e433773756a (patch)
tree	4dc59b892124a51754f3b3bd26d0fa31a1d67623
parent	1c27271cddf337755bfcd27e3c2c05c71372cd7f (diff)
download	poky-0aaf7b828dc60aca5cdcafdbb0d43e433773756a.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch new file mode 100644 index 0000000000..35692820d4 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
@@ -0,0 +1,66 @@
		1	From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001
		2	From: Paul Eggert <eggert@cs.ucla.edu>
		3	Date: Sun, 22 Oct 2017 10:00:57 +0200
		4	Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ
		5	#22332]
		6
		7	(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
		8
		9	Upstream-Status: Backport
		10	CVE: CVE-2017-15671
		11	Signed-off-by: Armin Kuster <akuster@mvista.com>
		12
		13	---
		14	ChangeLog \| 6 ++++++
		15	NEWS \| 4 ++++
		16	posix/glob.c \| 4 ++--
		17	3 files changed, 12 insertions(+), 2 deletions(-)
		18
		19	Index: git/NEWS
		20	===================================================================
		21	--- git.orig/NEWS
		22	+++ git/NEWS
		23	@@ -211,6 +211,10 @@ Security related changes:
		24	on the stack or the heap, depending on the length of the user name).
		25	Reported by Tim Rühsen.
		26
		27	+ The glob function, when invoked with GLOB_TILDE and without
		28	+ GLOB_NOESCAPE, could write past the end of a buffer while
		29	+ unescaping user names. Reported by Tim Rühsen.
		30	+
		31	The following bugs are resolved with this release:
		32
		33	[984] network: Respond to changed resolv.conf in gethostbyname
		34	Index: git/posix/glob.c
		35	===================================================================
		36	--- git.orig/posix/glob.c
		37	+++ git/posix/glob.c
		38	@@ -823,11 +823,11 @@ glob (const char *pattern, int flags, in
		39	char *p = mempcpy (newp, dirname + 1,
		40	unescape - dirname - 1);
		41	char *q = unescape;
		42	- while (*q != '\0')
		43	+ while (q != end_name)
		44	{
		45	if (*q == '\\')
		46	{
		47	- if (q[1] == '\0')
		48	+ if (q + 1 == end_name)
		49	{
		50	/* "~fo\\o\\" unescape to user_name "foo\\",
		51	but "~fo\\o\\/" unescape to user_name
		52	Index: git/ChangeLog
		53	===================================================================
		54	--- git.orig/ChangeLog
		55	+++ git/ChangeLog
		56	@@ -1,5 +1,10 @@
		57	+
		58	2017-10-20 Paul Eggert <eggert@cs.ucla.edu>
		59
		60	+ [BZ #22332]
		61	+ * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
		62	+ unescaping.
		63	+
		64	[BZ #22320]
		65	CVE-2017-15670
		66	* posix/glob.c (__glob): Fix one-byte overflow.


diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb index ed4ea4f624..e4ba28fffd 100644 --- a/meta/recipes-core/glibc/glibc_2.26.bb +++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
44	file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \	44	file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
45	file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \	45	file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
46	file://CVE-2017-15670.patch \	46	file://CVE-2017-15670.patch \
		47	file://CVE-2017-15671.patch \
47	"	48	"
48		49
49	NATIVESDKFIXES ?= ""	50	NATIVESDKFIXES ?= ""