glibc: Security fix CVE-2017-15671

affects glibc < 2.27 only glibc in current master hash: 77f921dac17c5fa99bd9e926d926c327982895f7 (From OE-Core rev: b12c8f02bbd637ef05ad1518494d666c55eaf544) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-05-30 18:52:38 +02:00 · 2018-01-20 15:56:58 -08:00
parent 1c27271cdd
commit 0aaf7b828d
2 changed files with 67 additions and 0 deletions
--- a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
@@ -0,0 +1,66 @@
+From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Sun, 22 Oct 2017 10:00:57 +0200
+Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ
+ #22332]
+
+(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
+
+Upstream-Status: Backport
+CVE: CVE-2017-15671
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog    | 6 ++++++
+ NEWS         | 4 ++++
+ posix/glob.c | 4 ++--
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
+++ git/NEWS
+@@ -211,6 +211,10 @@ Security related changes:
+   on the stack or the heap, depending on the length of the user name).
+   Reported by Tim Rühsen.
+ 
+  The glob function, when invoked with GLOB_TILDE and without
+  GLOB_NOESCAPE, could write past the end of a buffer while
+  unescaping user names.  Reported by Tim Rühsen.
+
+ The following bugs are resolved with this release:
+ 
+   [984] network: Respond to changed resolv.conf in gethostbyname
+Index: git/posix/glob.c
+===================================================================
+--- git.orig/posix/glob.c
+++ git/posix/glob.c
+@@ -823,11 +823,11 @@ glob (const char *pattern, int flags, in
+ 		  char *p = mempcpy (newp, dirname + 1,
+ 				     unescape - dirname - 1);
+ 		  char *q = unescape;
+-		  while (*q != '\0')
+		  while (q != end_name)
+ 		    {
+ 		      if (*q == '\\')
+ 			{
+-			  if (q[1] == '\0')
+			  if (q + 1 == end_name)
+ 			    {
+ 			      /* "~fo\\o\\" unescape to user_name "foo\\",
+ 				 but "~fo\\o\\/" unescape to user_name
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
+++ git/ChangeLog
+@@ -1,5 +1,10 @@
+
+ 2017-10-20  Paul Eggert <eggert@cs.ucla.edu>
+ 
+       [BZ #22332]
+       * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
+       unescaping.
+
+        [BZ #22320]
+        CVE-2017-15670
+        * posix/glob.c (__glob): Fix one-byte overflow.
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
           file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
           file://CVE-2017-15670.patch \
+           file://CVE-2017-15671.patch \
 "

 NATIVESDKFIXES ?= ""