diff --git a/Fix-use-after-free-in-glob-when-expanding-user-bug-2.patch b/Fix-use-after-free-in-glob-when-expanding-user-bug-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..01563231724707d1013e69847f5661b4d1a878c3
--- /dev/null
+++ b/Fix-use-after-free-in-glob-when-expanding-user-bug-2.patch
@@ -0,0 +1,63 @@
+From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001
+From: Andreas Schwab
+Date: Wed, 19 Feb 2020 17:21:46 +0100
+Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414)
+
+The value of `end_name' points into the value of `dirname', thus don't
+deallocate the latter before the last use of the former.
+---
+ posix/glob.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/posix/glob.c b/posix/glob.c
+index cba9cd18198..4580cefb9fa 100644
+--- a/posix/glob.c
++++ b/posix/glob.c
+@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
+ {
+ size_t home_len = strlen (p->pw_dir);
+ size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+- char *d;
++ char *d, *newp;
++ bool use_alloca = glob_use_alloca (alloca_used,
++ home_len + rest_len + 1);
+ 
+- if (__glibc_unlikely (malloc_dirname))
+- free (dirname);
+- malloc_dirname = 0;
+-
+- if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
+- dirname = alloca_account (home_len + rest_len + 1,
+- alloca_used);
++ if (use_alloca)
++ newp = alloca_account (home_len + rest_len + 1, alloca_used);
+ else
+ {
+- dirname = malloc (home_len + rest_len + 1);
+- if (dirname == NULL)
++ newp = malloc (home_len + rest_len + 1);
++ if (newp == NULL)
+ {
+ scratch_buffer_free (&pwtmpbuf);
+ retval = GLOB_NOSPACE;
+ goto out;
+ }
+- malloc_dirname = 1;
+ }
+- d = mempcpy (dirname, p->pw_dir, home_len);
++ d = mempcpy (newp, p->pw_dir, home_len);
+ if (end_name != NULL)
+ d = mempcpy (d, end_name, rest_len);
+ *d = '\0';
+ 
++ if (__glibc_unlikely (malloc_dirname))
++ free (dirname);
++ dirname = newp;
++ malloc_dirname = !use_alloca;
++
+ dirlen = home_len + rest_len;
+ dirname_modified = 1;
+ }
+--
+2.19.1
+
diff --git a/glibc.spec b/glibc.spec
index 9ecc6cf6555bdbe1b7d15d4bd0f31c2bd9783122..13159f0a11eaee53518aa0377134a1f0f903fd18 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -59,7 +59,7 @@ ############################################################################## Name: glibc Version: 2.28 -Release: 32 +Release: 33 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -73,6 +73,8 @@ Source5: glibc-bench-compare Source6: LicenseList Source7: LanguageList +Patch0: Fix-use-after-free-in-glob-when-expanding-user-bug-2.patch + Provides: ldconfig rtld(GNU_HASH) bundled(gnulib) BuildRequires: audit-libs-devel >= 1.1.3, sed >= 3.95, libcap-devel, gettext @@ -912,11 +914,11 @@ fi %changelog +* Tue Mar 10 2020 liqingqing - 2.28-33 +- fix use after free in glob when expanding user bug + * Wed Feb 26 2020 Wang Shuo - 2.28-32 -- Type:bugfix -- ID:NA -- SUG:NA -- DESC: remove aditional require for debugutils package +- remove aditional require for debugutils package * Tue Jan 7 2020 Wang Shuo - 2.28-31 - Fix compile macro
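Review bot: `Patch0:` is declared in the second hunk but nothing in this diff applies it; unless `%prep` (outside this diff) already uses `%autosetup` or `%autopatch`, a matching `%patch0 -p1` is needed, otherwise 2.28-33 is built without the glob fix its changelog claims. The nested `diff --git a/posix/glob.c` header inside the patch file indicates the `-p1` strip level. For traceability the new changelog line could carry the upstream reference from the patch subject, e.g. `- Fix use-after-free in glob when expanding ~user (bug 25414)`. The third hunk also rewrites the already-published 2.28-32 entry; if that is not intentional it should be left as it was.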