rpm/glibc
SHA256
1
0
Fork 0
forked from pool/glibc
Code Pull Requests Activity
2a7ebdfb1e
glibc/fillin-rpath-empty-tokens.patch
Andreas Schwab dc304305df Accepting request 568213 from home:Andreas_Schwab:Factory 
- getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an
  absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679)

- dl-init-paths-overflow.patch: Count components of the expanded path in
  _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ
  #22607, BZ #22627)
- fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic
  string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625)

OBS-URL: https://build.opensuse.org/request/show/568213
OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=488
2018-01-22 16:14:59 +00:00

89 lines
2.5 KiB
Diff
Raw Blame History

2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
Dmitry V. Levin <ldv@altlinux.org>
[BZ #22625]
* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
string token expansion. Check for NULL pointer or empty string possibly
returned by expand_dynamic_string_token.
(decompose_rpath): Check for empty path after dynamic string
token expansion.
Index: glibc-2.26/elf/dl-load.c
===================================================================
--- glibc-2.26.orig/elf/dl-load.c
+++ glibc-2.26/elf/dl-load.c
@@ -435,32 +435,41 @@ fillin_rpath (char *rpath, struct r_sear
{
char *cp;
size_t nelems = 0;
- char *to_free;
while ((cp = __strsep (&rpath, sep)) != NULL)
{
struct r_search_path_elem *dirp;
+ char *to_free = NULL;
+ size_t len = 0;
- to_free = cp = expand_dynamic_string_token (l, cp, 1);
+ /* `strsep' can pass an empty string. */
+ if (*cp != '\0')
+ {
+ to_free = cp = expand_dynamic_string_token (l, cp, 1);
- size_t len = strlen (cp);
+ /* expand_dynamic_string_token can return NULL in case of empty
+ path or memory allocation failure. */
+ if (cp == NULL)
+ continue;
+
+ /* Compute the length after dynamic string token expansion and
+ ignore empty paths. */
+ len = strlen (cp);
+ if (len == 0)
+ {
+ free (to_free);
+ continue;
+ }
- /* `strsep' can pass an empty string. This has to be
- interpreted as `use the current directory'. */
- if (len == 0)
- {
- static const char curwd[] = "./";
- cp = (char *) curwd;
+ /* Remove trailing slashes (except for "/"). */
+ while (len > 1 && cp[len - 1] == '/')
+ --len;
+
+ /* Now add one if there is none so far. */
+ if (len > 0 && cp[len - 1] != '/')
+ cp[len++] = '/';
}
- /* Remove trailing slashes (except for "/"). */
- while (len > 1 && cp[len - 1] == '/')
- --len;
-
- /* Now add one if there is none so far. */
- if (len > 0 && cp[len - 1] != '/')
- cp[len++] = '/';
-
/* Make sure we don't use untrusted directories if we run SUID. */
if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
{
@@ -623,6 +632,14 @@ decompose_rpath (struct r_search_path_st
necessary. */
free (copy);
+ /* There is no path after expansion. */
+ if (result[0] == NULL)
+ {
+ free (result);
+ sps->dirs = (struct r_search_path_elem **) -1;
+ return false;
+ }
+
sps->dirs = result;
/* The caller will change this value if we haven't used a real malloc. */
sps->malloced = 1;
View Git Blame Copy Permalink