new file mode 100644

@@ -0,0 +1,23 @@

+From c369d66e5426a30e4725b100d5cd28e372754f90 Mon Sep 17 00:00:00 2001

+From: Paul Eggert <eggert@cs.ucla.edu>

+Date: Fri, 20 Oct 2017 18:41:14 +0200

+Subject: [PATCH] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

+

+---

+ ChangeLog    | 6 ++++++

+ NEWS         | 4 ++++

+ posix/glob.c | 2 +-

+ 3 files changed, 11 insertions(+), 1 deletion(-)

+

+index 076ab2b..15a6c0c 100644 (file)

+--- a/posix/glob.c

+@@ -859,7 +859,7 @@ glob (pattern, flags, errfunc, pglob)

+ 		  *p = '\0';

+ 		}

+ 	      else

+-		*((char *) mempcpy (newp, dirname + 1, end_name - dirname))

++		*((char *) mempcpy (newp, dirname + 1, end_name - dirname -1))

+ 		  = '\0';

+ 	      user_name = newp;

+ 	    }

new file mode 100644

@@ -0,0 +1,31 @@

+From a159b53fa059947cc2548e3b0d5bdcf7b9630ba8 Mon Sep 17 00:00:00 2001

+From: Paul Eggert <eggert@cs.ucla.edu>

+Date: Sun, 22 Oct 2017 10:00:57 +0200

+Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ

+ #22332]

+

+---

+ ChangeLog    | 6 ++++++

+ NEWS         | 4 ++++

+ posix/glob.c | 4 ++--

+ 3 files changed, 12 insertions(+), 2 deletions(-)

+

+--- a/posix/glob.c

+@@ -770,11 +770,11 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),

+ 		  char *p = mempcpy (newp, dirname + 1,

+ 				     unescape - dirname - 1);

+ 		  char *q = unescape;

+-		  while (*q != '\0')

++		  while (q != end_name)

+ 		    {

+ 		      if (*q == '\\')

+ 			{

+-			  if (q[1] == '\0')

++			  if (q + 1 == end_name)

+ 			    {

+ 			      /* "~fo\\o\\" unescape to user_name "foo\\",

+ 				 but "~fo\\o\\/" unescape to user_name

+-- 

+2.9.3

+

@@ -4,7 +4,7 @@

 Summary:	Main C library

 Name:		glibc

 Version:	2.26

-Release:	5%{?dist}

+Release:	6%{?dist}

 License:	LGPLv2+

 URL:		http://www.gnu.org/software/libc

 Group:		Applications/System

@@ -18,6 +18,8 @@ Patch0:   	http://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.25-fh

 Patch1:		glibc-2.24-bindrsvport-blacklist.patch

 Patch2:		0001-Fix-range-check-in-do_tunable_update_val.patch

 Patch3:		0002-malloc-arena-fix.patch

+Patch4:     glibc-fix-CVE-2017-15670.patch

+Patch5:     glibc-fix-CVE-2017-15804.patch

 Provides:	rtld(GNU_HASH)

 Requires:       filesystem

 %description

@@ -75,6 +77,8 @@ sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile

 %patch1 -p1

 %patch2 -p1

 %patch3 -p1

+%patch4 -p1

+%patch5 -p1

 install -vdm 755 %{_builddir}/%{name}-build

 # do not try to explicitly provide GLIBC_PRIVATE versioned libraries

 %define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh

@@ -278,6 +282,8 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:

 %changelog

+*   Wed Oct 25 2017 Xiaolin Li <xiaolinl@vmware.com> 2.26-6

+-   Fix CVE-2017-15670 and CVE-2017-15804

 *   Tue Oct 10 2017 Alexey Makhalov <amakhalov@vmware.com> 2.26-5

 -   Compile out tcache.

 *   Fri Sep 15 2017 Bo Gan <ganb@vmware.com> 2.26-4