new file mode 100644

@@ -0,0 +1,23 @@

+From c369d66e5426a30e4725b100d5cd28e372754f90 Mon Sep 17 00:00:00 2001

+From: Paul Eggert <eggert@cs.ucla.edu>

+Date: Fri, 20 Oct 2017 18:41:14 +0200

+Subject: [PATCH] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

+

+---

+ ChangeLog    | 6 ++++++

+ NEWS         | 4 ++++

+ posix/glob.c | 2 +-

+ 3 files changed, 11 insertions(+), 1 deletion(-)

+

+index 076ab2b..15a6c0c 100644 (file)

+--- a/posix/glob.c

+@@ -859,7 +859,7 @@ glob (pattern, flags, errfunc, pglob)

+ 		  *p = '\0';

+ 		}

+ 	      else

+-		*((char *) mempcpy (newp, dirname + 1, end_name - dirname))

++		*((char *) mempcpy (newp, dirname + 1, end_name - dirname -1))

+ 		  = '\0';

+ 	      user_name = newp;

+ 	    }

new file mode 100644

@@ -0,0 +1,31 @@

+From a159b53fa059947cc2548e3b0d5bdcf7b9630ba8 Mon Sep 17 00:00:00 2001

+From: Paul Eggert <eggert@cs.ucla.edu>

+Date: Sun, 22 Oct 2017 10:00:57 +0200

+Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ

+ #22332]

+

+---

+ ChangeLog    | 6 ++++++

+ NEWS         | 4 ++++

+ posix/glob.c | 4 ++--

+ 3 files changed, 12 insertions(+), 2 deletions(-)

+

+--- a/posix/glob.c

+@@ -770,11 +770,11 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),

+ 		  char *p = mempcpy (newp, dirname + 1,

+ 				     unescape - dirname - 1);

+ 		  char *q = unescape;

+-		  while (*q != '\0')

++		  while (q != end_name)

+ 		    {

+ 		      if (*q == '\\')

+ 			{

+-			  if (q[1] == '\0')

++			  if (q + 1 == end_name)

+ 			    {

+ 			      /* "~fo\\o\\" unescape to user_name "foo\\",

+ 				 but "~fo\\o\\/" unescape to user_name

+-- 

+2.9.3

+

@@ -6,7 +6,7 @@

 Summary:        Main C library

 Name:           glibc

 Version:        2.22

-Release:        14%{?dist}

+Release:        15%{?dist}

 License:        LGPLv2+

 URL:            http://www.gnu.org/software/libc

 Group:          Applications/System

@@ -39,6 +39,8 @@ Patch14:        CVE-2016-4429-sunrpc-Do-not-use-alloca-in-clntudp_ca.patch

 Patch15:        glibc-fix-CVE-2017-1000366.patch

 #https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d42eed4a044e5e10dfb885cf9891c2518a72a491

 Patch16:        glibc-fix-CVE-2017-12133.patch

+Patch17:        glibc-fix-CVE-2017-15670.patch

+Patch18:        glibc-fix-CVE-2017-15804.patch

 Provides:       rtld(GNU_HASH)

 Requires:       filesystem

 %description

@@ -81,6 +83,8 @@ sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile

 %patch14 -p1

 %patch15 -p1

 %patch16 -p1

+%patch17 -p1

+%patch18 -p1

 install -vdm 755 %{_builddir}/%{name}-build

 # do not try to explicitly provide GLIBC_PRIVATE versioned libraries

 %define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh

@@ -208,6 +212,8 @@ popd

 %changelog

+*   Wed Oct 25 2017 Xiaolin Li <xiaolinl@vmware.com> 2.22-15

+-   Fix CVE-2017-15670, CVE-2017-15804

 *   Thu Oct 19 2017 Xiaolin Li <xiaolinl@vmware.com> 2.22-14

 -   Fix CVE-2017-12133

 *   Thu Jun 29 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.22-13