Change-Id: I9dd2088f86e34d4bf9a83c4b7da5b7c25472e161
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4618
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Divya Thaluru <dthaluru@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,114 @@ |
0 |
+From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Aurelien Jarno <aurelien@aurel32.net> |
|
2 |
+Date: Sat, 30 Dec 2017 10:54:23 +0100 |
|
3 |
+Subject: [PATCH] elf: Check for empty tokens before dynamic string token |
|
4 |
+ expansion [BZ #22625] |
|
5 |
+ |
|
6 |
+The fillin_rpath function in elf/dl-load.c loops over each RPATH or |
|
7 |
+RUNPATH tokens and interprets empty tokens as the current directory |
|
8 |
+("./"). In practice the check for empty token is done *after* the |
|
9 |
+dynamic string token expansion. The expansion process can return an |
|
10 |
+empty string for the $ORIGIN token if __libc_enable_secure is set |
|
11 |
+or if the path of the binary can not be determined (/proc not mounted). |
|
12 |
+ |
|
13 |
+Fix that by moving the check for empty tokens before the dynamic string |
|
14 |
+token expansion. In addition, check for NULL pointer or empty strings |
|
15 |
+return by expand_dynamic_string_token. |
|
16 |
+ |
|
17 |
+The above changes highlighted a bug in decompose_rpath, an empty array |
|
18 |
+is represented by the first element being NULL at the fillin_rpath |
|
19 |
+level, but by using a -1 pointer in decompose_rpath and other functions. |
|
20 |
+ |
|
21 |
+Changelog: |
|
22 |
+ [BZ #22625] |
|
23 |
+ * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic |
|
24 |
+ string token expansion. Check for NULL pointer or empty string possibly |
|
25 |
+ returned by expand_dynamic_string_token. |
|
26 |
+ (decompose_rpath): Check for empty path after dynamic string |
|
27 |
+ token expansion. |
|
28 |
+(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef) |
|
29 |
+--- |
|
30 |
+ ChangeLog | 10 ++++++++++ |
|
31 |
+ NEWS | 4 ++++ |
|
32 |
+ elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++---------------- |
|
33 |
+ 3 files changed, 47 insertions(+), 16 deletions(-) |
|
34 |
+ |
|
35 |
+diff --git a/elf/dl-load.c b/elf/dl-load.c |
|
36 |
+index 50996e2..7397c18 100644 |
|
37 |
+--- a/elf/dl-load.c |
|
38 |
+@@ -434,31 +434,40 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep, |
|
39 |
+ { |
|
40 |
+ char *cp; |
|
41 |
+ size_t nelems = 0; |
|
42 |
+- char *to_free; |
|
43 |
+ |
|
44 |
+ while ((cp = __strsep (&rpath, sep)) != NULL) |
|
45 |
+ { |
|
46 |
+ struct r_search_path_elem *dirp; |
|
47 |
++ char *to_free = NULL; |
|
48 |
++ size_t len = 0; |
|
49 |
+ |
|
50 |
+- to_free = cp = expand_dynamic_string_token (l, cp, 1); |
|
51 |
++ /* `strsep' can pass an empty string. */ |
|
52 |
++ if (*cp != '\0') |
|
53 |
++ { |
|
54 |
++ to_free = cp = expand_dynamic_string_token (l, cp, 1); |
|
55 |
+ |
|
56 |
+- size_t len = strlen (cp); |
|
57 |
++ /* expand_dynamic_string_token can return NULL in case of empty |
|
58 |
++ path or memory allocation failure. */ |
|
59 |
++ if (cp == NULL) |
|
60 |
++ continue; |
|
61 |
+ |
|
62 |
+- /* `strsep' can pass an empty string. This has to be |
|
63 |
+- interpreted as `use the current directory'. */ |
|
64 |
+- if (len == 0) |
|
65 |
+- { |
|
66 |
+- static const char curwd[] = "./"; |
|
67 |
+- cp = (char *) curwd; |
|
68 |
+- } |
|
69 |
++ /* Compute the length after dynamic string token expansion and |
|
70 |
++ ignore empty paths. */ |
|
71 |
++ len = strlen (cp); |
|
72 |
++ if (len == 0) |
|
73 |
++ { |
|
74 |
++ free (to_free); |
|
75 |
++ continue; |
|
76 |
++ } |
|
77 |
+ |
|
78 |
+- /* Remove trailing slashes (except for "/"). */ |
|
79 |
+- while (len > 1 && cp[len - 1] == '/') |
|
80 |
+- --len; |
|
81 |
++ /* Remove trailing slashes (except for "/"). */ |
|
82 |
++ while (len > 1 && cp[len - 1] == '/') |
|
83 |
++ --len; |
|
84 |
+ |
|
85 |
+- /* Now add one if there is none so far. */ |
|
86 |
+- if (len > 0 && cp[len - 1] != '/') |
|
87 |
+- cp[len++] = '/'; |
|
88 |
++ /* Now add one if there is none so far. */ |
|
89 |
++ if (len > 0 && cp[len - 1] != '/') |
|
90 |
++ cp[len++] = '/'; |
|
91 |
++ } |
|
92 |
+ |
|
93 |
+ /* Make sure we don't use untrusted directories if we run SUID. */ |
|
94 |
+ if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len)) |
|
95 |
+@@ -622,6 +631,14 @@ decompose_rpath (struct r_search_path_struct *sps, |
|
96 |
+ necessary. */ |
|
97 |
+ free (copy); |
|
98 |
+ |
|
99 |
++ /* There is no path after expansion. */ |
|
100 |
++ if (result[0] == NULL) |
|
101 |
++ { |
|
102 |
++ free (result); |
|
103 |
++ sps->dirs = (struct r_search_path_elem **) -1; |
|
104 |
++ return false; |
|
105 |
++ } |
|
106 |
++ |
|
107 |
+ sps->dirs = result; |
|
108 |
+ /* The caller will change this value if we haven't used a real malloc. */ |
|
109 |
+ sps->malloced = 1; |
|
110 |
+-- |
|
111 |
+2.9.3 |
|
112 |
+ |
... | ... |
@@ -4,7 +4,7 @@ |
4 | 4 |
Summary: Main C library |
5 | 5 |
Name: glibc |
6 | 6 |
Version: 2.26 |
7 |
-Release: 8%{?dist} |
|
7 |
+Release: 9%{?dist} |
|
8 | 8 |
License: LGPLv2+ |
9 | 9 |
URL: http://www.gnu.org/software/libc |
10 | 10 |
Group: Applications/System |
... | ... |
@@ -21,6 +21,7 @@ Patch3: 0002-malloc-arena-fix.patch |
21 | 21 |
Patch4: glibc-fix-CVE-2017-15670.patch |
22 | 22 |
Patch5: glibc-fix-CVE-2017-15804.patch |
23 | 23 |
Patch6: glibc-fix-CVE-2017-17426.patch |
24 |
+Patch7: glibc-fix-CVE-2017-16997.patch |
|
24 | 25 |
Provides: rtld(GNU_HASH) |
25 | 26 |
Requires: filesystem |
26 | 27 |
%description |
... | ... |
@@ -81,6 +82,7 @@ sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile |
81 | 81 |
%patch4 -p1 |
82 | 82 |
%patch5 -p1 |
83 | 83 |
%patch6 -p1 |
84 |
+%patch7 -p1 |
|
84 | 85 |
install -vdm 755 %{_builddir}/%{name}-build |
85 | 86 |
# do not try to explicitly provide GLIBC_PRIVATE versioned libraries |
86 | 87 |
%define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh |
... | ... |
@@ -285,6 +287,8 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||: |
285 | 285 |
|
286 | 286 |
|
287 | 287 |
%changelog |
288 |
+* Mon Jan 08 2018 Xiaolin Li <xiaolinl@vmware.com> 2.26-9 |
|
289 |
+- Fix CVE-2017-16997 |
|
288 | 290 |
* Thu Dec 21 2017 Xiaolin Li <xiaolinl@vmware.com> 2.26-8 |
289 | 291 |
- Fix CVE-2017-17426 |
290 | 292 |
* Tue Nov 14 2017 Alexey Makhalov <amakhalov@vmware.com> 2.26-7 |