new file mode 100644

@@ -0,0 +1,114 @@

+From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001

+From: Aurelien Jarno <aurelien@aurel32.net>

+Date: Sat, 30 Dec 2017 10:54:23 +0100

+Subject: [PATCH] elf: Check for empty tokens before dynamic string token

+ expansion [BZ #22625]

+

+The fillin_rpath function in elf/dl-load.c loops over each RPATH or

+RUNPATH tokens and interprets empty tokens as the current directory

+("./"). In practice the check for empty token is done *after* the

+dynamic string token expansion. The expansion process can return an

+empty string for the $ORIGIN token if __libc_enable_secure is set

+or if the path of the binary can not be determined (/proc not mounted).

+

+Fix that by moving the check for empty tokens before the dynamic string

+token expansion. In addition, check for NULL pointer or empty strings

+return by expand_dynamic_string_token.

+

+The above changes highlighted a bug in decompose_rpath, an empty array

+is represented by the first element being NULL at the fillin_rpath

+level, but by using a -1 pointer in decompose_rpath and other functions.

+

+Changelog:

+	[BZ #22625]

+	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic

+	string token expansion. Check for NULL pointer or empty string possibly

+	returned by expand_dynamic_string_token.

+	(decompose_rpath): Check for empty path after dynamic string

+	token expansion.

+(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)

+---

+ ChangeLog     | 10 ++++++++++

+ NEWS          |  4 ++++

+ elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------

+ 3 files changed, 47 insertions(+), 16 deletions(-)

+

+diff --git a/elf/dl-load.c b/elf/dl-load.c

+index 50996e2..7397c18 100644

+--- a/elf/dl-load.c

+@@ -434,31 +434,40 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,

+ {

+   char *cp;

+   size_t nelems = 0;

+-  char *to_free;

+ 

+   while ((cp = __strsep (&rpath, sep)) != NULL)

+     {

+       struct r_search_path_elem *dirp;

++      char *to_free = NULL;

++      size_t len = 0;

+ 

+-      to_free = cp = expand_dynamic_string_token (l, cp, 1);

++      /* `strsep' can pass an empty string.  */

++      if (*cp != '\0')

++	{

++	  to_free = cp = expand_dynamic_string_token (l, cp, 1);

+ 

+-      size_t len = strlen (cp);

++	  /* expand_dynamic_string_token can return NULL in case of empty

++	     path or memory allocation failure.  */

++	  if (cp == NULL)

++	    continue;

+ 

+-      /* `strsep' can pass an empty string.  This has to be

+-	 interpreted as `use the current directory'. */

+-      if (len == 0)

+-	{

+-	  static const char curwd[] = "./";

+-	  cp = (char *) curwd;

+-	}

++	  /* Compute the length after dynamic string token expansion and

++	     ignore empty paths.  */

++	  len = strlen (cp);

++	  if (len == 0)

++	    {

++	      free (to_free);

++	      continue;

++	    }

+ 

+-      /* Remove trailing slashes (except for "/").  */

+-      while (len > 1 && cp[len - 1] == '/')

+-	--len;

++	  /* Remove trailing slashes (except for "/").  */

++	  while (len > 1 && cp[len - 1] == '/')

++	    --len;

+ 

+-      /* Now add one if there is none so far.  */

+-      if (len > 0 && cp[len - 1] != '/')

+-	cp[len++] = '/';

++	  /* Now add one if there is none so far.  */

++	  if (len > 0 && cp[len - 1] != '/')

++	    cp[len++] = '/';

++	}

+ 

+       /* Make sure we don't use untrusted directories if we run SUID.  */

+       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))

+@@ -622,6 +631,14 @@ decompose_rpath (struct r_search_path_struct *sps,

+      necessary.  */

+   free (copy);

+ 

++  /* There is no path after expansion.  */

++  if (result[0] == NULL)

++    {

++      free (result);

++      sps->dirs = (struct r_search_path_elem **) -1;

++      return false;

++    }

++

+   sps->dirs = result;

+   /* The caller will change this value if we haven't used a real malloc.  */

+   sps->malloced = 1;

+-- 

+2.9.3

+

@@ -4,7 +4,7 @@

 Summary:        Main C library

 Name:           glibc

 Version:        2.26

-Release:        8%{?dist}

+Release:        9%{?dist}

 License:        LGPLv2+

 URL:            http://www.gnu.org/software/libc

 Group:          Applications/System

@@ -21,6 +21,7 @@ Patch3:         0002-malloc-arena-fix.patch

 Patch4:         glibc-fix-CVE-2017-15670.patch

 Patch5:         glibc-fix-CVE-2017-15804.patch

 Patch6:         glibc-fix-CVE-2017-17426.patch

+Patch7:         glibc-fix-CVE-2017-16997.patch

 Provides:       rtld(GNU_HASH)

 Requires:       filesystem

 %description

@@ -81,6 +82,7 @@ sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile

 %patch4 -p1

 %patch5 -p1

 %patch6 -p1

+%patch7 -p1

 install -vdm 755 %{_builddir}/%{name}-build

 # do not try to explicitly provide GLIBC_PRIVATE versioned libraries

 %define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh

@@ -285,6 +287,8 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:

 %changelog

+*   Mon Jan 08 2018 Xiaolin Li <xiaolinl@vmware.com> 2.26-9

+-   Fix CVE-2017-16997

 *   Thu Dec 21 2017 Xiaolin Li <xiaolinl@vmware.com> 2.26-8

 -   Fix CVE-2017-17426

 *   Tue Nov 14 2017 Alexey Makhalov <amakhalov@vmware.com> 2.26-7