Index: b/package/glibc/2.23/0005-glibc-2.23-glob-patches.patch
===================================================================
--- /dev/null
+++ b/package/glibc/2.23/0005-glibc-2.23-glob-patches.patch
@@ -0,0 +1,140 @@
+
+From 7279637b9ee732ad7263c68dfe42e577c02bfffa Mon Sep 17 00:00:00 2001
+From: Daniel Dorau
+Date: Fri, 9 Mar 2018 14:37:12 +0100
+Subject: [PATCH 1/3] =?UTF-8?q?Fix=20memory=20leak=20f=C3=BCr=20GLOB=5FTIL?=
+ =?UTF-8?q?DE,=20~xxxx=20und=20~xxxx/foo?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ posix/glob.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/posix/glob.c b/posix/glob.c
+index 0c04c3ccfd..9ff92aa65a 100644
+--- a/posix/glob.c
++++ b/posix/glob.c
+@@ -971,6 +971,8 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
+ free (pglob->gl_pathv);
+ pglob->gl_pathv = NULL;
+ pglob->gl_pathc = 0;
++ if (__glibc_unlikely (malloc_dirname))
++ free (dirname);
+ return GLOB_NOSPACE;
+ }
+
+@@ -1000,9 +1002,14 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
+ pglob->gl_pathv[++newcount] = NULL;
+ ++pglob->gl_pathc;
+ pglob->gl_flags = flags;
++ if (__glibc_unlikely (malloc_dirname))
++ free (dirname);
+
+ return 0;
+ }
++
++ if (__glibc_unlikely (malloc_dirname))
++ free (dirname);
+
+ /* Not found. */
+ return GLOB_NOMATCH;
+@@ -1197,7 +1204,8 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
+ flags = orig_flags;
+ goto no_matches;
+ }
+- return status;
++ retval = status;
++ goto out;
+ }
+
+ if (dirlen > 0)
+--
+2.15.1
+
+From 215cc04a41e5f888bcf6929d2ecf36248b120905 Mon Sep 17 00:00:00 2001
+From: Daniel Dorau
+Date: Fri, 9 Mar 2018 14:41:20 +0100
+Subject: [PATCH 2/3] glob: fix heap buffer overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From 2d1bd71ec70a31b01d01b734faa66bb1ed28961f Mon Sep 17 00:00:00 2001
+From: Paul Eggert
+Date: Thu, 19 Oct 2017 12:39:45 -0700
+Subject: [PATCH] glob: fix heap buffer overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* lib/glob.c (glob): Fix off-by-one error introduced into
+glibc in commit dd7d45e838a42b0ed470c44b55901ea98d0c2bab
+dated 1997-10-29 20:33:40. Problem reported by Tim Rühsen in:
+https://sourceware.org/bugzilla/show_bug.cgi?id=22320
+Fix suggested by Bruno Haible.
+---
+ posix/glob.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/posix/glob.c b/posix/glob.c
+index 9ff92aa65a..7afbb86007 100644
+--- a/posix/glob.c
++++ b/posix/glob.c
+@@ -827,7 +827,7 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
+ *p = '\0';
+ }
+ else
+- *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
++ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
+ = '\0';
+ user_name = newp;
+ }
+--
+2.15.1
+
+From 5edd9169ff81fb9c59a3bb8c334960f932ead1ce Mon Sep 17 00:00:00 2001
+From: Daniel Dorau
+Date: Fri, 9 Mar 2018 14:42:55 +0100
+Subject: [PATCH 3/3] glob: fix another heap buffer overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From 6803dda53781f7da920f568a31610d41e5c3a351 Mon Sep 17 00:00:00 2001
+From: Paul Eggert
+Date: Sat, 21 Oct 2017 12:20:29 -0700
+Subject: [PATCH] glob: fix another heap buffer overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem reported by Tim Rühsen in:
+https://sourceware.org/bugzilla/show_bug.cgi?id=22332
+* lib/glob.c (glob): Avoid buffer overrun when unescaping.
+---
+ posix/glob.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/posix/glob.c b/posix/glob.c
+index 7afbb86007..4aa1b3b3db 100644
+--- a/posix/glob.c
++++ b/posix/glob.c
+@@ -807,11 +807,11 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
+ char *p = mempcpy (newp, dirname + 1,
+ unescape - dirname - 1);
+ char *q = unescape;
+- while (*q != '\0')
++ while (q != end_name)
+ {
+ if (*q == '\\')
+ {
+- if (q[1] == '\0')
++ if (q + 1 == end_name)
+ {
+ /* "~fo\\o\\" unescape to user_name "foo\\",
+ but "~fo\\o\\/" unescape to user_name
+--
+2.15.1
+
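Review bot: PATCH 1/3 fixes the `dirname` leak in two different ways: the inner hunks at `@@ -971,6 +971,8 @@` and `@@ -1000,9 +1002,14 @@` repeat `if (__glibc_unlikely (malloc_dirname)) free (dirname);` in front of three separate returns, while the hunk at `@@ -1197,7 +1204,8 @@` goes through `retval = status; goto out;`. If the `out:` label, which lies outside every hunk shown, already releases `dirname`, the early exits could take the same route, e.g. `retval = GLOB_NOSPACE; goto out;`, so the release happens in one place and a later edit is less likely to free `dirname` twice. PATCH 1/3 also has no upstream commit or bug reference, unlike 2/3 and 3/3; a message line such as `Upstream: <commit or bug URL>` would let the backport be checked against the original fix. glob() starts and ends outside all of these hunks.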