Submitted by:            DJ Lucas (dj_AT_linuxfromscratch_DOT_org)
Date:                    2017-12-24
Initial Package Version: 2.26
Upstream Status:         Committed
Origin:                  https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c369d66e5426a30e4725b100d5cd28e372754f90
                         and https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a159b53fa059947cc2548e3b0d5bdcf7b9630ba8
Description:             Fixes local-only exploits in glob functions identified
                         in CVE-2017-15670 and CVE-2017-15671

diff -Naurp glibc-2.26-orig/ChangeLog glibc-2.26/ChangeLog
--- glibc-2.26-orig/ChangeLog	2017-12-23 23:16:40.669052891 -0600
+++ glibc-2.26/ChangeLog	2017-12-23 23:30:21.240500323 -0600
@@ -1,3 +1,19 @@
+2017-10-21  Paul Eggert <eggert@cs.ucla.edu>
+
+	glob: fix another heap buffer overflow
+	Problem reported by Tim Rühsen in:
+	https://sourceware.org/bugzilla/show_bug.cgi?id=22332
+	* lib/glob.c (glob): Avoid buffer overrun when unescaping.
+
+2017-10-19  Paul Eggert  <eggert@cs.ucla.edu>
+
+	glob: fix heap buffer overflow
+	* lib/glob.c (glob): Fix off-by-one error introduced into
+	glibc in commit dd7d45e838a42b0ed470c44b55901ea98d0c2bab
+	dated 1997-10-29 20:33:40.  Problem reported by Tim Rühsen in:
+	https://sourceware.org/bugzilla/show_bug.cgi?id=22320
+	Fix suggested by Bruno Haible.
+
 2017-08-02  Siddhesh Poyarekar  <siddhesh@sourceware.org>
 
 	* version.h (RELEASE): Set to "stable"
diff -Naurp glibc-2.26-orig/posix/glob.c glibc-2.26/posix/glob.c
--- glibc-2.26-orig/posix/glob.c	2017-12-23 23:16:40.803052829 -0600
+++ glibc-2.26/posix/glob.c	2017-12-24 12:59:03.197896628 -0600
@@ -823,11 +823,11 @@ glob (const char *pattern, int flags, in
 		  char *p = mempcpy (newp, dirname + 1,
 				     unescape - dirname - 1);
 		  char *q = unescape;
-		  while (*q != '\0')
+		  while (q != end_name)
 		    {
 		      if (*q == '\\')
 			{
-			  if (q[1] == '\0')
+			  if (q + 1 == end_name)
 			    {
 			      /* "~fo\\o\\" unescape to user_name "foo\\",
 				 but "~fo\\o\\/" unescape to user_name
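Review bot: The new loop bound `q != end_name` is correct only because the `~user` span between dirname and end_name is not NUL-terminated (end_name presumably points at the following '/' or the end of the pattern) and newp appears to have been sized from end_name rather than from a strlen, but neither fact is stated at the loop; a comment would keep the bound from being "simplified" back to a NUL check, e.g. `/* The name is not NUL-terminated at end_name; scan by pointer, not by '\0', so we never run past the buffer sized for it.  */`. The `q + 1 == end_name` test in the backslash branch also relies on q advancing by at most two per iteration, which happens below the hunk. The allocation of newp and the rest of glob's body lie outside the hunk.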
@@ -843,7 +843,7 @@ glob (const char *pattern, int flags, in
 		  *p = '\0';
 		}
 	      else
-		*((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+		*((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
 		  = '\0';
 	      user_name = newp;
 	    }
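Review bot: The corrected length `end_name - dirname - 1` now matches the `dirname + 1` source (the leading '~' is skipped on both sides) and the `unescape - dirname - 1` arithmetic used by the escaping branch earlier in the function, but nothing says why the `- 1` is there, which is how the off-by-one got in originally; a one-line comment would anchor it, e.g. `/* Copy [dirname + 1, end_name): the '~' itself is not part of the user name.  */`. Whether newp is large enough for that length plus the terminator cannot be confirmed from this hunk, since its allocation is outside it. glob's body continues past the hunk.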
