Opened 7 years ago
Closed 7 years ago
#4157 closed defect (fixed)
Create glibc security patch (CVE-2017-15670 CVE-2017-15671)
Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | lowest | Milestone: | 8.2 |
Component: | Book | Version: | SVN |
Severity: | critical | Keywords: | |
Cc: | | | |
Description
Full Disclosure - I have insider information on this one because of my position at FOXCONN, because they're on OSS-DISTROS. I'd prefer to take this one because I already have a patch developed, that needs testing, and I can have it in by Monday morning.
It is worth noting that the US Department of Homeland Security has issued an emergency alert regarding this vulnerability. It is classified as a "CRITICAL AND GRAVE THREAT TO CYBERSECURITY."
On 2017-10-20, two patches to glibc were released upstream to fix security issues in the GLOB function, triggered in the processing of home directories via the '~' key.
These have been present since 2005 and were just now patched.
Here's some information:
CVE-2017-15670
The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.
https://sourceware.org/bugzilla/show_bug.cgi?id=22320
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670
https://nvd.nist.gov/vuln/detail/CVE-2017-15670
https://sourceware.org/bugzilla/attachment.cgi?id=10546 (Reproducer - I've reproduced on LFS 7.7 and above - may I suggest a security email?)
https://bugzilla.redhat.com/show_bug.cgi?id=1504804
http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=2d1bd71ec70a31b01d01b734faa66bb1ed28961f
CVE-2017-15671
The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).
https://nvd.nist.gov/vuln/detail/CVE-2017-15671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671
Change History (5)
comment:1 by , 7 years ago
Owner: | changed from | to |
---|---|---|
Status: | new → assigned | |
comment:2 by , 7 years ago
comment:3 by , 7 years ago
Priority: | highest → lowest |
---|---|
There is a remote aspect to it, but we have to wait 7 days for the embargo to expire before it becomes available.
Regardless, I'll move it to hold for now.
I do not see where this is a "CRITICAL AND GRAVE THREAT TO CYBERSECURITY". From what I can see, it is a local-only DoS attack that has been around for 12 years and was just now discovered.
I did see where the fundamental change is a one-line off-by-one error that can be corrected with a sed.
I also looked at the glibc mailing list and upstream does not seem to be very excited about this. I'd prefer waiting for upstream to release 2.27 unless there is something more.