Create glibc security patch (CVE-2017-15670 CVE-2017-15671)
Reported by: Douglas R. Reno | Owned by: Douglas R. Reno
Full Disclosure - I have insider information on this one because of my position at FOXCONN, because they're on OSS-DISTROS. I'd prefer to take this one because I already have a patch developed that needs testing, and I can have it in by Monday morning.
It is worth noting that the US Department of Homeland Security has issued an emergency alert regarding this vulnerability. It is classified as a "CRITICAL AND GRAVE THREAT TO CYBERSECURITY."
On 2017-10-20, two patches to glibc were released upstream to fix security issues in the glob() function, triggered when it expands home directories via the '~' operator.
These have been present since 2005 and were just now patched.
Here's some information:
The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.
https://sourceware.org/bugzilla/attachment.cgi?id=10546 (Reproducer - I've reproduced on LFS 7.7 and above - may I suggest a security email?)
The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).
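Both issues are only reachable when an application passes GLOB_TILDE (or GLOB_TILDE_CHECK) together with a pattern whose "~user" part is far longer than any real login name. As an added example (not from this ticket, the LFS patch, or glibc itself), the wrapper below is an application-side mitigation for hosts that cannot be patched immediately: it refuses oversized "~user" components before they reach glob(). The MAX_TILDE_USER limit is an assumption chosen for the example, not a glibc constant.

```c
#define _GNU_SOURCE
#include <glob.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for the user name that may follow '~'. Real login
 * names are far shorter, so anything longer is not a legitimate "~user". */
#define MAX_TILDE_USER 256

/* Returns 1 if pattern starts with "~<user>" and <user> (everything up to the
 * first '/' or the end of the string) is longer than limit; 0 otherwise. */
int tilde_user_too_long(const char *pattern, size_t limit)
{
    if (pattern == NULL || pattern[0] != '~')
        return 0;
    const char *user = pattern + 1;
    const char *slash = strchr(user, '/');
    size_t len = slash ? (size_t)(slash - user) : strlen(user);
    return len > limit;
}

/* glob() wrapper for patterns that may come from untrusted input. When tilde
 * expansion is requested and the "~user" component is oversized, return -1
 * without calling glob(); otherwise return glob()'s own result. */
int safe_glob(const char *pattern, int flags, glob_t *result)
{
    if ((flags & (GLOB_TILDE | GLOB_TILDE_CHECK)) &&
        tilde_user_too_long(pattern, MAX_TILDE_USER))
        return -1;
    return glob(pattern, flags, NULL, result);
}

/* Builds a constructed "~AAAA..." pattern with user_len 'A's and reports
 * whether safe_glob() rejected it (1) or handed it to glob() (0). */
int long_tilde_pattern_rejected(size_t user_len)
{
    char *pattern = malloc(user_len + 2);
    if (pattern == NULL)
        return -1;
    pattern[0] = '~';
    memset(pattern + 1, 'A', user_len);
    pattern[user_len + 1] = '\0';
    glob_t g;
    int rc = safe_glob(pattern, GLOB_TILDE, &g);
    if (rc == 0)
        globfree(&g);
    free(pattern);
    return rc == -1;
}
```

Patching glibc remains the real fix; this wrapper only narrows what an unpatched glob() can be asked to expand.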