Opened 4 years ago

Closed 4 years ago

#4157 closed defect (fixed)

Create glibc security patch (CVE-2017-15670 CVE-2017-15671)

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: lowest Milestone: 8.2
Component: Book Version: SVN
Severity: critical Keywords:
Cc:

Description

Full Disclosure - I have insider information on this one because of my position at FOXCONN, because they're on OSS-DISTROS. I'd prefer to take this one because I already have a patch developed, that needs testing, and I can have it in by Monday morning.

It is worth noting that the US Department of Homeland Security has issued an emergency alert regarding this vulnerability. It is classified as a "CRITICAL AND GRAVE THREAT TO CYBERSECURITY."

On 2017-10-20, two patches to glibc were released upstream to fix security issues in the GLOB function, triggered in the processing of home directories via the '~' key.

These have been present since 2005 and were just now patched.

Here's some information:

CVE-2017-15670

The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.

https://sourceware.org/bugzilla/show_bug.cgi?id=22320

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670

https://nvd.nist.gov/vuln/detail/CVE-2017-15670

https://sourceware.org/bugzilla/attachment.cgi?id=10546 (Reproducer - I've reproduced on LFS 7.7 and above - may I suggest a security email?)

https://bugzilla.redhat.com/show_bug.cgi?id=1504804

http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=2d1bd71ec70a31b01d01b734faa66bb1ed28961f

CVE-2017-15671

The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).

https://nvd.nist.gov/vuln/detail/CVE-2017-15671

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671

https://sourceware.org/bugzilla/show_bug.cgi?id=22325

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15671
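Both CVEs above are stated as affecting glibc before 2.27, so the first triage step on a host is to find out which glibc it runs. The following is an added example, not code from this ticket or from the glibc project: it parses the version string reported by glibc's gnu_get_libc_version() and reports whether it predates the 2.27 release. The parsing helpers and the 2.27 cutoff constant are this example's own; note that a build carrying a backported fix (such as the 2.26 patch this ticket ends with) still reports "2.26", so a version check alone can only flag candidates, not prove exposure.

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version() is glibc-specific */
#endif

/* Upstream release in which the glob() tilde fixes shipped (per the CVE text). */
#define FIXED_MAJOR 2
#define FIXED_MINOR 27

/* Parse "MAJOR.MINOR[.anything]" into two integers. Returns 1 on success, 0 on
 * malformed input (no dot, non-numeric fields). */
static int parse_glibc_version(const char *s, int *major, int *minor)
{
    char *end;
    long maj = strtol(s, &end, 10);
    if (end == s || *end != '.')
        return 0;
    const char *p = end + 1;
    long min = strtol(p, &end, 10);
    if (end == p)
        return 0;
    *major = (int)maj;
    *minor = (int)min;
    return 1;
}

/* Returns 1 if the version string is older than 2.27, 0 if it is 2.27 or
 * newer, and -1 if the string could not be parsed. A result of 1 means
 * "candidate for the unpatched glob() bug", not a confirmed vulnerability:
 * distributions and LFS itself may have applied the fix as a patch on 2.26. */
int glibc_version_affected(const char *version)
{
    int major, minor;
    if (!parse_glibc_version(version, &major, &minor))
        return -1;
    if (major != FIXED_MAJOR)
        return major < FIXED_MAJOR;
    return minor < FIXED_MINOR;
}

/* Check the C library this program is actually linked against.
 * Returns the same codes as glibc_version_affected(); -1 also means
 * "not glibc at all" (e.g. musl), where these CVEs do not apply. */
int running_glibc_affected(void)
{
#ifdef __GLIBC__
    return glibc_version_affected(gnu_get_libc_version());
#else
    return -1;
#endif
}

int main(void)
{
    int r = running_glibc_affected();
#ifdef __GLIBC__
    printf("glibc %s: ", gnu_get_libc_version());
#else
    printf("C library is not glibc: ");
#endif
    if (r == 1)
        puts("older than 2.27, verify that the glob() fixes were backported");
    else if (r == 0)
        puts("2.27 or newer, upstream fix included");
    else
        puts("version not recognised, inspect manually");
    return 0;
}
```

Run it on each host in the fleet and treat a "1" result as a prompt to check the package changelog or the installed patch set, which is where a backported fix like the one attached to this ticket would show up.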

Change History (5)

comment:1 by Douglas R. Reno, 4 years ago

Owner: changed from lfs-book@… to Douglas R. Reno
Status: new → assigned

comment:2 by bdubbs@…, 4 years ago

I do not see where this is a "CRITICAL AND GRAVE THREAT TO CYBERSECURITY". From what I can see, it is a local-only DoS attack that has been around for 12 years, just now discovered.

I did see where the fundamental change is a one-line off-by-one error that can be corrected with a sed.

I also looked at the glibc mailing list and upstream does not seem to be very excited about this. I'd prefer waiting for upstream to release 2.27 unless there is something more.

comment:3 by Douglas R. Reno, 4 years ago

Priority: highest → lowest

There is a remote aspect to it, but we have to wait 7 days for the embargo to expire before it becomes available.

Regardless, I'll move it to hold for now.

comment:4 by DJ Lucas, 4 years ago

glibc-2.26-local_glob_exploits-1.patch

comment:5 by DJ Lucas, 4 years ago

Resolution: fixed
Status: assigned → closed

Fixed in r11341.
