Opened 6 years ago

Closed 6 years ago

#4157 closed defect (fixed)

Create glibc security patch (CVE-2017-15670 CVE-2017-15671)

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: lowest Milestone: 8.2
Component: Book Version: SVN
Severity: critical Keywords:


Full Disclosure - I have insider information on this one because of my position at FOXCONN, because they're on OSS-DISTROS. I'd prefer to take this one because I already have a patch developed, that needs testing, and I can have it in by Monday morning.

It is worth noting that the US Department of Homeland Security has issued an emergency alert regarding this vulnerability. It is classified as a "CRITICAL AND GRAVE THREAT TO CYBERSECURITY."

On 2017-10-20, two patches to glibc were released upstream to fix security issues in the GLOB function, triggered in the processing of home directories via the '~' key.

These have been present since 2005 and were just now patched.

Here's some information:

The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string. (Reproducer - I've reproduced on LFS 7.7 and above - may I suggest a security email?)

The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).
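
As an added illustration (not code from this ticket or from glibc itself), here is a small tilde-expansion routine modelled on the two defect classes the CVE texts describe: the output buffer must be sized with room for the terminator no matter how long the trailing string is, and the temporary user-name copy must be freed whether or not the lookup succeeds. The `users` table and `lookup_home()` are constructed stand-ins for getpwnam() so the code runs offline; `expand_tilde()` is a hypothetical name, not a glibc interface.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed user table standing in for getpwnam(), so the example runs offline. */
static const struct { const char *name, *home; } users[] = {
    { "alice", "/home/alice" }, { "bob", "/home/bob" } };

static const char *lookup_home(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return users[i].home;
    return NULL;
}

/* Expand a leading "~" or "~user" in pattern into a malloc'd string the caller
 * frees; NULL for an unknown user or allocation failure. The two details that
 * matter are the two CVE classes above: the output size counts the terminator
 * however long the pattern is, and the temporary name copy is freed on every path. */
char *expand_tilde(const char *pattern, const char *own_home)
{
    if (pattern[0] != '~') {                           /* nothing to expand: return a copy */
        char *copy = malloc(strlen(pattern) + 1);
        return copy ? strcpy(copy, pattern) : NULL;
    }
    const char *rest = strchr(pattern, '/');           /* "/..." after the name, or NULL */
    size_t name_len = (rest ? (size_t)(rest - pattern) : strlen(pattern)) - 1;
    const char *home = own_home;
    if (name_len > 0) {
        char *user = malloc(name_len + 1);             /* lookup needs a NUL-terminated name */
        if (user == NULL) return NULL;
        memcpy(user, pattern + 1, name_len);
        user[name_len] = '\0';
        home = lookup_home(user);
        free(user);                                    /* freed whether or not the user exists */
        if (home == NULL) return NULL;
    }
    size_t home_len = strlen(home), rest_len = rest ? strlen(rest) : 0;
    char *out = malloc(home_len + rest_len + 1);       /* +1: the byte an off-by-one forgets */
    if (out == NULL) return NULL;
    memcpy(out, home, home_len);
    memcpy(out + home_len, rest ? rest : "", rest_len);
    out[home_len + rest_len] = '\0';
    return out;
}
```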

Change History (5)

comment:1 by Douglas R. Reno, 6 years ago

Owner: changed from lfs-book@… to Douglas R. Reno
Status: new → assigned

comment:2 by bdubbs@…, 6 years ago

I do not see where this is a "CRITICAL AND GRAVE THREAT TO CYBERSECURITY". From what I can see, it is a local-only DoS attack that has been around for 12 years, just now discovered.

I did see where the fundamental change is a one-line off-by-one error that can be corrected with a sed.

I also looked at the glibc mailing list and upstream does not seem to be very excited about this. I'd prefer waiting for upstream to release 2.27 unless there is something more.

comment:3 by Douglas R. Reno, 6 years ago

Priority: highest → lowest

There is a remote aspect to it, but we have to wait 7 days for the embargo to expire before it becomes available.

Regardless, I'll move it to hold for now.

comment:4 by DJ Lucas, 6 years ago


comment:5 by DJ Lucas, 6 years ago

Resolution: fixed
Status: assigned → closed

Fixed in r11341.
