
Bug#1016886: CVE-2020-1752: 'glob' use-after-free bug



Package: libc6
Version: 2.28-10+deb10u1
Severity: normal
Tags: patch

CVE-2020-1752 was reported to the glibc Bugzilla[1].

CVE-2020-1752 description from NVD:
A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.

This CVE was fixed in the release/2.28/master branch[2] about two years ago, but there is no new upstream release for the 2.28 series yet.

I ported the upstream patch to 2.28-10+deb10u1.
 
1. https://sourceware.org/bugzilla/show_bug.cgi?id=25414
2. https://sourceware.org/git/?p=glibc.git;a=patch;h=21344a3d62a29406fddeec069ee4eb3c341369f9


*** submitted-Fix-use-after-free-in-glob-when-expanding-user-bug.diff
Index: glibc-2.28/NEWS
===================================================================
--- glibc-2.28.orig/NEWS
+++ glibc-2.28/NEWS
@@ -69,6 +69,7 @@ The following bugs are resolved with thi
   [24228] old x86 applications that use legacy libio crash on exit
   [24476] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once)
   [24744] io: Remove the copy_file_range emulation.
+  [25414] 'glob' use-after-free bug (CVE-2020-1752)
 
 Security related changes:
 
@@ -97,6 +98,10 @@ Security related changes:
   CVE-2019-9169: Attempted case-insensitive regular-expression match
   via proceed_next_node in posix/regexec.c leads to heap-based buffer
   over-read.  Reported by Hongxu Chen.
+
+  CVE-2020-1752: A use-after-free vulnerability in the glob function when
+  expanding ~user has been fixed.
+
 
 Version 2.28
 
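Review bot: the hunk adds an empty `+` line both before and after the new CVE-2020-1752 paragraph, and the trailing one sits directly above the existing blank context line, so the file now has two blank lines between the last security entry and "Version 2.28"; the preceding CVE-2019-9169 paragraph is set off by a single blank line on each side, so check this against the section-separator convention already used in NEWS and drop the trailing `+` line if it is not needed. The entry text itself follows the one-paragraph style of the neighbouring CVE entries.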
Index: glibc-2.28/posix/glob.c
===================================================================
--- glibc-2.28.orig/posix/glob.c
+++ glibc-2.28/posix/glob.c
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags,
 	      {
 		size_t home_len = strlen (p->pw_dir);
 		size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
-		char *d;
+		char *d, *newp;
+		bool use_alloca = glob_use_alloca (alloca_used,
+						   home_len + rest_len + 1);
 
-		if (__glibc_unlikely (malloc_dirname))
-		  free (dirname);
-		malloc_dirname = 0;
-
-		if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
-		  dirname = alloca_account (home_len + rest_len + 1,
-					    alloca_used);
+		if (use_alloca)
+		  newp = alloca_account (home_len + rest_len + 1, alloca_used);
 		else
 		  {
-		    dirname = malloc (home_len + rest_len + 1);
-		    if (dirname == NULL)
+		    newp = malloc (home_len + rest_len + 1);
+		    if (newp == NULL)
 		      {
 			scratch_buffer_free (&pwtmpbuf);
 			retval = GLOB_NOSPACE;
 			goto out;
 		      }
-		    malloc_dirname = 1;
 		  }
-		d = mempcpy (dirname, p->pw_dir, home_len);
+		d = mempcpy (newp, p->pw_dir, home_len);
 		if (end_name != NULL)
 		  d = mempcpy (d, end_name, rest_len);
 		*d = '\0';
 
+		if (__glibc_unlikely (malloc_dirname))
+		  free (dirname);
+		dirname = newp;
+		malloc_dirname = !use_alloca;
+
 		dirlen = home_len + rest_len;
 		dirname_modified = 1;
 	      }
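Review bot: the reordering is the actual fix and looks right: `end_name` can point into the buffer that `dirname` currently holds, so the removed code freed that buffer (the old `free (dirname)` at the top of the block) and then read from it in `mempcpy (d, end_name, rest_len)`; building the result in `newp` first and only then freeing the old `dirname` closes that window, and `malloc_dirname = !use_alloca` records ownership of the replacement correctly. One consequence to confirm outside the hunk: on the malloc-failure path (`retval = GLOB_NOSPACE; goto out;`) `dirname` and `malloc_dirname` are now left untouched rather than already freed and cleared, so the cleanup at `out:` must still free `dirname` when `malloc_dirname` is set, otherwise the old buffer leaks on that path.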


-- System Information:
Debian Release: 10.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-21-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libc6 depends on:
ii  libgcc1  1:8.3.0-6

Versions of packages libc6 recommends:
ii  libidn2-0  2.0.5-1+deb10u1

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.71+deb10u1
pn  glibc-doc              <none>
ii  libc-l10n              2.28-10+deb10u1
ii  locales                2.28-10+deb10u1

-- debconf information:
  libraries/restart-without-asking: false
  glibc/restart-services:
  glibc/restart-failed:
  glibc/kernel-not-supported:
  glibc/kernel-too-old:
  glibc/upgrade: true
  glibc/disable-screensaver:

