Your message dated Tue, 18 Oct 2022 20:38:24 +0200
with message-id <[email protected]>
and subject line Re: CVE-2020-1752: 'glob' use-after-free bug
has caused the Debian Bug report #1016886,
regarding CVE-2020-1752: 'glob' use-after-free bug
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1016886: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016886
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libc6
Version: 2.28-10+deb10u1
Severity: normal
Tags: patch
CVE-2020-1752 was reported to the glibc Bugzilla [1].
CVE-2020-1752 description from NVD:
A use-after-free vulnerability introduced in glibc upstream version 2.14 was
found in the way the tilde expansion was carried out. Directory paths
containing an initial tilde followed by a valid username were affected by this
issue. A local attacker could exploit this flaw by creating a specially crafted
path that, when processed by the glob function, would potentially lead to
arbitrary code execution. This was fixed in version 2.32.
This CVE was fixed in the release/2.28/master branch [2] about two years ago,
but there is no new upstream release for the 2.28 series yet.
I ported the upstream patch to 2.28-10+deb10u1.
1. https://sourceware.org/bugzilla/show_bug.cgi?id=25414
2. https://sourceware.org/git/?p=glibc.git;a=patch;h=21344a3d62a29406fddeec069ee4eb3c341369f9
*** submitted-Fix-use-after-free-in-glob-when-expanding-user-bug.diff
Index: glibc-2.28/NEWS
===================================================================
--- glibc-2.28.orig/NEWS
+++ glibc-2.28/NEWS
@@ -69,6 +69,7 @@ The following bugs are resolved with thi
[24228] old x86 applications that use legacy libio crash on exit
[24476] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once)
[24744] io: Remove the copy_file_range emulation.
+ [25414] 'glob' use-after-free bug (CVE-2020-1752)
Security related changes:
@@ -97,6 +98,10 @@ Security related changes:
CVE-2019-9169: Attempted case-insensitive regular-expression match
via proceed_next_node in posix/regexec.c leads to heap-based buffer
over-read. Reported by Hongxu Chen.
+
+ CVE-2020-1752: A use-after-free vulnerability in the glob function when
+ expanding ~user has been fixed.
+
Version 2.28
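Review bot: style only, in the new "Security related changes" entry: the neighbouring entries in this list (see the CVE-2019-9169 entry directly above) name the affected code path and close with a "Reported by ..." credit, while the new CVE-2020-1752 entry has neither; consider matching that format so the list stays uniform.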
Index: glibc-2.28/posix/glob.c
===================================================================
--- glibc-2.28.orig/posix/glob.c
+++ glibc-2.28/posix/glob.c
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags,
{
size_t home_len = strlen (p->pw_dir);
size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
- char *d;
+ char *d, *newp;
+ bool use_alloca = glob_use_alloca (alloca_used,
+ home_len + rest_len + 1);
- if (__glibc_unlikely (malloc_dirname))
- free (dirname);
- malloc_dirname = 0;
-
- if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
- dirname = alloca_account (home_len + rest_len + 1,
- alloca_used);
+ if (use_alloca)
+ newp = alloca_account (home_len + rest_len + 1, alloca_used);
else
{
- dirname = malloc (home_len + rest_len + 1);
- if (dirname == NULL)
+ newp = malloc (home_len + rest_len + 1);
+ if (newp == NULL)
{
scratch_buffer_free (&pwtmpbuf);
retval = GLOB_NOSPACE;
goto out;
}
- malloc_dirname = 1;
}
- d = mempcpy (dirname, p->pw_dir, home_len);
+ d = mempcpy (newp, p->pw_dir, home_len);
if (end_name != NULL)
d = mempcpy (d, end_name, rest_len);
*d = '\0';
+ if (__glibc_unlikely (malloc_dirname))
+ free (dirname);
+ dirname = newp;
+ malloc_dirname = !use_alloca;
+
dirlen = home_len + rest_len;
dirname_modified = 1;
}
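Review bot: the reordering is the whole fix and looks correct: the removed code freed dirname (when malloc_dirname was set) before allocating the replacement, yet end_name, which `d = mempcpy (d, end_name, rest_len);` reads from, can point into that same dirname buffer, so the copy read freed memory; the new code allocates newp, fills it from p->pw_dir and end_name, and only afterwards does `free (dirname); dirname = newp;`. Worth confirming on the error path: when malloc fails, dirname and malloc_dirname are now left untouched, so the cleanup at `out` still frees the correct buffer, whereas the old code had already cleared malloc_dirname after freeing, so that path only worked because the free had already happened. Also note `malloc_dirname = !use_alloca;` now keys off the cached use_alloca result rather than re-evaluating glob_use_alloca, which is the right choice since alloca_used has been updated by alloca_account in between.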
-- System Information:
Debian Release: 10.12
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-21-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libc6 depends on:
ii libgcc1 1:8.3.0-6
Versions of packages libc6 recommends:
ii libidn2-0 2.0.5-1+deb10u1
Versions of packages libc6 suggests:
ii debconf [debconf-2.0] 1.5.71+deb10u1
pn glibc-doc <none>
ii libc-l10n 2.28-10+deb10u1
ii locales 2.28-10+deb10u1
-- debconf information:
libraries/restart-without-asking: false
glibc/restart-services:
glibc/restart-failed:
glibc/kernel-not-supported:
glibc/kernel-too-old:
glibc/upgrade: true
glibc/disable-screensaver:
--- End Message ---
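The allocate-copy-then-free ordering that the glob.c patch above introduces, reduced to a stand-alone function (added example, not glibc or Debian code; expand_home and expand_pattern are hypothetical names, and the home directory is passed in rather than looked up with getpwnam):

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not glibc code). Replace *dirname with "<home><rest>".
   `rest` may point INTO the current *dirname buffer, as end_name does in
   glob.c; the safe order is therefore: allocate, copy, and only then free.
   Returns 0 on success, -1 when malloc fails (the old buffer stays valid so
   the caller's normal cleanup still applies, matching the patch's error path). */
int expand_home(char **dirname, bool *malloc_dirname,
                const char *home, const char *rest)
{
    size_t home_len = strlen(home);
    size_t rest_len = rest == NULL ? 0 : strlen(rest);
    char *newp = malloc(home_len + rest_len + 1);
    if (newp == NULL)
        return -1;
    memcpy(newp, home, home_len);
    if (rest != NULL)
        memcpy(newp + home_len, rest, rest_len);   /* reads rest while still live */
    newp[home_len + rest_len] = '\0';
    if (*malloc_dirname)        /* the pre-fix code did this free BEFORE the copy */
        free(*dirname);
    *dirname = newp;
    *malloc_dirname = true;
    return 0;
}

/* Expand a "~user..." pattern given the user's home directory. The caller
   owns and must free the returned string. `rest` aliases the heap copy of
   the pattern, exactly the situation that made the free-first order a UAF. */
char *expand_pattern(const char *pattern, const char *home)
{
    char *dirname = strdup(pattern);            /* constructed input, heap-owned */
    if (dirname == NULL)
        return NULL;
    bool malloc_dirname = true;
    const char *rest = strchr(dirname, '/');    /* NULL for a bare "~user" */
    if (expand_home(&dirname, &malloc_dirname, home, rest) != 0) {
        free(dirname);
        return NULL;
    }
    return dirname;
}
```

Building the old free-first ordering into expand_home and running this under AddressSanitizer reports a heap-use-after-free on the memcpy from rest, which is the check a distribution maintainer can use to confirm the backport really changed the behaviour.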
--- Begin Message ---
Version: 2.28-10+deb10u2
On 2022-08-09 09:58, Masami Ichikawa wrote:
> Package: libc6
> Version: 2.28-10+deb10u1
> Severity: normal
> Tags: patch
>
> CVE-2020-1752 was reported to the glibc Bugzilla [1].
>
> CVE-2020-1752 description from NVD:
> A use-after-free vulnerability introduced in glibc upstream version 2.14 was
> found in the way the tilde expansion was carried out. Directory paths
> containing an initial tilde followed by a valid username were affected by
> this issue. A local attacker could exploit this flaw by creating a specially
> crafted path that, when processed by the glob function, would potentially
> lead to arbitrary code execution. This was fixed in version 2.32.
>
> This CVE was fixed in the release/2.28/master branch [2] about two years ago,
> but there is no new upstream release for the 2.28 series yet.
>
> I ported the upstream patch to 2.28-10+deb10u1.
>
> 1. https://sourceware.org/bugzilla/show_bug.cgi?id=25414
> 2. https://sourceware.org/git/?p=glibc.git;a=patch;h=21344a3d62a29406fddeec069ee4eb3c341369f9
>
This has been fixed in glibc 2.28-10+deb10u2. Closing the bug
accordingly.
Regards
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
[email protected] http://www.aurel32.net
--- End Message ---