Package: libc6
Version: 2.28-10+deb10u1
Severity: normal
Tags: patch

CVE-2020-1752 was reported to glibc bugzilla[1].
CVE-2020-1752 description from NVD:

A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.

This CVE has been fixed in the release/2.28/master branch[2] about two years ago, but there is no new upstream release for the 2.28 series yet. I ported the upstream patch to 2.28-10+deb10u1.

1. https://sourceware.org/bugzilla/show_bug.cgi?id=25414
2. https://sourceware.org/git/?p=glibc.git;a=patch;h=21344a3d62a29406fddeec069ee4eb3c341369f9

*** submitted-Fix-use-after-free-in-glob-when-expanding-user-bug.diff

Index: glibc-2.28/NEWS =================================================================== --- glibc-2.28.orig/NEWS +++ glibc-2.28/NEWS @@ -69,6 +69,7 @@ The following bugs are resolved with thi [24228] old x86 applications that use legacy libio crash on exit [24476] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once) [24744] io: Remove the copy_file_range emulation. + [25414] 'glob' use-after-free bug (CVE-2020-1752) Security related changes: @@ -97,6 +98,10 @@ Security related changes: CVE-2019-9169: Attempted case-insensitive regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read. Reported by Hongxu Chen. + + CVE-2020-1752: A use-after-free vulnerability in the glob function when + expanding ~user has been fixed. + Version 2.28 Index: glibc-2.28/posix/glob.c =================================================================== --- glibc-2.28.orig/posix/glob.c +++ glibc-2.28/posix/glob.c 
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, { size_t home_len = strlen (p->pw_dir); size_t rest_len = end_name == NULL ? 0 : strlen (end_name); - char *d; + char *d, *newp; + bool use_alloca = glob_use_alloca (alloca_used, + home_len + rest_len + 1); - if (__glibc_unlikely (malloc_dirname)) - free (dirname); - malloc_dirname = 0; - - if (glob_use_alloca (alloca_used, home_len + rest_len + 1)) - dirname = alloca_account (home_len + rest_len + 1, - alloca_used); + if (use_alloca) + newp = alloca_account (home_len + rest_len + 1, alloca_used); else { - dirname = malloc (home_len + rest_len + 1); - if (dirname == NULL) + newp = malloc (home_len + rest_len + 1); + if (newp == NULL) { scratch_buffer_free (&pwtmpbuf); retval = GLOB_NOSPACE; goto out; } - malloc_dirname = 1; } - d = mempcpy (dirname, p->pw_dir, home_len); + d = mempcpy (newp, p->pw_dir, home_len); if (end_name != NULL) d = mempcpy (d, end_name, rest_len); *d = '\0'; + if (__glibc_unlikely (malloc_dirname)) + free (dirname); + dirname = newp; + malloc_dirname = !use_alloca; + dirlen = home_len + rest_len; dirname_modified = 1; }

-- System Information:
Debian Release: 10.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-21-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libc6 depends on:
ii  libgcc1  1:8.3.0-6

Versions of packages libc6 recommends:
ii  libidn2-0  2.0.5-1+deb10u1

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.71+deb10u1
pn  glibc-doc              <none>
ii  libc-l10n              2.28-10+deb10u1
ii  locales                2.28-10+deb10u1

-- debconf information:
  libraries/restart-without-asking: false
  glibc/restart-services:
  glibc/restart-failed:
  glibc/kernel-not-supported:
  glibc/kernel-too-old:
  glibc/upgrade: true
glibc/disable-screensaver:
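Review bot: the new entry under "Security related changes" in the NEWS hunk is thinner than the bug-list entry above it, which carries the Bugzilla number; suggest stating the trigger and the reference here too, e.g. "CVE-2020-1752: A use-after-free vulnerability in the glob function when expanding ~user (a pattern beginning with a tilde followed by a valid user name) has been fixed (bug 25414)." so a reader of only this section can find the report.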
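Review bot: in the glob.c hunk the GLOB_NOSPACE path now leaves the old buffer owned by the caller: `malloc_dirname = 0;` and the early `free (dirname);` are removed, so when `newp = malloc (...)` fails the `goto out;` is reached with `dirname` still allocated and `malloc_dirname` still set. That is correct only if the `out:` cleanup frees `dirname` whenever `malloc_dirname` is set; please confirm that against the 2.28 sources, since the previous ordering never reached `out` with the old buffer live. The reordering itself is the fix: `end_name` points into `dirname`, so copying `p->pw_dir` and `end_name` into `newp` before `free (dirname)` removes the read from freed memory, and the added `dirlen = home_len + rest_len;` keeps `dirlen` consistent with the buffer that `dirname` now points to.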
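An added regression probe for the code path the patch changes, written here and not part of this bug report, of the upstream commit or of glibc. It builds "~user/<remainder>/x" patterns and runs them through glob(3) with GLOB_TILDE: a remainder longer than the cutoff that glob_use_alloca applies (assumed to be 64 KiB, as in glibc's __MAX_ALLOCA_CUTOFF) forces the directory buffer onto the heap, which is the situation in which the unpatched code freed dirname before copying the remainder out of it through end_name. The user name is the caller's own passwd entry, falling back to root (assumed to exist); probe_tilde_user, probe_is_clean and pick_user are names chosen for this example.

```c
/* Regression probe for glob() "~user" expansion (CVE-2020-1752, glibc bug
   25414).  Added example, not code from the bug report or from glibc.
   Build:  gcc -O0 -g -o tilde-probe tilde-probe.c
   Run:    valgrind ./tilde-probe        (against an affected libc6 valgrind
           reports an invalid read inside glob; a fixed libc is silent). */
#define _GNU_SOURCE
#include <glob.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* A user name that getpwnam() can resolve: the current user when it has a
   passwd entry, otherwise "root" (assumption: root exists on the system). */
const char *pick_user(void)
{
    struct passwd *pw = getpwuid(getuid());
    return (pw != NULL && pw->pw_name != NULL) ? pw->pw_name : "root";
}

/* Glob "~<user>/<rest_len x 'A'>/x" with GLOB_TILDE and return glob()'s
   status.  When the pattern matched, *first receives a malloc'd copy of the
   first result (caller frees); otherwise *first is set to NULL.  */
int probe_tilde_user(const char *user, size_t rest_len, char **first)
{
    size_t user_len = strlen(user);
    size_t pat_len = 1 + user_len + 1 + rest_len + 2 + 1; /* ~ user / rest /x NUL */
    char *pattern = malloc(pat_len);
    if (pattern == NULL)
        return GLOB_NOSPACE;

    char *p = pattern;
    *p++ = '~';
    memcpy(p, user, user_len);
    p += user_len;
    *p++ = '/';                 /* end_name will point here inside dirname */
    memset(p, 'A', rest_len);   /* the remainder copied after the free     */
    p += rest_len;
    memcpy(p, "/x", 3);         /* filename part plus terminating NUL      */

    glob_t g;
    memset(&g, 0, sizeof g);
    int rc = glob(pattern, GLOB_TILDE, NULL, &g);
    if (first != NULL) {
        *first = NULL;
        if (rc == 0 && g.gl_pathc > 0) {
            size_t n = strlen(g.gl_pathv[0]) + 1;
            *first = malloc(n);
            if (*first != NULL)
                memcpy(*first, g.gl_pathv[0], n);
        }
    }
    globfree(&g);
    free(pattern);
    return rc;
}

/* A correct glob() can only end a probe in "matched" or "no match"; an
   abort or an allocation failure means something else went wrong.  */
int probe_is_clean(int rc)
{
    return rc == 0 || rc == GLOB_NOMATCH;
}

int main(void)
{
    const char *user = pick_user();
    /* Short remainder: the expanded dirname stays on the stack (alloca). */
    int rc_short = probe_tilde_user(user, 1, NULL);
    /* Long remainder: heap buffer, i.e. the formerly dangling end_name case.
       A single 100000-byte path component cannot exist (NAME_MAX is 255),
       so a correct glob() reports GLOB_NOMATCH rather than crashing.  */
    int rc_long = probe_tilde_user(user, 100000, NULL);
    printf("~%s: short rest rc=%d, long rest rc=%d\n", user, rc_short, rc_long);
    return (probe_is_clean(rc_short) && rc_long == GLOB_NOMATCH) ? 0 : 1;
}
```

Valgrind is the tool to run this under: the bad read happens in libc's own copy loop, which an AddressSanitizer build of this program alone does not instrument, so a sanitizer run can stay silent on an affected libc6.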