Bug 634920 (CVE-2017-15670, CVE-2017-15671)

Summary:	<sys-libs/glibc-2.25-r9: Multiple Vulnerabilities
Product:	Gentoo Security	Reporter:	Aleksandr Wagner (Kivak) <alwag>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	alexander
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A3 [glsa+ cve]
Package list:		Runtime testing required:	---
Bug Depends on:	637140, 646492
Bug Blocks:

Description Aleksandr Wagner (Kivak) 2017-10-21 02:36:23 UTC

CVE-2017-15671 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671):

The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak). 

References:

https://sourceware.org/bugzilla/show_bug.cgi?id=22325

CVE-2017-15670 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670):

The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string. 

References:

https://sourceware.org/bugzilla/show_bug.cgi?id=22320

Comment 1 Andreas K. Hüttel archtester

2017-10-26 08:25:42 UTC

(In reply to Aleksandr Wagner (Kivak) from comment #0)
> CVE-2017-15671
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671):
> 
> The glob function in glob.c in the GNU C Library (aka glibc or libc6) before
> 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when
> processing the ~ operator with a long user name, potentially leading to a
> denial of service (memory leak). 
> 
> References:
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=22325

This is too invasive for a backport to 2.25 (by me).
However, it already is in the gentoo/2.26 branch.

> 
> CVE-2017-15670
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670):
> 
> The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one
> error leading to a heap-based buffer overflow in the glob function in
> glob.c, related to the processing of home directories using the ~ operator
> followed by a long string. 
> 
> References:
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=22320

Fix added to gentoo/2.25 branch, already backported upstream in gentoo/2.26 branch

Comment 2 Larry the Git Cow gentoo-dev

2017-10-27 23:30:28 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d93339d7f5bfe90901a8c6921d1c221b54c8302a

commit d93339d7f5bfe90901a8c6921d1c221b54c8302a
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2017-10-27 23:30:07 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2017-10-27 23:30:19 +0000

    sys-libs/glibc: Revision bump to 2.25 patchlevel 12, unkeyworded so far
    
    Resolves CVE-2017-15670, CVE-2017-15804, CVE-2016-6261
    
    Bug: https://bugs.gentoo.org/634920
    Bug: https://bugs.gentoo.org/635010
    Bug: https://bugs.gentoo.org/635118
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 sys-libs/glibc/Manifest             |   1 +
 sys-libs/glibc/glibc-2.25-r9.ebuild | 154 ++++++++++++++++++++++++++++++++++++
 2 files changed, 155 insertions(+)}

Comment 3 Andreas K. Hüttel archtester

2017-11-29 12:00:44 UTC

All vulnerable versions are masked. No further cleanup (toolchain package). 
Nothing to do for toolchain here anymore.

Comment 4 GLSAMaker/CVETool Bot gentoo-dev

2018-04-04 01:55:18 UTC

This issue was resolved and addressed in
 GLSA 201804-02 at https://security.gentoo.org/glsa/201804-02
by GLSA coordinator Aaron Bauman (b-man).