Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 635118 (CVE-2017-15804) - <sys-libs/glibc-2.25-r9: glob function contains a buffer overflow during unescaping of user names with the ~ operator
Summary: <sys-libs/glibc-2.25-r9: glob function contains a buffer overflow during unes...
Alias: CVE-2017-15804
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Depends on: 637140 CVE-2018-6551
  Show dependency tree
Reported: 2017-10-22 22:29 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-04-04 01:55 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-10-22 22:29:45 UTC
CVE-2017-15804 (

The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator. 

Comment 1 Andreas K. Hüttel archtester gentoo-dev 2017-10-25 22:00:29 UTC
Patch added to gentoo/2.25 and gentoo/2.26 branch
Comment 2 Larry the Git Cow gentoo-dev 2017-10-27 23:30:35 UTC
The bug has been referenced in the following commit(s):

commit d93339d7f5bfe90901a8c6921d1c221b54c8302a
Author:     Andreas K. Hüttel <>
AuthorDate: 2017-10-27 23:30:07 +0000
Commit:     Andreas K. Hüttel <>
CommitDate: 2017-10-27 23:30:19 +0000

    sys-libs/glibc: Revision bump to 2.25 patchlevel 12, unkeyworded so far
    Resolves CVE-2017-15670, CVE-2017-15804, CVE-2016-6261
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 sys-libs/glibc/Manifest             |   1 +
 sys-libs/glibc/glibc-2.25-r9.ebuild | 154 ++++++++++++++++++++++++++++++++++++
 2 files changed, 155 insertions(+)}
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2017-11-29 12:01:51 UTC
All vulnerable versions are masked. No further cleanup (toolchain package). 
Nothing to do for toolchain here anymore.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-04-04 01:55:26 UTC
This issue was resolved and addressed in
 GLSA 201804-02 at
by GLSA coordinator Aaron Bauman (b-man).