Bugzilla – Bug 969727
VUL-1: CVE-2016-1234: glibc: buffer overflow in glob with GLOB_ALTDIRFUNC and crafted directory
Last modified: 2020-06-11 20:30:44 UTC
bugbot adjusting priority
is public
https://sourceware.org/bugzilla/show_bug.cgi?id=19779 Alexander Cherepanov discovered that the glob implementation in glibc does not correctly handle overlong names in struct dirent buffers when GLOB_ALTDIRFUNC is used. Alexander's reproducer: Indeed, it's easy to create such overlong filename with NTFS: truncate -s 2M ntfs.img mkfs.ntfs -F ntfs.img mkdir dir mount ntfs.img dir cd dir touch `perl -CS -e 'print chr(0x800) x 255'` And I guess this is a problem for some programs. For example, glibc uses NAME_MAX to compute an array size here: https://sourceware.org/git/?p=glibc.git;a=blob;f=posix/glob.c;h=0c04c3ccfdea4677ae8bb511e88ee8e4f37b02b5;hb=HEAD#l1564 The program: #include <stddef.h> #include <dirent.h> #include <sys/stat.h> #include <glob.h> int main() { glob_t g; g.gl_closedir = &closedir; g.gl_readdir = &readdir; g.gl_opendir = &opendir; g.gl_lstat = &lstat; g.gl_stat = &stat; glob("*", GLOB_ALTDIRFUNC, NULL, &g); } crashes when run in a directory created as shown above -- stack buffer overflow by up to 510 bytes with controlled length and (with some constrains) contents.
This is an autogenerated message for OBS integration: This bug (969727) was mentioned in https://build.opensuse.org/request/show/398848 13.2 / glibc
openSUSE-SU-2016:1527-1: An update that solves four vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 969727,973010,973164,980483,980854 CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429 Sources used: openSUSE 13.2 (src): glibc-2.19-16.25.1, glibc-2.19-16.25.2, glibc-testsuite-2.19-16.25.2, glibc-utils-2.19-16.25.1
SUSE-SU-2016:1721-1: An update that solves four vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 968787,969727,973010,973164,975930,980483,980854 CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): glibc-2.19-22.16.2 SUSE Linux Enterprise Server 12 (src): glibc-2.19-22.16.2 SUSE Linux Enterprise Desktop 12 (src): glibc-2.19-22.16.2
SUSE-SU-2016:1733-1: An update that solves four vulnerabilities and has four fixes is now available. Category: security (moderate) Bug References: 967190,968787,969727,973010,973164,975930,980483,980854 CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): glibc-2.19-38.2 SUSE Linux Enterprise Server 12-SP1 (src): glibc-2.19-38.2 SUSE Linux Enterprise Desktop 12-SP1 (src): glibc-2.19-38.2
openSUSE-SU-2016:1779-1: An update that solves four vulnerabilities and has four fixes is now available. Category: security (moderate) Bug References: 967190,968787,969727,973010,973164,975930,980483,980854 CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429 Sources used: openSUSE Leap 42.1 (src): glibc-2.19-22.1, glibc-testsuite-2.19-22.2, glibc-utils-2.19-22.1
SUSE-SU-2016:2156-1: An update that solves four vulnerabilities and has 5 fixes is now available. Category: security (moderate) Bug References: 931399,965699,969727,973010,973164,973179,980483,980854,986302 CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): glibc-2.11.3-17.102.1 SUSE Linux Enterprise Server 11-SP4 (src): glibc-2.11.3-17.102.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): glibc-2.11.3-17.102.1
released