diff options
| author | Carlos O'Donell <carlos@redhat.com> | 2014-11-19 11:44:12 -0500 |
|---|---|---|
| committer | Carlos O'Donell <carlos@redhat.com> | 2014-11-19 15:29:48 -0500 |
| commit | 33ceaf6187b31ea15284ac65131749e1cb68d2ae (patch) | |
| tree | a53160ae8adbc1a1840c2edd2b26d83c940ea2a3 /NEWS | |
| parent | e42643491c47dcd1c226b4f00f716023e9bcc5ca (diff) | |
| download | glibc-33ceaf6187b31ea15284ac65131749e1cb68d2ae.tar.gz | |
CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.
We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).
Tested on x86_64 with no regressions.
(cherry picked from commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c)
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 9 |
1 files changed, 8 insertions, 1 deletions
@@ -9,7 +9,14 @@ Version 2.20.1 * The following bugs are resolved with this release: - 17266, 17370, 17371, 17460, 17485, 17555. + 17266, 17370, 17371, 17460, 17485, 17555, 17625. + +* CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag + under certain input conditions resulting in the execution of a shell for + command substitution when the applicaiton did not request it. The + implementation now checks WRDE_NOCMD immediately before executing the + shell and returns the error WRDE_CMDSUB as expected. + Version 2.20 |