
Bug#1016886: marked as done (CVE-2020-1752: 'glob' use-after-free bug)



Your message dated Tue, 18 Oct 2022 20:38:24 +0200
with message-id <Y07yoKYn29VBaqFZ@aurel32.net>
and subject line Re: CVE-2020-1752: 'glob' use-after-free bug
has caused the Debian Bug report #1016886,
regarding CVE-2020-1752: 'glob' use-after-free bug
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1016886: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016886
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libc6
Version: 2.28-10+deb10u1
Severity: normal
Tags: patch

CVE-2020-1752 was reported to glibc bugzilla[1].

CVE-2020-1752 description from NVD:
A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.

This CVE has been fixed in release/2.28/master branch[2] about two years ago but there is no new upstream release for 2.28 series yet.

I ported the upstream patch to 2.28-10+deb10u1.
 
1. https://sourceware.org/bugzilla/show_bug.cgi?id=25414
2. https://sourceware.org/git/?p=glibc.git;a=patch;h=21344a3d62a29406fddeec069ee4eb3c341369f9


*** submitted-Fix-use-after-free-in-glob-when-expanding-user-bug.diff
Index: glibc-2.28/NEWS
===================================================================
--- glibc-2.28.orig/NEWS
+++ glibc-2.28/NEWS
@@ -69,6 +69,7 @@ The following bugs are resolved with thi
   [24228] old x86 applications that use legacy libio crash on exit
   [24476] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once)
   [24744] io: Remove the copy_file_range emulation.
+  [25414] 'glob' use-after-free bug (CVE-2020-1752)
 
 Security related changes:
 
@@ -97,6 +98,10 @@ Security related changes:
   CVE-2019-9169: Attempted case-insensitive regular-expression match
   via proceed_next_node in posix/regexec.c leads to heap-based buffer
   over-read.  Reported by Hongxu Chen.
+
+  CVE-2020-1752: A use-after-free vulnerability in the glob function when
+  expanding ~user has been fixed.
+
 
 Version 2.28
 
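Review bot: the trailing `+` blank line at the end of this hunk, together with the unchanged blank context line that already precedes `Version 2.28`, leaves two consecutive empty lines before the version header; dropping that final `+` line would keep the spacing consistent with the CVE-2019-9169 entry above, which is separated from its neighbours by a single blank line.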
Index: glibc-2.28/posix/glob.c
===================================================================
--- glibc-2.28.orig/posix/glob.c
+++ glibc-2.28/posix/glob.c
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags,
 	      {
 		size_t home_len = strlen (p->pw_dir);
 		size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
-		char *d;
+		char *d, *newp;
+		bool use_alloca = glob_use_alloca (alloca_used,
+						   home_len + rest_len + 1);
 
-		if (__glibc_unlikely (malloc_dirname))
-		  free (dirname);
-		malloc_dirname = 0;
-
-		if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
-		  dirname = alloca_account (home_len + rest_len + 1,
-					    alloca_used);
+		if (use_alloca)
+		  newp = alloca_account (home_len + rest_len + 1, alloca_used);
 		else
 		  {
-		    dirname = malloc (home_len + rest_len + 1);
-		    if (dirname == NULL)
+		    newp = malloc (home_len + rest_len + 1);
+		    if (newp == NULL)
 		      {
 			scratch_buffer_free (&pwtmpbuf);
 			retval = GLOB_NOSPACE;
 			goto out;
 		      }
-		    malloc_dirname = 1;
 		  }
-		d = mempcpy (dirname, p->pw_dir, home_len);
+		d = mempcpy (newp, p->pw_dir, home_len);
 		if (end_name != NULL)
 		  d = mempcpy (d, end_name, rest_len);
 		*d = '\0';
 
+		if (__glibc_unlikely (malloc_dirname))
+		  free (dirname);
+		dirname = newp;
+		malloc_dirname = !use_alloca;
+
 		dirlen = home_len + rest_len;
 		dirname_modified = 1;
 	      }
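Review bot: the whole fix is the reordering, so the invariant it restores deserves a comment at the copy site: the new buffer `newp` is filled from `p->pw_dir` and `end_name` before the old `dirname` is released, whereas the removed lines freed `dirname` first and then ran `d = mempcpy (d, end_name, rest_len)`; a comment stating that `end_name` may point into the old `dirname` would stop a later refactor from reintroducing the free-before-copy order. Also worth checking the `GLOB_NOSPACE` path: with the old code `dirname` had already been freed and `malloc_dirname` cleared before `goto out`, while with the new code `dirname` still holds the old buffer and `malloc_dirname` is still set, so the `out:` cleanup must free `dirname` exactly when `malloc_dirname` is nonzero for this path to be leak-free without a double free.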


-- System Information:
Debian Release: 10.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-21-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libc6 depends on:
ii  libgcc1  1:8.3.0-6

Versions of packages libc6 recommends:
ii  libidn2-0  2.0.5-1+deb10u1

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.71+deb10u1
pn  glibc-doc              <none>
ii  libc-l10n              2.28-10+deb10u1
ii  locales                2.28-10+deb10u1

-- debconf information:
  libraries/restart-without-asking: false
  glibc/restart-services:
  glibc/restart-failed:
  glibc/kernel-not-supported:
  glibc/kernel-too-old:
  glibc/upgrade: true
  glibc/disable-screensaver:

--- End Message ---
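The ordering the patch above restores, shown as a small stand-alone C example. This is added illustration, not glibc code and not part of the bug report: `expand_user_home` and `expand_tilde` are hypothetical helpers that mirror the hunk's steps (allocate the new buffer, copy the home directory and the remainder of the pattern, and only then free the old buffer), with the home directory passed in instead of being looked up via getpwnam. The sample pattern and home path are constructed.

```c
/* Added example (not glibc's code): the allocate-copy-then-free ordering
   that the CVE-2020-1752 fix restores in glob's ~user expansion. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replace the "~user" prefix held in *dirname_p (a heap buffer owned by
   the caller) with home.  rest points INTO the old buffer (the part of the
   pattern after the user name, or NULL), which is exactly why the old
   buffer must stay alive until the copy has finished.
   Returns 0 on success; on allocation failure returns -1 and leaves
   *dirname_p untouched, so the caller's cleanup still owns one buffer. */
int expand_user_home(char **dirname_p, const char *home, const char *rest)
{
    char *dirname = *dirname_p;
    size_t home_len = strlen(home);
    size_t rest_len = rest == NULL ? 0 : strlen(rest);

    /* 1. Allocate the replacement first (the patch's "newp"). */
    char *newp = malloc(home_len + rest_len + 1);
    if (newp == NULL)
        return -1;

    /* 2. Copy while the old buffer, which rest points into, is still valid.
       The vulnerable ordering freed dirname before this step. */
    memcpy(newp, home, home_len);
    char *d = newp + home_len;
    if (rest != NULL) {
        memcpy(d, rest, rest_len);
        d += rest_len;
    }
    *d = '\0';

    /* 3. Only now release the old buffer and publish the new one. */
    free(dirname);
    *dirname_p = newp;
    return 0;
}

/* Expand a "~user[/...]" pattern given that user's home directory
   (hypothetical helper: a real implementation would consult getpwnam).
   Returns a freshly malloc'd string the caller frees, or NULL on failure.
   Patterns not starting with '~' are returned as a copy unchanged. */
char *expand_tilde(const char *pattern, const char *home)
{
    if (pattern[0] != '~')
        return strdup(pattern);

    char *dirname = strdup(pattern);
    if (dirname == NULL)
        return NULL;

    /* rest: the first '/' after the user name, or NULL if there is none.
       Note that it points into dirname, the buffer about to be replaced. */
    const char *rest = strchr(dirname + 1, '/');

    if (expand_user_home(&dirname, home, rest) != 0) {
        free(dirname);          /* still the original buffer on failure */
        return NULL;
    }
    return dirname;
}

int main(void)
{
    /* Constructed sample input. */
    char *expanded = expand_tilde("~alice/docs/*.txt", "/home/alice");
    if (expanded == NULL)
        return 1;
    printf("%s\n", expanded);   /* /home/alice/docs/*.txt */
    free(expanded);
    return 0;
}
```

Running the example under AddressSanitizer or valgrind is the quickest way to confirm the ordering: moving the `free(dirname)` call above the `memcpy` from `rest` turns the run into a reported heap-use-after-free, which is the class of defect the backported patch removes.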
--- Begin Message ---
Version: 2.28-10+deb10u2

On 2022-08-09 09:58, Masami Ichikawa wrote:
> Package: libc6
> Version: 2.28-10+deb10u1
> Severity: normal
> Tags: patch
> 
> CVE-2020-1752 was reported to glibc bugzilla[1].
> 
> CVE-2020-1752 description from NVD:
> A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.
> 
> This CVE has been fixed in release/2.28/master branch[2] about two years ago but there is no new upstream release for 2.28 series yet.
> 
> I ported the upstream patch to 2.28-10+deb10u1.
>  
> 1. https://sourceware.org/bugzilla/show_bug.cgi?id=25414
> 2. https://sourceware.org/git/?p=glibc.git;a=patch;h=21344a3d62a29406fddeec069ee4eb3c341369f9
> 

This has been fixed in glibc 2.28-10+deb10u2. Closing the bug
accordingly.

Regards
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

--- End Message ---
