need to fix CVE-2017-16997

Issue description

We need to cherry pick an upstream glibc patch to fix this issue.
Jan 8 2018
Jan 10 2018
Jan 10 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/9a3e60646540a5a5329781affa5dd91b3606ad11

commit 9a3e60646540a5a5329781affa5dd91b3606ad11
Author: Yunlian Jiang <yunlian@chromium.org>
Date: Wed Jan 10 23:44:35 2018

glibc: backport upstream patch to fix CVE-2017-16997

This backports an upstream patch to fix CVE-2017-16997.
The original commit message is:

commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef
Author: Aurelien Jarno <aurelien@aurel32.net>
Date: Sat Dec 30 10:54:23 2017 +0100

elf: Check for empty tokens before dynamic string token expansion [BZ #22625]

The fillin_rpath function in elf/dl-load.c loops over each RPATH or RUNPATH token and interprets empty tokens as the current directory ("./"). In practice the check for empty token is done *after* the dynamic string token expansion. The expansion process can return an empty string for the $ORIGIN token if __libc_enable_secure is set or if the path of the binary can not be determined (/proc not mounted).

Fix that by moving the check for empty tokens before the dynamic string token expansion. In addition, check for NULL pointer or empty strings returned by expand_dynamic_string_token.

The above changes highlighted a bug in decompose_rpath, an empty array is represented by the first element being NULL at the fillin_rpath level, but by using a -1 pointer in decompose_rpath and other functions.

BUG= chromium:800007
TEST=cbuildbot chromiumos-sdk {arm,arm64,amd64}-toolchain

Change-Id: Ia2ec1c735321ecbaa5468d3217e0a9736219cf0f
Reviewed-on: https://chromium-review.googlesource.com/854769
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Caroline Tice <cmtice@chromium.org>

[rename] https://crrev.com/9a3e60646540a5a5329781affa5dd91b3606ad11/sys-libs/glibc/glibc-2.23-r13.ebuild
[add] https://crrev.com/9a3e60646540a5a5329781affa5dd91b3606ad11/sys-libs/glibc/files/local/glibc-2.23-empty-token.patch
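
A simplified model of the ordering problem described in the commit message above, added here as an illustration; it is not glibc code and not part of the Chromium OS patch. The names `expand_token` and `walk_rpath`, the convention that `origin == NULL` stands for an unusable `$ORIGIN`, and the sample RPATH are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not glibc source. Hypothetical stand-in for
   expand_dynamic_string_token: origin == NULL models an unusable $ORIGIN. */
static int expand_token(const char *tok, size_t len, const char *origin,
                        char *dst, size_t dstsz)
{
    int n, is_origin = len >= 7 && strncmp(tok, "$ORIGIN", 7) == 0;
    if (is_origin && origin == NULL) { dst[0] = '\0'; return 0; }
    n = is_origin ? snprintf(dst, dstsz, "%s%.*s", origin, (int)(len - 7), tok + 7)
                  : snprintf(dst, dstsz, "%.*s", (int)len, tok);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;
}

/* Writes the resulting search directories to out, '|'-separated; returns their count. */
static int walk_rpath(const char *rpath, const char *origin, int check_first,
                      char *out, size_t outsz)
{
    const char *p = rpath, *end;
    int count = 0;
    out[0] = '\0';
    for (;; p = end + 1) {
        end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char dir[256];
        int keep = 1;
        if (check_first && len == 0)
            strcpy(dir, "./");          /* truly empty token: current directory */
        else if (expand_token(p, len, origin, dir, sizeof dir) != 0)
            keep = 0;                   /* expansion failed: skip the entry */
        else if (dir[0] == '\0' && check_first)
            keep = 0;                   /* fixed order: empty expansion is dropped */
        else if (dir[0] == '\0')
            strcpy(dir, "./");          /* pre-fix order: mistaken for an empty token */
        if (keep && strlen(out) + strlen(dir) + 2 <= outsz)
            sprintf(out + strlen(out), "%s%s", count++ ? "|" : "", dir);
        if (end == NULL) break;
    }
    return count;
}

int main(void)
{
    char a[512], b[512];
    walk_rpath("$ORIGIN/../lib:/usr/lib", NULL, 0, a, sizeof a);  /* constructed RPATH */
    walk_rpath("$ORIGIN/../lib:/usr/lib", NULL, 1, b, sizeof b);
    return printf("pre-fix: %s\nfixed:   %s\n", a, b) < 0;
}
```

With the pre-fix ordering the unresolved `$ORIGIN` entry turns into `./` in the search list; with the check moved before expansion the entry is dropped and only `/usr/lib` remains.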
Feb 9 2018
Comment 1 by yunlian@chromium.org, Jan 8 2018