Last commit made on 2018-04-13
Get this branch:
git clone -b release/2.22/master

Recent commits

49a0c33... by Paul Eggert on 2017-10-22

glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]

(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)

d8b6b33... by Florian Weimer on 2017-10-21

glob: Add new test tst-glob-tilde

The new test checks for memory leaks (see bug 22325) and attempts
to trigger the buffer overflow in bug 22320.

(cherry picked from commit e80fc1fc98bf614eb01cf8325503df3a1451a99c)

42a2c81... by Paul Eggert on 2017-10-20

CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

(cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)

3790ec0... by Adhemerval Zanella on 2017-09-04

posix: Sync glob with gnulib [BZ #1062]

This patch syncs posix/glob.c implementation with gnulib version
b5ec983 (glob: simplify symlink detection). The only difference
to gnulib code is

  * DT_UNKNOWN, DT_DIR, and DT_LNK definitions in the case they
    were not already defined. Gnulib code which uses
    HAVE_STRUCT_DIRENT_D_TYPE will redefine them wrongly because
    GLIBC does not define HAVE_STRUCT_DIRENT_D_TYPE. Instead
    the patch checks for each definition.

Also, the patch requires additional globfree and globfree64 files
for compatibility version on some architectures. Also the code
simplification leads to not macro simplification (not need for

Checked on x86_64-linux-gnu and on a build using
for all major architectures.

 [BZ #1062]
 * posix/Makefile (routines): Add globfree, globfree64, and
 * posix/flexmember.h: New file.
 * posix/glob_internal.h: Likewise.
 * posix/glob_pattern_p.c: Likewise.
 * posix/globfree.c: Likewise.
 * posix/globfree64.c: Likewise.
 * sysdeps/gnu/globfree64.c: Likewise.
 * sysdeps/unix/sysv/linux/alpha/globfree.c: Likewise.
 * sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c: Likewise.
 * sysdeps/unix/sysv/linux/oldglob.c: Likewise.
 * sysdeps/unix/sysv/linux/wordsize-64/globfree64.c: Likewise.
 * sysdeps/unix/sysv/linux/x86_64/x32/globfree.c: Likewise.
 * sysdeps/wordsize-64/globfree.c: Likewise.
 * sysdeps/wordsize-64/globfree64.c: Likewise.
 * posix/glob.c (HAVE_CONFIG_H): Use !_LIBC instead.
 [NDEBUG]: Remove comments.
 (GLOB_ONLY_P, _AMIGA, VMS): Remove define.
 (dirent_type): New type. Use uint_fast8_t not
 uint8_t, as C99 does not require uint8_t.
 (DT_UNKNOWN, DT_DIR, DT_LNK): New macros.
 (struct readdir_result): Use dirent_type. Do not define skip_entry
 unless it is needed; this saves a byte on platforms lacking d_ino.
 (readdir_result_type, readdir_result_skip_entry):
 New functions, replacing ...
 (readdir_result_might_be_symlink, readdir_result_might_be_dir):
  these functions, which were removed. This makes the callers
 easier to read. All callers changed.
 (D_INO_TO_RESULT): Now empty if there is no d_ino.
 (size_add_wrapv, glob_use_alloca): New static functions.
 (glob, glob_in_dir): Check for size_t overflow in several places,
 and fix some size_t checks that were not quite right.
 Remove old code using SHELL since Bash no longer
 uses this.
 (glob, prefix_array): Separate MS code better.
 (glob_in_dir): Remove old Amiga and VMS code.
 (globfree, __glob_pattern_type, __glob_pattern_p): Move to
 separate files.
 (glob_in_dir): Do not rely on undefined behavior in accessing
 struct members beyond their bounds. Use a flexible array member
 (link_stat): Rename from link_exists2_p and return -1/0 instead of
 0/1. Caller changed.
 (glob): Fix memory leaks.
 * posix/glob64 (globfree64): Move to separate file.
 * sysdeps/gnu/glob64.c (NO_GLOB_PATTERN_P): Remove define.
 (globfree64): Remove hidden alias.
 * sysdeps/unix/sysv/linux/Makefile (sysdeps_routines): Add
 * sysdeps/unix/sysv/linux/alpha/glob.c (__new_globfree): Move to
 separate file.
 * sysdeps/unix/sysv/linux/i386/glob64.c (NO_GLOB_PATTERN_P): Remove
 Move compat code to separate file.
 * sysdeps/wordsize-64/glob.c (globfree): Move definitions to
 separate file.

(cherry picked from commit c66c908230169c1bab1f83b071eb585baa214b9f)

017d97c... by Florian Weimer on 2018-02-06

Record CVE-2018-6551 in NEWS and ChangeLog [BZ #22774]

(cherry picked from commit 71aa429b029fdb6f9e65d44050388b51eca460d6)

436359f... by Florian Weimer on 2018-02-01

Record CVE-2018-6485 in ChangeLog and NEWS [BZ #22343]

(cherry picked from commit 4590634fd65162568b9f52fb4beb60aa25da37f2)

407ec87... by Florian Weimer on 2017-08-16

Add ChangeLog reference to bug 16750/CVE-2009-5064

(cherry picked from commit 403143e1df85dadd374f304bd891be0cd7573e3b)

d2450a9... by Arjun Shankar on 2018-01-18

Fix integer overflows in internal memalign and malloc functions [BZ #22343]

When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT
and a requested size close to SIZE_MAX, it falls back to malloc code
(because the alignment of a block returned by malloc is sufficient to
satisfy the call). In this case, an integer overflow in _int_malloc leads
to posix_memalign incorrectly returning successfully.

Upon fixing this and writing a somewhat thorough regression test, it was
discovered that when posix_memalign is called with an alignment larger than
MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size
close to SIZE_MAX, a different integer overflow in _int_memalign leads to
posix_memalign incorrectly returning successfully.

Both integer overflows affect other memory allocation functions that use
_int_malloc (one affected malloc in x86) or _int_memalign as well.

This commit fixes both integer overflows. In addition to this, it adds a
regression test to guard against false successful allocations by the
following memory allocation functions when called with too-large allocation
sizes and, where relevant, various valid alignments:
malloc, realloc, calloc, reallocarray, memalign, posix_memalign,
aligned_alloc, valloc, and pvalloc.

(cherry picked from commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22)
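
A minimal check in the spirit of the regression test that commit describes, as an added example that is not glibc's own test: it asks several allocators for sizes just below SIZE_MAX and counts any call that reports success. The function names, the 64-size window and the alignment range are choices made here.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for posix_memalign */
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Results pass through a volatile pointer so the compiler cannot assume
   the allocation succeeded and optimise the call away. */
static void *volatile sink;

/* Return 1 if an allocator handed back a block for an impossible request. */
static int false_success(void *p)
{
    sink = p;
    if (sink == NULL)
        return 0;
    free(sink);
    return 1;
}

/* Count allocations that wrongly succeed for sizes close to SIZE_MAX.
   The window (64 sizes) and the alignment range are illustrative choices. */
int count_false_successes(void)
{
    int bad = 0;
    for (size_t k = 0; k < 64; k++) {
        volatile size_t size = SIZE_MAX - k;   /* keep it a runtime value */
        bad += false_success(malloc(size));
        bad += false_success(realloc(NULL, size));
        bad += false_success(calloc(1, size));
        /* Alignments below MALLOC_ALIGNMENT take the malloc fallback the
           commit describes, larger ones go through _int_memalign. */
        for (size_t align = sizeof(void *); align <= 4096; align *= 2) {
            void *p = NULL;
            if (posix_memalign(&p, align, size) == 0)
                bad += false_success(p);
        }
    }
    return bad;
}

int main(void)
{
    int bad = count_false_successes();
    printf("false successes: %d\n", bad);
    return bad != 0;
}
```

A non-zero count on a given libc build means at least one allocator returned a block for a request it cannot satisfy, which is the symptom the commit fixes.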

c64d6bc... by Florian Weimer on 2017-12-14

elf: Compute correct array size in _dl_init_paths [BZ #22606]

(cherry picked from commit 8a0b17e48b83e933960dfeb8fa08b259f03f310e)

d9c5436... by Florian Weimer on 2017-11-02

<array_length.h>: New array_length and array_end macros

(cherry picked from commit c94a5688fb1228a862b2d4a3f1239cdc0e3349e5)