CVE-2018-1000001

Published: 11 January 2018

In glibc 2.26 and earlier, there is confusion in the usage of getcwd() by realpath(), which can be used to write before the destination buffer, leading to a buffer underflow and potential code execution.

From the Ubuntu security team

libc does not account for all the possible return values from the kernel getcwd(2) syscall; arbitrary code execution may result from applications making further assumptions on the return value from the getcwd(3) library function.

Priority

High

CVSS 3 base score: 7.8

Status

Package: dietlibc
  Upstream: Not vulnerable (vulnerable code not present)
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (vulnerable code not present)
  Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (vulnerable code not present)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needs-triage)

Package: eglibc
  Upstream: Needed
  Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Released (2.19-0ubuntu6.14)

Package: glibc
  Upstream: Needed
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (2.26-0ubuntu2.1)
  Ubuntu 16.04 ESM (Xenial Xerus): Released (2.23-0ubuntu10)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
  Patches:
    Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94

Package: musl
  Upstream: Released (1.1.19)
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1.1.19-1)
  Ubuntu 16.04 ESM (Xenial Xerus): Ignored (no security impact in musl)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needed)
  Patches:
    Upstream: https://git.musl-libc.org/cgit/musl/commit/?id=23ddab8569ef8ae3488c1d67b6bccaa081c73245

Notes

seth-arnold: I wonder where Go, busybox, and similar "do it ourselves" tools fit. I added dietlibc and musl to this page out of an abundance of caution. Someone should investigate.

sbeattie: introduced a regression in glusterfs geo-rep due to its usage of rsync. See redhat bug for compensating patch for rsync.

msalvatore: Unlike in glibc, this issue does not cause a buffer underflow in musl. Furthermore, realpath() does not call getcwd() in musl.
