Patched for multiple vulnerabilities -
1) CVE-2018-16839
- Integer overflow leading to a heap-based buffer overflow
2) CVE-2018-16840
- A heap use-after-free issue
3) CVE-2018-16842
- An over-read of a heap-based buffer
4) CVE-2018-14618
- Buffer overrun in NTLM authentication
Change-Id: If576e75b530f68cb66511bb8ab30044873130a50
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6615
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,34 @@ |
| 0 |
+From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Stenberg <daniel@haxx.se> |
|
| 2 |
+Date: Mon, 13 Aug 2018 10:35:52 +0200 |
|
| 3 |
+Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password |
|
| 4 |
+ |
|
| 5 |
+... since it would cause an integer overflow if longer than (max size_t |
|
| 6 |
+/ 2). |
|
| 7 |
+ |
|
| 8 |
+This is CVE-2018-14618 |
|
| 9 |
+ |
|
| 10 |
+Bug: https://curl.haxx.se/docs/CVE-2018-14618.html |
|
| 11 |
+Closes #2756 |
|
| 12 |
+Reported-by: Zhaoyang Wu |
|
| 13 |
+--- |
|
| 14 |
+ lib/curl_ntlm_core.c | 5 ++++- |
|
| 15 |
+ 1 file changed, 4 insertions(+), 1 deletion(-) |
|
| 16 |
+ |
|
| 17 |
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c |
|
| 18 |
+index e27cab353c..922e85a926 100644 |
|
| 19 |
+--- a/lib/curl_ntlm_core.c |
|
| 20 |
+@@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, |
|
| 21 |
+ unsigned char *ntbuffer /* 21 bytes */) |
|
| 22 |
+ {
|
|
| 23 |
+ size_t len = strlen(password); |
|
| 24 |
+- unsigned char *pw = len ? malloc(len * 2) : strdup("");
|
|
| 25 |
++ unsigned char *pw; |
|
| 26 |
+ CURLcode result; |
|
| 27 |
++ if(len > SIZE_T_MAX/2) /* avoid integer overflow */ |
|
| 28 |
++ return CURLE_OUT_OF_MEMORY; |
|
| 29 |
++ pw = len ? malloc(len * 2) : strdup("");
|
|
| 30 |
+ if(!pw) |
|
| 31 |
+ return CURLE_OUT_OF_MEMORY; |
|
| 32 |
+ |
| 0 | 33 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,123 @@ |
| 0 |
+From c1366571b609407cf0d4d9f4a2769d29e1313151 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Stenberg <daniel@haxx.se> |
|
| 2 |
+Date: Tue, 20 Mar 2018 15:15:14 +0100 |
|
| 3 |
+Subject: [PATCH] vauth/cleartext: fix integer overflow check |
|
| 4 |
+ |
|
| 5 |
+Make the integer overflow check not rely on the undefined behavior that |
|
| 6 |
+a size_t wraps around on overflow. |
|
| 7 |
+ |
|
| 8 |
+Detected by lgtm.com |
|
| 9 |
+Closes #2408 |
|
| 10 |
+--- |
|
| 11 |
+ lib/curl_ntlm_core.c | 11 +---------- |
|
| 12 |
+ lib/curl_setup.h | 9 +++++++++ |
|
| 13 |
+ lib/vauth/cleartext.c | 14 ++++---------- |
|
| 14 |
+ 3 files changed, 14 insertions(+), 20 deletions(-) |
|
| 15 |
+ |
|
| 16 |
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c |
|
| 17 |
+index e8962769ca..72eda34ad1 100644 |
|
| 18 |
+--- a/lib/curl_ntlm_core.c |
|
| 19 |
+@@ -5,7 +5,7 @@ |
|
| 20 |
+ * | (__| |_| | _ <| |___ |
|
| 21 |
+ * \___|\___/|_| \_\_____| |
|
| 22 |
+ * |
|
| 23 |
+- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. |
|
| 24 |
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. |
|
| 25 |
+ * |
|
| 26 |
+ * This software is licensed as described in the file COPYING, which |
|
| 27 |
+ * you should have received as part of this distribution. The terms |
|
| 28 |
+@@ -646,15 +646,6 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, |
|
| 29 |
+ return CURLE_OK; |
|
| 30 |
+ } |
|
| 31 |
+ |
|
| 32 |
+-#ifndef SIZE_T_MAX |
|
| 33 |
+-/* some limits.h headers have this defined, some don't */ |
|
| 34 |
+-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) |
|
| 35 |
+-#define SIZE_T_MAX 18446744073709551615U |
|
| 36 |
+-#else |
|
| 37 |
+-#define SIZE_T_MAX 4294967295U |
|
| 38 |
+-#endif |
|
| 39 |
+-#endif |
|
| 40 |
+- |
|
| 41 |
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode |
|
| 42 |
+ * (uppercase UserName + Domain) as the data |
|
| 43 |
+ */ |
|
| 44 |
+diff --git a/lib/curl_setup.h b/lib/curl_setup.h |
|
| 45 |
+index f128696e9d..e4503c64ca 100644 |
|
| 46 |
+--- a/lib/curl_setup.h |
|
| 47 |
+@@ -447,6 +447,15 @@ |
|
| 48 |
+ # endif |
|
| 49 |
+ #endif |
|
| 50 |
+ |
|
| 51 |
++#ifndef SIZE_T_MAX |
|
| 52 |
++/* some limits.h headers have this defined, some don't */ |
|
| 53 |
++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) |
|
| 54 |
++#define SIZE_T_MAX 18446744073709551615U |
|
| 55 |
++#else |
|
| 56 |
++#define SIZE_T_MAX 4294967295U |
|
| 57 |
++#endif |
|
| 58 |
++#endif |
|
| 59 |
++ |
|
| 60 |
+ /* |
|
| 61 |
+ * Arg 2 type for gethostname in case it hasn't been defined in config file. |
|
| 62 |
+ */ |
|
| 63 |
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c |
|
| 64 |
+index a761ae7846..5d61ce6dc2 100644 |
|
| 65 |
+--- a/lib/vauth/cleartext.c |
|
| 66 |
+@@ -5,7 +5,7 @@ |
|
| 67 |
+ * | (__| |_| | _ <| |___ |
|
| 68 |
+ * \___|\___/|_| \_\_____| |
|
| 69 |
+ * |
|
| 70 |
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. |
|
| 71 |
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. |
|
| 72 |
+ * |
|
| 73 |
+ * This software is licensed as described in the file COPYING, which |
|
| 74 |
+ * you should have received as part of this distribution. The terms |
|
| 75 |
+@@ -73,16 +73,10 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, |
|
| 76 |
+ ulen = strlen(userp); |
|
| 77 |
+ plen = strlen(passwdp); |
|
| 78 |
+ |
|
| 79 |
+- /* Compute binary message length, checking for overflows. */ |
|
| 80 |
+- plainlen = 2 * ulen; |
|
| 81 |
+- if(plainlen < ulen) |
|
| 82 |
+- return CURLE_OUT_OF_MEMORY; |
|
| 83 |
+- plainlen += plen; |
|
| 84 |
+- if(plainlen < plen) |
|
| 85 |
+- return CURLE_OUT_OF_MEMORY; |
|
| 86 |
+- plainlen += 2; |
|
| 87 |
+- if(plainlen < 2) |
|
| 88 |
++ /* Compute binary message length. Check for overflows. */ |
|
| 89 |
++ if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) |
|
| 90 |
+ return CURLE_OUT_OF_MEMORY; |
|
| 91 |
++ plainlen = 2 * ulen + plen + 2; |
|
| 92 |
+ |
|
| 93 |
+ plainauth = malloc(plainlen); |
|
| 94 |
+ if(!plainauth) |
|
| 95 |
+From f3a24d7916b9173c69a3e0ee790102993833d6c5 Mon Sep 17 00:00:00 2001 |
|
| 96 |
+From: Daniel Stenberg <daniel@haxx.se> |
|
| 97 |
+Date: Fri, 28 Sep 2018 16:08:16 +0200 |
|
| 98 |
+Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check |
|
| 99 |
+ |
|
| 100 |
+CVE-2018-16839 |
|
| 101 |
+Reported-by: Harry Sintonen |
|
| 102 |
+Bug: https://curl.haxx.se/docs/CVE-2018-16839.html |
|
| 103 |
+--- |
|
| 104 |
+ lib/vauth/cleartext.c | 2 +- |
|
| 105 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
|
| 106 |
+ |
|
| 107 |
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c |
|
| 108 |
+index a10edbdc74..be6d6111e2 100644 |
|
| 109 |
+--- a/lib/vauth/cleartext.c |
|
| 110 |
+@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, |
|
| 111 |
+ plen = strlen(passwdp); |
|
| 112 |
+ |
|
| 113 |
+ /* Compute binary message length. Check for overflows. */ |
|
| 114 |
+- if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) |
|
| 115 |
++ if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))) |
|
| 116 |
+ return CURLE_OUT_OF_MEMORY; |
|
| 117 |
+ plainlen = 2 * ulen + plen + 2; |
|
| 118 |
+ |
| 0 | 119 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,33 @@ |
| 0 |
+From 81d135d67155c5295b1033679c606165d4e28f3f Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Stenberg <daniel@haxx.se> |
|
| 2 |
+Date: Thu, 18 Oct 2018 15:07:15 +0200 |
|
| 3 |
+Subject: [PATCH] Curl_close: clear data->multi_easy on free to avoid |
|
| 4 |
+ use-after-free |
|
| 5 |
+ |
|
| 6 |
+Regression from b46cfbc068 (7.59.0) |
|
| 7 |
+CVE-2018-16840 |
|
| 8 |
+Reported-by: Brian Carpenter (Geeknik Labs) |
|
| 9 |
+ |
|
| 10 |
+Bug: https://curl.haxx.se/docs/CVE-2018-16840.html |
|
| 11 |
+--- |
|
| 12 |
+ lib/url.c | 4 +++- |
|
| 13 |
+ 1 file changed, 3 insertions(+), 1 deletion(-) |
|
| 14 |
+ |
|
| 15 |
+diff --git a/lib/url.c b/lib/url.c |
|
| 16 |
+index 723b898065..0d5a13f996 100644 |
|
| 17 |
+--- a/lib/url.c |
|
| 18 |
+@@ -331,10 +331,12 @@ CURLcode Curl_close(struct Curl_easy *data) |
|
| 19 |
+ and detach this handle from there. */ |
|
| 20 |
+ curl_multi_remove_handle(data->multi, data); |
|
| 21 |
+ |
|
| 22 |
+- if(data->multi_easy) |
|
| 23 |
++ if(data->multi_easy) {
|
|
| 24 |
+ /* when curl_easy_perform() is used, it creates its own multi handle to |
|
| 25 |
+ use and this is the one */ |
|
| 26 |
+ curl_multi_cleanup(data->multi_easy); |
|
| 27 |
++ data->multi_easy = NULL; |
|
| 28 |
++ } |
|
| 29 |
+ |
|
| 30 |
+ /* Destroy the timeout list that is held in the easy handle. It is |
|
| 31 |
+ /normally/ done by curl_multi_remove_handle() but this is "just in |
| 0 | 32 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,25 @@ |
| 0 |
+From d530e92f59ae9bb2d47066c3c460b25d2ffeb211 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Stenberg <daniel@haxx.se> |
|
| 2 |
+Date: Sun, 28 Oct 2018 01:33:23 +0200 |
|
| 3 |
+Subject: [PATCH] voutf: fix bad arethmetic when outputting warnings to stderr |
|
| 4 |
+ |
|
| 5 |
+CVE-2018-16842 |
|
| 6 |
+Reported-by: Brian Carpenter |
|
| 7 |
+Bug: https://curl.haxx.se/docs/CVE-2018-16842.html |
|
| 8 |
+--- |
|
| 9 |
+ src/tool_msgs.c | 2 +- |
|
| 10 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
|
| 11 |
+ |
|
| 12 |
+diff --git a/src/tool_msgs.c b/src/tool_msgs.c |
|
| 13 |
+index 832ed8147b..f5e1df25fb 100644 |
|
| 14 |
+--- a/src/tool_msgs.c |
|
| 15 |
+@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *config, |
|
| 16 |
+ (void)fwrite(ptr, cut + 1, 1, config->errors); |
|
| 17 |
+ fputs("\n", config->errors);
|
|
| 18 |
+ ptr += cut + 1; /* skip the space too */ |
|
| 19 |
+- len -= cut; |
|
| 20 |
++ len -= cut + 1; |
|
| 21 |
+ } |
|
| 22 |
+ else {
|
|
| 23 |
+ fputs(ptr, config->errors); |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: An URL retrieval utility and library |
| 2 | 2 |
Name: curl |
| 3 | 3 |
Version: 7.59.0 |
| 4 |
-Release: 3%{?dist}
|
|
| 4 |
+Release: 4%{?dist}
|
|
| 5 | 5 |
License: MIT |
| 6 | 6 |
URL: http://curl.haxx.se |
| 7 | 7 |
Group: System Environment/NetworkingLibraries |
| ... | ... |
@@ -12,6 +12,10 @@ Source0: http://curl.haxx.se/download/%{name}-%{version}.tar.gz
|
| 12 | 12 |
Patch0: curl-CVE-2018-1000300.patch |
| 13 | 13 |
Patch1: curl-CVE-2018-1000301.patch |
| 14 | 14 |
Patch2: curl-CVE-2018-0500.patch |
| 15 |
+Patch3: curl-CVE-2018-16839.patch |
|
| 16 |
+Patch4: curl-CVE-2018-16840.patch |
|
| 17 |
+Patch5: curl-CVE-2018-16842.patch |
|
| 18 |
+Patch6: curl-CVE-2018-14618.patch |
|
| 15 | 19 |
BuildRequires: ca-certificates |
| 16 | 20 |
BuildRequires: openssl-devel |
| 17 | 21 |
BuildRequires: krb5-devel |
| ... | ... |
@@ -22,10 +26,10 @@ Requires: krb5 |
| 22 | 22 |
Requires: libssh2 |
| 23 | 23 |
Requires: curl-libs = %{version}-%{release}
|
| 24 | 24 |
%description |
| 25 |
-The cURL package contains an utility and a library used for |
|
| 26 |
-transferring files with URL syntax to any of the following |
|
| 27 |
-protocols: FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, |
|
| 28 |
-DICT, LDAP, LDAPS and FILE. Its ability to both download and |
|
| 25 |
+The cURL package contains an utility and a library used for |
|
| 26 |
+transferring files with URL syntax to any of the following |
|
| 27 |
+protocols: FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, |
|
| 28 |
+DICT, LDAP, LDAPS and FILE. Its ability to both download and |
|
| 29 | 29 |
upload files can be incorporated into other programs to support |
| 30 | 30 |
functions like streaming media. |
| 31 | 31 |
|
| ... | ... |
@@ -47,6 +51,11 @@ This package contains minimal set of shared curl libraries. |
| 47 | 47 |
%patch0 -p1 |
| 48 | 48 |
%patch1 -p1 |
| 49 | 49 |
%patch2 -p1 |
| 50 |
+%patch3 -p1 |
|
| 51 |
+%patch4 -p1 |
|
| 52 |
+%patch5 -p1 |
|
| 53 |
+%patch6 -p1 |
|
| 54 |
+ |
|
| 50 | 55 |
%build |
| 51 | 56 |
./configure \ |
| 52 | 57 |
CFLAGS="%{optflags}" \
|
| ... | ... |
@@ -62,6 +71,7 @@ This package contains minimal set of shared curl libraries. |
| 62 | 62 |
--with-libssh2 \ |
| 63 | 63 |
--with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt |
| 64 | 64 |
make %{?_smp_mflags}
|
| 65 |
+ |
|
| 65 | 66 |
%install |
| 66 | 67 |
[ %{buildroot} != "/"] && rm -rf %{buildroot}/*
|
| 67 | 68 |
make DESTDIR=%{buildroot} install
|
| ... | ... |
@@ -73,9 +83,12 @@ find %{buildroot}/%{_libdir} -name '*.la' -delete
|
| 73 | 73 |
make %{?_smp_mflags} check
|
| 74 | 74 |
|
| 75 | 75 |
%post -p /sbin/ldconfig |
| 76 |
+ |
|
| 76 | 77 |
%postun -p /sbin/ldconfig |
| 78 |
+ |
|
| 77 | 79 |
%clean |
| 78 | 80 |
rm -rf %{buildroot}/*
|
| 81 |
+ |
|
| 79 | 82 |
%files |
| 80 | 83 |
%defattr(-,root,root) |
| 81 | 84 |
%{_bindir}/*
|
| ... | ... |
@@ -94,6 +107,8 @@ rm -rf %{buildroot}/*
|
| 94 | 94 |
%{_libdir}/libcurl.so.*
|
| 95 | 95 |
|
| 96 | 96 |
%changelog |
| 97 |
+* Tue Jan 29 2019 Dweep Advani <dadvani@vmware.com> 7.59.0-4 |
|
| 98 |
+- Fix for CVE-2018-16839, CVE-2018-16840, CVE-2018-16842 and CVE-2018-14618 |
|
| 97 | 99 |
* Tue Sep 18 2018 Keerthana K <keerthanak@vmware.com> 7.59.0-3 |
| 98 | 100 |
- Fix for CVE-2018-0500 |
| 99 | 101 |
* Thu Jul 05 2018 Keerthana K <keerthanak@vmware.com> 7.59.0-2 |
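Review bot: The new `Patch3`..`Patch6` lines and the matching `%patch3 -p1` .. `%patch6 -p1` run carry an ordering dependency that nothing in the spec records. Patch6 (CVE-2018-14618) adds `if(len > SIZE_T_MAX/2)` in the `Curl_ntlm_core_mk_nt_hash` hunk at line 557 of `lib/curl_ntlm_core.c`, but in 7.59.0 the `SIZE_T_MAX` fallback is defined in that same file only at line 646, after the use, and its own comment says not every `limits.h` provides the macro; Patch3 therefore bundles upstream c1366571b609407cf0d4d9f4a2769d29e1313151, which moves the definition into `lib/curl_setup.h`, so Patch6 presumably only compiles because Patch3 is applied first. Suggest documenting this next to the patch declaration, e.g. `# Patch3 also carries upstream c1366571 (moves SIZE_T_MAX into curl_setup.h); Patch6 depends on it`, so that a later reorder or removal of Patch3 does not silently break the build.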