
Fix for CVE-2018-16890 in curl

Change-Id: I5119850c7c991428e0392eaad240425ce23341e1
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6881
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Tested-by: Anish Swaminathan <anishs@vmware.com>

suezzelur authored on 2019/03/15 08:59:21
Showing 2 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1,39 @@
0
+From b780b30d1377adb10bbe774835f49e9b237fb9bb Mon Sep 17 00:00:00 2001
1
+From: Daniel Stenberg <daniel@haxx.se>
2
+Date: Wed, 2 Jan 2019 20:33:08 +0100
3
+Subject: [PATCH] NTLM: fix size check condition for type2 received data
4
+
5
+Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
6
+Reported-by: Wenxiang Qian
7
+CVE-2018-16890
8
+---
9
+ lib/vauth/ntlm.c | 7 ++++---
10
+ 1 file changed, 4 insertions(+), 3 deletions(-)
11
+
12
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
13
+index c3d55ed251..0ad4d972e3 100644
14
+--- a/lib/vauth/ntlm.c
15
+@@ -5,7 +5,7 @@
16
+  *                            | (__| |_| |  _ <| |___
17
+  *                             \___|\___/|_| \_\_____|
18
+  *
19
+- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
20
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
21
+  *
22
+  * This software is licensed as described in the file COPYING, which
23
+  * you should have received as part of this distribution. The terms
24
+@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
25
+     target_info_len = Curl_read16_le(&buffer[40]);
26
+     target_info_offset = Curl_read32_le(&buffer[44]);
27
+     if(target_info_len > 0) {
28
+-      if(((target_info_offset + target_info_len) > size) ||
29
++      if((target_info_offset >= size) ||
30
++         ((target_info_offset + target_info_len) > size) ||
31
+          (target_info_offset < 48)) {
32
+         infof(data, "NTLM handshake failure (bad type-2 message). "
33
+-                    "Target Info Offset Len is set incorrect by the peer\n");
34
++              "Target Info Offset Len is set incorrect by the peer\n");
35
+         return CURLE_BAD_CONTENT_ENCODING;
36
+       }
37
+ 
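Review bot: The `+++ b/lib/vauth/ntlm.c` file header is absent from the embedded patch between `+--- a/lib/vauth/ntlm.c` (gutter 14) and `+@@ -5,7 +5,7 @@` (gutter 15); a unified diff needs both header lines, and without the `+++` line `patch -p1` does not recognise the hunks, so `%patch9` would fail at build time. The hunk header `@@ -0,0 +1,39 @@` promises 39 lines while the rendered section numbers only 38 (0–37), which suggests the line was dropped by the page renderer rather than by the commit, but please confirm the committed file contains `+++ b/lib/vauth/ntlm.c` directly after the `---` line. The first hunk of the backported patch is cosmetic (`1998 - 2017` → `1998 - 2019` in the copyright line); curl 7.59.0 was released in 2018 and if its ntlm.c carries a different year on that line the hunk will not apply, so dropping that hunk from the backport and keeping only the `ntlm_decode_type2_target` hunk removes the risk at no cost. The functional change matches upstream b780b30d: the new `target_info_offset >= size` test runs before the `(target_info_offset + target_info_len) > size` sum, so — assuming the 32-bit offset and 16-bit length the `Curl_read32_le`/`Curl_read16_le` readers imply — an offset near `UINT_MAX` can no longer wrap that sum below `size`; the enclosing function starts and ends outside this hunk.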
... ...
@@ -1,7 +1,7 @@
1 1
 Summary:        An URL retrieval utility and library
2 2
 Name:           curl
3 3
 Version:        7.59.0
4
-Release:        6%{?dist}
4
+Release:        7%{?dist}
5 5
 License:        MIT
6 6
 URL:            http://curl.haxx.se
7 7
 Group:          System Environment/NetworkingLibraries
... ...
@@ -18,6 +18,7 @@ Patch5:         curl-CVE-2018-16842.patch
18 18
 Patch6:         curl-CVE-2018-14618.patch
19 19
 Patch7:         curl-CVE-2019-3822.patch
20 20
 Patch8:         curl-CVE-2019-3823.patch
21
+Patch9:         curl-CVE-2018-16890.patch
21 22
 Requires:       ca-certificates
22 23
 BuildRequires:  ca-certificates
23 24
 Requires:       openssl
... ...
@@ -45,6 +46,7 @@ sed -i '/--static-libs)/{N;s#echo .*#echo #;}' curl-config.in
45 45
 %patch6 -p1
46 46
 %patch7 -p1
47 47
 %patch8 -p1
48
+%patch9 -p1
48 49
 
49 50
 %build
50 51
 ./configure \
... ...
@@ -90,6 +92,8 @@ rm -rf %{buildroot}/*
90 90
 %{_docdir}/%{name}-%{version}
91 91
 
92 92
 %changelog
93
+*   Thu Mar 14 2019 Anish Swaminathan <anishs@vmware.com> 7.59.0-7
94
+-   Patch for CVE-2018-16890
93 95
 *   Thu Feb 14 2019 Dweep Advani <dadvani@vmware.com> 7.59.0-6
94 96
 -   Fixed CVE-2019-3822 and CVE-2019-3823
95 97
 *   Wed Jan 30 2019 Dweep Advani <dadvani@vmware.com> 7.59.0-5