Fix for the following CVEs
1. CVE-2018-1000300
2. CVE-2018-1000301
Change-Id: Idb05d9c35074525a0ec8f8581440304536236fd0
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5323
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
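--- /dev/null
+++ b/curl-CVE-2018-1000300.patch
@@ -0,0 +1,39 @@
+From 583b42cb3b809b1bf597af160468ccba728c2248 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 23 Mar 2018 23:30:04 +0100
+Subject: [PATCH] pingpong: fix response cache memcpy overflow
+
+Response data for a handle with a large buffer might be cached and then
+used with the "closure" handle when it has a smaller buffer and then the
+larger cache will be copied and overflow the new smaller heap based
+buffer.
+
+Reported-by: Dario Weisser
+CVE: CVE-2018-1000300
+Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
+---
+ lib/pingpong.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/pingpong.c b/lib/pingpong.c
+index 438856a99..ad370ee82 100644
+--- a/lib/pingpong.c
+@@ -302,11 +302,14 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
+ *
+ * pp->cache_size is cast to ssize_t here. This should be safe, because
+ * it would have been populated with something of size int to begin
+ * with, even though its datatype may be larger than an int.
+ */
+- DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1));
++ if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) {
++ failf(data, "cached response data too big to handle");
++ return CURLE_RECV_ERROR;
++ }
+ memcpy(ptr, pp->cache, pp->cache_size);
+ gotbytes = (ssize_t)pp->cache_size;
+ free(pp->cache); /* free the cache */
+ pp->cache = NULL; /* clear the pointer */
+ pp->cache_size = 0; /* zero the size just in case */
+--
+2.17.0
+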
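Review bot: The new bounds check `if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1))` forms `ptr + pp->cache_size` before comparing, and in precisely the overflow case it is meant to reject that sum points beyond the end of `buf`, which is undefined pointer arithmetic in C and a form an optimiser is entitled to fold away. Comparing sizes keeps the check well-defined: `if(pp->cache_size > (size_t)((buf + data->set.buffer_size + 1) - ptr)) {`, assuming `ptr` points into `buf` as the replaced DEBUGASSERT already presumed. Since this file is a verbatim upstream commit, that rewrite is better sent upstream than carried as a Photon-only divergence. `Curl_pp_readresp` begins and ends outside this hunk, and as rendered the embedded diff has `--- a/lib/pingpong.c` with no matching `+++ b/lib/pingpong.c` line (the 39-line count leaves no room for one); if the committed file really lacks it, confirm that `%patch0 -p1` in the spec still applies it cleanly.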
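--- /dev/null
+++ b/curl-CVE-2018-1000301.patch
@@ -0,0 +1,51 @@
+From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+
+CVE: CVE-2018-1000301
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+---
+ lib/http.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 1a313b4fb..e080ae513 100644
+--- a/lib/http.c
+@@ -3012,10 +3012,12 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ ssize_t *nread,
+ bool *stop_reading)
+ {
+ CURLcode result;
+ struct SingleRequest *k = &data->req;
++ ssize_t onread = *nread;
++ char *ostr = k->str;
+
+ /* header line within buffer loop */
+ do {
+ size_t rest_length;
+ size_t full_length;
+@@ -3076,11 +3078,13 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ /* since there's more, this is a partial bad header */
+ k->badheader = HEADER_PARTHEADER;
+ else {
+ /* this was all we read so it's all a bad header */
+ k->badheader = HEADER_ALLBAD;
+- *nread = (ssize_t)rest_length;
++ *nread = onread;
++ k->str = ostr;
++ return CURLE_OK;
+ }
+ break;
+ }
+ }
+
+--
+2.17.0
+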
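Review bot: The two new locals `ssize_t onread = *nread;` and `char *ostr = k->str;` are declared without saying why they exist, and their only use is roughly 60 lines further down in the second hunk, so a reader of the first hunk cannot tell they are snapshots taken for the bad-header path. I would annotate them: `/* entry values, restored on the HEADER_ALLBAD path below so the caller gets the whole untouched buffer back */`. The restore in the second hunk is immediately followed by `return CURLE_OK;`, which also skips whatever `Curl_http_readwrite_headers` does after the `do` loop; that code lies outside the hunk, so confirm nothing there must still run once `k->badheader` is set to HEADER_ALLBAD. As rendered, this embedded diff likewise has `--- a/lib/http.c` with no `+++ b/lib/http.c` line, and its 51-line count leaves no room for one; verify that `%patch1 -p1` applies the file as committed.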
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: An URL retrieval utility and library |
| 2 | 2 |
Name: curl |
| 3 | 3 |
Version: 7.59.0 |
| 4 |
-Release: 1%{?dist}
|
|
| 4 |
+Release: 2%{?dist}
|
|
| 5 | 5 |
License: MIT |
| 6 | 6 |
URL: http://curl.haxx.se |
| 7 | 7 |
Group: System Environment/NetworkingLibraries |
| ... | ... |
@@ -9,6 +9,8 @@ Vendor: VMware, Inc. |
| 9 | 9 |
Distribution: Photon |
| 10 | 10 |
Source0: http://curl.haxx.se/download/%{name}-%{version}.tar.gz
|
| 11 | 11 |
%define sha1 curl=1a9bd7e201e645207b23a4b4dc38a32cc494a638 |
| 12 |
+Patch0: curl-CVE-2018-1000300.patch |
|
| 13 |
+Patch1: curl-CVE-2018-1000301.patch |
|
| 12 | 14 |
BuildRequires: ca-certificates |
| 13 | 15 |
BuildRequires: openssl-devel |
| 14 | 16 |
BuildRequires: krb5-devel |
| ... | ... |
@@ -41,6 +43,8 @@ This package contains minimal set of shared curl libraries. |
| 41 | 41 |
|
| 42 | 42 |
%prep |
| 43 | 43 |
%setup -q |
| 44 |
+%patch0 -p1 |
|
| 45 |
+%patch1 -p1 |
|
| 44 | 46 |
%build |
| 45 | 47 |
./configure \ |
| 46 | 48 |
CFLAGS="%{optflags}" \
|
| ... | ... |
@@ -88,6 +92,8 @@ rm -rf %{buildroot}/*
|
| 88 | 88 |
%{_libdir}/libcurl.so.*
|
| 89 | 89 |
|
| 90 | 90 |
%changelog |
| 91 |
+* Thu Jul 05 2018 Keerthana K <keerthanak@vmware.com> 7.59.0-2 |
|
| 92 |
+- Fix for CVE-2018-1000300, CVE-2018-1000301. |
|
| 91 | 93 |
* Wed Apr 04 2018 Dheeraj Shetty <dheerajs@vmware.com> 7.59.0-1 |
| 92 | 94 |
- Update to version 7.59.0 |
| 93 | 95 |
* Thu Feb 08 2018 Xiaolin Li <xiaolinl@vmware.com> 7.58.0-1 |