Fix for the following CVEs:
1. curl-CVE-2018-1000300
2. curl-CVE-2018-1000301
Change-Id: Iebb08dc8d8bab2083e79aeddecba4758b738b034
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5324
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,39 @@ |
| 0 |
+From 583b42cb3b809b1bf597af160468ccba728c2248 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Stenberg <daniel@haxx.se> |
|
| 2 |
+Date: Fri, 23 Mar 2018 23:30:04 +0100 |
|
| 3 |
+Subject: [PATCH] pingpong: fix response cache memcpy overflow |
|
| 4 |
+ |
|
| 5 |
+Response data for a handle with a large buffer might be cached and then |
|
| 6 |
+used with the "closure" handle when it has a smaller buffer and then the |
|
| 7 |
+larger cache will be copied and overflow the new smaller heap based |
|
| 8 |
+buffer. |
|
| 9 |
+ |
|
| 10 |
+Reported-by: Dario Weisser |
|
| 11 |
+CVE: CVE-2018-1000300 |
|
| 12 |
+Bug: https://curl.haxx.se/docs/adv_2018-82c2.html |
|
| 13 |
+--- |
|
| 14 |
+ lib/pingpong.c | 5 ++++- |
|
| 15 |
+ 1 file changed, 4 insertions(+), 1 deletion(-) |
|
| 16 |
+ |
|
| 17 |
+diff --git a/lib/pingpong.c b/lib/pingpong.c |
|
| 18 |
+index 438856a99..ad370ee82 100644 |
|
| 19 |
+--- a/lib/pingpong.c |
|
| 20 |
+@@ -302,11 +302,14 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd, |
|
| 21 |
+ * |
|
| 22 |
+ * pp->cache_size is cast to ssize_t here. This should be safe, because |
|
| 23 |
+ * it would have been populated with something of size int to begin |
|
| 24 |
+ * with, even though its datatype may be larger than an int. |
|
| 25 |
+ */ |
|
| 26 |
+- DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1)); |
|
| 27 |
++ if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) {
|
|
| 28 |
++ failf(data, "cached response data too big to handle"); |
|
| 29 |
++ return CURLE_RECV_ERROR; |
|
| 30 |
++ } |
|
| 31 |
+ memcpy(ptr, pp->cache, pp->cache_size); |
|
| 32 |
+ gotbytes = (ssize_t)pp->cache_size; |
|
| 33 |
+ free(pp->cache); /* free the cache */ |
|
| 34 |
+ pp->cache = NULL; /* clear the pointer */ |
|
| 35 |
+ pp->cache_size = 0; /* zero the size just in case */ |
|
| 36 |
+-- |
|
| 37 |
+2.17.0 |
| 0 | 38 |
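Review bot: The added guard at new-file line 27, `if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1))`, forms `ptr + pp->cache_size` before testing it, and in exactly the case it is meant to reject that sum is already a pointer past the end of the buffer, which C leaves undefined and an optimiser may reason about freely; comparing lengths instead, `if(pp->cache_size > (size_t)((buf + data->set.buffer_size + 1) - ptr))`, keeps the arithmetic inside the buffer (this assumes `ptr` points into `buf` and that `buf` really holds `buffer_size + 1` bytes, neither of which is visible in the hunk). Rejecting the oversized cache with `CURLE_RECV_ERROR` rather than the old `DEBUGASSERT` is the right shape of fix, and `Curl_pp_readresp` continues outside the hunk on both sides. Separately, the rendered section shows `--- a/lib/pingpong.c` followed directly by the `@@` header with no `+++ b/lib/pingpong.c` line, and the second patch shows the same gap after `--- a/lib/http.c`; the 39-line hunk count against 38 rendered lines suggests the page dropped it rather than the file lacking it, but it is worth confirming both patches apply under `%patch0 -p1` / `%patch1 -p1` in the spec's `%prep`.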
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,51 @@ |
| 0 |
+From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Stenberg <daniel@haxx.se> |
|
| 2 |
+Date: Sat, 24 Mar 2018 23:47:41 +0100 |
|
| 3 |
+Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed |
|
| 4 |
+ |
|
| 5 |
+... leaving the k->str could lead to buffer over-reads later on. |
|
| 6 |
+ |
|
| 7 |
+CVE: CVE-2018-1000301 |
|
| 8 |
+Assisted-by: Max Dymond |
|
| 9 |
+ |
|
| 10 |
+Detected by OSS-Fuzz. |
|
| 11 |
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html |
|
| 12 |
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 |
|
| 13 |
+--- |
|
| 14 |
+ lib/http.c | 6 +++++- |
|
| 15 |
+ 1 file changed, 5 insertions(+), 1 deletion(-) |
|
| 16 |
+ |
|
| 17 |
+diff --git a/lib/http.c b/lib/http.c |
|
| 18 |
+index 1a313b4fb..e080ae513 100644 |
|
| 19 |
+--- a/lib/http.c |
|
| 20 |
+@@ -3012,10 +3012,12 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, |
|
| 21 |
+ ssize_t *nread, |
|
| 22 |
+ bool *stop_reading) |
|
| 23 |
+ {
|
|
| 24 |
+ CURLcode result; |
|
| 25 |
+ struct SingleRequest *k = &data->req; |
|
| 26 |
++ ssize_t onread = *nread; |
|
| 27 |
++ char *ostr = k->str; |
|
| 28 |
+ |
|
| 29 |
+ /* header line within buffer loop */ |
|
| 30 |
+ do {
|
|
| 31 |
+ size_t rest_length; |
|
| 32 |
+ size_t full_length; |
|
| 33 |
+@@ -3076,11 +3078,13 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, |
|
| 34 |
+ /* since there's more, this is a partial bad header */ |
|
| 35 |
+ k->badheader = HEADER_PARTHEADER; |
|
| 36 |
+ else {
|
|
| 37 |
+ /* this was all we read so it's all a bad header */ |
|
| 38 |
+ k->badheader = HEADER_ALLBAD; |
|
| 39 |
+- *nread = (ssize_t)rest_length; |
|
| 40 |
++ *nread = onread; |
|
| 41 |
++ k->str = ostr; |
|
| 42 |
++ return CURLE_OK; |
|
| 43 |
+ } |
|
| 44 |
+ break; |
|
| 45 |
+ } |
|
| 46 |
+ } |
|
| 47 |
+ |
|
| 48 |
+-- |
|
| 49 |
+2.17.0 |
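Review bot: The new `onread`/`ostr` snapshots at new-file lines 26-27 are taken at function entry but restored at lines 40-41 from inside the `do` loop, so if that `HEADER_ALLBAD` branch can be reached after earlier iterations have already consumed complete header lines, the rewind would hand those lines back to the caller a second time; the subject says this is about a bad response-line, which suggests the branch is only hit on the first header line, but the condition guarding it is not in the hunk, so please confirm. The two declarations would also benefit from a why-comment, e.g. `/* entry state, restored when the response-line is unusable so the caller sees the data untouched */`, since the restore sits roughly fifty lines away from the save. `Curl_http_readwrite_headers` starts before the first hunk and continues after the second.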
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: An URL retrieval utility and library |
| 2 | 2 |
Name: curl |
| 3 | 3 |
Version: 7.59.0 |
| 4 |
-Release: 1%{?dist}
|
|
| 4 |
+Release: 2%{?dist}
|
|
| 5 | 5 |
License: MIT |
| 6 | 6 |
URL: http://curl.haxx.se |
| 7 | 7 |
Group: System Environment/NetworkingLibraries |
| ... | ... |
@@ -9,6 +9,8 @@ Vendor: VMware, Inc. |
| 9 | 9 |
Distribution: Photon |
| 10 | 10 |
Source0: http://curl.haxx.se/download/%{name}-%{version}.tar.gz
|
| 11 | 11 |
%define sha1 curl=1a9bd7e201e645207b23a4b4dc38a32cc494a638 |
| 12 |
+Patch0: curl-CVE-2018-1000300.patch |
|
| 13 |
+Patch1: curl-CVE-2018-1000301.patch |
|
| 12 | 14 |
Requires: ca-certificates |
| 13 | 15 |
BuildRequires: ca-certificates |
| 14 | 16 |
Requires: openssl |
| ... | ... |
@@ -25,6 +27,8 @@ functions like streaming media. |
| 25 | 25 |
%prep |
| 26 | 26 |
%setup -q |
| 27 | 27 |
sed -i '/--static-libs)/{N;s#echo .*#echo #;}' curl-config.in
|
| 28 |
+%patch0 -p1 |
|
| 29 |
+%patch1 -p1 |
|
| 28 | 30 |
%build |
| 29 | 31 |
./configure \ |
| 30 | 32 |
CFLAGS="%{optflags}" \
|
| ... | ... |
@@ -63,6 +67,8 @@ rm -rf %{buildroot}/*
|
| 63 | 63 |
%{_datarootdir}/aclocal/libcurl.m4
|
| 64 | 64 |
%{_docdir}/%{name}-%{version}
|
| 65 | 65 |
%changelog |
| 66 |
+* Thu Jul 05 2018 Keerthana K <keerthanak@vmware.com> 7.59.0-2 |
|
| 67 |
+- Fix for CVE-2018-1000300, CVE-2018-1000301. |
|
| 66 | 68 |
* Wed Apr 04 2018 Dheeraj Shetty <dheerajs@vmware.com> 7.59.0-1 |
| 67 | 69 |
- Update to version 7.59.0 |
| 68 | 70 |
* Mon Feb 12 2018 Xiaolin Li <xiaolinl@vmware.com> 7.58.0-1 |