
curl: Fix for CVE-2018-14618 and CVE-2018-16839

Patched for multiple vulnerabilities -

1) CVE-2018-16839
- Integer overflow causing heap-based buffer overflow

2) CVE-2018-14618
- Buffer overrun in NTLM authentication

Change-Id: Ie9ff120651913ba640fe503331e024882c504562
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6624
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>

dweepadvani authored on 2019/01/31 02:27:33
Showing 3 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1,34 @@
0
+From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001
1
+From: Daniel Stenberg <daniel@haxx.se>
2
+Date: Mon, 13 Aug 2018 10:35:52 +0200
3
+Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password
4
+
5
+... since it would cause an integer overflow if longer than (max size_t
6
+/ 2).
7
+
8
+This is CVE-2018-14618
9
+
10
+Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
11
+Closes #2756
12
+Reported-by: Zhaoyang Wu
13
+---
14
+ lib/curl_ntlm_core.c | 5 ++++-
15
+ 1 file changed, 4 insertions(+), 1 deletion(-)
16
+
17
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
18
+index e27cab353c..922e85a926 100644
19
+--- a/lib/curl_ntlm_core.c
20
+@@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data,
21
+                                    unsigned char *ntbuffer /* 21 bytes */)
22
+ {
23
+   size_t len = strlen(password);
24
+-  unsigned char *pw = len ? malloc(len * 2) : strdup("");
25
++  unsigned char *pw;
26
+   CURLcode result;
27
++  if(len > SIZE_T_MAX/2) /* avoid integer overflow */
28
++    return CURLE_OUT_OF_MEMORY;
29
++  pw = len ? malloc(len * 2) : strdup("");
30
+   if(!pw)
31
+     return CURLE_OUT_OF_MEMORY;
32
+ 
0 33
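Review bot: The new check `if(len > SIZE_T_MAX/2) /* avoid integer overflow */` at patch line 27 uses SIZE_T_MAX inside Curl_ntlm_core_mk_nt_hash at lib/curl_ntlm_core.c:557, but in the 7.59.0 tree the only definition of that macro in this file is the `#ifndef SIZE_T_MAX` block that sits after Curl_hmac_md5 (around line 649, the block removed by the second patch file), so on toolchains whose limits.h does not supply SIZE_T_MAX this hunk compiles only because curl-CVE-2018-16839.patch bundles upstream c1366571b609407cf0d4d9f4a2769d29e1313151, which moves the macro into lib/curl_setup.h, and the spec applies that file as Patch3 before this one as Patch6. That ordering dependency is not recorded in either patch header or in the spec, so dropping or reordering Patch3 later would break the build rather than merely lose a fix. I would add a line to this patch's header, e.g. `Depends on upstream c1366571b6 (SIZE_T_MAX moved to lib/curl_setup.h), carried in curl-CVE-2018-16839.patch; apply that patch first`, and the matching one-line comment next to the `Patch6:` entry in the spec. The body of Curl_ntlm_core_mk_nt_hash continues beyond the end of this hunk, so the later uses of `pw` and `len` are not visible here.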
new file mode 100644
... ...
@@ -0,0 +1,123 @@
0
+From c1366571b609407cf0d4d9f4a2769d29e1313151 Mon Sep 17 00:00:00 2001
1
+From: Daniel Stenberg <daniel@haxx.se>
2
+Date: Tue, 20 Mar 2018 15:15:14 +0100
3
+Subject: [PATCH] vauth/cleartext: fix integer overflow check
4
+
5
+Make the integer overflow check not rely on the undefined behavior that
6
+a size_t wraps around on overflow.
7
+
8
+Detected by lgtm.com
9
+Closes #2408
10
+---
11
+ lib/curl_ntlm_core.c  | 11 +----------
12
+ lib/curl_setup.h      |  9 +++++++++
13
+ lib/vauth/cleartext.c | 14 ++++----------
14
+ 3 files changed, 14 insertions(+), 20 deletions(-)
15
+
16
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
17
+index e8962769ca..72eda34ad1 100644
18
+--- a/lib/curl_ntlm_core.c
19
+@@ -5,7 +5,7 @@
20
+  *                            | (__| |_| |  _ <| |___
21
+  *                             \___|\___/|_| \_\_____|
22
+  *
23
+- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
24
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
25
+  *
26
+  * This software is licensed as described in the file COPYING, which
27
+  * you should have received as part of this distribution. The terms
28
+@@ -646,15 +646,6 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
29
+   return CURLE_OK;
30
+ }
31
+ 
32
+-#ifndef SIZE_T_MAX
33
+-/* some limits.h headers have this defined, some don't */
34
+-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
35
+-#define SIZE_T_MAX 18446744073709551615U
36
+-#else
37
+-#define SIZE_T_MAX 4294967295U
38
+-#endif
39
+-#endif
40
+-
41
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
42
+  * (uppercase UserName + Domain) as the data
43
+  */
44
+diff --git a/lib/curl_setup.h b/lib/curl_setup.h
45
+index f128696e9d..e4503c64ca 100644
46
+--- a/lib/curl_setup.h
47
+@@ -447,6 +447,15 @@
48
+ #  endif
49
+ #endif
50
+ 
51
++#ifndef SIZE_T_MAX
52
++/* some limits.h headers have this defined, some don't */
53
++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
54
++#define SIZE_T_MAX 18446744073709551615U
55
++#else
56
++#define SIZE_T_MAX 4294967295U
57
++#endif
58
++#endif
59
++
60
+ /*
61
+  * Arg 2 type for gethostname in case it hasn't been defined in config file.
62
+  */
63
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
64
+index a761ae7846..5d61ce6dc2 100644
65
+--- a/lib/vauth/cleartext.c
66
+@@ -5,7 +5,7 @@
67
+  *                            | (__| |_| |  _ <| |___
68
+  *                             \___|\___/|_| \_\_____|
69
+  *
70
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
71
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
72
+  *
73
+  * This software is licensed as described in the file COPYING, which
74
+  * you should have received as part of this distribution. The terms
75
+@@ -73,16 +73,10 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
76
+   ulen = strlen(userp);
77
+   plen = strlen(passwdp);
78
+ 
79
+-  /* Compute binary message length, checking for overflows. */
80
+-  plainlen = 2 * ulen;
81
+-  if(plainlen < ulen)
82
+-    return CURLE_OUT_OF_MEMORY;
83
+-  plainlen += plen;
84
+-  if(plainlen < plen)
85
+-    return CURLE_OUT_OF_MEMORY;
86
+-  plainlen += 2;
87
+-  if(plainlen < 2)
88
++  /* Compute binary message length. Check for overflows. */
89
++  if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
90
+     return CURLE_OUT_OF_MEMORY;
91
++  plainlen = 2 * ulen + plen + 2;
92
+ 
93
+   plainauth = malloc(plainlen);
94
+   if(!plainauth)
95
+From f3a24d7916b9173c69a3e0ee790102993833d6c5 Mon Sep 17 00:00:00 2001
96
+From: Daniel Stenberg <daniel@haxx.se>
97
+Date: Fri, 28 Sep 2018 16:08:16 +0200
98
+Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check
99
+
100
+CVE-2018-16839
101
+Reported-by: Harry Sintonen
102
+Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
103
+---
104
+ lib/vauth/cleartext.c | 2 +-
105
+ 1 file changed, 1 insertion(+), 1 deletion(-)
106
+
107
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
108
+index a10edbdc74..be6d6111e2 100644
109
+--- a/lib/vauth/cleartext.c
110
+@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
111
+   plen = strlen(passwdp);
112
+ 
113
+   /* Compute binary message length. Check for overflows. */
114
+-  if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
115
++  if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
116
+     return CURLE_OUT_OF_MEMORY;
117
+   plainlen = 2 * ulen + plen + 2;
118
+ 
... ...
@@ -1,7 +1,7 @@
1 1
 Summary:        An URL retrieval utility and library
2 2
 Name:           curl
3 3
 Version:        7.59.0
4
-Release:        4%{?dist}
4
+Release:        5%{?dist}
5 5
 License:        MIT
6 6
 URL:            http://curl.haxx.se
7 7
 Group:          System Environment/NetworkingLibraries
... ...
@@ -12,14 +12,17 @@ Source0:        http://curl.haxx.se/download/%{name}-%{version}.tar.gz
12 12
 Patch0:         curl-CVE-2018-1000300.patch
13 13
 Patch1:         curl-CVE-2018-1000301.patch
14 14
 Patch2:         curl-CVE-2018-0500.patch
15
-Patch3:		curl-CVE-2018-16840.patch
16
-Patch4:		curl-CVE-2018-16842.patch
15
+Patch3:         curl-CVE-2018-16839.patch
16
+Patch4:         curl-CVE-2018-16840.patch
17
+Patch5:         curl-CVE-2018-16842.patch
18
+Patch6:         curl-CVE-2018-14618.patch
17 19
 Requires:       ca-certificates
18 20
 BuildRequires:  ca-certificates
19 21
 Requires:       openssl
20 22
 BuildRequires:  openssl-devel
21 23
 Requires:       libssh2
22 24
 BuildRequires:  libssh2-devel
25
+
23 26
 %description
24 27
 The cURL package contains an utility and a library used for 
25 28
 transferring files with URL syntax to any of the following 
... ...
@@ -27,6 +30,7 @@ protocols: FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET,
27 27
 DICT, LDAP, LDAPS and FILE. Its ability to both download and 
28 28
 upload files can be incorporated into other programs to support
29 29
 functions like streaming media.
30
+
30 31
 %prep
31 32
 %setup -q
32 33
 sed -i '/--static-libs)/{N;s#echo .*#echo #;}' curl-config.in
... ...
@@ -35,6 +39,9 @@ sed -i '/--static-libs)/{N;s#echo .*#echo #;}' curl-config.in
35 35
 %patch2 -p1
36 36
 %patch3 -p1
37 37
 %patch4 -p1
38
+%patch5 -p1
39
+%patch6 -p1
40
+
38 41
 %build
39 42
 ./configure \
40 43
     CFLAGS="%{optflags}" \
... ...
@@ -49,6 +56,7 @@ sed -i '/--static-libs)/{N;s#echo .*#echo #;}' curl-config.in
49 49
     --with-libssh2 \
50 50
     --with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt
51 51
 make %{?_smp_mflags}
52
+
52 53
 %install
53 54
 [ %{buildroot} != "/"] && rm -rf %{buildroot}/*
54 55
 make DESTDIR=%{buildroot} install
... ...
@@ -57,10 +65,14 @@ find %{buildroot}/%{_libdir} -name '*.la' -delete
57 57
 %{_fixperms} %{buildroot}/*
58 58
 %check
59 59
 make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}
60
+
60 61
 %post   -p /sbin/ldconfig
62
+
61 63
 %postun -p /sbin/ldconfig
64
+
62 65
 %clean
63 66
 rm -rf %{buildroot}/*
67
+
64 68
 %files
65 69
 %defattr(-,root,root)
66 70
 %{_bindir}/*
... ...
@@ -72,7 +84,10 @@ rm -rf %{buildroot}/*
72 72
 
73 73
 %{_datarootdir}/aclocal/libcurl.m4
74 74
 %{_docdir}/%{name}-%{version}
75
+
75 76
 %changelog
77
+*   Wed Jan 30 2019 Dweep Advani <dadvani@vmware.com> 7.59.0-5
78
+-   Fixed CVE-2018-14618 and CVE-2018-16839
76 79
 *   Thu Jan 03 2019 Siju Maliakkal <smaliakkal@vmware.com> 7.59.0-4
77 80
 -   Apply patches for CVE-2018-16840, CVE-2018-16842
78 81
 *   Tue Sep 18 2018 Keerthana K <keerthanak@vmware.com> 7.59.0-3
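Review bot: The functional change is two new `Patch` entries and two `%patch` lines, but the second hunk also renumbers the existing entries (curl-CVE-2018-16840.patch moves from Patch3 to Patch4 and curl-CVE-2018-16842.patch from Patch4 to Patch5) and the remaining hunks insert blank lines before %description, %prep, %build, %install, %post, %postun, %clean, %files and %changelog. That is formatting noise in a CVE backport and it makes the spec history harder to read, since a later reader has to check whether `%patch3 -p1` still applies the file it used to. Appending the new files as `Patch5:         curl-CVE-2018-16839.patch` and `Patch6:         curl-CVE-2018-14618.patch`, with the same two `%patch5 -p1` / `%patch6 -p1` lines, keeps the existing numbers stable and leaves the whitespace-only hunks for a separate formatting commit if they are wanted at all.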