new file mode 100644

@@ -0,0 +1,133 @@

+From 9d9157bb0c230c769fdf902ed3a62edf642d424b Mon Sep 17 00:00:00 2001

+From: Daniel Stenberg <daniel@haxx.se>

+Date: Mon, 25 Sep 2017 00:35:22 +0200

+Subject: [PATCH v2] FTP: zero terminate the entry path even on bad input

+

+... a single double quote could leave the entry path buffer without a zero

+terminating byte.

+

+Test 1152 added to verify.

+

+Reported-by: Max Dymond

+---

+ lib/ftp.c               |  7 ++++--

+ tests/data/Makefile.inc |  1 +

+ tests/data/test1152     | 61 +++++++++++++++++++++++++++++++++++++++++++++++++

+ 3 files changed, 67 insertions(+), 2 deletions(-)

+ create mode 100644 tests/data/test1152

+

+diff --git a/lib/ftp.c b/lib/ftp.c

+index 4860509f3..54ba4057f 100644

+--- a/lib/ftp.c

+@@ -2826,7 +2826,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)

+         const size_t buf_size = data->set.buffer_size;

+         char *dir;

+         char *store;

+-

++        bool entry_extracted = FALSE;

+         dir = malloc(nread + 1);

+         if(!dir)

+           return CURLE_OUT_OF_MEMORY;

+@@ -2857,7 +2857,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)

+               }

+               else {

+                 /* end of path */

+-                *store = '\0'; /* zero terminate */

++                entry_extracted = TRUE;

+                 break; /* get out of this loop */

+               }

+             }

+@@ -2866,7 +2866,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)

+             store++;

+             ptr++;

+           }

+-

++          *store = '\0'; /* zero terminate */

++        }

++        if(entry_extracted) {

+           /* If the path name does not look like an absolute path (i.e.: it

+              does not start with a '/'), we probably need some server-dependent

+              adjustments. For example, this is the case when connecting to

+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc

+index 1bfd75eca..268f5e29e 100644

+--- a/tests/data/Makefile.inc

+@@ -121,6 +121,7 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \

+ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \

+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \

+ test1144 test1145 test1146 \

++test1152 \

+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \

+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \

+ test1216 test1217 test1218 test1219 \

+diff --git a/tests/data/test1152 b/tests/data/test1152

+new file mode 100644

+index 000000000..aa8c0a7e4

+--- /dev/null

+@@ -0,0 +1,61 @@

++<testcase>

++<info>

++<keywords>

++FTP

++PASV

++LIST

++</keywords>

++</info>

++#

++# Server-side

++<reply>

++<servercmd>

++REPLY PWD 257 "just one

++</servercmd>

++

++# When doing LIST, we get the default list output hard-coded in the test

++# FTP server

++<data mode="text">

++total 20

++drwxr-xr-x   8 98       98           512 Oct 22 13:06 .

++drwxr-xr-x   8 98       98           512 Oct 22 13:06 ..

++drwxr-xr-x   2 98       98           512 May  2  1996 curl-releases

++-r--r--r--   1 0        1             35 Jul 16  1996 README

++lrwxrwxrwx   1 0        1              7 Dec  9  1999 bin -> usr/bin

++dr-xr-xr-x   2 0        1            512 Oct  1  1997 dev

++drwxrwxrwx   2 98       98           512 May 29 16:04 download.html

++dr-xr-xr-x   2 0        1            512 Nov 30  1995 etc

++drwxrwxrwx   2 98       1            512 Oct 30 14:33 pub

++dr-xr-xr-x   5 0        1            512 Oct  1  1997 usr

++</data>

++</reply>

++

++#

++# Client-side

++<client>

++<server>

++ftp

++</server>

++ <name>

++FTP with uneven quote in PWD response

++ </name>

++ <command>

++ftp://%HOSTIP:%FTPPORT/test-1152/

++</command>

++</client>

++

++#

++# Verify data after the test has been "shot"

++<verify>

++<protocol>

++USER anonymous

++PASS ftp@example.com

++PWD

++CWD test-1152

++EPSV

++TYPE A

++LIST

++QUIT

++</protocol>

++</verify>

++</testcase>

+-- 

+2.14.1

+

@@ -1,7 +1,7 @@

 Summary:        An URL retrieval utility and library

 Name:           curl

 Version:        7.54.1

-Release:        2%{?dist}

+Release:        3%{?dist}

 License:        MIT

 URL:            http://curl.haxx.se

 Group:          System Environment/NetworkingLibraries

@@ -12,6 +12,7 @@ Source0:        http://curl.haxx.se/download/%{name}-%{version}.tar.lzma

 Patch0:         curl-CVE-2017-1000099.patch

 Patch1:         curl-CVE-2017-1000100.patch

 Patch2:         curl-CVE-2017-1000101.patch

+Patch3:         curl-CVE-2017-1000254.patch

 BuildRequires:  ca-certificates

 BuildRequires:  openssl-devel

 BuildRequires:  krb5-devel

@@ -47,6 +48,7 @@ This package contains minimal set of shared curl libraries.

 %patch0 -p1

 %patch1 -p1

 %patch2 -p1

+%patch3 -p1

 %build

 ./configure \

     CFLAGS="%{optflags}" \

@@ -94,6 +96,8 @@ rm -rf %{buildroot}/*

 %{_libdir}/libcurl.so.*

 %changelog

+*   Mon Nov 06 2017 Xiaolin Li <xiaolinl@vmware.com> 7.54.1-3

+-   Fix CVE-2017-1000254

 *   Thu Nov 02 2017 Xiaolin Li <xiaolinl@vmware.com> 7.54.1-2

 -   Fix CVE-2017-1000099, CVE-2017-1000100, CVE-2017-1000101

 *   Tue Jul 11 2017 Divya Thaluru <dthaluru@vmware.com> 7.54.1-1