This change fixes the chunked decoding buffer overrun tracked as CVE-2017-2885.
Change-Id: Id917b2c7c41ae1502436b925a261846540d6c4d4
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5274
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,57 @@ |
0 |
+From 34d361188adc4b4a81457bcffb14588d84078e79 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Dan Winship <danw@gnome.org> |
|
2 |
+Date: Thu, 3 Aug 2017 09:56:43 -0400 |
|
3 |
+Subject: [PATCH] Fix chunked decoding buffer overrun (CVE-2017-2885) |
|
4 |
+ |
|
5 |
+https://bugzilla.gnome.org/show_bug.cgi?id=785774 |
|
6 |
+--- |
|
7 |
+ libsoup/soup-filter-input-stream.c | 22 +++++++++++----------- |
|
8 |
+ 1 file changed, 11 insertions(+), 11 deletions(-) |
|
9 |
+ |
|
10 |
+diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c |
|
11 |
+index cde4d12..2c30bf9 100644 |
|
12 |
+--- a/libsoup/soup-filter-input-stream.c |
|
13 |
+@@ -198,7 +198,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream, |
|
14 |
+ GCancellable *cancellable, |
|
15 |
+ GError **error) |
|
16 |
+ { |
|
17 |
+- gssize nread; |
|
18 |
++ gssize nread, read_length; |
|
19 |
+ guint8 *p, *buf, *end; |
|
20 |
+ gboolean eof = FALSE; |
|
21 |
+ GError *my_error = NULL; |
|
22 |
+@@ -251,10 +251,11 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream, |
|
23 |
+ } else |
|
24 |
+ buf = fstream->priv->buf->data; |
|
25 |
+ |
|
26 |
+- /* Scan for the boundary */ |
|
27 |
+- end = buf + fstream->priv->buf->len; |
|
28 |
+- if (!eof) |
|
29 |
+- end -= boundary_length; |
|
30 |
++ /* Scan for the boundary within the range we can possibly return. */ |
|
31 |
++ if (include_boundary) |
|
32 |
++ end = buf + MIN (fstream->priv->buf->len, length) - boundary_length; |
|
33 |
++ else |
|
34 |
++ end = buf + MIN (fstream->priv->buf->len - boundary_length, length); |
|
35 |
+ for (p = buf; p <= end; p++) { |
|
36 |
+ if (*p == *(guint8*)boundary && |
|
37 |
+ !memcmp (p, boundary, boundary_length)) { |
|
38 |
+@@ -268,10 +269,9 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream, |
|
39 |
+ if (!*got_boundary && fstream->priv->buf->len < length && !eof) |
|
40 |
+ goto fill_buffer; |
|
41 |
+ |
|
42 |
+- /* Return everything up to 'p' (which is either just after the boundary if |
|
43 |
+- * include_boundary is TRUE, just before the boundary if include_boundary is |
|
44 |
+- * FALSE, @boundary_len - 1 bytes before the end of the buffer, or end-of- |
|
45 |
+- * file). |
|
46 |
+- */ |
|
47 |
+- return read_from_buf (fstream, buffer, p - buf); |
|
48 |
++ if (eof && !*got_boundary) |
|
49 |
++ read_length = MIN (fstream->priv->buf->len, length); |
|
50 |
++ else |
|
51 |
++ read_length = p - buf; |
|
52 |
++ return read_from_buf (fstream, buffer, read_length); |
|
53 |
+ } |
|
54 |
+-- |
|
55 |
+2.9.4 |
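Review bot: In the `else` branch of the new scan bound, `fstream->priv->buf->len - boundary_length` is evaluated before the `MIN`, and nothing visible in this hunk guarantees that at least `boundary_length` bytes are buffered at that point. If both operands are unsigned (GByteArray's `len` is a `guint`; `boundary_length` is declared outside the hunk), a shorter buffer makes the subtraction wrap, `MIN` then picks `length`, and when `length` exceeds the buffered byte count `end` lands past the valid data, so the `*p`/`memcmp` scan would read beyond it. The start of `soup_filter_input_stream_read_until`, including the refill path, is outside the hunk, so this case may already be excluded; if it is, record that with a comment such as `/* buf->len >= boundary_length holds here, so the subtraction cannot wrap */`, otherwise guard the scan, for example `for (p = buf; fstream->priv->buf->len >= boundary_length && p <= end; p++) {`. Because this file vendors an upstream patch, any such guard is better raised upstream than carried only in this package.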
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: libsoup HTTP client/server library |
2 | 2 |
Name: libsoup |
3 | 3 |
Version: 2.57.1 |
4 |
-Release: 2%{?dist} |
|
4 |
+Release: 3%{?dist} |
|
5 | 5 |
License: GPLv2 |
6 | 6 |
URL: http://wiki.gnome.org/LibSoup |
7 | 7 |
Group: System Environment/Development |
... | ... |
@@ -9,6 +9,7 @@ Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://ftp.gnome.org/pub/GNOME/sources/libsoup/2.57/%{name}-%{version}.tar.xz |
11 | 11 |
%define sha1 libsoup=a855a98c1d002a4e2bfb7562135265a8df4dad65 |
12 |
+Patch0: CVE-2017-2885.patch |
|
12 | 13 |
BuildRequires: glib |
13 | 14 |
BuildRequires: glib-devel |
14 | 15 |
BuildRequires: gobject-introspection |
... | ... |
@@ -54,6 +55,7 @@ These are the additional language files of libsoup. |
54 | 54 |
|
55 | 55 |
%prep |
56 | 56 |
%setup -q |
57 |
+%patch0 -p1 |
|
57 | 58 |
|
58 | 59 |
%build |
59 | 60 |
export CFLAGS="%{optflags}" |
... | ... |
@@ -91,6 +93,8 @@ make check |
91 | 91 |
%defattr(-,root,root) |
92 | 92 |
|
93 | 93 |
%changelog |
94 |
+* Mon Jun 18 2018 Tapas Kundu <tkundu@vmware.com> 2.57.1-3 |
|
95 |
+- CVE-2017-2885 |
|
94 | 96 |
* Fri Aug 11 2017 Chang Lee <changlee@vmware.com> 2.57.1-2 |
95 | 97 |
- Added krb5-devel to BuildRequires for %check |
96 | 98 |
* Tue Apr 04 2017 Kumar Kaushik <kaushikk@vmware.com> 2.57.1-1 |