
curl : Fix CVE-2017-1000100

Change-Id: I78d3829553916f475429c5709bdf8f90330397de
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4191
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>

xiaolin-vmware authored on 2017/11/03 03:38:43
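--- /dev/null
+++ b/curl-CVE-2017-1000100.patch
@@ -0,0 +1,54 @@
+From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 1 Aug 2017 17:16:46 +0200
+Subject: [PATCH] tftp: reject file name lengths that don't fit
+
+... and thereby avoid telling send() to send off more bytes than the
+size of the buffer!
+
+CVE-2017-1000100
+
+Bug: https://curl.haxx.se/docs/adv_20170809B.html
+Reported-by: Even Rouault
+
+Credit to OSS-Fuzz for the discovery
+---
+ lib/tftp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 02bd84242..f6f4bce5b 100644
+--- a/lib/tftp.c
+@@ -3,11 +3,11 @@
+  *  Project                     ___| | | |  _ \| |
+  *                             / __| | | | |_) | |
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+  * are also available at https://curl.haxx.se/docs/copyright.html.
+  *
+@@ -489,10 +489,15 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
+     result = Curl_urldecode(data, &state->conn->data->state.path[1], 0,
+                             &filename, NULL, FALSE);
+     if(result)
+       return result;
+ 
++    if(strlen(filename) > (state->blksize - strlen(mode) - 4)) {
++      failf(data, "TFTP file name too long\n");
++      return CURLE_TFTP_ILLEGAL; /* too long file name field */
++    }
++
+     snprintf((char *)state->spacket.data+2,
+              state->blksize,
+              "%s%c%s%c", filename, '\0',  mode, '\0');
+     sbytes = 4 + strlen(filename) + strlen(mode);
+ 
+-- 
+2.13.3
+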
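Review bot: The new guard `if(strlen(filename) > (state->blksize - strlen(mode) - 4))` mixes `state->blksize` with `size_t` operands; blksize's type is not visible in this hunk, but if it is a signed `int` the subtraction is evaluated in unsigned arithmetic and wraps whenever blksize is smaller than `strlen(mode) + 4`, in which case the check accepts any file name and the following `snprintf` truncates silently. Writing it as `if(strlen(filename) + strlen(mode) + 4 > (size_t)state->blksize)` keeps the intent without the underflow (this assumes blksize is never negative — confirm where it is set). The `failf` format ends in `\n`; if the rest of lib/tftp.c omits trailing newlines in `failf` messages, `failf(data, "TFTP file name too long");` would match. The embedded upstream diff shows `--- a/lib/tftp.c` immediately followed by the `@@` header with no `+++ b/lib/tftp.c` line — possibly a rendering artefact of this page, but if the committed patch file really lacks it, confirm that `%patch1 -p1` still applies cleanly. tftp_send_first's body continues outside the hunk.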
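--- a/[curl spec file path]
+++ b/[curl spec file path]
@@ -1,7 +1,7 @@
 Summary:        An URL retrieval utility and library
 Name:           curl
 Version:        7.54.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 URL:            http://curl.haxx.se
 Group:          System Environment/NetworkingLibraries
@@ -10,6 +10,7 @@ Distribution:   Photon
 Source0:        http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
 %define sha1    curl=a77da3cd2a9876bde3982976245ef2da9ad27847
 Patch0:         curl-CVE-2017-1000101.patch
+Patch1:         curl-CVE-2017-1000100.patch
 Requires:       ca-certificates
 BuildRequires:  ca-certificates
 Requires:       openssl
@@ -26,6 +27,7 @@ functions like streaming media.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 sed -i '/--static-libs)/{N;s#echo .*#echo #;}' curl-config.in
 %build
 ./configure \
@@ -65,6 +67,8 @@ rm -rf %{buildroot}/*
 %{_datarootdir}/aclocal/libcurl.m4
 %{_docdir}/%{name}-%{version}
 %changelog
+*   Thu Nov 02 2017 Xiaolin Li <xiaolinl@vmware.com> 7.54.0-3
+-   Fix CVE-2017-1000100
 *   Wed Oct 25 2017 Xiaolin Li <xiaolinl@vmware.com> 7.54.0-2
 -   Fix CVE-2017-1000101
 *   Wed May 24 2017 Divya Thaluru <dthaluru@vmware.com> 7.54.0-1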