GitList

Browse code

curl: Fix for CVE-2019-3823

curl is vulnerable for out of band reads in end of SMTP responses, if the buffer passed to smtp_endofresp() is not NULL terminated and contains no character ending the parsed number, and len is set to 5, then the strtol() call reads beyond the allocated buffer. The read contents will not be returned to the caller.

Change-Id: Ibfc3ad9f2f163ea711c3593673f2de7a8bf30a60
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6712
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>

dweepadvani authored on 2019/02/15 00:08:38
Showing 2 changed files

SPECS/curl/curl-CVE-2019-3823.patch index 0000000..a47bb2e
SPECS/curl/curl.spec index 5dee11b..0435fc6 100644

SPECS/curl/curl-CVE-2019-3823.patch

History View file @ fbf59c1

                     new file mode 100644
@@ -0,0 +1,44 @@
                     +From 39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484 Mon Sep 17 00:00:00 2001
                     +From: Daniel Gustafsson <daniel@yesql.se>
                     +Date: Sat, 19 Jan 2019 00:42:47 +0100
                     +Subject: [PATCH] smtp: avoid risk of buffer overflow in strtol
+                    +
                     +If the incoming len 5, but the buffer does not have a termination
                     +after 5 bytes, the strtol() call may keep reading through the line
                     +buffer until is exceeds its boundary. Fix by ensuring that we are
                     +using a bounded read with a temporary buffer on the stack.
+                    +
                     +Bug: https://curl.haxx.se/docs/CVE-2019-3823.html
                     +Reported-by: Brian Carpenter (Geeknik Labs)
                     +CVE-2019-3823
                     +---
                     + lib/smtp.c | 8 ++++++--
                     + 1 file changed, 6 insertions(+), 2 deletions(-)
+                    +
                     +diff --git a/lib/smtp.c b/lib/smtp.c
                     +index 84fc68e418..d55647b12e 100644
                     +--- a/lib/smtp.c
                     +@@ -5,7 +5,7 @@
                     +  *                            | (__| |_| |  _ <| |___
                     +  *                             \___|\___/|_| \_\_____|
                     +  *
                     +- * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
                     ++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
                     +  *
                     +  * This software is licensed as described in the file COPYING, which
                     +  * you should have received as part of this distribution. The terms
                     +@@ -207,8 +207,12 @@ static bool smtp_endofresp(struct connectdata *conn, char *line, size_t len,
                     +      Section 4. Examples of RFC-4954 but some e-mail servers ignore this and
                     +      only send the response code instead as per Section 4.2. */
                     +   if(line[3] == ' ' || len == 5) {
                     ++    char tmpline[6];
                     ++
                     +     result = TRUE;
                     +-    *resp = curlx_sltosi(strtol(line, NULL, 10));
                     ++    memset(tmpline, '\0', sizeof(tmpline));
                     ++    memcpy(tmpline, line, (len == 5 ? 5 : 3));
                     ++    *resp = curlx_sltosi(strtol(tmpline, NULL, 10));
+                    +
                     +     /* Make sure real server never sends internal value */
                     +     if(*resp == 1)

SPECS/curl/curl.spec

History View file @ fbf59c1

@@ -1,7 +1,7 @@
                      Summary:        An URL retrieval utility and library
                      Name:           curl
                      Version:        7.59.0
                     -Release:        4%{?dist}
                     +Release:        5%{?dist}
                      License:        MIT
                      URL:            http://curl.haxx.se
                      Group:          System Environment/NetworkingLibraries
@@ -16,6 +16,7 @@ Patch3:         curl-CVE-2018-16839.patch
                      Patch4:         curl-CVE-2018-16840.patch
                      Patch5:         curl-CVE-2018-16842.patch
                      Patch6:         curl-CVE-2018-14618.patch
                     +Patch7:         curl-CVE-2019-3823.patch
                      BuildRequires:  ca-certificates
                      BuildRequires:  openssl-devel
                      BuildRequires:  krb5-devel
@@ -55,6 +56,7 @@ This package contains minimal set of shared curl libraries.
                      %patch4 -p1
                      %patch5 -p1
                      %patch6 -p1
                     +%patch7 -p1
                      %build
                      ./configure \
@@ -107,6 +109,8 @@ rm -rf %{buildroot}/*
                      %{_libdir}/libcurl.so.*
                      %changelog
                     +*   Thu Feb 14 2019 Dweep Advani <dadvani@vmware.com> 7.59.0-5
                     +-   Fix for CVE-2019-3823
                      *   Tue Jan 29 2019 Dweep Advani <dadvani@vmware.com> 7.59.0-4
                      -   Fix for CVE-2018-16839, CVE-2018-16840, CVE-2018-16842 and CVE-2018-14618
                      *   Tue Sep 18 2018 Keerthana K <keerthanak@vmware.com> 7.59.0-3