Resolves: CVE-2016-7167 - reject negative string lengths in curl_easy_[un]escape()

0012-curl-7.47.1-CVE-2016-7167.patch

@@ -0,0 +1,94 @@
+From 7959c5713bbec03c9284a14b1fdd7379520199bc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 8 Sep 2016 22:59:54 +0200
+Subject: [PATCH 1/2] curl_easy_escape: deny negative string lengths as input
+
+CVE-2016-7167
+
+Bug: https://curl.haxx.se/docs/adv_20160914.html
+
+Upstream-commit: 826a9ced2bed217155e34065ef4048931f327b1e
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/escape.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/lib/escape.c b/lib/escape.c
+index 40338a9..c6aa3b9 100644
+--- a/lib/escape.c
++++ b/lib/escape.c
+@@ -78,15 +78,21 @@ char *curl_unescape(const char *string, int length)
+ 
+ char *curl_easy_escape(CURL *handle, const char *string, int inlength)
+ {
+-  size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;
++  size_t alloc;
+   char *ns;
+   char *testing_ptr = NULL;
+   unsigned char in; /* we need to treat the characters unsigned */
+-  size_t newlen = alloc;
++  size_t newlen;
+   size_t strindex=0;
+   size_t length;
+   CURLcode result;
+ 
++  if(inlength < 0)
++    return NULL;
++
++  alloc = (inlength?(size_t)inlength:strlen(string))+1;
++  newlen = alloc;
++
+   ns = malloc(alloc);
+   if(!ns)
+     return NULL;
+-- 
+2.7.4
+
+
+From 6a280152e3893938e5d26f5d535613eefab80b5a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 13 Sep 2016 23:00:50 +0200
+Subject: [PATCH 2/2] curl_easy_unescape: deny negative string lengths as input
+
+CVE-2016-7167
+
+Bug: https://curl.haxx.se/docs/adv_20160914.html
+
+Upstream-commit: 01cf1308ee2e792c77bb1d2c9218c56a30fd40ae
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/escape.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/lib/escape.c b/lib/escape.c
+index c6aa3b9..808ac6c 100644
+--- a/lib/escape.c
++++ b/lib/escape.c
+@@ -217,14 +217,16 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length,
+                          int *olen)
+ {
+   char *str = NULL;
+-  size_t inputlen = length;
+-  size_t outputlen;
+-  CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
+-                                FALSE);
+-  if(res)
+-    return NULL;
+-  if(olen)
+-    *olen = curlx_uztosi(outputlen);
++  if(length >= 0) {
++    size_t inputlen = length;
++    size_t outputlen;
++    CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
++                                  FALSE);
++    if(res)
++      return NULL;
++    if(olen)
++      *olen = curlx_uztosi(outputlen);
++  }
+   return str;
+ }
+ 
+-- 
+2.7.4
+

curl.spec

@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.43.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -40,6 +40,9 @@ Patch10:  0010-curl-7.47.1-CVE-2016-5420.patch
 # work around race condition in PK11_FindSlotByName()
 Patch11:  0011-curl-7.47.1-find-slot-race.patch
 
+# reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167)
+Patch12:  0012-curl-7.47.1-CVE-2016-7167.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -161,6 +164,7 @@ documentation of the library, too.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -280,6 +284,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Wed Sep 14 2016 Kamil Dudka <kdudka@redhat.com> 7.43.0-10
+- reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167)
+
 * Fri Aug 26 2016 Kamil Dudka <kdudka@redhat.com> 7.43.0-9
 - work around race condition in PK11_FindSlotByName()
 - fix incorrect use of a previously loaded certificate from file