diff --git a/0012-curl-7.47.1-CVE-2016-7167.patch b/0012-curl-7.47.1-CVE-2016-7167.patch
new file mode 100644
index 0000000..3e185b5
--- /dev/null
+++ b/0012-curl-7.47.1-CVE-2016-7167.patch
@@ -0,0 +1,94 @@ +From 7959c5713bbec03c9284a14b1fdd7379520199bc Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 8 Sep 2016 22:59:54 +0200 +Subject: [PATCH 1/2] curl_easy_escape: deny negative string lengths as input + +CVE-2016-7167 + +Bug: https://curl.haxx.se/docs/adv_20160914.html + +Upstream-commit: 826a9ced2bed217155e34065ef4048931f327b1e +Signed-off-by: Kamil Dudka +--- + lib/escape.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/lib/escape.c b/lib/escape.c +index 40338a9..c6aa3b9 100644 +--- a/lib/escape.c ++++ b/lib/escape.c +@@ -78,15 +78,21 @@ char *curl_unescape(const char *string, int length) + + char *curl_easy_escape(CURL *handle, const char *string, int inlength) + { +- size_t alloc = (inlength?(size_t)inlength:strlen(string))+1; ++ size_t alloc; + char *ns; + char *testing_ptr = NULL; + unsigned char in; /* we need to treat the characters unsigned */ +- size_t newlen = alloc; ++ size_t newlen; + size_t strindex=0; + size_t length; + CURLcode result; + ++ if(inlength < 0) ++ return NULL; ++ ++ alloc = (inlength?(size_t)inlength:strlen(string))+1; ++ newlen = alloc; ++ + ns = malloc(alloc); + if(!ns) + return NULL; +-- +2.7.4 + + +From 6a280152e3893938e5d26f5d535613eefab80b5a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 13 Sep 2016 23:00:50 +0200 +Subject: [PATCH 2/2] curl_easy_unescape: deny negative string lengths as input + +CVE-2016-7167 + +Bug: https://curl.haxx.se/docs/adv_20160914.html + +Upstream-commit: 01cf1308ee2e792c77bb1d2c9218c56a30fd40ae +Signed-off-by: Kamil Dudka +--- + lib/escape.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/lib/escape.c b/lib/escape.c +index c6aa3b9..808ac6c 100644 +--- a/lib/escape.c ++++ b/lib/escape.c +@@ -217,14 +217,16 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, + int *olen) + { + char *str = NULL; +- size_t inputlen = length; +- size_t outputlen; +- CURLcode res = 
Curl_urldecode(handle, string, inputlen, &str, &outputlen,
+- FALSE);
+- if(res)
+- return NULL;
+- if(olen)
+- *olen = curlx_uztosi(outputlen);
++ if(length >= 0) {
++ size_t inputlen = length;
++ size_t outputlen;
++ CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
++ FALSE);
++ if(res)
++ return NULL;
++ if(olen)
++ *olen = curlx_uztosi(outputlen);
++ }
+ return str;
+ }
+
+--
+2.7.4
+
diff --git a/curl.spec b/curl.spec
index 4f087ac..1a00427 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.43.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -40,6 +40,9 @@ Patch10: 0010-curl-7.47.1-CVE-2016-5420.patch
 # work around race condition in PK11_FindSlotByName()
 Patch11: 0011-curl-7.47.1-find-slot-race.patch
 
+# reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167)
+Patch12: 0012-curl-7.47.1-CVE-2016-7167.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -161,6 +164,7 @@ documentation of the library, too.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -280,6 +284,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Wed Sep 14 2016 Kamil Dudka 7.43.0-10
+- reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167)
+
 * Fri Aug 26 2016 Kamil Dudka 7.43.0-9
 - work around race condition in PK11_FindSlotByName()
 - fix incorrect use of a previously loaded certificate from file
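Review bot: The negative-length guard in the curl_easy_unescape hunk is written as a wrapping `if(length >= 0) { ... }` around the whole body, while the curl_easy_escape hunk in the same patch file rejects bad input up front with `if(inlength < 0) return NULL;`; an early-return form here, `if(length < 0) return NULL;` followed by the original body, would keep the two CVE-2016-7167 fixes uniform and one nesting level shallower. Note also that on the negative-length path `*olen` is never written, because the `if(olen)` assignment sits inside the guarded block and the function returns the still-NULL `str`, so callers must test the returned pointer rather than `*olen` to detect rejection; a comment such as `/* negative length is rejected: str stays NULL and *olen is left untouched */` above the guard would make that contract visible to the next backporter. If the nested form was kept deliberately to mirror upstream commit 01cf1308 byte-for-byte (which eases later backports), that is a reasonable trade-off but worth stating in the patch description. The curl_easy_escape hunk's body continues past its `return NULL;` outside the hunk, so its later buffer handling is not reviewed here.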