Resolves: CVE-2016-7167 - reject negative string lengths in curl_easy_[un]escape()
This commit is contained in:
parent
36b153054a
commit
13ec13d953
|
@ -0,0 +1,94 @@
|
||||||
|
From 7959c5713bbec03c9284a14b1fdd7379520199bc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Thu, 8 Sep 2016 22:59:54 +0200
|
||||||
|
Subject: [PATCH 1/2] curl_easy_escape: deny negative string lengths as input
|
||||||
|
|
||||||
|
CVE-2016-7167
|
||||||
|
|
||||||
|
Bug: https://curl.haxx.se/docs/adv_20160914.html
|
||||||
|
|
||||||
|
Upstream-commit: 826a9ced2bed217155e34065ef4048931f327b1e
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/escape.c | 10 ++++++++--
|
||||||
|
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/escape.c b/lib/escape.c
|
||||||
|
index 40338a9..c6aa3b9 100644
|
||||||
|
--- a/lib/escape.c
|
||||||
|
+++ b/lib/escape.c
|
||||||
|
@@ -78,15 +78,21 @@ char *curl_unescape(const char *string, int length)
|
||||||
|
|
||||||
|
char *curl_easy_escape(CURL *handle, const char *string, int inlength)
|
||||||
|
{
|
||||||
|
- size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;
|
||||||
|
+ size_t alloc;
|
||||||
|
char *ns;
|
||||||
|
char *testing_ptr = NULL;
|
||||||
|
unsigned char in; /* we need to treat the characters unsigned */
|
||||||
|
- size_t newlen = alloc;
|
||||||
|
+ size_t newlen;
|
||||||
|
size_t strindex=0;
|
||||||
|
size_t length;
|
||||||
|
CURLcode result;
|
||||||
|
|
||||||
|
+ if(inlength < 0)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ alloc = (inlength?(size_t)inlength:strlen(string))+1;
|
||||||
|
+ newlen = alloc;
|
||||||
|
+
|
||||||
|
ns = malloc(alloc);
|
||||||
|
if(!ns)
|
||||||
|
return NULL;
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
||||||
|
|
||||||
|
From 6a280152e3893938e5d26f5d535613eefab80b5a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Tue, 13 Sep 2016 23:00:50 +0200
|
||||||
|
Subject: [PATCH 2/2] curl_easy_unescape: deny negative string lengths as input
|
||||||
|
|
||||||
|
CVE-2016-7167
|
||||||
|
|
||||||
|
Bug: https://curl.haxx.se/docs/adv_20160914.html
|
||||||
|
|
||||||
|
Upstream-commit: 01cf1308ee2e792c77bb1d2c9218c56a30fd40ae
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/escape.c | 18 ++++++++++--------
|
||||||
|
1 file changed, 10 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/escape.c b/lib/escape.c
|
||||||
|
index c6aa3b9..808ac6c 100644
|
||||||
|
--- a/lib/escape.c
|
||||||
|
+++ b/lib/escape.c
|
||||||
|
@@ -217,14 +217,16 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length,
|
||||||
|
int *olen)
|
||||||
|
{
|
||||||
|
char *str = NULL;
|
||||||
|
- size_t inputlen = length;
|
||||||
|
- size_t outputlen;
|
||||||
|
- CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
|
||||||
|
- FALSE);
|
||||||
|
- if(res)
|
||||||
|
- return NULL;
|
||||||
|
- if(olen)
|
||||||
|
- *olen = curlx_uztosi(outputlen);
|
||||||
|
+ if(length >= 0) {
|
||||||
|
+ size_t inputlen = length;
|
||||||
|
+ size_t outputlen;
|
||||||
|
+ CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
|
||||||
|
+ FALSE);
|
||||||
|
+ if(res)
|
||||||
|
+ return NULL;
|
||||||
|
+ if(olen)
|
||||||
|
+ *olen = curlx_uztosi(outputlen);
|
||||||
|
+ }
|
||||||
|
return str;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.43.0
|
Version: 7.43.0
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
|
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
|
||||||
|
@ -40,6 +40,9 @@ Patch10: 0010-curl-7.47.1-CVE-2016-5420.patch
|
||||||
# work around race condition in PK11_FindSlotByName()
|
# work around race condition in PK11_FindSlotByName()
|
||||||
Patch11: 0011-curl-7.47.1-find-slot-race.patch
|
Patch11: 0011-curl-7.47.1-find-slot-race.patch
|
||||||
|
|
||||||
|
# reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167)
|
||||||
|
Patch12: 0012-curl-7.47.1-CVE-2016-7167.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
|
@ -161,6 +164,7 @@ documentation of the library, too.
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
%patch10 -p1
|
%patch10 -p1
|
||||||
%patch11 -p1
|
%patch11 -p1
|
||||||
|
%patch12 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
|
@ -280,6 +284,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%{_datadir}/aclocal/libcurl.m4
|
%{_datadir}/aclocal/libcurl.m4
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Sep 14 2016 Kamil Dudka <kdudka@redhat.com> 7.43.0-10
|
||||||
|
- reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167)
|
||||||
|
|
||||||
* Fri Aug 26 2016 Kamil Dudka <kdudka@redhat.com> 7.43.0-9
|
* Fri Aug 26 2016 Kamil Dudka <kdudka@redhat.com> 7.43.0-9
|
||||||
- work around race condition in PK11_FindSlotByName()
|
- work around race condition in PK11_FindSlotByName()
|
||||||
- fix incorrect use of a previously loaded certificate from file
|
- fix incorrect use of a previously loaded certificate from file
|
||||||
|
|
Loading…
Reference in New Issue