From 2fc0fbf615b9b084d7e2259280f3de3e08ab7cd5 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 9 Aug 2017 15:35:28 +0200
Subject: [PATCH] Resolves: CVE-2017-1000100 - tftp: reject file name lengths that do not fit buffer
---
 0010-curl-7.54.1-CVE-2017-1000100.patch | 49 +++++++++++++++++++++++++
 curl.spec | 5 +++
 2 files changed, 54 insertions(+)
 create mode 100644 0010-curl-7.54.1-CVE-2017-1000100.patch
diff --git a/0010-curl-7.54.1-CVE-2017-1000100.patch b/0010-curl-7.54.1-CVE-2017-1000100.patch
new file mode 100644
index 0000000..ce344b5
--- /dev/null
+++ b/0010-curl-7.54.1-CVE-2017-1000100.patch
@@ -0,0 +1,49 @@
+From d30858296331b3ab1dc57043eef66fddf87637c3 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 1 Aug 2017 17:16:46 +0200
+Subject: [PATCH] tftp: reject file name lengths that don't fit
+
+... and thereby avoid telling send() to send off more bytes than the
+size of the buffer!
+
+CVE-2017-1000100
+
+Bug: https://curl.haxx.se/docs/adv_20170809B.html
+Reported-by: Even Rouault
+
+Credit to OSS-Fuzz for the discovery
+
+Upstream-commit: 358b2b131ad6c095696f20dcfa62b8305263f898
+Signed-off-by: Kamil Dudka
+---
+ lib/tftp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index f2f8347..92b3edf 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al.
++ * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -490,6 +490,11 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
+ if(result)
+ return result;
+
++ if(strlen(filename) > (state->blksize - strlen(mode) - 4)) {
++ failf(data, "TFTP file name too long\n");
++ return CURLE_TFTP_ILLEGAL; /* too long file name field */
++ }
++
+ snprintf((char *)state->spacket.data+2,
+ state->blksize,
+ "%s%c%s%c", filename, '\0', mode, '\0');
+--
+2.9.4
+
diff --git a/curl.spec b/curl.spec
index b57d825..4d68028 100644
--- a/curl.spec
+++ b/curl.spec
@@ -30,6 +30,9 @@ Patch7: 0007-curl-7.54.1-nss-cc-use-after-free.patch
 # do not continue parsing of glob after range overflow (CVE-2017-1000101)
 Patch9: 0009-curl-7.54.1-CVE-2017-1000101.patch
+# tftp: reject file name lengths that do not fit buffer (CVE-2017-1000100)
+Patch10: 0010-curl-7.54.1-CVE-2017-1000100.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
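Review bot: The bound in the added check, `state->blksize - strlen(mode) - 4`, is evaluated as size_t once strlen() enters the expression, so if blksize can ever be smaller than strlen(mode) + 4 (its type and permitted minimum are not visible in this hunk) the subtraction wraps to a huge value and the guard silently admits any filename, reintroducing the oversized send the patch is meant to prevent. Moving every term to the left-hand side avoids the subtraction and mirrors the packet length the sender computes: `if(strlen(filename) + strlen(mode) + 4 > (size_t)state->blksize) {`. Separately, if `filename` is heap-allocated by the call whose `result` is tested just above (that call and the later free are outside the hunk), the new early return should `free(filename)` before `return CURLE_TFTP_ILLEGAL;` or the rejection path leaks it. Minor: if failf() messages in this code base carry no trailing newline, `"TFTP file name too long\n"` should drop the `\n` to match. tftp_send_first begins and ends outside the hunk.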
@@ -155,6 +158,7 @@ documentation of the library, too.
 %patch6 -p1
 %patch7 -p1
 %patch9 -p1
+%patch10 -p1
 # Fedora patches
 %patch101 -p1
@@ -267,6 +271,7 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Wed Aug 09 2017 Kamil Dudka 7.51.0-9
+- tftp: reject file name lengths that do not fit buffer (CVE-2017-1000100)
 - do not continue parsing of glob after range overflow (CVE-2017-1000101)
 * Thu Jul 20 2017 Kamil Dudka 7.51.0-8