Resolves: CVE-2019-5436 - TFTP receive buffer overflow

0017-curl-7.64.0-CVE-2019-5436.patch

@@ -0,0 +1,31 @@
+From 55a27027d5f024a0ecc2c23c81ed99de6192c9f3 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 3 May 2019 22:20:37 +0200
+Subject: [PATCH] tftp: use the current blksize for recvfrom()
+
+bug: https://curl.haxx.se/docs/CVE-2019-5436.html
+Reported-by: l00p3r on hackerone
+CVE-2019-5436
+
+Upstream-commit: 2576003415625d7b5f0e390902f8097830b82275
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/tftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 269b3cd..4f2a131 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -1005,7 +1005,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+   state->sockfd = state->conn->sock[FIRSTSOCKET];
+   state->state = TFTP_STATE_START;
+   state->error = TFTP_ERR_NONE;
+-  state->blksize = TFTP_BLKSIZE_DEFAULT;
++  state->blksize = blksize;
+   state->requested_blksize = blksize;
+ 
+   ((struct sockaddr *)&state->local_addr)->sa_family =
+-- 
+2.20.1
+

curl.spec

@@ -49,6 +49,9 @@ Patch14:  0014-curl-7.61.1-libssh-socket.patch
 # fix integer overflows in curl_url_set() (CVE-2019-5435)
 Patch16:  0016-curl-7.64.0-CVE-2019-5435.patch
 
+# TFTP receive buffer overflow (CVE-2019-5436)
+Patch17:  0017-curl-7.64.0-CVE-2019-5436.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -230,6 +233,7 @@ git apply %{PATCH4}
 
 # upstream patches
 %patch16 -p1
+%patch17 -p1
 
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -391,6 +395,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 
 %changelog
 * Wed May 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-11
+- TFTP receive buffer overflow (CVE-2019-5436)
 - fix integer overflows in curl_url_set() (CVE-2019-5435)
 
 * Mon Feb 18 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-10