From 41c348c5d6c572d206078c21add58b67605e05d6 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 22 May 2019 14:02:54 +0200 Subject: [PATCH] Resolves: CVE-2019-5436 - TFTP receive buffer overflow --- 0017-curl-7.64.0-CVE-2019-5436.patch | 31 ++++++++++++++++++++++++++++ curl.spec | 5 +++++ 2 files changed, 36 insertions(+) create mode 100644 0017-curl-7.64.0-CVE-2019-5436.patch diff --git a/0017-curl-7.64.0-CVE-2019-5436.patch b/0017-curl-7.64.0-CVE-2019-5436.patch new file mode 100644 index 0000000..8b0e453 --- /dev/null +++ b/0017-curl-7.64.0-CVE-2019-5436.patch @@ -0,0 +1,31 @@ +From 55a27027d5f024a0ecc2c23c81ed99de6192c9f3 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 3 May 2019 22:20:37 +0200 +Subject: [PATCH] tftp: use the current blksize for recvfrom() + +bug: https://curl.haxx.se/docs/CVE-2019-5436.html +Reported-by: l00p3r on hackerone +CVE-2019-5436 + +Upstream-commit: 2576003415625d7b5f0e390902f8097830b82275 +Signed-off-by: Kamil Dudka +--- + lib/tftp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/tftp.c b/lib/tftp.c +index 269b3cd..4f2a131 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -1005,7 +1005,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) + state->sockfd = state->conn->sock[FIRSTSOCKET]; + state->state = TFTP_STATE_START; + state->error = TFTP_ERR_NONE; +- state->blksize = TFTP_BLKSIZE_DEFAULT; ++ state->blksize = blksize; + state->requested_blksize = blksize; + + ((struct sockaddr *)&state->local_addr)->sa_family = +-- +2.20.1 + diff --git a/curl.spec b/curl.spec index 878cf37..dcff94b 100644 --- a/curl.spec +++ b/curl.spec @@ -49,6 +49,9 @@ Patch14: 0014-curl-7.61.1-libssh-socket.patch # fix integer overflows in curl_url_set() (CVE-2019-5435) Patch16: 0016-curl-7.64.0-CVE-2019-5435.patch +# TFTP receive buffer overflow (CVE-2019-5436) +Patch17: 0017-curl-7.64.0-CVE-2019-5436.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -230,6 +233,7 @@ git apply %{PATCH4} # upstream patches %patch16 -p1 +%patch17 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -391,6 +395,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed May 22 2019 Kamil Dudka - 7.61.1-11 +- TFTP receive buffer overflow (CVE-2019-5436) - fix integer overflows in curl_url_set() (CVE-2019-5435) * Mon Feb 18 2019 Kamil Dudka - 7.61.1-10