From 48891bfbadc872c1088b69170ca041ba876ac854 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 2 Nov 2016 17:31:58 +0100
Subject: [PATCH] Resolves: CVE-2016-8619 - fix double-free in krb5 code

---
 0019-curl-7.47.1-CVE-2016-8619.patch | 49 ++++++++++++++++++++++++++++
 curl.spec                            |  5 +++
 2 files changed, 54 insertions(+)
 create mode 100644 0019-curl-7.47.1-CVE-2016-8619.patch

diff --git a/0019-curl-7.47.1-CVE-2016-8619.patch b/0019-curl-7.47.1-CVE-2016-8619.patch
new file mode 100644
index 0000000..e8476ce
--- /dev/null
+++ b/0019-curl-7.47.1-CVE-2016-8619.patch
@@ -0,0 +1,49 @@
+From 47736feee3eb92b3527237316f60c880421bbce4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 28 Sep 2016 12:56:02 +0200
+Subject: [PATCH] krb5: avoid realloc(0)
+
+If the requested size is zero, bail out with error instead of doing a
+realloc() that would cause a double-free: realloc(0) acts as a free()
+and then there's a second free in the cleanup path.
+
+CVE-2016-8619
+
+Bug: https://curl.haxx.se/docs/adv_20161102E.html
+Reported-by: Cure53
+
+Upstream-commit: 3d6460edeee21d7d790ec570d0887bed1f4366dd
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/security.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index 014bbf1..74d924c 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -192,15 +192,18 @@ static CURLcode read_data(struct connectdata *conn,
+                           struct krb5buffer *buf)
+ {
+   int len;
+-  void* tmp;
++  void *tmp = NULL;
+   CURLcode result;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+   if(result)
+     return result;
+ 
+-  len = ntohl(len);
+-  tmp = realloc(buf->data, len);
++  if(len) {
++    /* only realloc if there was a length */
++    len = ntohl(len);
++    tmp = realloc(buf->data, len);
++  }
+   if(tmp == NULL)
+     return CURLE_OUT_OF_MEMORY;
+ 
+-- 
+2.7.4
+
diff --git a/curl.spec b/curl.spec
index b48308e..1cb040f 100644
--- a/curl.spec
+++ b/curl.spec
@@ -46,6 +46,9 @@ Patch17:  0017-curl-7.47.1-CVE-2016-8620.patch
 # fix double-free in curl_maprintf() (CVE-2016-8618)
 Patch18:  0018-curl-7.47.1-CVE-2016-8618.patch
 
+# fix double-free in krb5 code (CVE-2016-8619)
+Patch19:  0019-curl-7.47.1-CVE-2016-8619.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -172,6 +175,7 @@ documentation of the library, too.
 %patch16 -p1
 %patch17 -p1
 %patch18 -p1
+%patch19 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -288,6 +292,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %changelog
 * Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-9
+- fix double-free in krb5 code (CVE-2016-8619)
 - fix double-free in curl_maprintf() (CVE-2016-8618)
 - fix glob parser write/read out of bounds (CVE-2016-8620)
 - fix out-of-bounds read in curl_getdate() (CVE-2016-8621)