Resolves: CVE-2018-1000301 - http: restore buffer ptr when bad response-line is parsed

2018-05-18 16:17:51 +02:00 · 2018-05-18 16:17:51 +02:00 · 5dee6fb8b3
commit 5dee6fb8b3
parent 6402b496fc
2 changed files with 56 additions and 1 deletions
--- a/0002-curl-7.59.0-CVE-2018-1000301.patch
+++ b/0002-curl-7.59.0-CVE-2018-1000301.patch
@ -0,0 +1,48 @@
+From 5815730864a2010872840bae24797983e892eb90 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH 1/2] http: restore buffer pointer when bad response-line is
+ parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+
+CVE: CVE-2018-1000301
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+
+Upstream-commit: 8c7b3737d29ed5c0575bf592063de8a51450812d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 841f6cc..dc10f5f 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -2966,6 +2966,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ {
+   CURLcode result;
+   struct SingleRequest *k = &data->req;
+  ssize_t onread = *nread;
+  char *ostr = k->str;
+ 
+   /* header line within buffer loop */
+   do {
+@@ -3030,7 +3032,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+         else {
+           /* this was all we read so it's all a bad header */
+           k->badheader = HEADER_ALLBAD;
+-          *nread = (ssize_t)rest_length;
+          *nread = onread;
+          k->str = ostr;
+          return CURLE_OK;
+         }
+         break;
+       }
+-- 
+2.14.3
+
--- a/curl.spec
+++ b/curl.spec
@ -1,13 +1,16 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.59.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz

 # ftp: fix typo in recursive callback detection for seeking
 Patch1:   0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch

+# fix RTSP bad headers buffer over-read (CVE-2018-1000301)
+Patch2:   0002-curl-7.59.0-CVE-2018-1000301.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -155,6 +158,7 @@ be installed.

 # upstream patches
 %patch1 -p1
+%patch2 -p1

 # Fedora patches
 %patch101 -p1
@ -300,6 +304,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Fri May 18 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-3
+- fix RTSP bad headers buffer over-read (CVE-2018-1000301)
+
 * Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-2
 - ftp: fix typo in recursive callback detection for seeking