Resolves: CVE-2018-1000301 - http: restore buffer ptr when bad response-line is parsed
This commit is contained in:
Kamil Dudka
parent
6402b496fc
commit
5dee6fb8b3
|
|
@ -0,0 +1,48 @@
|
|||
From 5815730864a2010872840bae24797983e892eb90 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Sat, 24 Mar 2018 23:47:41 +0100
|
||||
Subject: [PATCH 1/2] http: restore buffer pointer when bad response-line is
|
||||
parsed
|
||||
|
||||
... leaving the k->str could lead to buffer over-reads later on.
|
||||
|
||||
CVE: CVE-2018-1000301
|
||||
Assisted-by: Max Dymond
|
||||
|
||||
Detected by OSS-Fuzz.
|
||||
Bug: https://curl.haxx.se/docs/adv_2018-b138.html
|
||||
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
|
||||
|
||||
Upstream-commit: 8c7b3737d29ed5c0575bf592063de8a51450812d
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/http.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/http.c b/lib/http.c
|
||||
index 841f6cc..dc10f5f 100644
|
||||
--- a/lib/http.c
|
||||
+++ b/lib/http.c
|
||||
@@ -2966,6 +2966,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
|
||||
{
|
||||
CURLcode result;
|
||||
struct SingleRequest *k = &data->req;
|
||||
+ ssize_t onread = *nread;
|
||||
+ char *ostr = k->str;
|
||||
|
||||
/* header line within buffer loop */
|
||||
do {
|
||||
@@ -3030,7 +3032,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
|
||||
else {
|
||||
/* this was all we read so it's all a bad header */
|
||||
k->badheader = HEADER_ALLBAD;
|
||||
- *nread = (ssize_t)rest_length;
|
||||
+ *nread = onread;
|
||||
+ k->str = ostr;
|
||||
+ return CURLE_OK;
|
||||
}
|
||||
break;
|
||||
}
|
||||
--
|
||||
2.14.3
|
||||
|
||||
|
|
@ -1,13 +1,16 @@
|
|||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.59.0
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: MIT
|
||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||
|
||||
# ftp: fix typo in recursive callback detection for seeking
|
||||
Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch
|
||||
|
||||
# fix RTSP bad headers buffer over-read (CVE-2018-1000301)
|
||||
Patch2: 0002-curl-7.59.0-CVE-2018-1000301.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
|
|
@ -155,6 +158,7 @@ be installed.
|
|||
|
||||
# upstream patches
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
|
|
@ -300,6 +304,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Fri May 18 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-3
|
||||
- fix RTSP bad headers buffer over-read (CVE-2018-1000301)
|
||||
|
||||
* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-2
|
||||
- ftp: fix typo in recursive callback detection for seeking
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue