From 5dee6fb8b33f1ef9ea84f54394da4aaee390ed25 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Fri, 18 May 2018 16:17:51 +0200
Subject: [PATCH] Resolves: CVE-2018-1000301 - http: restore buffer ptr when bad response-line is parsed
---
 0002-curl-7.59.0-CVE-2018-1000301.patch | 48 +++++++++++++++++++++++++
 curl.spec | 9 ++++-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 0002-curl-7.59.0-CVE-2018-1000301.patch
diff --git a/0002-curl-7.59.0-CVE-2018-1000301.patch b/0002-curl-7.59.0-CVE-2018-1000301.patch
new file mode 100644
index 0000000..b733979
--- /dev/null
+++ b/0002-curl-7.59.0-CVE-2018-1000301.patch
@@ -0,0 +1,48 @@
+From 5815730864a2010872840bae24797983e892eb90 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH 1/2] http: restore buffer pointer when bad response-line is
+ parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+
+CVE: CVE-2018-1000301
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+
+Upstream-commit: 8c7b3737d29ed5c0575bf592063de8a51450812d
+Signed-off-by: Kamil Dudka
+---
+ lib/http.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 841f6cc..dc10f5f 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2966,6 +2966,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ {
+ CURLcode result;
+ struct SingleRequest *k = &data->req;
++ ssize_t onread = *nread;
++ char *ostr = k->str;
+
+ /* header line within buffer loop */
+ do {
+@@ -3030,7 +3032,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ else {
+ /* this was all we read so it's all a bad header */
+ k->badheader = HEADER_ALLBAD;
+- *nread = (ssize_t)rest_length;
++ *nread = onread;
++ k->str = ostr;
++ return CURLE_OK;
+ }
+ break;
+ }
+-- 
+2.14.3
+
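Review bot: The `else` branch now returns CURLE_OK right after `*nread = onread;` and `k->str = ostr;`, with `k->badheader = HEADER_ALLBAD` still set, so the rewound buffer is presumably handed back to the caller as non-header data; that contract lives outside this hunk, and a comment at the restore point would make it explicit for future rebases, e.g. `/* rewind to the original buffer state and let the caller consume it as a whole */`. Curl_http_readwrite_headers starts and ends outside the hunk, so the early return also skips whatever follows the do/while loop on this path; that looks intentional for the all-bad case but is worth confirming against the rest of the function. The embedded header reads `[PATCH 1/2]`, which suggests a companion upstream change (possibly a test) that the spec does not carry; if it was dropped deliberately, one line saying so in the patch description would save the next maintainer from hunting for it.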
diff --git a/curl.spec b/curl.spec
index d722f07..4bdc523 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,13 +1,16 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.59.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
 # ftp: fix typo in recursive callback detection for seeking
 Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch
 
+# fix RTSP bad headers buffer over-read (CVE-2018-1000301)
+Patch2: 0002-curl-7.59.0-CVE-2018-1000301.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -155,6 +158,7 @@ be installed.
 
 # upstream patches
 %patch1 -p1
+%patch2 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -300,6 +304,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Fri May 18 2018 Kamil Dudka - 7.59.0-3
+- fix RTSP bad headers buffer over-read (CVE-2018-1000301)
+
 * Wed Mar 14 2018 Kamil Dudka - 7.59.0-2
 - ftp: fix typo in recursive callback detection for seeking