Resolves: CVE-2018-1000301 - http: restore buffer ptr when bad response-line is parsed
parent
6402b496fc
commit
5dee6fb8b3
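--- /dev/null
+++ b/0002-curl-7.59.0-CVE-2018-1000301.patch
@@ -0,0 +1,48 @@
+From 5815730864a2010872840bae24797983e892eb90 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH 1/2] http: restore buffer pointer when bad response-line is
+parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+
+CVE: CVE-2018-1000301
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+
+Upstream-commit: 8c7b3737d29ed5c0575bf592063de8a51450812d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/http.c | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 841f6cc..dc10f5f 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2966,6 +2966,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+{
+CURLcode result;
+struct SingleRequest *k = &data->req;
++ ssize_t onread = *nread;
++ char *ostr = k->str;
+
+/* header line within buffer loop */
+do {
+@@ -3030,7 +3032,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+else {
+/* this was all we read so it's all a bad header */
+k->badheader = HEADER_ALLBAD;
+- *nread = (ssize_t)rest_length;
++ *nread = onread;
++ k->str = ostr;
++ return CURLE_OK;
+}
+break;
+}
+--
+2.14.3
+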
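Review bot: The two snapshot variables added at the top of Curl_http_readwrite_headers, `onread` and `ostr`, carry the whole fix but have no comment tying them to the HEADER_ALLBAD branch that consumes them much further down. I would add `/* entry state of *nread and k->str, restored if the data turns out not to be a header at all */` above them, so a later edit does not move the snapshot below code that advances `k->str`. The new `return CURLE_OK;` also leaves the function from inside the header loop; the rest of the function and the other arm of this if/else lie outside the visible hunks, so whether that arm leaves `k->str` and `*nread` consistent cannot be judged from here and is worth confirming against the full file. The patch carries no regression test, as its diffstat lists only lib/http.c.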
@ -1,13 +1,16 @@
|
|||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.59.0
|
Version: 7.59.0
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||||
|
|
||||||
# ftp: fix typo in recursive callback detection for seeking
|
# ftp: fix typo in recursive callback detection for seeking
|
||||||
Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch
|
Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch
|
||||||
|
|
||||||
|
# fix RTSP bad headers buffer over-read (CVE-2018-1000301)
|
||||||
|
Patch2: 0002-curl-7.59.0-CVE-2018-1000301.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -155,6 +158,7 @@ be installed.
|
|||||||
|
|
||||||
# upstream patches
|
# upstream patches
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -300,6 +304,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri May 18 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-3
|
||||||
|
- fix RTSP bad headers buffer over-read (CVE-2018-1000301)
|
||||||
|
|
||||||
* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-2
|
* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-2
|
||||||
- ftp: fix typo in recursive callback detection for seeking
|
- ftp: fix typo in recursive callback detection for seeking
|
||||||
|
|
||||||
|