Resolves: CVE-2018-14618 - fix NTLM password overflow via integer overflow
This commit is contained in:
parent
503408095b
commit
5f4e92def3
72
0008-curl-7.59.0-CVE-2018-14618.patch
Normal file
72
0008-curl-7.59.0-CVE-2018-14618.patch
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
From 114b31ab5b7e6965b629697020a7ce4b6cea340e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 13 Aug 2018 10:35:52 +0200
|
||||||
|
Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password
|
||||||
|
|
||||||
|
... since it would cause an integer overflow if longer than (max size_t
|
||||||
|
/ 2).
|
||||||
|
|
||||||
|
This is CVE-2018-14618
|
||||||
|
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
|
||||||
|
Closes #2756
|
||||||
|
Reported-by: Zhaoyang Wu
|
||||||
|
|
||||||
|
Upstream-commit: 57d299a499155d4b327e341c6024e293b0418243
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/curl_ntlm_core.c | 23 +++++++++++++----------
|
||||||
|
1 file changed, 13 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
|
||||||
|
index e896276..e5c785d 100644
|
||||||
|
--- a/lib/curl_ntlm_core.c
|
||||||
|
+++ b/lib/curl_ntlm_core.c
|
||||||
|
@@ -143,6 +143,15 @@
|
||||||
|
#define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00"
|
||||||
|
#define NTLMv2_BLOB_LEN (44 -16 + ntlm->target_info_len + 4)
|
||||||
|
|
||||||
|
+#ifndef SIZE_T_MAX
|
||||||
|
+/* some limits.h headers have this defined, some don't */
|
||||||
|
+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
|
||||||
|
+#define SIZE_T_MAX 18446744073709551615U
|
||||||
|
+#else
|
||||||
|
+#define SIZE_T_MAX 4294967295U
|
||||||
|
+#endif
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Turns a 56-bit key into being 64-bit wide.
|
||||||
|
*/
|
||||||
|
@@ -557,8 +566,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data,
|
||||||
|
unsigned char *ntbuffer /* 21 bytes */)
|
||||||
|
{
|
||||||
|
size_t len = strlen(password);
|
||||||
|
- unsigned char *pw = len ? malloc(len * 2) : strdup("");
|
||||||
|
+ unsigned char *pw;
|
||||||
|
CURLcode result;
|
||||||
|
+ if(len > SIZE_T_MAX/2) /* avoid integer overflow */
|
||||||
|
+ return CURLE_OUT_OF_MEMORY;
|
||||||
|
+ pw = len ? malloc(len * 2) : strdup("");
|
||||||
|
if(!pw)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
|
||||||
|
@@ -646,15 +658,6 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
|
||||||
|
return CURLE_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
-#ifndef SIZE_T_MAX
|
||||||
|
-/* some limits.h headers have this defined, some don't */
|
||||||
|
-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
|
||||||
|
-#define SIZE_T_MAX 18446744073709551615U
|
||||||
|
-#else
|
||||||
|
-#define SIZE_T_MAX 4294967295U
|
||||||
|
-#endif
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
|
||||||
|
* (uppercase UserName + Domain) as the data
|
||||||
|
*/
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
@ -26,6 +26,9 @@ Patch6: 0006-curl-7.59.0-pkcs11.patch
|
|||||||
# scp/sftp: fix infinite connect loop on invalid private key (#1595135)
|
# scp/sftp: fix infinite connect loop on invalid private key (#1595135)
|
||||||
Patch7: 0007-curl-7.61.0-libssh.patch
|
Patch7: 0007-curl-7.61.0-libssh.patch
|
||||||
|
|
||||||
|
# fix NTLM password overflow via integer overflow (CVE-2018-14618)
|
||||||
|
Patch8: 0008-curl-7.59.0-CVE-2018-14618.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -183,6 +186,7 @@ be installed.
|
|||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
|
%patch8 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -330,6 +334,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Sep 05 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-7
|
* Wed Sep 05 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-7
|
||||||
|
- fix NTLM password overflow via integer overflow (CVE-2018-14618)
|
||||||
- tests: make ssh-keygen always produce PEM format (#1622594)
|
- tests: make ssh-keygen always produce PEM format (#1622594)
|
||||||
- scp/sftp: fix infinite connect loop on invalid private key (#1595135)
|
- scp/sftp: fix infinite connect loop on invalid private key (#1595135)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user