Resolves: CVE-2018-14618 - fix NTLM password overflow via integer overflow
This commit is contained in:
parent
503408095b
commit
5f4e92def3
|
@ -0,0 +1,72 @@
|
|||
From 114b31ab5b7e6965b629697020a7ce4b6cea340e Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 13 Aug 2018 10:35:52 +0200
|
||||
Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password
|
||||
|
||||
... since it would cause an integer overflow if longer than (max size_t
|
||||
/ 2).
|
||||
|
||||
This is CVE-2018-14618
|
||||
|
||||
Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
|
||||
Closes #2756
|
||||
Reported-by: Zhaoyang Wu
|
||||
|
||||
Upstream-commit: 57d299a499155d4b327e341c6024e293b0418243
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/curl_ntlm_core.c | 23 +++++++++++++----------
|
||||
1 file changed, 13 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
|
||||
index e896276..e5c785d 100644
|
||||
--- a/lib/curl_ntlm_core.c
|
||||
+++ b/lib/curl_ntlm_core.c
|
||||
@@ -143,6 +143,15 @@
|
||||
#define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00"
|
||||
#define NTLMv2_BLOB_LEN (44 -16 + ntlm->target_info_len + 4)
|
||||
|
||||
+#ifndef SIZE_T_MAX
|
||||
+/* some limits.h headers have this defined, some don't */
|
||||
+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
|
||||
+#define SIZE_T_MAX 18446744073709551615U
|
||||
+#else
|
||||
+#define SIZE_T_MAX 4294967295U
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
* Turns a 56-bit key into being 64-bit wide.
|
||||
*/
|
||||
@@ -557,8 +566,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data,
|
||||
unsigned char *ntbuffer /* 21 bytes */)
|
||||
{
|
||||
size_t len = strlen(password);
|
||||
- unsigned char *pw = len ? malloc(len * 2) : strdup("");
|
||||
+ unsigned char *pw;
|
||||
CURLcode result;
|
||||
+ if(len > SIZE_T_MAX/2) /* avoid integer overflow */
|
||||
+ return CURLE_OUT_OF_MEMORY;
|
||||
+ pw = len ? malloc(len * 2) : strdup("");
|
||||
if(!pw)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
@@ -646,15 +658,6 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
|
||||
return CURLE_OK;
|
||||
}
|
||||
|
||||
-#ifndef SIZE_T_MAX
|
||||
-/* some limits.h headers have this defined, some don't */
|
||||
-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
|
||||
-#define SIZE_T_MAX 18446744073709551615U
|
||||
-#else
|
||||
-#define SIZE_T_MAX 4294967295U
|
||||
-#endif
|
||||
-#endif
|
||||
-
|
||||
/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
|
||||
* (uppercase UserName + Domain) as the data
|
||||
*/
|
||||
--
|
||||
2.17.1
|
||||
|
|
@ -26,6 +26,9 @@ Patch6: 0006-curl-7.59.0-pkcs11.patch
|
|||
# scp/sftp: fix infinite connect loop on invalid private key (#1595135)
|
||||
Patch7: 0007-curl-7.61.0-libssh.patch
|
||||
|
||||
# fix NTLM password overflow via integer overflow (CVE-2018-14618)
|
||||
Patch8: 0008-curl-7.59.0-CVE-2018-14618.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
|
@ -183,6 +186,7 @@ be installed.
|
|||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
|
@ -330,6 +334,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||
|
||||
%changelog
|
||||
* Wed Sep 05 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-7
|
||||
- fix NTLM password overflow via integer overflow (CVE-2018-14618)
|
||||
- tests: make ssh-keygen always produce PEM format (#1622594)
|
||||
- scp/sftp: fix infinite connect loop on invalid private key (#1595135)
|
||||
|
||||
|
|
Loading…
Reference in New Issue