From 70c740ceefedb82d008f584106b6cd7b2a6b75ce Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Sat, 22 Jun 2013 23:05:15 +0200 Subject: [PATCH] fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174) --- 0012-curl-7.24.0-192c4f78.patch | 43 +++++++++++++++++++++++++++++++++ curl.spec | 9 ++++++- 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 0012-curl-7.24.0-192c4f78.patch diff --git a/0012-curl-7.24.0-192c4f78.patch b/0012-curl-7.24.0-192c4f78.patch new file mode 100644 index 0000000..299f386 --- /dev/null +++ b/0012-curl-7.24.0-192c4f78.patch 
@@ -0,0 +1,43 @@ +From 25089c2c69028f0549facf93f7bdbf7344277f09 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 19 May 2013 23:24:29 +0200 +Subject: [PATCH] Curl_urldecode: no peeking beyond end of input buffer + +Security problem: CVE-2013-2174 + +If a program would give a string like "%FF" to curl_easy_unescape() but +ask for it to decode only the first byte, it would still parse and +decode the full hex sequence. The function then not only read beyond the +allowed buffer but it would also deduct the *unsigned* counter variable +for how many more bytes there's left to read in the buffer by two, +making the counter wrap. Continuing this, the function would go on +reading beyond the buffer and soon writing beyond the allocated target +buffer... + +Bug: http://curl.haxx.se/docs/adv_20130622.html +Reported-by: Timo Sirainen + +[upstream commit 192c4f788d48f82c03e9cef40013f34370e90737] + +Signed-off-by: Kamil Dudka +--- + lib/escape.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +diff --git a/lib/escape.c b/lib/escape.c +index 6a26cf8..a567edb 100644 +--- a/lib/escape.c ++++ b/lib/escape.c +@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data, + + while(--alloc > 0) { + in = *string; +- if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { ++ if(('%' == in) && (alloc > 2) && ++ ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { + /* this is two hexadecimal digits following a '%' */ + char hexstr[3]; + char *ptr; +-- +1.7.1 + diff --git a/curl.spec b/curl.spec index 6922763..3fbd87f 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.24.0 -Release: 9%{?dist} +Release: 10%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma 
@@ -41,6 +41,9 @@ Patch10: 0010-curl-7.24.0-b37b5233.patch # switch SSL socket into non-blocking mode after handshake (#960765) Patch11: 0011-curl-7.24.0-9d0af301.patch +# fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174) +Patch12: 0012-curl-7.24.0-192c4f78.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.21.1-multilib.patch @@ -151,6 +154,7 @@ done %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 # Fedora patches %patch101 -p1 @@ -264,6 +268,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Sat Jun 22 2013 Kamil Dudka 7.24.0-10 +- fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174) + * Thu May 09 2013 Kamil Dudka 7.24.0-9 - switch SSL socket into non-blocking mode after handshake (#960765)
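Review bot: in the embedded `lib/escape.c` hunk of the new 0012 patch file, the added `(alloc > 2)` test is correctly ordered before the `ISXDIGIT(string[1])` and `ISXDIGIT(string[2])` peeks, so `&&` short-circuiting prevents the reads past the end of the input that the commit message describes. Because the loop header `while(--alloc > 0)` has already decremented the counter when the condition is evaluated, `alloc > 2` means at least three bytes remain (the `%` and both hex digits), which is also what keeps the later deduction of two from the unsigned counter, mentioned in the commit message, from wrapping. The off-by-one reasoning around the pre-decrement is easy to misread, so a one-line comment stating the invariant (that `alloc` counts the bytes still unread, including the current one) next to the new condition would make the fix self-explaining; the rest of the line is unchanged apart from being split across two lines.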
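Review bot: the new `%changelog` entry in the last curl.spec hunk records only the CVE id, while the entry directly below it also carries the tracking bug in `(#960765)` form; adding the corresponding Bugzilla number for this fix as `(#NNNNNN)` (placeholder, the real id is not in this patch) would keep the changelog consistent and make the backport traceable from the bug tracker. Otherwise the spec changes agree with each other: `Patch12:` is declared right after `Patch11:` with a comment matching the changelog line, `%patch12 -p1` is applied in the upstream-patch block ahead of the Fedora-specific `%patch101`, the patch file name carries the upstream short hash `192c4f78` quoted in the embedded commit message, and `Release:` is bumped from 9 to 10 to match the `7.24.0-10` changelog header.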