fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174)
This commit is contained in:
Kamil Dudka
parent
69ef39f2c9
commit
70c740ceef
43
0012-curl-7.24.0-192c4f78.patch
Normal file
43
0012-curl-7.24.0-192c4f78.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From 25089c2c69028f0549facf93f7bdbf7344277f09 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Sun, 19 May 2013 23:24:29 +0200
|
||||
Subject: [PATCH] Curl_urldecode: no peeking beyond end of input buffer
|
||||
|
||||
Security problem: CVE-2013-2174
|
||||
|
||||
If a program would give a string like "%FF" to curl_easy_unescape() but
|
||||
ask for it to decode only the first byte, it would still parse and
|
||||
decode the full hex sequence. The function then not only read beyond the
|
||||
allowed buffer but it would also deduct the *unsigned* counter variable
|
||||
for how many more bytes there's left to read in the buffer by two,
|
||||
making the counter wrap. Continuing this, the function would go on
|
||||
reading beyond the buffer and soon writing beyond the allocated target
|
||||
buffer...
|
||||
|
||||
Bug: http://curl.haxx.se/docs/adv_20130622.html
|
||||
Reported-by: Timo Sirainen
|
||||
|
||||
[upstream commit 192c4f788d48f82c03e9cef40013f34370e90737]
|
||||
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/escape.c | 3 ++-
|
||||
1 files changed, 2 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/lib/escape.c b/lib/escape.c
|
||||
index 6a26cf8..a567edb 100644
|
||||
--- a/lib/escape.c
|
||||
+++ b/lib/escape.c
|
||||
@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data,
|
||||
|
||||
while(--alloc > 0) {
|
||||
in = *string;
|
||||
- if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
|
||||
+ if(('%' == in) && (alloc > 2) &&
|
||||
+ ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
|
||||
/* this is two hexadecimal digits following a '%' */
|
||||
char hexstr[3];
|
||||
char *ptr;
|
||||
--
|
||||
1.7.1
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.24.0
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
License: MIT
|
||||
Group: Applications/Internet
|
||||
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
|
||||
@ -41,6 +41,9 @@ Patch10: 0010-curl-7.24.0-b37b5233.patch
|
||||
# switch SSL socket into non-blocking mode after handshake (#960765)
|
||||
Patch11: 0011-curl-7.24.0-9d0af301.patch
|
||||
|
||||
# fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174)
|
||||
Patch12: 0012-curl-7.24.0-192c4f78.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.21.1-multilib.patch
|
||||
|
||||
@ -151,6 +154,7 @@ done
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
@ -264,6 +268,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_datadir}/aclocal/libcurl.m4
|
||||
|
||||
%changelog
|
||||
* Sat Jun 22 2013 Kamil Dudka <kdudka@redhat.com> 7.24.0-10
|
||||
- fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174)
|
||||
|
||||
* Thu May 09 2013 Kamil Dudka <kdudka@redhat.com> 7.24.0-9
|
||||
- switch SSL socket into non-blocking mode after handshake (#960765)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user