From 73d6b73380f22edd6565e870ac6aa169c74b6e3f Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Fri, 18 May 2018 16:20:36 +0200
Subject: [PATCH] Resolves: CVE-2018-1000300 - fix FTP shutdown response buffer overflow
---
 0003-curl-7.59.0-CVE-2018-1000300.patch | 39 +++++++++++++++++++++++++
 curl.spec | 5 ++++
 2 files changed, 44 insertions(+)
 create mode 100644 0003-curl-7.59.0-CVE-2018-1000300.patch
diff --git a/0003-curl-7.59.0-CVE-2018-1000300.patch b/0003-curl-7.59.0-CVE-2018-1000300.patch
new file mode 100644
index 0000000..fb4d15b
--- /dev/null
+++ b/0003-curl-7.59.0-CVE-2018-1000300.patch
@@ -0,0 +1,39 @@
+From 9b757a9a431f6859807d9f6e697cc2d2a120098d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 23 Mar 2018 23:30:04 +0100
+Subject: [PATCH 2/2] pingpong: fix response cache memcpy overflow
+
+Response data for a handle with a large buffer might be cached and then
+used with the "closure" handle when it has a smaller buffer and then the
+larger cache will be copied and overflow the new smaller heap based
+buffer.
+
+Reported-by: Dario Weisser
+CVE: CVE-2018-1000300
+Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
+
+Upstream-commit: 583b42cb3b809b1bf597af160468ccba728c2248
+Signed-off-by: Kamil Dudka
+---
+ lib/pingpong.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/pingpong.c b/lib/pingpong.c
+index 438856a..ad370ee 100644
+--- a/lib/pingpong.c
++++ b/lib/pingpong.c
+@@ -304,7 +304,10 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
+ * it would have been populated with something of size int to begin
+ * with, even though its datatype may be larger than an int.
+ */
+- DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1));
++ if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) {
++ failf(data, "cached response data too big to handle");
++ return CURLE_RECV_ERROR;
++ }
+ memcpy(ptr, pp->cache, pp->cache_size);
+ gotbytes = (ssize_t)pp->cache_size;
+ free(pp->cache); /* free the cache */
+--
+2.14.3
+
diff --git a/curl.spec b/curl.spec
index 4bdc523..904ba10 100644
--- a/curl.spec
+++ b/curl.spec
@@ -11,6 +11,9 @@ Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch
 # fix RTSP bad headers buffer over-read (CVE-2018-1000301)
 Patch2: 0002-curl-7.59.0-CVE-2018-1000301.patch
+# fix FTP shutdown response buffer overflow (CVE-2018-1000300)
+Patch3: 0003-curl-7.59.0-CVE-2018-1000300.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
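Review bot: The guard the nested lib/pingpong.c hunk introduces still evaluates `ptr + pp->cache_size` before the comparison, and when the cache is larger than the remaining buffer that expression forms a pointer beyond one-past-the-end of the allocation, which is undefined behaviour in C and something an optimizer may reason away even though the memcpy itself is now skipped. Expressing the check as a length comparison keeps every pointer in range: `if(pp->cache_size > (size_t)(buf + data->set.buffer_size + 1 - ptr)) {`, assuming `buf` and `ptr` are `char *` into the same buffer as the memcpy below suggests. Whether `pp->cache` is released on this new early return cannot be seen here; if the disconnect path does not free it, the error return leaves the cache allocated, which is worth confirming against Curl_pp_readresp's callers. Curl_pp_readresp begins and ends outside the hunk, and this hunk is itself the content of a new patch file rather than a change applied to lib/pingpong.c in this commit.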
@@ -159,6 +162,7 @@ be installed.
 # upstream patches
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 # Fedora patches
 %patch101 -p1
@@ -305,6 +309,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %changelog
 * Fri May 18 2018 Kamil Dudka - 7.59.0-3
+- fix FTP shutdown response buffer overflow (CVE-2018-1000300)
 - fix RTSP bad headers buffer over-read (CVE-2018-1000301)
 * Wed Mar 14 2018 Kamil Dudka - 7.59.0-2