Resolves: CVE-2018-1000300 - fix FTP shutdown response buffer overflow
parent
5dee6fb8b3
commit
73d6b73380
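--- /dev/null
+++ b/0003-curl-7.59.0-CVE-2018-1000300.patch
@@ -0,0 +1,39 @@
+From 9b757a9a431f6859807d9f6e697cc2d2a120098d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 23 Mar 2018 23:30:04 +0100
+Subject: [PATCH 2/2] pingpong: fix response cache memcpy overflow
+
+Response data for a handle with a large buffer might be cached and then
+used with the "closure" handle when it has a smaller buffer and then the
+larger cache will be copied and overflow the new smaller heap based
+buffer.
+
+Reported-by: Dario Weisser
+CVE: CVE-2018-1000300
+Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
+
+Upstream-commit: 583b42cb3b809b1bf597af160468ccba728c2248
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/pingpong.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/pingpong.c b/lib/pingpong.c
+index 438856a..ad370ee 100644
+--- a/lib/pingpong.c
++++ b/lib/pingpong.c
+@@ -304,7 +304,10 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
+* it would have been populated with something of size int to begin
+* with, even though its datatype may be larger than an int.
+*/
+- DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1));
++ if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) {
++ failf(data, "cached response data too big to handle");
++ return CURLE_RECV_ERROR;
++ }
+memcpy(ptr, pp->cache, pp->cache_size);
+gotbytes = (ssize_t)pp->cache_size;
+free(pp->cache); /* free the cache */
+--
+2.14.3
+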
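Review bot: The new guard in Curl_pp_readresp still computes `ptr + pp->cache_size` before comparing. When the cache is larger than the destination, that sum already points past the buffer, which C leaves undefined and an optimising compiler may simplify away. Comparing lengths keeps the arithmetic in range, assuming ptr never sits beyond the end of buf: `if(pp->cache_size > (size_t)((buf + data->set.buffer_size + 1) - ptr)) {`. The error path also returns before `free(pp->cache)`, so the oversized cache presumably stays attached to pp until the connection is torn down; that cleanup is not visible here and is worth confirming. The function body starts and ends outside the hunk, so the `+ 1` allowance cannot be checked against the allocation size from this page.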
@ -11,6 +11,9 @@ Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch
|
|||||||
# fix RTSP bad headers buffer over-read (CVE-2018-1000301)
|
# fix RTSP bad headers buffer over-read (CVE-2018-1000301)
|
||||||
Patch2: 0002-curl-7.59.0-CVE-2018-1000301.patch
|
Patch2: 0002-curl-7.59.0-CVE-2018-1000301.patch
|
||||||
|
|
||||||
|
# fix FTP shutdown response buffer overflow (CVE-2018-1000300)
|
||||||
|
Patch3: 0003-curl-7.59.0-CVE-2018-1000300.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -159,6 +162,7 @@ be installed.
|
|||||||
# upstream patches
|
# upstream patches
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -305,6 +309,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri May 18 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-3
|
* Fri May 18 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-3
|
||||||
|
- fix FTP shutdown response buffer overflow (CVE-2018-1000300)
|
||||||
- fix RTSP bad headers buffer over-read (CVE-2018-1000301)
|
- fix RTSP bad headers buffer over-read (CVE-2018-1000301)
|
||||||
|
|
||||||
* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-2
|
* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-2
|
||||||
|