Resolves: CVE-2018-16842 - fix bad arethmetic when outputting warnings to stderr

Use `git apply` to apply the patch because `patch` would fail with:

File tests/data/test2080: git binary diffs are not supported.
This commit is contained in:
Kamil Dudka 2018-11-01 09:45:48 +01:00
parent 9be316eea1
commit 7576775e08
2 changed files with 91 additions and 1 deletions

View File

@ -0,0 +1,81 @@
From 27d6c92acdac671ddf8f77f72956b2181561f774 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 28 Oct 2018 01:33:23 +0200
Subject: [PATCH 1/2] voutf: fix bad arethmetic when outputting warnings to
stderr
CVE-2018-16842
Reported-by: Brian Carpenter
Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
Upstream-commit: d530e92f59ae9bb2d47066c3c460b25d2ffeb211
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
src/tool_msgs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tool_msgs.c b/src/tool_msgs.c
index 9cce806..05bec39 100644
--- a/src/tool_msgs.c
+++ b/src/tool_msgs.c
@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *config,
(void)fwrite(ptr, cut + 1, 1, config->errors);
fputs("\n", config->errors);
ptr += cut + 1; /* skip the space too */
- len -= cut;
+ len -= cut + 1;
}
else {
fputs(ptr, config->errors);
--
2.17.2
From 23f8c641b02e6c302d0e8cc5a5ee225a33b01f28 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 28 Oct 2018 10:43:57 +0100
Subject: [PATCH 2/2] test2080: verify the fix for CVE-2018-16842
Upstream-commit: 350306e4726b71b5b386fc30e3fecc039a807157
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
tests/data/Makefile.inc | 4 ++--
tests/data/test2080 | Bin 0 -> 20659 bytes
2 files changed, 2 insertions(+), 2 deletions(-)
create mode 100644 tests/data/test2080
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index e045748..aa5fff0 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -198,7 +198,7 @@ test2048 test2049 test2050 test2051 test2052 test2053 test2054 test2055 \
test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \
test2064 test2065 test2066 test2067 test2068 test2069 \
\
-test2070 test2071 test2072 test2073 \
-test2074 test2075 \
+test2070 test2071 test2072 test2073 test2074 test2075 \
+test2080 \
\
test3000 test3001
diff --git a/tests/data/test2080 b/tests/data/test2080
new file mode 100644
index 0000000000000000000000000000000000000000..47e376ecb5d7879c0a98e392bff48ccc52e9db0a
GIT binary patch
literal 20659
zcmeI)Pj3@35QkyT{uI*`iBshYE(n>u@JB+F3kdG+t~asjwJY0gl}``eO+)FONU8ef
zl6Ca+%<OZ|nCeRHZE>A4K8~q<UAgUD%0ubY=PwtZRG;GL*UIRJ-;Lfy)u}p_A1>dz
zd{+G6l*#ToY+DU||F9%J1n*+KPxQ;7MapuoQ!&MMQSXmpqMh0_yS6g=;N;HNjilBk
zY$c?)mULZxib{;$g~jw~nrs|8b@sJI)_QmS_4(WLrNld}2Y0LEO$e>m->_NA&o$n!
z9^YDZ>cvMs2q1s}0tg_000PG)@a?$9VHyMwKmY**5I_I{1Q0m1z~!MEP#*yV5I_I{
z1Q0*~0R#|0009ILKmY**4ldvh-hl=PAb<b@2q1s}0tg`Rgaqum{m<+P&C93=Ab<b@
z2q1s}0tg_0z|jf3Ji3V(2mu5TK;StGoIK~3=iL!N0D=D{@VjlsoA=?(>-+Xw`j-8D
zzg+g?Rt8(G*s;1Sb>n1S94H%G<kGn)tFlRTrA%AW*RoyP3pi(fe!mc3WU^sQd2)l4
jB)+~1L0rx$OS-AbERTH}TH`mZ^*=|W_vMU!*i-li)g+9V
literal 0
HcmV?d00001
--
2.17.2

View File

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.61.1
Release: 3%{?dist}
Release: 4%{?dist}
License: MIT
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
@ -14,6 +14,11 @@ Patch2: 0002-curl-7.61.1-tlsv1.0-man.patch
# enable TLS 1.3 post-handshake auth in OpenSSL
Patch3: 0003-curl-7.61.1-TLS-1.3-PHA.patch
# fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842)
Patch4: 0004-curl-7.61.1-CVE-2018-16842.patch
# we need `git apply` to apply this patch
BuildRequires: git
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@ -175,6 +180,7 @@ be installed.
%patch1 -p1
%patch2 -p1
%patch3 -p1
git apply %{PATCH4}
# Fedora patches
%patch101 -p1
@ -341,6 +347,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
* Thu Nov 01 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-4
- fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842)
* Thu Oct 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-3
- enable TLS 1.3 post-handshake auth in OpenSSL
- update the documentation of --tlsv1.0 in curl(1) man page