Resolves: CVE-2019-5435 - fix integer overflows in curl_url_set()
This commit is contained in:
parent
0ed971f14f
commit
7924399c12
267
0016-curl-7.64.0-CVE-2019-5435.patch
Normal file
267
0016-curl-7.64.0-CVE-2019-5435.patch
Normal file
@ -0,0 +1,267 @@
|
|||||||
|
From 1202a02142791b453110c8b922cb57c0b11380ce Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 29 Apr 2019 08:00:49 +0200
|
||||||
|
Subject: [PATCH] CURL_MAX_INPUT_LENGTH: largest acceptable string input size
|
||||||
|
|
||||||
|
This limits all accepted input strings passed to libcurl to be less than
|
||||||
|
CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
|
||||||
|
curl_easy_setopt() and curl_url_set().
|
||||||
|
|
||||||
|
The 8000000 number is arbitrary picked and is meant to detect mistakes
|
||||||
|
or abuse, not to limit actual practical use cases. By limiting the
|
||||||
|
acceptable string lengths we also reduce the risk of integer overflows
|
||||||
|
all over.
|
||||||
|
|
||||||
|
NOTE: This does not apply to `CURLOPT_POSTFIELDS`.
|
||||||
|
|
||||||
|
Test 1559 verifies.
|
||||||
|
|
||||||
|
Closes #3805
|
||||||
|
|
||||||
|
Upstream-commit: 5fc28510a4664f46459d9a40187d81cc08571e60
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/setopt.c | 7 ++++
|
||||||
|
lib/urlapi.c | 8 ++++
|
||||||
|
lib/urldata.h | 4 ++
|
||||||
|
tests/data/Makefile.inc | 2 +-
|
||||||
|
tests/data/test1559 | 44 +++++++++++++++++++++
|
||||||
|
tests/libtest/Makefile.inc | 6 ++-
|
||||||
|
tests/libtest/lib1559.c | 78 ++++++++++++++++++++++++++++++++++++++
|
||||||
|
7 files changed, 146 insertions(+), 3 deletions(-)
|
||||||
|
create mode 100644 tests/data/test1559
|
||||||
|
create mode 100644 tests/libtest/lib1559.c
|
||||||
|
|
||||||
|
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||||
|
index d98ca66..95e9fcb 100644
|
||||||
|
--- a/lib/setopt.c
|
||||||
|
+++ b/lib/setopt.c
|
||||||
|
@@ -60,6 +60,13 @@ CURLcode Curl_setstropt(char **charp, const char *s)
|
||||||
|
if(s) {
|
||||||
|
char *str = strdup(s);
|
||||||
|
|
||||||
|
+ if(str) {
|
||||||
|
+ size_t len = strlen(str);
|
||||||
|
+ if(len > CURL_MAX_INPUT_LENGTH) {
|
||||||
|
+ free(str);
|
||||||
|
+ return CURLE_BAD_FUNCTION_ARGUMENT;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
if(!str)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
|
||||||
|
diff --git a/lib/urlapi.c b/lib/urlapi.c
|
||||||
|
index 3af8e93..39af964 100644
|
||||||
|
--- a/lib/urlapi.c
|
||||||
|
+++ b/lib/urlapi.c
|
||||||
|
@@ -648,6 +648,10 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags)
|
||||||
|
************************************************************/
|
||||||
|
/* allocate scratch area */
|
||||||
|
urllen = strlen(url);
|
||||||
|
+ if(urllen > CURL_MAX_INPUT_LENGTH)
|
||||||
|
+ /* excessive input length */
|
||||||
|
+ return CURLUE_MALFORMED_INPUT;
|
||||||
|
+
|
||||||
|
path = u->scratch = malloc(urllen * 2 + 2);
|
||||||
|
if(!path)
|
||||||
|
return CURLUE_OUT_OF_MEMORY;
|
||||||
|
@@ -1278,6 +1282,10 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what,
|
||||||
|
const char *newp = part;
|
||||||
|
size_t nalloc = strlen(part);
|
||||||
|
|
||||||
|
+ if(nalloc > CURL_MAX_INPUT_LENGTH)
|
||||||
|
+ /* excessive input length */
|
||||||
|
+ return CURLUE_MALFORMED_INPUT;
|
||||||
|
+
|
||||||
|
if(urlencode) {
|
||||||
|
const char *i;
|
||||||
|
char *o;
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index ff3cc9a..d4a5ad8 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -79,6 +79,10 @@
|
||||||
|
*/
|
||||||
|
#define RESP_TIMEOUT (120*1000)
|
||||||
|
|
||||||
|
+/* Max string intput length is a precaution against abuse and to detect junk
|
||||||
|
+ input easier and better. */
|
||||||
|
+#define CURL_MAX_INPUT_LENGTH 8000000
|
||||||
|
+
|
||||||
|
#include "cookie.h"
|
||||||
|
#include "psl.h"
|
||||||
|
#include "formdata.h"
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index 3d13e3a..9ae1c6b 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -176,7 +176,7 @@ test1525 test1526 test1527 test1528 test1529 test1530 test1531 test1532 \
|
||||||
|
test1533 test1534 test1535 test1536 test1537 test1538 \
|
||||||
|
test1540 \
|
||||||
|
test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \
|
||||||
|
-test1558 test1560 test1561 test1562 \
|
||||||
|
+test1558 test1559 test1560 test1561 test1562 \
|
||||||
|
\
|
||||||
|
test1590 test1591 test1592 \
|
||||||
|
\
|
||||||
|
diff --git a/tests/data/test1559 b/tests/data/test1559
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..cbed6fb
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test1559
|
||||||
|
@@ -0,0 +1,44 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+CURLOPT_URL
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+<reply>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+none
|
||||||
|
+</server>
|
||||||
|
+
|
||||||
|
+# require HTTP so that CURLOPT_POSTFIELDS works as assumed
|
||||||
|
+<features>
|
||||||
|
+http
|
||||||
|
+</features>
|
||||||
|
+<tool>
|
||||||
|
+lib1559
|
||||||
|
+</tool>
|
||||||
|
+
|
||||||
|
+<name>
|
||||||
|
+Set excessive URL lengths
|
||||||
|
+</name>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify that the test runs to completion without crashing
|
||||||
|
+<verify>
|
||||||
|
+<errorcode>
|
||||||
|
+0
|
||||||
|
+</errorcode>
|
||||||
|
+<stdout>
|
||||||
|
+CURLOPT_URL 10000000 bytes URL == 43
|
||||||
|
+CURLOPT_POSTFIELDS 10000000 bytes data == 0
|
||||||
|
+CURLUPART_URL 10000000 bytes URL == 3
|
||||||
|
+CURLUPART_SCHEME 10000000 bytes scheme == 3
|
||||||
|
+CURLUPART_USER 10000000 bytes user == 3
|
||||||
|
+</stdout>
|
||||||
|
+</verify>
|
||||||
|
+
|
||||||
|
+</testcase>
|
||||||
|
diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
|
||||||
|
index 9270822..62e6c20 100644
|
||||||
|
--- a/tests/libtest/Makefile.inc
|
||||||
|
+++ b/tests/libtest/Makefile.inc
|
||||||
|
@@ -30,8 +30,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \
|
||||||
|
lib1534 lib1535 lib1536 lib1537 lib1538 \
|
||||||
|
lib1540 \
|
||||||
|
lib1550 lib1551 lib1552 lib1553 lib1554 lib1555 lib1556 lib1557 \
|
||||||
|
- lib1558 \
|
||||||
|
- lib1560 \
|
||||||
|
+ lib1558 lib1559 lib1560 \
|
||||||
|
lib1591 lib1592 \
|
||||||
|
lib1900 \
|
||||||
|
lib2033
|
||||||
|
@@ -520,6 +519,9 @@ lib1557_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1557
|
||||||
|
lib1558_SOURCES = lib1558.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||||
|
lib1558_LDADD = $(TESTUTIL_LIBS)
|
||||||
|
|
||||||
|
+lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||||
|
+lib1559_LDADD = $(TESTUTIL_LIBS)
|
||||||
|
+
|
||||||
|
lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||||
|
lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
|
||||||
|
lib1560_LDADD = $(TESTUTIL_LIBS)
|
||||||
|
diff --git a/tests/libtest/lib1559.c b/tests/libtest/lib1559.c
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..2aa3615
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/libtest/lib1559.c
|
||||||
|
@@ -0,0 +1,78 @@
|
||||||
|
+/***************************************************************************
|
||||||
|
+ * _ _ ____ _
|
||||||
|
+ * Project ___| | | | _ \| |
|
||||||
|
+ * / __| | | | |_) | |
|
||||||
|
+ * | (__| |_| | _ <| |___
|
||||||
|
+ * \___|\___/|_| \_\_____|
|
||||||
|
+ *
|
||||||
|
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
+ *
|
||||||
|
+ * This software is licensed as described in the file COPYING, which
|
||||||
|
+ * you should have received as part of this distribution. The terms
|
||||||
|
+ * are also available at https://curl.haxx.se/docs/copyright.html.
|
||||||
|
+ *
|
||||||
|
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
||||||
|
+ * copies of the Software, and permit persons to whom the Software is
|
||||||
|
+ * furnished to do so, under the terms of the COPYING file.
|
||||||
|
+ *
|
||||||
|
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
||||||
|
+ * KIND, either express or implied.
|
||||||
|
+ *
|
||||||
|
+ ***************************************************************************/
|
||||||
|
+#include "test.h"
|
||||||
|
+
|
||||||
|
+#include "testutil.h"
|
||||||
|
+#include "warnless.h"
|
||||||
|
+#include "memdebug.h"
|
||||||
|
+
|
||||||
|
+#define EXCESSIVE 10*1000*1000
|
||||||
|
+int test(char *URL)
|
||||||
|
+{
|
||||||
|
+ CURLcode res = 0;
|
||||||
|
+ CURL *curl = NULL;
|
||||||
|
+ char *longurl = malloc(EXCESSIVE);
|
||||||
|
+ CURLU *u;
|
||||||
|
+ (void)URL;
|
||||||
|
+
|
||||||
|
+ memset(longurl, 'a', EXCESSIVE);
|
||||||
|
+ longurl[EXCESSIVE-1] = 0;
|
||||||
|
+
|
||||||
|
+ global_init(CURL_GLOBAL_ALL);
|
||||||
|
+ easy_init(curl);
|
||||||
|
+
|
||||||
|
+ res = curl_easy_setopt(curl, CURLOPT_URL, longurl);
|
||||||
|
+ printf("CURLOPT_URL %d bytes URL == %d\n",
|
||||||
|
+ EXCESSIVE, (int)res);
|
||||||
|
+
|
||||||
|
+ res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, longurl);
|
||||||
|
+ printf("CURLOPT_POSTFIELDS %d bytes data == %d\n",
|
||||||
|
+ EXCESSIVE, (int)res);
|
||||||
|
+
|
||||||
|
+ u = curl_url();
|
||||||
|
+ if(u) {
|
||||||
|
+ CURLUcode uc = curl_url_set(u, CURLUPART_URL, longurl, 0);
|
||||||
|
+ printf("CURLUPART_URL %d bytes URL == %d\n",
|
||||||
|
+ EXCESSIVE, (int)uc);
|
||||||
|
+ uc = curl_url_set(u, CURLUPART_SCHEME, longurl, CURLU_NON_SUPPORT_SCHEME);
|
||||||
|
+ printf("CURLUPART_SCHEME %d bytes scheme == %d\n",
|
||||||
|
+ EXCESSIVE, (int)uc);
|
||||||
|
+ uc = curl_url_set(u, CURLUPART_USER, longurl, 0);
|
||||||
|
+ printf("CURLUPART_USER %d bytes user == %d\n",
|
||||||
|
+ EXCESSIVE, (int)uc);
|
||||||
|
+ curl_url_cleanup(u);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ free(longurl);
|
||||||
|
+
|
||||||
|
+ curl_easy_cleanup(curl);
|
||||||
|
+ curl_global_cleanup();
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+test_cleanup:
|
||||||
|
+
|
||||||
|
+ curl_easy_cleanup(curl);
|
||||||
|
+ curl_global_cleanup();
|
||||||
|
+
|
||||||
|
+ return res; /* return the final return code */
|
||||||
|
+}
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
11
curl.spec
11
curl.spec
@ -1,7 +1,7 @@
|
|||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.64.0
|
Version: 7.64.0
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||||
|
|
||||||
@ -20,6 +20,9 @@ Patch4: 0004-curl-7.64.0-spurious-resolver-error.patch
|
|||||||
# remove verbose "Expire in" ... messages (#1690971)
|
# remove verbose "Expire in" ... messages (#1690971)
|
||||||
Patch5: 0005-curl-7.64.0-expire-in-verbose-msgs.patch
|
Patch5: 0005-curl-7.64.0-expire-in-verbose-msgs.patch
|
||||||
|
|
||||||
|
# fix integer overflows in curl_url_set() (CVE-2019-5435)
|
||||||
|
Patch16: 0016-curl-7.64.0-CVE-2019-5435.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -194,6 +197,9 @@ be installed.
|
|||||||
%patch104 -p1
|
%patch104 -p1
|
||||||
%patch105 -p1
|
%patch105 -p1
|
||||||
|
|
||||||
|
# upstream patches
|
||||||
|
%patch16 -p1
|
||||||
|
|
||||||
# make tests/*.py use Python 3
|
# make tests/*.py use Python 3
|
||||||
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
|
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
|
||||||
|
|
||||||
@ -353,6 +359,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed May 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-7
|
||||||
|
- fix integer overflows in curl_url_set() (CVE-2019-5435)
|
||||||
|
|
||||||
* Mon Mar 25 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-6
|
* Mon Mar 25 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-6
|
||||||
- remove verbose "Expire in" ... messages (#1690971)
|
- remove verbose "Expire in" ... messages (#1690971)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user