Resolves: CVE-2019-5435 - fix integer overflows in curl_url_set()
This commit is contained in:
parent
0ed971f14f
commit
7924399c12
267
0016-curl-7.64.0-CVE-2019-5435.patch
Normal file
267
0016-curl-7.64.0-CVE-2019-5435.patch
Normal file
@ -0,0 +1,267 @@
|
||||
From 1202a02142791b453110c8b922cb57c0b11380ce Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 29 Apr 2019 08:00:49 +0200
|
||||
Subject: [PATCH] CURL_MAX_INPUT_LENGTH: largest acceptable string input size
|
||||
|
||||
This limits all accepted input strings passed to libcurl to be less than
|
||||
CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
|
||||
curl_easy_setopt() and curl_url_set().
|
||||
|
||||
The 8000000 number is arbitrary picked and is meant to detect mistakes
|
||||
or abuse, not to limit actual practical use cases. By limiting the
|
||||
acceptable string lengths we also reduce the risk of integer overflows
|
||||
all over.
|
||||
|
||||
NOTE: This does not apply to `CURLOPT_POSTFIELDS`.
|
||||
|
||||
Test 1559 verifies.
|
||||
|
||||
Closes #3805
|
||||
|
||||
Upstream-commit: 5fc28510a4664f46459d9a40187d81cc08571e60
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/setopt.c | 7 ++++
|
||||
lib/urlapi.c | 8 ++++
|
||||
lib/urldata.h | 4 ++
|
||||
tests/data/Makefile.inc | 2 +-
|
||||
tests/data/test1559 | 44 +++++++++++++++++++++
|
||||
tests/libtest/Makefile.inc | 6 ++-
|
||||
tests/libtest/lib1559.c | 78 ++++++++++++++++++++++++++++++++++++++
|
||||
7 files changed, 146 insertions(+), 3 deletions(-)
|
||||
create mode 100644 tests/data/test1559
|
||||
create mode 100644 tests/libtest/lib1559.c
|
||||
|
||||
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||
index d98ca66..95e9fcb 100644
|
||||
--- a/lib/setopt.c
|
||||
+++ b/lib/setopt.c
|
||||
@@ -60,6 +60,13 @@ CURLcode Curl_setstropt(char **charp, const char *s)
|
||||
if(s) {
|
||||
char *str = strdup(s);
|
||||
|
||||
+ if(str) {
|
||||
+ size_t len = strlen(str);
|
||||
+ if(len > CURL_MAX_INPUT_LENGTH) {
|
||||
+ free(str);
|
||||
+ return CURLE_BAD_FUNCTION_ARGUMENT;
|
||||
+ }
|
||||
+ }
|
||||
if(!str)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
diff --git a/lib/urlapi.c b/lib/urlapi.c
|
||||
index 3af8e93..39af964 100644
|
||||
--- a/lib/urlapi.c
|
||||
+++ b/lib/urlapi.c
|
||||
@@ -648,6 +648,10 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags)
|
||||
************************************************************/
|
||||
/* allocate scratch area */
|
||||
urllen = strlen(url);
|
||||
+ if(urllen > CURL_MAX_INPUT_LENGTH)
|
||||
+ /* excessive input length */
|
||||
+ return CURLUE_MALFORMED_INPUT;
|
||||
+
|
||||
path = u->scratch = malloc(urllen * 2 + 2);
|
||||
if(!path)
|
||||
return CURLUE_OUT_OF_MEMORY;
|
||||
@@ -1278,6 +1282,10 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what,
|
||||
const char *newp = part;
|
||||
size_t nalloc = strlen(part);
|
||||
|
||||
+ if(nalloc > CURL_MAX_INPUT_LENGTH)
|
||||
+ /* excessive input length */
|
||||
+ return CURLUE_MALFORMED_INPUT;
|
||||
+
|
||||
if(urlencode) {
|
||||
const char *i;
|
||||
char *o;
|
||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||
index ff3cc9a..d4a5ad8 100644
|
||||
--- a/lib/urldata.h
|
||||
+++ b/lib/urldata.h
|
||||
@@ -79,6 +79,10 @@
|
||||
*/
|
||||
#define RESP_TIMEOUT (120*1000)
|
||||
|
||||
+/* Max string intput length is a precaution against abuse and to detect junk
|
||||
+ input easier and better. */
|
||||
+#define CURL_MAX_INPUT_LENGTH 8000000
|
||||
+
|
||||
#include "cookie.h"
|
||||
#include "psl.h"
|
||||
#include "formdata.h"
|
||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||
index 3d13e3a..9ae1c6b 100644
|
||||
--- a/tests/data/Makefile.inc
|
||||
+++ b/tests/data/Makefile.inc
|
||||
@@ -176,7 +176,7 @@ test1525 test1526 test1527 test1528 test1529 test1530 test1531 test1532 \
|
||||
test1533 test1534 test1535 test1536 test1537 test1538 \
|
||||
test1540 \
|
||||
test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \
|
||||
-test1558 test1560 test1561 test1562 \
|
||||
+test1558 test1559 test1560 test1561 test1562 \
|
||||
\
|
||||
test1590 test1591 test1592 \
|
||||
\
|
||||
diff --git a/tests/data/test1559 b/tests/data/test1559
|
||||
new file mode 100644
|
||||
index 0000000..cbed6fb
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test1559
|
||||
@@ -0,0 +1,44 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+CURLOPT_URL
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+<reply>
|
||||
+</reply>
|
||||
+
|
||||
+<client>
|
||||
+<server>
|
||||
+none
|
||||
+</server>
|
||||
+
|
||||
+# require HTTP so that CURLOPT_POSTFIELDS works as assumed
|
||||
+<features>
|
||||
+http
|
||||
+</features>
|
||||
+<tool>
|
||||
+lib1559
|
||||
+</tool>
|
||||
+
|
||||
+<name>
|
||||
+Set excessive URL lengths
|
||||
+</name>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify that the test runs to completion without crashing
|
||||
+<verify>
|
||||
+<errorcode>
|
||||
+0
|
||||
+</errorcode>
|
||||
+<stdout>
|
||||
+CURLOPT_URL 10000000 bytes URL == 43
|
||||
+CURLOPT_POSTFIELDS 10000000 bytes data == 0
|
||||
+CURLUPART_URL 10000000 bytes URL == 3
|
||||
+CURLUPART_SCHEME 10000000 bytes scheme == 3
|
||||
+CURLUPART_USER 10000000 bytes user == 3
|
||||
+</stdout>
|
||||
+</verify>
|
||||
+
|
||||
+</testcase>
|
||||
diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
|
||||
index 9270822..62e6c20 100644
|
||||
--- a/tests/libtest/Makefile.inc
|
||||
+++ b/tests/libtest/Makefile.inc
|
||||
@@ -30,8 +30,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \
|
||||
lib1534 lib1535 lib1536 lib1537 lib1538 \
|
||||
lib1540 \
|
||||
lib1550 lib1551 lib1552 lib1553 lib1554 lib1555 lib1556 lib1557 \
|
||||
- lib1558 \
|
||||
- lib1560 \
|
||||
+ lib1558 lib1559 lib1560 \
|
||||
lib1591 lib1592 \
|
||||
lib1900 \
|
||||
lib2033
|
||||
@@ -520,6 +519,9 @@ lib1557_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1557
|
||||
lib1558_SOURCES = lib1558.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
lib1558_LDADD = $(TESTUTIL_LIBS)
|
||||
|
||||
+lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
+lib1559_LDADD = $(TESTUTIL_LIBS)
|
||||
+
|
||||
lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
|
||||
lib1560_LDADD = $(TESTUTIL_LIBS)
|
||||
diff --git a/tests/libtest/lib1559.c b/tests/libtest/lib1559.c
|
||||
new file mode 100644
|
||||
index 0000000..2aa3615
|
||||
--- /dev/null
|
||||
+++ b/tests/libtest/lib1559.c
|
||||
@@ -0,0 +1,78 @@
|
||||
+/***************************************************************************
|
||||
+ * _ _ ____ _
|
||||
+ * Project ___| | | | _ \| |
|
||||
+ * / __| | | | |_) | |
|
||||
+ * | (__| |_| | _ <| |___
|
||||
+ * \___|\___/|_| \_\_____|
|
||||
+ *
|
||||
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
+ *
|
||||
+ * This software is licensed as described in the file COPYING, which
|
||||
+ * you should have received as part of this distribution. The terms
|
||||
+ * are also available at https://curl.haxx.se/docs/copyright.html.
|
||||
+ *
|
||||
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
||||
+ * copies of the Software, and permit persons to whom the Software is
|
||||
+ * furnished to do so, under the terms of the COPYING file.
|
||||
+ *
|
||||
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
||||
+ * KIND, either express or implied.
|
||||
+ *
|
||||
+ ***************************************************************************/
|
||||
+#include "test.h"
|
||||
+
|
||||
+#include "testutil.h"
|
||||
+#include "warnless.h"
|
||||
+#include "memdebug.h"
|
||||
+
|
||||
+#define EXCESSIVE 10*1000*1000
|
||||
+int test(char *URL)
|
||||
+{
|
||||
+ CURLcode res = 0;
|
||||
+ CURL *curl = NULL;
|
||||
+ char *longurl = malloc(EXCESSIVE);
|
||||
+ CURLU *u;
|
||||
+ (void)URL;
|
||||
+
|
||||
+ memset(longurl, 'a', EXCESSIVE);
|
||||
+ longurl[EXCESSIVE-1] = 0;
|
||||
+
|
||||
+ global_init(CURL_GLOBAL_ALL);
|
||||
+ easy_init(curl);
|
||||
+
|
||||
+ res = curl_easy_setopt(curl, CURLOPT_URL, longurl);
|
||||
+ printf("CURLOPT_URL %d bytes URL == %d\n",
|
||||
+ EXCESSIVE, (int)res);
|
||||
+
|
||||
+ res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, longurl);
|
||||
+ printf("CURLOPT_POSTFIELDS %d bytes data == %d\n",
|
||||
+ EXCESSIVE, (int)res);
|
||||
+
|
||||
+ u = curl_url();
|
||||
+ if(u) {
|
||||
+ CURLUcode uc = curl_url_set(u, CURLUPART_URL, longurl, 0);
|
||||
+ printf("CURLUPART_URL %d bytes URL == %d\n",
|
||||
+ EXCESSIVE, (int)uc);
|
||||
+ uc = curl_url_set(u, CURLUPART_SCHEME, longurl, CURLU_NON_SUPPORT_SCHEME);
|
||||
+ printf("CURLUPART_SCHEME %d bytes scheme == %d\n",
|
||||
+ EXCESSIVE, (int)uc);
|
||||
+ uc = curl_url_set(u, CURLUPART_USER, longurl, 0);
|
||||
+ printf("CURLUPART_USER %d bytes user == %d\n",
|
||||
+ EXCESSIVE, (int)uc);
|
||||
+ curl_url_cleanup(u);
|
||||
+ }
|
||||
+
|
||||
+ free(longurl);
|
||||
+
|
||||
+ curl_easy_cleanup(curl);
|
||||
+ curl_global_cleanup();
|
||||
+
|
||||
+ return 0;
|
||||
+
|
||||
+test_cleanup:
|
||||
+
|
||||
+ curl_easy_cleanup(curl);
|
||||
+ curl_global_cleanup();
|
||||
+
|
||||
+ return res; /* return the final return code */
|
||||
+}
|
||||
--
|
||||
2.20.1
|
||||
|
11
curl.spec
11
curl.spec
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.64.0
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: MIT
|
||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||
|
||||
@ -20,6 +20,9 @@ Patch4: 0004-curl-7.64.0-spurious-resolver-error.patch
|
||||
# remove verbose "Expire in" ... messages (#1690971)
|
||||
Patch5: 0005-curl-7.64.0-expire-in-verbose-msgs.patch
|
||||
|
||||
# fix integer overflows in curl_url_set() (CVE-2019-5435)
|
||||
Patch16: 0016-curl-7.64.0-CVE-2019-5435.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -194,6 +197,9 @@ be installed.
|
||||
%patch104 -p1
|
||||
%patch105 -p1
|
||||
|
||||
# upstream patches
|
||||
%patch16 -p1
|
||||
|
||||
# make tests/*.py use Python 3
|
||||
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
|
||||
|
||||
@ -353,6 +359,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Wed May 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-7
|
||||
- fix integer overflows in curl_url_set() (CVE-2019-5435)
|
||||
|
||||
* Mon Mar 25 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-6
|
||||
- remove verbose "Expire in" ... messages (#1690971)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user