Resolves: CVE-2018-16839 - SASL password overflow via integer overflow

0006-curl-7.61.1-CVE-2018-16839.patch

@@ -0,0 +1,31 @@
+From ad9943254ded9a983af7d581e8a1f3317e8a8781 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 28 Sep 2018 16:08:16 +0200
+Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check
+
+CVE-2018-16839
+Reported-by: Harry Sintonen
+Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
+
+Upstream-commit: f3a24d7916b9173c69a3e0ee790102993833d6c5
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vauth/cleartext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
+index 5d61ce6..1367143 100644
+--- a/lib/vauth/cleartext.c
++++ b/lib/vauth/cleartext.c
+@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
+   plen = strlen(passwdp);
+ 
+   /* Compute binary message length. Check for overflows. */
+-  if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
++  if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
+     return CURLE_OUT_OF_MEMORY;
+   plainlen = 2 * ulen + plen + 2;
+ 
+-- 
+2.17.2
+

curl.spec

@@ -22,6 +22,9 @@ BuildRequires: git
 # fix use-after-free in handle close (CVE-2018-16840)
 Patch5:   0005-curl-7.61.1-CVE-2018-16840.patch
 
+# SASL password overflow via integer overflow (CVE-2018-16839)
+Patch6:   0006-curl-7.61.1-CVE-2018-16839.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -185,6 +188,7 @@ be installed.
 %patch3 -p1
 git apply %{PATCH4}
 %patch5 -p1
+%patch6 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -352,6 +356,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 
 %changelog
 * Thu Nov 01 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-4
+- SASL password overflow via integer overflow (CVE-2018-16839)
 - fix use-after-free in handle close (CVE-2018-16840)
 - fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842)