diff --git a/0010-curl-7.61.1-CVE-2019-3822.patch b/0010-curl-7.61.1-CVE-2019-3822.patch
new file mode 100644
index 0000000..c860817
--- /dev/null
+++ b/0010-curl-7.61.1-CVE-2019-3822.patch
@@ -0,0 +1,41 @@
+From ab22e3a00f04b458039c21111cfa448051e5777d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 3 Jan 2019 12:59:28 +0100
+Subject: [PATCH] ntlm: fix *_type3_message size check to avoid buffer overflow
+
+Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
+Reported-by: Wenxiang Qian
+CVE-2019-3822
+
+Upstream-commit: 50c9484278c63b958655a717844f0721263939cc
+Signed-off-by: Kamil Dudka
+---
+ lib/vauth/ntlm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index b614cda..a3a55d9 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -777,11 +777,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
+ });
+ 
+ #ifdef USE_NTRESPONSES
+- if(size < (NTLM_BUFSIZE - ntresplen)) {
+- DEBUGASSERT(size == (size_t)ntrespoff);
+- memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+- size += ntresplen;
++ /* ntresplen + size should not be risking an integer overflow here */
++ if(ntresplen + size > sizeof(ntlmbuf)) {
++ failf(data, "incoming NTLM message too big");
++ return CURLE_OUT_OF_MEMORY;
+ }
++ DEBUGASSERT(size == (size_t)ntrespoff);
++ memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
++ size += ntresplen;
+ 
+ DEBUG_OUT({
+ fprintf(stderr, "\n ntresp=");
+-- 
+2.17.2
+
diff --git a/curl.spec b/curl.spec
index 4d895d9..3fd58c9 100644
--- a/curl.spec
+++ b/curl.spec
@@ -34,6 +34,9 @@ Patch8: 0008-curl-7.61.1-CVE-2018-20483.patch
 # fix NTLM type-2 out-of-bounds buffer read (CVE-2018-16890)
 Patch9: 0009-curl-7.61.1-CVE-2018-16890.patch
 
+# fix NTLMv2 type-3 header stack buffer overflow (CVE-2019-3822)
+Patch10: 0010-curl-7.61.1-CVE-2019-3822.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
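Review bot: The new bound `if(ntresplen + size > sizeof(ntlmbuf))` in the nested ntlm.c hunk is only a real check if `ntlmbuf` is declared as an array in this function; its declaration is outside the hunk, and the removed code measured against the `NTLM_BUFSIZE` constant instead, so the backport should confirm the two agree (a pointer-typed `ntlmbuf` would make `sizeof` yield the pointer width). The comment claiming `ntresplen + size` cannot overflow likewise depends on the operand types, which the hunk does not show; if `ntresplen` is narrower than `size_t`, a `DEBUGASSERT(ntresplen <= sizeof(ntlmbuf));` before the addition would make that assumption checkable in debug builds. The change also moves from silently omitting an oversized NT response to failing the handshake with `CURLE_OUT_OF_MEMORY`, an error code that reads as a local allocation failure rather than a malformed peer message; since this is an upstream backport the code is best left as-is, but a sentence in the patch header noting the behaviour change would help distro maintainers triaging user reports. `Curl_auth_create_ntlm_type3_message` starts and ends outside the hunk.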
@@ -202,6 +205,7 @@ git apply %{PATCH4}
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -369,6 +373,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %changelog
 * Wed Feb 06 2019 Kamil Dudka - 7.61.1-8
+- fix NTLMv2 type-3 header stack buffer overflow (CVE-2019-3822)
 - fix NTLM type-2 out-of-bounds buffer read (CVE-2018-16890)
 
 * Mon Jan 21 2019 Kamil Dudka - 7.61.1-7