Resolves: CVE-2018-16839 - SASL password overflow via integer overflow

0012-curl-7.59.0-CVE-2018-16839.patch

@@ -0,0 +1,136 @@
+From 4df8ff21144236497fc92521d79fbca2dc079686 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 20 Mar 2018 15:15:14 +0100
+Subject: [PATCH 1/2] vauth/cleartext: fix integer overflow check
+
+Make the integer overflow check not rely on the undefined behavior that
+a size_t wraps around on overflow.
+
+Detected by lgtm.com
+Closes #2408
+
+Upstream-commit: c1366571b609407cf0d4d9f4a2769d29e1313151
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/curl_ntlm_core.c  | 11 +----------
+ lib/curl_setup.h      |  9 +++++++++
+ lib/vauth/cleartext.c | 14 ++++----------
+ 3 files changed, 14 insertions(+), 20 deletions(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index e5c785d..b69c293 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -143,15 +143,6 @@
+ #define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00"
+ #define NTLMv2_BLOB_LEN       (44 -16 + ntlm->target_info_len + 4)
+ 
+-#ifndef SIZE_T_MAX
+-/* some limits.h headers have this defined, some don't */
+-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
+-#define SIZE_T_MAX 18446744073709551615U
+-#else
+-#define SIZE_T_MAX 4294967295U
+-#endif
+-#endif
+-
+ /*
+ * Turns a 56-bit key into being 64-bit wide.
+ */
+diff --git a/lib/curl_setup.h b/lib/curl_setup.h
+index f128696..e4503c6 100644
+--- a/lib/curl_setup.h
++++ b/lib/curl_setup.h
+@@ -447,6 +447,15 @@
+ #  endif
+ #endif
+ 
++#ifndef SIZE_T_MAX
++/* some limits.h headers have this defined, some don't */
++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++#endif
++
+ /*
+  * Arg 2 type for gethostname in case it hasn't been defined in config file.
+  */
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
+index a761ae7..5d61ce6 100644
+--- a/lib/vauth/cleartext.c
++++ b/lib/vauth/cleartext.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -73,16 +73,10 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
+   ulen = strlen(userp);
+   plen = strlen(passwdp);
+ 
+-  /* Compute binary message length, checking for overflows. */
+-  plainlen = 2 * ulen;
+-  if(plainlen < ulen)
+-    return CURLE_OUT_OF_MEMORY;
+-  plainlen += plen;
+-  if(plainlen < plen)
+-    return CURLE_OUT_OF_MEMORY;
+-  plainlen += 2;
+-  if(plainlen < 2)
++  /* Compute binary message length. Check for overflows. */
++  if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
+     return CURLE_OUT_OF_MEMORY;
++  plainlen = 2 * ulen + plen + 2;
+ 
+   plainauth = malloc(plainlen);
+   if(!plainauth)
+-- 
+2.17.2
+
+
+From ad9943254ded9a983af7d581e8a1f3317e8a8781 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 28 Sep 2018 16:08:16 +0200
+Subject: [PATCH 2/2] Curl_auth_create_plain_message: fix too-large-input-check
+
+CVE-2018-16839
+Reported-by: Harry Sintonen
+Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
+
+Upstream-commit: f3a24d7916b9173c69a3e0ee790102993833d6c5
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vauth/cleartext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
+index 5d61ce6..1367143 100644
+--- a/lib/vauth/cleartext.c
++++ b/lib/vauth/cleartext.c
+@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
+   plen = strlen(passwdp);
+ 
+   /* Compute binary message length. Check for overflows. */
+-  if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
++  if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
+     return CURLE_OUT_OF_MEMORY;
+   plainlen = 2 * ulen + plen + 2;
+ 
+-- 
+2.17.2
+

curl.spec

@@ -40,6 +40,9 @@ BuildRequires: git
 # fix use-after-free in handle close (CVE-2018-16840)
 Patch11:  0011-curl-7.59.0-CVE-2018-16840.patch
 
+# SASL password overflow via integer overflow (CVE-2018-16839)
+Patch12:  0012-curl-7.59.0-CVE-2018-16839.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -201,6 +204,7 @@ be installed.
 %patch9 -p1
 git apply %{PATCH10}
 %patch11 -p1
+%patch12 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -348,6 +352,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 
 %changelog
 * Thu Nov 01 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-8
+- SASL password overflow via integer overflow (CVE-2018-16839)
 - fix use-after-free in handle close (CVE-2018-16840)
 - fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842)
 - test320: update expected output for gnutls-3.6.4