Resolves: CVE-2018-16839 - SASL password overflow via integer overflow
This commit is contained in:
parent
00c5d944d9
commit
a1bd4f84de
136
0012-curl-7.59.0-CVE-2018-16839.patch
Normal file
136
0012-curl-7.59.0-CVE-2018-16839.patch
Normal file
@ -0,0 +1,136 @@
|
|||||||
|
From 4df8ff21144236497fc92521d79fbca2dc079686 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Tue, 20 Mar 2018 15:15:14 +0100
|
||||||
|
Subject: [PATCH 1/2] vauth/cleartext: fix integer overflow check
|
||||||
|
|
||||||
|
Make the integer overflow check not rely on the undefined behavior that
|
||||||
|
a size_t wraps around on overflow.
|
||||||
|
|
||||||
|
Detected by lgtm.com
|
||||||
|
Closes #2408
|
||||||
|
|
||||||
|
Upstream-commit: c1366571b609407cf0d4d9f4a2769d29e1313151
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/curl_ntlm_core.c | 11 +----------
|
||||||
|
lib/curl_setup.h | 9 +++++++++
|
||||||
|
lib/vauth/cleartext.c | 14 ++++----------
|
||||||
|
3 files changed, 14 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
|
||||||
|
index e5c785d..b69c293 100644
|
||||||
|
--- a/lib/curl_ntlm_core.c
|
||||||
|
+++ b/lib/curl_ntlm_core.c
|
||||||
|
@@ -5,7 +5,7 @@
|
||||||
|
* | (__| |_| | _ <| |___
|
||||||
|
* \___|\___/|_| \_\_____|
|
||||||
|
*
|
||||||
|
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
*
|
||||||
|
* This software is licensed as described in the file COPYING, which
|
||||||
|
* you should have received as part of this distribution. The terms
|
||||||
|
@@ -143,15 +143,6 @@
|
||||||
|
#define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00"
|
||||||
|
#define NTLMv2_BLOB_LEN (44 -16 + ntlm->target_info_len + 4)
|
||||||
|
|
||||||
|
-#ifndef SIZE_T_MAX
|
||||||
|
-/* some limits.h headers have this defined, some don't */
|
||||||
|
-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
|
||||||
|
-#define SIZE_T_MAX 18446744073709551615U
|
||||||
|
-#else
|
||||||
|
-#define SIZE_T_MAX 4294967295U
|
||||||
|
-#endif
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* Turns a 56-bit key into being 64-bit wide.
|
||||||
|
*/
|
||||||
|
diff --git a/lib/curl_setup.h b/lib/curl_setup.h
|
||||||
|
index f128696..e4503c6 100644
|
||||||
|
--- a/lib/curl_setup.h
|
||||||
|
+++ b/lib/curl_setup.h
|
||||||
|
@@ -447,6 +447,15 @@
|
||||||
|
# endif
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#ifndef SIZE_T_MAX
|
||||||
|
+/* some limits.h headers have this defined, some don't */
|
||||||
|
+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
|
||||||
|
+#define SIZE_T_MAX 18446744073709551615U
|
||||||
|
+#else
|
||||||
|
+#define SIZE_T_MAX 4294967295U
|
||||||
|
+#endif
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Arg 2 type for gethostname in case it hasn't been defined in config file.
|
||||||
|
*/
|
||||||
|
diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
|
||||||
|
index a761ae7..5d61ce6 100644
|
||||||
|
--- a/lib/vauth/cleartext.c
|
||||||
|
+++ b/lib/vauth/cleartext.c
|
||||||
|
@@ -5,7 +5,7 @@
|
||||||
|
* | (__| |_| | _ <| |___
|
||||||
|
* \___|\___/|_| \_\_____|
|
||||||
|
*
|
||||||
|
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
*
|
||||||
|
* This software is licensed as described in the file COPYING, which
|
||||||
|
* you should have received as part of this distribution. The terms
|
||||||
|
@@ -73,16 +73,10 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
|
||||||
|
ulen = strlen(userp);
|
||||||
|
plen = strlen(passwdp);
|
||||||
|
|
||||||
|
- /* Compute binary message length, checking for overflows. */
|
||||||
|
- plainlen = 2 * ulen;
|
||||||
|
- if(plainlen < ulen)
|
||||||
|
- return CURLE_OUT_OF_MEMORY;
|
||||||
|
- plainlen += plen;
|
||||||
|
- if(plainlen < plen)
|
||||||
|
- return CURLE_OUT_OF_MEMORY;
|
||||||
|
- plainlen += 2;
|
||||||
|
- if(plainlen < 2)
|
||||||
|
+ /* Compute binary message length. Check for overflows. */
|
||||||
|
+ if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
+ plainlen = 2 * ulen + plen + 2;
|
||||||
|
|
||||||
|
plainauth = malloc(plainlen);
|
||||||
|
if(!plainauth)
|
||||||
|
--
|
||||||
|
2.17.2
|
||||||
|
|
||||||
|
|
||||||
|
From ad9943254ded9a983af7d581e8a1f3317e8a8781 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Fri, 28 Sep 2018 16:08:16 +0200
|
||||||
|
Subject: [PATCH 2/2] Curl_auth_create_plain_message: fix too-large-input-check
|
||||||
|
|
||||||
|
CVE-2018-16839
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
|
||||||
|
|
||||||
|
Upstream-commit: f3a24d7916b9173c69a3e0ee790102993833d6c5
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vauth/cleartext.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
|
||||||
|
index 5d61ce6..1367143 100644
|
||||||
|
--- a/lib/vauth/cleartext.c
|
||||||
|
+++ b/lib/vauth/cleartext.c
|
||||||
|
@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
|
||||||
|
plen = strlen(passwdp);
|
||||||
|
|
||||||
|
/* Compute binary message length. Check for overflows. */
|
||||||
|
- if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
|
||||||
|
+ if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
plainlen = 2 * ulen + plen + 2;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.17.2
|
||||||
|
|
@ -40,6 +40,9 @@ BuildRequires: git
|
|||||||
# fix use-after-free in handle close (CVE-2018-16840)
|
# fix use-after-free in handle close (CVE-2018-16840)
|
||||||
Patch11: 0011-curl-7.59.0-CVE-2018-16840.patch
|
Patch11: 0011-curl-7.59.0-CVE-2018-16840.patch
|
||||||
|
|
||||||
|
# SASL password overflow via integer overflow (CVE-2018-16839)
|
||||||
|
Patch12: 0012-curl-7.59.0-CVE-2018-16839.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -201,6 +204,7 @@ be installed.
|
|||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
git apply %{PATCH10}
|
git apply %{PATCH10}
|
||||||
%patch11 -p1
|
%patch11 -p1
|
||||||
|
%patch12 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -348,6 +352,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Nov 01 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-8
|
* Thu Nov 01 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-8
|
||||||
|
- SASL password overflow via integer overflow (CVE-2018-16839)
|
||||||
- fix use-after-free in handle close (CVE-2018-16840)
|
- fix use-after-free in handle close (CVE-2018-16840)
|
||||||
- fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842)
|
- fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842)
|
||||||
- test320: update expected output for gnutls-3.6.4
|
- test320: update expected output for gnutls-3.6.4
|
||||||
|
Loading…
Reference in New Issue
Block a user