diff --git a/0020-curl-7.47.1-CVE-2016-8617.patch b/0020-curl-7.47.1-CVE-2016-8617.patch
new file mode 100644
index 0000000..0093335
--- /dev/null
+++ b/0020-curl-7.47.1-CVE-2016-8617.patch
@@ -0,0 +1,35 @@
+From f4145e2024d0785d6e72f5963585e7a43cace9cd Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 28 Sep 2016 00:05:12 +0200
+Subject: [PATCH] base64: check for integer overflow on large input
+
+CVE-2016-8617
+
+Bug: https://curl.haxx.se/docs/adv_20161102C.html
+Reported-by: Cure53
+
+Upstream-commit: efd24d57426bd77c9b5860e6b297904703750412
+Signed-off-by: Kamil Dudka
+---
+ lib/base64.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/base64.c b/lib/base64.c
+index 2212115..8db578c 100644
+--- a/lib/base64.c
++++ b/lib/base64.c
+@@ -190,6 +190,11 @@ static CURLcode base64_encode(const char *table64,
+ if(0 == insize)
+ insize = strlen(indata);
+
++#if SIZEOF_SIZE_T == 4
++ if(insize > UINT_MAX/4)
++ return CURLE_OUT_OF_MEMORY;
++#endif
++
+ base64data = output = malloc(insize*4/3+4);
+ if(NULL == output)
+ return CURLE_OUT_OF_MEMORY;
+--
+2.7.4
+
diff --git a/curl.spec b/curl.spec
index 1cb040f..d86e73b 100644
--- a/curl.spec
+++ b/curl.spec
@@ -49,6 +49,9 @@ Patch18: 0018-curl-7.47.1-CVE-2016-8618.patch
 # fix double-free in krb5 code (CVE-2016-8619)
 Patch19: 0019-curl-7.47.1-CVE-2016-8619.patch
+# base64: check for integer overflow on large input (CVE-2016-8617)
+Patch20: 0020-curl-7.47.1-CVE-2016-8617.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -176,6 +179,7 @@ documentation of the library, too.
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
 # Fedora patches
 %patch101 -p1
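Review bot: The overflow guard added to lib/base64.c compiles out silently when the build does not define `SIZEOF_SIZE_T` — an undefined macro evaluates to 0 in `#if`, so `#if SIZEOF_SIZE_T == 4` is then false and `malloc(insize*4/3+4)` runs unchecked even on a 32-bit target. A word-size-independent form removes that dependency on the configure-generated macro: `if(insize > SIZE_MAX/4) return CURLE_OUT_OF_MEMORY;` with a why-comment such as `/* insize*4 below must not wrap; with this bound the +4 cannot wrap either */`. Whether `SIZE_MAX` (`<stdint.h>`) is in scope at that point in base64.c cannot be seen from the hunk, so confirm against curl_setup.h before switching; the 64-bit case the current `#if` skips is practically unreachable, the macro dependency is the real concern. The enclosing base64_encode() starts and ends outside the hunk.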
@@ -292,6 +296,7 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Wed Nov 02 2016 Kamil Dudka 7.47.1-9
+- base64: check for integer overflow on large input (CVE-2016-8617)
 - fix double-free in krb5 code (CVE-2016-8619)
 - fix double-free in curl_maprintf() (CVE-2016-8618)
 - fix glob parser write/read out of bounds (CVE-2016-8620)