Resolves: #1436158 - nss: fix a possible use-after-free in SelectClientCert()
This commit is contained in:
parent
f7a237e96a
commit
b2b5c8f5f1
104
0007-curl-7.54.1-nss-cc-use-after-free.patch
Normal file
104
0007-curl-7.54.1-nss-cc-use-after-free.patch
Normal file
@ -0,0 +1,104 @@
|
|||||||
|
From fe9bc87820bd2afa72d014d5316b0287e70587e6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Thu, 20 Jul 2017 08:05:59 +0200
|
||||||
|
Subject: [PATCH 1/2] nss: unify the coding style of nss_send() and nss_recv()
|
||||||
|
|
||||||
|
No changes in behavior intended by this commit.
|
||||||
|
|
||||||
|
Upstream-commit: c89eb6d0f87a3620074bc04a6af255e5dc3a523e
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vtls/nss.c | 17 +++++++++++------
|
||||||
|
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||||||
|
index 4e5f4b3..ab4ddff 100644
|
||||||
|
--- a/lib/vtls/nss.c
|
||||||
|
+++ b/lib/vtls/nss.c
|
||||||
|
@@ -2013,8 +2013,10 @@ static ssize_t nss_send(struct connectdata *conn, /* connection data */
|
||||||
|
size_t len, /* amount to write */
|
||||||
|
CURLcode *curlcode)
|
||||||
|
{
|
||||||
|
- ssize_t rc = PR_Send(conn->ssl[sockindex].handle, mem, (int)len, 0,
|
||||||
|
- PR_INTERVAL_NO_WAIT);
|
||||||
|
+ struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
|
+ ssize_t rc;
|
||||||
|
+
|
||||||
|
+ rc = PR_Send(connssl->handle, mem, (int)len, 0, PR_INTERVAL_NO_WAIT);
|
||||||
|
if(rc < 0) {
|
||||||
|
PRInt32 err = PR_GetError();
|
||||||
|
if(err == PR_WOULD_BLOCK_ERROR)
|
||||||
|
@@ -2038,14 +2040,17 @@ static ssize_t nss_send(struct connectdata *conn, /* connection data */
|
||||||
|
return rc; /* number of bytes */
|
||||||
|
}
|
||||||
|
|
||||||
|
-static ssize_t nss_recv(struct connectdata * conn, /* connection data */
|
||||||
|
- int num, /* socketindex */
|
||||||
|
+static ssize_t nss_recv(struct connectdata *conn, /* connection data */
|
||||||
|
+ int sockindex, /* socketindex */
|
||||||
|
char *buf, /* store read data here */
|
||||||
|
size_t buffersize, /* max amount to read */
|
||||||
|
CURLcode *curlcode)
|
||||||
|
{
|
||||||
|
- ssize_t nread = PR_Recv(conn->ssl[num].handle, buf, (int)buffersize, 0,
|
||||||
|
- PR_INTERVAL_NO_WAIT);
|
||||||
|
+ struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
|
+ ssize_t nread;
|
||||||
|
+
|
||||||
|
+ nread = PR_Recv(connssl->handle, buf, (int)buffersize, 0,
|
||||||
|
+ PR_INTERVAL_NO_WAIT);
|
||||||
|
if(nread < 0) {
|
||||||
|
/* failed SSL read */
|
||||||
|
PRInt32 err = PR_GetError();
|
||||||
|
--
|
||||||
|
2.9.4
|
||||||
|
|
||||||
|
|
||||||
|
From f6c464a55a2319901c4f22d0d65cc437f691f55c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Wed, 19 Jul 2017 18:02:26 +0200
|
||||||
|
Subject: [PATCH 2/2] nss: fix a possible use-after-free in SelectClientCert()
|
||||||
|
|
||||||
|
... causing a SIGSEGV in showit() in case the handle used to initiate
|
||||||
|
the connection has already been freed.
|
||||||
|
|
||||||
|
This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.
|
||||||
|
|
||||||
|
Reported-by: Rob Sanders
|
||||||
|
Bug: https://bugzilla.redhat.com/1436158
|
||||||
|
|
||||||
|
Upstream-commit: 42a4cd4c78b3feb5ca07286479129116e125a730
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vtls/nss.c | 8 ++++++++
|
||||||
|
1 file changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||||||
|
index ab4ddff..4c90400 100644
|
||||||
|
--- a/lib/vtls/nss.c
|
||||||
|
+++ b/lib/vtls/nss.c
|
||||||
|
@@ -2016,6 +2016,10 @@ static ssize_t nss_send(struct connectdata *conn, /* connection data */
|
||||||
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
|
ssize_t rc;
|
||||||
|
|
||||||
|
+ /* The SelectClientCert() hook uses this for infof() and failf() but the
|
||||||
|
+ handle stored in nss_setup_connect() could have already been freed. */
|
||||||
|
+ connssl->data = conn->data;
|
||||||
|
+
|
||||||
|
rc = PR_Send(connssl->handle, mem, (int)len, 0, PR_INTERVAL_NO_WAIT);
|
||||||
|
if(rc < 0) {
|
||||||
|
PRInt32 err = PR_GetError();
|
||||||
|
@@ -2049,6 +2053,10 @@ static ssize_t nss_recv(struct connectdata *conn, /* connection data */
|
||||||
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
|
ssize_t nread;
|
||||||
|
|
||||||
|
+ /* The SelectClientCert() hook uses this for infof() and failf() but the
|
||||||
|
+ handle stored in nss_setup_connect() could have already been freed. */
|
||||||
|
+ connssl->data = conn->data;
|
||||||
|
+
|
||||||
|
nread = PR_Recv(connssl->handle, buf, (int)buffersize, 0,
|
||||||
|
PR_INTERVAL_NO_WAIT);
|
||||||
|
if(nread < 0) {
|
||||||
|
--
|
||||||
|
2.9.4
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.51.0
|
Version: 7.51.0
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
|
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
|
||||||
@ -24,6 +24,9 @@ Patch5: 0005-curl-7.51.0-CVE-2017-7407.patch
|
|||||||
# fix links to documentation of TLS cipher-suites (#1463532)
|
# fix links to documentation of TLS cipher-suites (#1463532)
|
||||||
Patch6: 0006-curl-7.51.0-ciphers-man-page.patch
|
Patch6: 0006-curl-7.51.0-ciphers-man-page.patch
|
||||||
|
|
||||||
|
# nss: fix a possible use-after-free in SelectClientCert() (#1436158)
|
||||||
|
Patch7: 0007-curl-7.54.1-nss-cc-use-after-free.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -147,6 +150,7 @@ documentation of the library, too.
|
|||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
|
%patch7 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -258,6 +262,9 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{_datadir}/aclocal/libcurl.m4
|
%{_datadir}/aclocal/libcurl.m4
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jul 20 2017 Kamil Dudka <kdudka@redhat.com> 7.51.0-8
|
||||||
|
- nss: fix a possible use-after-free in SelectClientCert() (#1436158)
|
||||||
|
|
||||||
* Wed Jun 21 2017 Kamil Dudka <kdudka@redhat.com> 7.51.0-7
|
* Wed Jun 21 2017 Kamil Dudka <kdudka@redhat.com> 7.51.0-7
|
||||||
- fix links to documentation of TLS cipher-suites (#1463532)
|
- fix links to documentation of TLS cipher-suites (#1463532)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user