diff --git a/0017-curl-7.47.1-CVE-2016-8620.patch b/0017-curl-7.47.1-CVE-2016-8620.patch new file mode 100644 index 0000000..3b9edff --- /dev/null +++ b/0017-curl-7.47.1-CVE-2016-8620.patch @@ -0,0 +1,192 @@ +From 899d4f898f2b1b2cc910ca994e23e2d55347c22d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 3 Oct 2016 17:27:16 +0200 +Subject: [PATCH 1/3] range: prevent negative end number in a glob range +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2016-8620 + +Bug: https://curl.haxx.se/docs/adv_20161102F.html +Reported-by: Luật Nguyễn + +Upstream-commit: fbb5f1aa0326d485d5a7ac643b48481897ca667f +Signed-off-by: Kamil Dudka +--- + src/tool_urlglob.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c +index 6a4ff76..49bbe4b 100644 +--- a/src/tool_urlglob.c ++++ b/src/tool_urlglob.c +@@ -257,6 +257,12 @@ static CURLcode glob_range(URLGlob *glob, char **patternp, + endp = NULL; + else { + pattern = endp+1; ++ while(*pattern && ISBLANK(*pattern)) ++ pattern++; ++ if(!ISDIGIT(*pattern)) { ++ endp = NULL; ++ goto fail; ++ } + errno = 0; + max_n = strtoul(pattern, &endp, 10); + if(errno || (*endp == ':')) { +@@ -277,6 +283,7 @@ static CURLcode glob_range(URLGlob *glob, char **patternp, + } + } + ++ fail: + *posp += (pattern - *patternp); + + if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) || +-- +2.7.4 + + +From 2897ecbeaf174a4f665e4b7ff9aea7fdd85f3d80 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 3 Oct 2016 18:23:22 +0200 +Subject: [PATCH 2/3] glob_next_url: make sure to stay within the given output + buffer + +Upstream-commit: 269a88910436d730ac212f4dc01cbe6961338061 +Signed-off-by: Kamil Dudka +--- + src/tool_urlglob.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c +index 49bbe4b..3a3aba9 100644 +--- a/src/tool_urlglob.c ++++ b/src/tool_urlglob.c +@@ -432,6 +432,7 @@ CURLcode glob_url(URLGlob** glob, char* url, unsigned long *urlnum, + glob_buffer = malloc(strlen(url) + 1); + if(!glob_buffer) + return CURLE_OUT_OF_MEMORY; ++ glob_buffer[0]=0; + + glob_expand = calloc(1, sizeof(URLGlob)); + if(!glob_expand) { +@@ -549,20 +550,25 @@ CURLcode glob_next_url(char **globbed, URLGlob *glob) + switch(pat->type) { + case UPTSet: + if(pat->content.Set.elements) { +- len = strlen(pat->content.Set.elements[pat->content.Set.ptr_s]); + snprintf(buf, buflen, "%s", + pat->content.Set.elements[pat->content.Set.ptr_s]); ++ len = strlen(buf); + buf += len; + buflen -= len; + } + break; + case UPTCharRange: +- *buf++ = pat->content.CharRange.ptr_c; ++ if(buflen) { ++ *buf++ = pat->content.CharRange.ptr_c; ++ *buf = '\0'; ++ buflen--; ++ } + break; + case UPTNumRange: +- len = snprintf(buf, buflen, "%0*ld", +- pat->content.NumRange.padlength, +- pat->content.NumRange.ptr_n); ++ snprintf(buf, buflen, "%0*ld", ++ pat->content.NumRange.padlength, ++ pat->content.NumRange.ptr_n); ++ len = strlen(buf); + buf += len; + buflen -= len; + break; +@@ -571,7 +577,6 @@ CURLcode glob_next_url(char **globbed, URLGlob *glob) + return CURLE_FAILED_INIT; + } + } +- *buf = '\0'; + + *globbed = strdup(glob->glob_buffer); + if(!*globbed) +-- +2.7.4 + + +From 46475c97a6970a644239c542bc6a2a653020c87b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 4 Oct 2016 17:25:09 +0200 +Subject: [PATCH 3/3] range: reject char globs with missing end like '[L-]' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... which previously would lead to out of boundary reads. + +Reported-by: Luật Nguyễn + +Upstream-commit: ee4f76606cfa4ee068bf28edd37c8dae7e8db317 +Signed-off-by: Kamil Dudka +--- + src/tool_urlglob.c | 34 +++++++++++++++++++--------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c +index 3a3aba9..3b17a68 100644 +--- a/src/tool_urlglob.c ++++ b/src/tool_urlglob.c +@@ -188,32 +188,36 @@ static CURLcode glob_range(URLGlob *glob, char **patternp, + /* character range detected */ + char min_c; + char max_c; ++ char end_c; + int step=1; + + pat->type = UPTCharRange; + +- rc = sscanf(pattern, "%c-%c", &min_c, &max_c); ++ rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c); + +- if((rc == 2) && (pattern[3] == ':')) { +- char *endp; +- unsigned long lstep; +- errno = 0; +- lstep = strtoul(&pattern[4], &endp, 10); +- if(errno || (*endp != ']')) +- step = -1; +- else { +- pattern = endp+1; +- step = (int)lstep; +- if(step > (max_c - min_c)) ++ if(rc == 3) { ++ if(end_c == ':') { ++ char *endp; ++ unsigned long lstep; ++ errno = 0; ++ lstep = strtoul(&pattern[4], &endp, 10); ++ if(errno || (*endp != ']')) + step = -1; ++ else { ++ pattern = endp+1; ++ step = (int)lstep; ++ if(step > (max_c - min_c)) ++ step = -1; ++ } + } ++ else if(end_c != ']') ++ /* then this is wrong */ ++ rc = 0; + } +- else +- pattern += 4; + + *posp += (pattern - *patternp); + +- if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) || ++ if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) || + (step <= 0) ) + /* the pattern is not well-formed */ + return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT); +-- +2.7.4 + diff --git a/curl.spec b/curl.spec index e4a9f70..71b9252 100644 --- a/curl.spec +++ b/curl.spec @@ -40,6 +40,9 @@ Patch15: 0015-curl-7.47.1-CVE-2016-8622.patch # fix out-of-bounds read in curl_getdate() (CVE-2016-8621) Patch16: 0016-curl-7.47.1-CVE-2016-8621.patch +# fix glob parser write/read out of bounds (CVE-2016-8620) +Patch17: 0017-curl-7.47.1-CVE-2016-8620.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -164,6 +167,7 @@ documentation of the library, too. %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 # Fedora patches %patch101 -p1 @@ -280,6 +284,7 @@ rm -rf $RPM_BUILD_ROOT %changelog * Wed Nov 02 2016 Kamil Dudka 7.47.1-9 +- fix glob parser write/read out of bounds (CVE-2016-8620) - fix out-of-bounds read in curl_getdate() (CVE-2016-8621) - fix URL unescape heap overflow via integer truncation (CVE-2016-8622) - fix use-after-free via shared cookies (CVE-2016-8623)