Resolves: CVE-2016-8620 - fix glob parser write/read out of bounds
parent
f4a6154810
commit
b8f34f331c
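--- /dev/null
+++ b/0017-curl-7.47.1-CVE-2016-8620.patch
@@ -0,0 +1,192 @@
+From 899d4f898f2b1b2cc910ca994e23e2d55347c22d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 3 Oct 2016 17:27:16 +0200
+Subject: [PATCH 1/3] range: prevent negative end number in a glob range
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2016-8620
+
+Bug: https://curl.haxx.se/docs/adv_20161102F.html
+Reported-by: Luật Nguyễn
+
+Upstream-commit: fbb5f1aa0326d485d5a7ac643b48481897ca667f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+src/tool_urlglob.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
+index 6a4ff76..49bbe4b 100644
+--- a/src/tool_urlglob.c
++++ b/src/tool_urlglob.c
+@@ -257,6 +257,12 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
+endp = NULL;
+else {
+pattern = endp+1;
++ while(*pattern && ISBLANK(*pattern))
++ pattern++;
++ if(!ISDIGIT(*pattern)) {
++ endp = NULL;
++ goto fail;
++ }
+errno = 0;
+max_n = strtoul(pattern, &endp, 10);
+if(errno || (*endp == ':')) {
+@@ -277,6 +283,7 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
+}
+}
+
++ fail:
+*posp += (pattern - *patternp);
+
+if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) ||
+--
+2.7.4
+
+
+From 2897ecbeaf174a4f665e4b7ff9aea7fdd85f3d80 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 3 Oct 2016 18:23:22 +0200
+Subject: [PATCH 2/3] glob_next_url: make sure to stay within the given output
+buffer
+
+Upstream-commit: 269a88910436d730ac212f4dc01cbe6961338061
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+src/tool_urlglob.c | 17 +++++++++++------
+1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
+index 49bbe4b..3a3aba9 100644
+--- a/src/tool_urlglob.c
++++ b/src/tool_urlglob.c
+@@ -432,6 +432,7 @@ CURLcode glob_url(URLGlob** glob, char* url, unsigned long *urlnum,
+glob_buffer = malloc(strlen(url) + 1);
+if(!glob_buffer)
+return CURLE_OUT_OF_MEMORY;
++ glob_buffer[0]=0;
+
+glob_expand = calloc(1, sizeof(URLGlob));
+if(!glob_expand) {
+@@ -549,20 +550,25 @@ CURLcode glob_next_url(char **globbed, URLGlob *glob)
+switch(pat->type) {
+case UPTSet:
+if(pat->content.Set.elements) {
+- len = strlen(pat->content.Set.elements[pat->content.Set.ptr_s]);
+snprintf(buf, buflen, "%s",
+pat->content.Set.elements[pat->content.Set.ptr_s]);
++ len = strlen(buf);
+buf += len;
+buflen -= len;
+}
+break;
+case UPTCharRange:
+- *buf++ = pat->content.CharRange.ptr_c;
++ if(buflen) {
++ *buf++ = pat->content.CharRange.ptr_c;
++ *buf = '\0';
++ buflen--;
++ }
+break;
+case UPTNumRange:
+- len = snprintf(buf, buflen, "%0*ld",
+- pat->content.NumRange.padlength,
+- pat->content.NumRange.ptr_n);
++ snprintf(buf, buflen, "%0*ld",
++ pat->content.NumRange.padlength,
++ pat->content.NumRange.ptr_n);
++ len = strlen(buf);
+buf += len;
+buflen -= len;
+break;
+@@ -571,7 +577,6 @@ CURLcode glob_next_url(char **globbed, URLGlob *glob)
+return CURLE_FAILED_INIT;
+}
+}
+- *buf = '\0';
+
+*globbed = strdup(glob->glob_buffer);
+if(!*globbed)
+--
+2.7.4
+
+
+From 46475c97a6970a644239c542bc6a2a653020c87b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2016 17:25:09 +0200
+Subject: [PATCH 3/3] range: reject char globs with missing end like '[L-]'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+... which previously would lead to out of boundary reads.
+
+Reported-by: Luật Nguyễn
+
+Upstream-commit: ee4f76606cfa4ee068bf28edd37c8dae7e8db317
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+src/tool_urlglob.c | 34 +++++++++++++++++++---------------
+1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
+index 3a3aba9..3b17a68 100644
+--- a/src/tool_urlglob.c
++++ b/src/tool_urlglob.c
+@@ -188,32 +188,36 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
+/* character range detected */
+char min_c;
+char max_c;
++ char end_c;
+int step=1;
+
+pat->type = UPTCharRange;
+
+- rc = sscanf(pattern, "%c-%c", &min_c, &max_c);
++ rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c);
+
+- if((rc == 2) && (pattern[3] == ':')) {
+- char *endp;
+- unsigned long lstep;
+- errno = 0;
+- lstep = strtoul(&pattern[4], &endp, 10);
+- if(errno || (*endp != ']'))
+- step = -1;
+- else {
+- pattern = endp+1;
+- step = (int)lstep;
+- if(step > (max_c - min_c))
++ if(rc == 3) {
++ if(end_c == ':') {
++ char *endp;
++ unsigned long lstep;
++ errno = 0;
++ lstep = strtoul(&pattern[4], &endp, 10);
++ if(errno || (*endp != ']'))
+step = -1;
++ else {
++ pattern = endp+1;
++ step = (int)lstep;
++ if(step > (max_c - min_c))
++ step = -1;
++ }
+}
++ else if(end_c != ']')
++ /* then this is wrong */
++ rc = 0;
+}
+- else
+- pattern += 4;
+
+*posp += (pattern - *patternp);
+
+- if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
++ if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
+(step <= 0) )
+/* the pattern is not well-formed */
+return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);
+--
+2.7.4
+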
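Review bot: In PATCH 3/3 a well-formed plain range such as `[a-z]` no longer advances past its four characters: the removed `else pattern += 4;` has no counterpart inside the new `if(rc == 3)` block, so when `end_c == ']'` `pattern` still points at the first range character, `*posp += (pattern - *patternp)` adds nothing, and the caller presumably resumes parsing from the `a-z]` text; only the `end_c == ':'` arm advances (`pattern = endp+1`), which shows the advance is expected here. Unless the advance happens later in glob_range, whose body continues outside the hunk, the branch should gain a third arm after `rc = 0;`: `else /* end_c == ']' */ pattern += 4;`. The backport's own diffstat (19 insertions, 15 deletions, net +4 matching `-188,32 +188,36`) confirms no such line is present in this patch, so this is worth checking against a `[a-z]` test before shipping. Separately, in PATCH 2/3 the `UPTCharRange` arm guards on `if(buflen)` but writes two bytes (the character and the terminator); since the neighbouring `snprintf` calls pass `buflen` as the full remaining size including the NUL slot, `buflen == 1` would place the terminator one byte past the end, so `if(buflen > 1)` is the strictly correct bound even if the `strlen(url) + 1` sizing makes that case unreachable in practice.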
@ -40,6 +40,9 @@ Patch15: 0015-curl-7.47.1-CVE-2016-8622.patch
# fix out-of-bounds read in curl_getdate() (CVE-2016-8621)
Patch16: 0016-curl-7.47.1-CVE-2016-8621.patch
# fix glob parser write/read out of bounds (CVE-2016-8620)
Patch17: 0017-curl-7.47.1-CVE-2016-8620.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@ -164,6 +167,7 @@ documentation of the library, too.
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
# Fedora patches
%patch101 -p1
@ -280,6 +284,7 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-9
- fix glob parser write/read out of bounds (CVE-2016-8620)
- fix out-of-bounds read in curl_getdate() (CVE-2016-8621)
- fix URL unescape heap overflow via integer truncation (CVE-2016-8622)
- fix use-after-free via shared cookies (CVE-2016-8623)