Resolves: CVE-2019-5481 - double free due to subsequent call of realloc()
This commit is contained in:
Kamil Dudka
parent
b57697f5e7
commit
b989ec64dd
46
0019-curl-7.65.3-CVE-2019-5481.patch
Normal file
46
0019-curl-7.65.3-CVE-2019-5481.patch
Normal file
@ -0,0 +1,46 @@
|
||||
From 13de299b112a59c373b330f0539166ecc9a7627b Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Tue, 3 Sep 2019 22:59:32 +0200
|
||||
Subject: [PATCH] security:read_data fix bad realloc()
|
||||
|
||||
... that could end up a double-free
|
||||
|
||||
CVE-2019-5481
|
||||
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
|
||||
|
||||
Upstream-commit: 9069838b30fb3b48af0123e39f664cea683254a5
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/security.c | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/lib/security.c b/lib/security.c
|
||||
index 550ea2d..c5e4e13 100644
|
||||
--- a/lib/security.c
|
||||
+++ b/lib/security.c
|
||||
@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
|
||||
struct krb5buffer *buf)
|
||||
{
|
||||
int len;
|
||||
- void *tmp = NULL;
|
||||
CURLcode result;
|
||||
|
||||
result = socket_read(fd, &len, sizeof(len));
|
||||
@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
|
||||
if(len) {
|
||||
/* only realloc if there was a length */
|
||||
len = ntohl(len);
|
||||
- tmp = Curl_saferealloc(buf->data, len);
|
||||
+ buf->data = Curl_saferealloc(buf->data, len);
|
||||
}
|
||||
- if(tmp == NULL)
|
||||
+ if(!len || !buf->data)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
- buf->data = tmp;
|
||||
result = socket_read(fd, buf->data, len);
|
||||
if(result)
|
||||
return result;
|
||||
--
|
||||
2.20.1
|
||||
|
||||
@ -55,6 +55,9 @@ Patch17: 0017-curl-7.64.0-CVE-2019-5436.patch
|
||||
# fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
|
||||
Patch18: 0018-curl-7.65.3-CVE-2019-5482.patch
|
||||
|
||||
# double free due to subsequent call of realloc() (CVE-2019-5481)
|
||||
Patch19: 0019-curl-7.65.3-CVE-2019-5481.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -238,6 +241,7 @@ git apply %{PATCH4}
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
|
||||
# make tests/*.py use Python 3
|
||||
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
|
||||
@ -399,6 +403,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
|
||||
%changelog
|
||||
* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-12
|
||||
- double free due to subsequent call of realloc() (CVE-2019-5481)
|
||||
- fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
|
||||
|
||||
* Wed May 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-11
|
||||
|
||||
Loading…
Reference in New Issue
Block a user