Resolves: CVE-2019-5481 - double free due to subsequent call of realloc()

This commit is contained in:
Kamil Dudka 2019-09-12 15:37:58 +02:00
parent b57697f5e7
commit b989ec64dd
2 changed files with 51 additions and 0 deletions

View File

@ -0,0 +1,46 @@
From 13de299b112a59c373b330f0539166ecc9a7627b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 3 Sep 2019 22:59:32 +0200
Subject: [PATCH] security:read_data fix bad realloc()
... that could end up a double-free
CVE-2019-5481
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
Upstream-commit: 9069838b30fb3b48af0123e39f664cea683254a5
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/security.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/lib/security.c b/lib/security.c
index 550ea2d..c5e4e13 100644
--- a/lib/security.c
+++ b/lib/security.c
@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
struct krb5buffer *buf)
{
int len;
- void *tmp = NULL;
CURLcode result;
result = socket_read(fd, &len, sizeof(len));
@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
if(len) {
/* only realloc if there was a length */
len = ntohl(len);
- tmp = Curl_saferealloc(buf->data, len);
+ buf->data = Curl_saferealloc(buf->data, len);
}
- if(tmp == NULL)
+ if(!len || !buf->data)
return CURLE_OUT_OF_MEMORY;
- buf->data = tmp;
result = socket_read(fd, buf->data, len);
if(result)
return result;
--
2.20.1

View File

@ -55,6 +55,9 @@ Patch17: 0017-curl-7.64.0-CVE-2019-5436.patch
# fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482) # fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
Patch18: 0018-curl-7.65.3-CVE-2019-5482.patch Patch18: 0018-curl-7.65.3-CVE-2019-5482.patch
# double free due to subsequent call of realloc() (CVE-2019-5481)
Patch19: 0019-curl-7.65.3-CVE-2019-5481.patch
# patch making libcurl multilib ready # patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch Patch101: 0101-curl-7.32.0-multilib.patch
@ -238,6 +241,7 @@ git apply %{PATCH4}
%patch16 -p1 %patch16 -p1
%patch17 -p1 %patch17 -p1
%patch18 -p1 %patch18 -p1
%patch19 -p1
# make tests/*.py use Python 3 # make tests/*.py use Python 3
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@ -399,6 +403,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%changelog %changelog
* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-12 * Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-12
- double free due to subsequent call of realloc() (CVE-2019-5481)
- fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482) - fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
* Wed May 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-11 * Wed May 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-11