diff --git a/0016-curl-7.47.1-CVE-2016-8621.patch b/0016-curl-7.47.1-CVE-2016-8621.patch new file mode 100644 index 0000000..a867b27 --- /dev/null +++ b/0016-curl-7.47.1-CVE-2016-8621.patch @@ -0,0 +1,104 @@ +From 97c3fb871f3284bb0063e531f17e12dea14bfda8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 4 Oct 2016 16:59:38 +0200 +Subject: [PATCH] parsedate: handle cut off numbers better +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... and don't read outside of the given buffer! + +CVE-2016-8621 + +bug: https://curl.haxx.se/docs/adv_20161102G.html +Reported-by: Luật Nguyễn + +Upstream-commit: 96a80b5a262fb6dd2ddcea7987296f3b9a405618 +Signed-off-by: Kamil Dudka +--- + lib/parsedate.c | 12 +++++++----- + tests/data/test517 | 6 ++++++ + tests/libtest/lib517.c | 8 +++++++- + 3 files changed, 20 insertions(+), 6 deletions(-) + +diff --git a/lib/parsedate.c b/lib/parsedate.c +index dfcf855..8e932f4 100644 +--- a/lib/parsedate.c ++++ b/lib/parsedate.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -386,15 +386,17 @@ static int parsedate(const char *date, time_t *output) + /* a digit */ + int val; + char *end; ++ int len=0; + if((secnum == -1) && +- (3 == sscanf(date, "%02d:%02d:%02d", &hournum, &minnum, &secnum))) { ++ (3 == sscanf(date, "%02d:%02d:%02d%n", ++ &hournum, &minnum, &secnum, &len))) { + /* time stamp! */ +- date += 8; ++ date += len; + } + else if((secnum == -1) && +- (2 == sscanf(date, "%02d:%02d", &hournum, &minnum))) { ++ (2 == sscanf(date, "%02d:%02d%n", &hournum, &minnum, &len))) { + /* time stamp without seconds */ +- date += 5; ++ date += len; + secnum = 0; + } + else { +diff --git a/tests/data/test517 b/tests/data/test517 +index c81a45e..513634f 100644 +--- a/tests/data/test517 ++++ b/tests/data/test517 +@@ -116,6 +116,12 @@ nothing + 81: 20111323 12:34:56 => -1 + 82: 20110623 12:34:79 => -1 + 83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000 ++84: 20110623 12:3 => 1308830580 ++85: 20110623 1:3 => 1308790980 ++86: 20110623 1:30 => 1308792600 ++87: 20110623 12:12:3 => 1308831123 ++88: 20110623 01:12:3 => 1308791523 ++89: 20110623 01:99:30 => -1 + + + # This test case previously tested an overflow case ("2094 Nov 6 => +diff --git a/tests/libtest/lib517.c b/tests/libtest/lib517.c +index 2f68ebd..22162ff 100644 +--- a/tests/libtest/lib517.c ++++ b/tests/libtest/lib517.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -116,6 +116,12 @@ static const char * const dates[]={ + "20111323 12:34:56", + "20110623 12:34:79", + "Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */ ++ "20110623 12:3", ++ "20110623 1:3", ++ "20110623 1:30", ++ "20110623 12:12:3", ++ "20110623 01:12:3", ++ "20110623 01:99:30", + NULL + }; + +-- +2.7.4 + diff --git a/curl.spec b/curl.spec index 46dca2c..e4a9f70 100644 --- a/curl.spec +++ b/curl.spec @@ -37,6 +37,9 @@ Patch14: 0014-curl-7.47.1-CVE-2016-8623.patch # fix URL unescape heap overflow via integer truncation (CVE-2016-8622) Patch15: 0015-curl-7.47.1-CVE-2016-8622.patch +# fix out-of-bounds read in curl_getdate() (CVE-2016-8621) +Patch16: 0016-curl-7.47.1-CVE-2016-8621.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -160,6 +163,7 @@ documentation of the library, too. %patch13 -p1 %patch14 -p1 %patch15 -p1 +%patch16 -p1 # Fedora patches %patch101 -p1 @@ -276,6 +280,7 @@ rm -rf $RPM_BUILD_ROOT %changelog * Wed Nov 02 2016 Kamil Dudka 7.47.1-9 +- fix out-of-bounds read in curl_getdate() (CVE-2016-8621) - fix URL unescape heap overflow via integer truncation (CVE-2016-8622) - fix use-after-free via shared cookies (CVE-2016-8623) - urlparse: accept '#' as end of host name (CVE-2016-8624)