Resolves: CVE-2016-8621 - fix out-of-bounds read in curl_getdate()
This commit is contained in:
parent
7c7cf92ea9
commit
f4a6154810
|
@ -0,0 +1,104 @@
|
|||
From 97c3fb871f3284bb0063e531f17e12dea14bfda8 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Tue, 4 Oct 2016 16:59:38 +0200
|
||||
Subject: [PATCH] parsedate: handle cut off numbers better
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
... and don't read outside of the given buffer!
|
||||
|
||||
CVE-2016-8621
|
||||
|
||||
bug: https://curl.haxx.se/docs/adv_20161102G.html
|
||||
Reported-by: Luật Nguyễn
|
||||
|
||||
Upstream-commit: 96a80b5a262fb6dd2ddcea7987296f3b9a405618
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/parsedate.c | 12 +++++++-----
|
||||
tests/data/test517 | 6 ++++++
|
||||
tests/libtest/lib517.c | 8 +++++++-
|
||||
3 files changed, 20 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/lib/parsedate.c b/lib/parsedate.c
|
||||
index dfcf855..8e932f4 100644
|
||||
--- a/lib/parsedate.c
|
||||
+++ b/lib/parsedate.c
|
||||
@@ -5,7 +5,7 @@
|
||||
* | (__| |_| | _ <| |___
|
||||
* \___|\___/|_| \_\_____|
|
||||
*
|
||||
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
*
|
||||
* This software is licensed as described in the file COPYING, which
|
||||
* you should have received as part of this distribution. The terms
|
||||
@@ -386,15 +386,17 @@ static int parsedate(const char *date, time_t *output)
|
||||
/* a digit */
|
||||
int val;
|
||||
char *end;
|
||||
+ int len=0;
|
||||
if((secnum == -1) &&
|
||||
- (3 == sscanf(date, "%02d:%02d:%02d", &hournum, &minnum, &secnum))) {
|
||||
+ (3 == sscanf(date, "%02d:%02d:%02d%n",
|
||||
+ &hournum, &minnum, &secnum, &len))) {
|
||||
/* time stamp! */
|
||||
- date += 8;
|
||||
+ date += len;
|
||||
}
|
||||
else if((secnum == -1) &&
|
||||
- (2 == sscanf(date, "%02d:%02d", &hournum, &minnum))) {
|
||||
+ (2 == sscanf(date, "%02d:%02d%n", &hournum, &minnum, &len))) {
|
||||
/* time stamp without seconds */
|
||||
- date += 5;
|
||||
+ date += len;
|
||||
secnum = 0;
|
||||
}
|
||||
else {
|
||||
diff --git a/tests/data/test517 b/tests/data/test517
|
||||
index c81a45e..513634f 100644
|
||||
--- a/tests/data/test517
|
||||
+++ b/tests/data/test517
|
||||
@@ -116,6 +116,12 @@ nothing
|
||||
81: 20111323 12:34:56 => -1
|
||||
82: 20110623 12:34:79 => -1
|
||||
83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000
|
||||
+84: 20110623 12:3 => 1308830580
|
||||
+85: 20110623 1:3 => 1308790980
|
||||
+86: 20110623 1:30 => 1308792600
|
||||
+87: 20110623 12:12:3 => 1308831123
|
||||
+88: 20110623 01:12:3 => 1308791523
|
||||
+89: 20110623 01:99:30 => -1
|
||||
</stdout>
|
||||
|
||||
# This test case previously tested an overflow case ("2094 Nov 6 =>
|
||||
diff --git a/tests/libtest/lib517.c b/tests/libtest/lib517.c
|
||||
index 2f68ebd..22162ff 100644
|
||||
--- a/tests/libtest/lib517.c
|
||||
+++ b/tests/libtest/lib517.c
|
||||
@@ -5,7 +5,7 @@
|
||||
* | (__| |_| | _ <| |___
|
||||
* \___|\___/|_| \_\_____|
|
||||
*
|
||||
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
*
|
||||
* This software is licensed as described in the file COPYING, which
|
||||
* you should have received as part of this distribution. The terms
|
||||
@@ -116,6 +116,12 @@ static const char * const dates[]={
|
||||
"20111323 12:34:56",
|
||||
"20110623 12:34:79",
|
||||
"Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */
|
||||
+ "20110623 12:3",
|
||||
+ "20110623 1:3",
|
||||
+ "20110623 1:30",
|
||||
+ "20110623 12:12:3",
|
||||
+ "20110623 01:12:3",
|
||||
+ "20110623 01:99:30",
|
||||
NULL
|
||||
};
|
||||
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -37,6 +37,9 @@ Patch14: 0014-curl-7.47.1-CVE-2016-8623.patch
|
|||
# fix URL unescape heap overflow via integer truncation (CVE-2016-8622)
|
||||
Patch15: 0015-curl-7.47.1-CVE-2016-8622.patch
|
||||
|
||||
# fix out-of-bounds read in curl_getdate() (CVE-2016-8621)
|
||||
Patch16: 0016-curl-7.47.1-CVE-2016-8621.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
|
@ -160,6 +163,7 @@ documentation of the library, too.
|
|||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
|
@ -276,6 +280,7 @@ rm -rf $RPM_BUILD_ROOT
|
|||
|
||||
%changelog
|
||||
* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-9
|
||||
- fix out-of-bounds read in curl_getdate() (CVE-2016-8621)
|
||||
- fix URL unescape heap overflow via integer truncation (CVE-2016-8622)
|
||||
- fix use-after-free via shared cookies (CVE-2016-8623)
|
||||
- urlparse: accept '#' as end of host name (CVE-2016-8624)
|
||||
|
|
Loading…
Reference in New Issue