diff options
author | Hauke Mehrtens <hauke@hauke-m.de> | 2018-08-10 21:39:06 +0200 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2018-08-10 22:56:31 +0200 |
commit | 9bc43f3e65bc8e0bb3d0c5ea8ff906111197afb9 (patch) | |
tree | 6c855135e0208b15092012d4c86363d19de846f6 /package/network/utils/curl/patches/105-CVE-2017-1000254.patch | |
parent | b3983323a1f25c936ddfcc129c454b282e90eeed (diff) | |
download | upstream-9bc43f3e65bc8e0bb3d0c5ea8ff906111197afb9.tar.gz upstream-9bc43f3e65bc8e0bb3d0c5ea8ff906111197afb9.tar.bz2 upstream-9bc43f3e65bc8e0bb3d0c5ea8ff906111197afb9.zip |
curl: fix some security problems
This fixes the following security problems:
* CVE-2017-1000254: FTP PWD response parser out of bounds read
* CVE-2017-1000257: IMAP FETCH response out of bounds read
* CVE-2018-1000005: HTTP/2 trailer out-of-bounds read
* CVE-2018-1000007: HTTP authentication leak in redirects
* CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write
* CVE-2018-1000121: LDAP NULL pointer dereference
* CVE-2018-1000122: RTSP RTP buffer over-read
* CVE-2018-1000301: RTSP bad headers buffer over-read
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Diffstat (limited to 'package/network/utils/curl/patches/105-CVE-2017-1000254.patch')
-rw-r--r-- | package/network/utils/curl/patches/105-CVE-2017-1000254.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/package/network/utils/curl/patches/105-CVE-2017-1000254.patch b/package/network/utils/curl/patches/105-CVE-2017-1000254.patch new file mode 100644 index 0000000000..56b0235583 --- /dev/null +++ b/package/network/utils/curl/patches/105-CVE-2017-1000254.patch @@ -0,0 +1,49 @@ +From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 25 Sep 2017 00:35:22 +0200 +Subject: [PATCH] FTP: zero terminate the entry path even on bad input + +... a single double quote could leave the entry path buffer without a zero +terminating byte. CVE-2017-1000254 + +Test 1152 added to verify. + +Reported-by: Max Dymond +Bug: https://curl.haxx.se/docs/adv_20171004.html +--- + lib/ftp.c | 7 ++++-- + tests/data/Makefile.inc | 1 + + tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 67 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1152 + +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -2825,6 +2825,7 @@ static CURLcode ftp_statemach_act(struct + char *ptr=&data->state.buffer[4]; /* start on the first letter */ + char *dir; + char *store; ++ bool entry_extracted = FALSE; + + dir = malloc(nread + 1); + if(!dir) +@@ -2856,7 +2857,7 @@ static CURLcode ftp_statemach_act(struct + } + else { + /* end of path */ +- *store = '\0'; /* zero terminate */ ++ entry_extracted = TRUE; + break; /* get out of this loop */ + } + } +@@ -2865,7 +2866,9 @@ static CURLcode ftp_statemach_act(struct + store++; + ptr++; + } +- ++ *store = '\0'; /* zero terminate */ ++ } ++ if(entry_extracted) { + /* If the path name does not look like an absolute path (i.e.: it + does not start with a '/'), we probably need some server-dependent + adjustments. For example, this is the case when connecting to |