diff options
author | Hauke Mehrtens <hauke@hauke-m.de> | 2018-08-10 21:39:06 +0200 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2018-08-10 22:56:31 +0200 |
commit | 9bc43f3e65bc8e0bb3d0c5ea8ff906111197afb9 (patch) | |
tree | 6c855135e0208b15092012d4c86363d19de846f6 /package/network/utils/curl/patches/113-CVE-2018-1000122.patch | |
parent | b3983323a1f25c936ddfcc129c454b282e90eeed (diff) | |
download | upstream-9bc43f3e65bc8e0bb3d0c5ea8ff906111197afb9.tar.gz upstream-9bc43f3e65bc8e0bb3d0c5ea8ff906111197afb9.tar.bz2 upstream-9bc43f3e65bc8e0bb3d0c5ea8ff906111197afb9.zip |
curl: fix some security problems
This fixes the following security problems:
* CVE-2017-1000254: FTP PWD response parser out of bounds read
* CVE-2017-1000257: IMAP FETCH response out of bounds read
* CVE-2018-1000005: HTTP/2 trailer out-of-bounds read
* CVE-2018-1000007: HTTP authentication leak in redirects
* CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write
* CVE-2018-1000121: LDAP NULL pointer dereference
* CVE-2018-1000122: RTSP RTP buffer over-read
* CVE-2018-1000301: RTSP bad headers buffer over-read
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Diffstat (limited to 'package/network/utils/curl/patches/113-CVE-2018-1000122.patch')
-rw-r--r-- | package/network/utils/curl/patches/113-CVE-2018-1000122.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/package/network/utils/curl/patches/113-CVE-2018-1000122.patch b/package/network/utils/curl/patches/113-CVE-2018-1000122.patch new file mode 100644 index 0000000000..68a81aef8a --- /dev/null +++ b/package/network/utils/curl/patches/113-CVE-2018-1000122.patch @@ -0,0 +1,33 @@ +From d70b74d6f893947aa22d3f14df10f92a8c349388 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 8 Mar 2018 10:33:16 +0100 +Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end + +CVE-2018-1000122 +Bug: https://curl.haxx.se/docs/adv_2018-b047.html + +Detected by OSS-fuzz +--- + lib/transfer.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -791,10 +791,15 @@ static CURLcode readwrite_data(struct Cu + + } /* if(!header and data to read) */ + +- if(conn->handler->readwrite && +- (excess > 0 && !conn->bits.stream_was_rewound)) { ++ if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) { + /* Parse the excess data */ + k->str += nread; ++ ++ if(&k->str[excess] > &k->buf[data->set.buffer_size]) { ++ /* the excess amount was too excessive(!), make sure ++ it doesn't read out of buffer */ ++ excess = &k->buf[data->set.buffer_size] - k->str; ++ } + nread = (ssize_t)excess; + + result = conn->handler->readwrite(data, conn, &nread, &readmore); |