From 8d903be35ad063977768aee7e0f4b959717ebc96 Mon Sep 17 00:00:00 2001
From: Hauke Mehrtens <hauke@hauke-m.de>
Date: Wed, 8 Aug 2018 21:57:18 +0200
Subject: curl: Fix CVE-2018-0500

This backports a fix for:
* CVE-2018-0500 SMTP send heap buffer overflow
See here for details: https://curl.haxx.se/docs/adv_2018-70a2.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
---
 package/network/utils/curl/Makefile                |  2 +-
 .../utils/curl/patches/400-CVE-2018-0500.patch     | 32 ++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 package/network/utils/curl/patches/400-CVE-2018-0500.patch

diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile
index 92b3cab7dd..db726407b9 100644
--- a/package/network/utils/curl/Makefile
+++ b/package/network/utils/curl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=curl
 PKG_VERSION:=7.60.0
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://dl.uxnr.de/mirror/curl/ \
diff --git a/package/network/utils/curl/patches/400-CVE-2018-0500.patch b/package/network/utils/curl/patches/400-CVE-2018-0500.patch
new file mode 100644
index 0000000000..9ef4111aea
--- /dev/null
+++ b/package/network/utils/curl/patches/400-CVE-2018-0500.patch
@@ -0,0 +1,32 @@
+From ba1dbd78e5f1ed67c1b8d37ac89d90e5e330b628 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 13 Jun 2018 12:24:40 +0200
+Subject: [PATCH] smtp: use the upload buffer size for scratch buffer malloc
+
+... not the read buffer size, as that can be set smaller and thus cause
+a buffer overflow! CVE-2018-0500
+
+Reported-by: Peter Wu
+Bug: https://curl.haxx.se/docs/adv_2018-70a2.html
+---
+ lib/smtp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -1563,13 +1563,14 @@ CURLcode Curl_smtp_escape_eob(struct con
+   if(!scratch || data->set.crlf) {
+     oldscratch = scratch;
+ 
+-    scratch = newscratch = malloc(2 * data->set.buffer_size);
++    scratch = newscratch = malloc(2 * UPLOAD_BUFSIZE);
+     if(!newscratch) {
+       failf(data, "Failed to alloc scratch buffer!");
+ 
+       return CURLE_OUT_OF_MEMORY;
+     }
+   }
++  DEBUGASSERT(UPLOAD_BUFSIZE >= nread);
+ 
+   /* Have we already sent part of the EOB? */
+   eob_sent = smtp->eob;
-- 
cgit v1.2.3