From: Hauke Mehrtens Date: Sat, 30 Sep 2017 13:23:07 +0000 (+0200) Subject: curl: fix security problems X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=f483a35f08741ff0ca373236e6ad1d93edb1ba75;p=openwrt%2Fstaging%2Fwigyori.git curl: fix security problems This fixes the following security problems: * CVE-2017-1000100 TFTP sends more than buffer size * CVE-2017-1000101 URL globbing out of bounds read Signed-off-by: Hauke Mehrtens --- diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile index 9b357a0aa5..758532e30a 100644 --- a/package/network/utils/curl/Makefile +++ b/package/network/utils/curl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=curl PKG_VERSION:=7.52.1 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://curl.haxx.se/download/ \ diff --git a/package/network/utils/curl/patches/103-CVE-2017-1000100.patch b/package/network/utils/curl/patches/103-CVE-2017-1000100.patch new file mode 100644 index 0000000000..93ab97bd14 --- /dev/null +++ b/package/network/utils/curl/patches/103-CVE-2017-1000100.patch @@ -0,0 +1,41 @@ +From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 1 Aug 2017 17:16:46 +0200 +Subject: [PATCH] tftp: reject file name lengths that don't fit + +... and thereby avoid telling send() to send off more bytes than the +size of the buffer! + +CVE-2017-1000100 + +Bug: https://curl.haxx.se/docs/adv_20170809B.html +Reported-by: Even Rouault + +Credit to OSS-Fuzz for the discovery +--- + lib/tftp.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -490,6 +490,11 @@ static CURLcode tftp_send_first(tftp_sta + if(result) + return result; + ++ if(strlen(filename) > (state->blksize - strlen(mode) - 4)) { ++ failf(data, "TFTP file name too long\n"); ++ return CURLE_TFTP_ILLEGAL; /* too long file name field */ ++ } ++ + snprintf((char *)state->spacket.data+2, + state->blksize, + "%s%c%s%c", filename, '\0', mode, '\0'); diff --git a/package/network/utils/curl/patches/104-CVE-2017-1000101.patch b/package/network/utils/curl/patches/104-CVE-2017-1000101.patch new file mode 100644 index 0000000000..835b73eef9 --- /dev/null +++ b/package/network/utils/curl/patches/104-CVE-2017-1000101.patch @@ -0,0 +1,33 @@ +From 453e7a7a03a2cec749abd3878a48e728c515cca7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 1 Aug 2017 17:16:07 +0200 +Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow + range + +Added test 1289 to verify. + +CVE-2017-1000101 + +Bug: https://curl.haxx.se/docs/adv_20170809A.html +Reported-by: Brian Carpenter +--- + src/tool_urlglob.c | 5 ++++- + tests/data/Makefile.inc | 2 +- + tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++ + 3 files changed, 40 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1289 + +--- a/src/tool_urlglob.c ++++ b/src/tool_urlglob.c +@@ -272,7 +272,10 @@ static CURLcode glob_range(URLGlob *glob + } + errno = 0; + max_n = strtoul(pattern, &endp, 10); +- if(errno || (*endp == ':')) { ++ if(errno) ++ /* overflow */ ++ endp = NULL; ++ else if(*endp == ':') { + pattern = endp+1; + errno = 0; + step_n = strtoul(pattern, &endp, 10);