curl: apply CVE 2017-8816 and 2017-8817 security patches
This commit adds the upstream patches for CVE-2017-8816 and CVE-2017-8817 to the 17.01 curl package. Compile-tested on ar71xx, ramips and x86. Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Showing
3 changed files
with
209 additions
and
1 deletion.
67 changes: 67 additions & 0 deletions
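--- /dev/null
+++ b/package/network/utils/curl/patches/105-CVE-2017-8816.patch
@@ -0,0 +1,67 @@
+From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Nov 2017 23:51:52 +0100
+Subject: [PATCH] ntlm: avoid integer overflow for malloc size
+
+Reported-by: Alex Nichols
+Assisted-by: Kamil Dudka and Max Dymond
+
+CVE-2017-8816
+
+Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+---
+lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
+1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index 1309bf0d9..e8962769c 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -616,23 +616,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
+Curl_HMAC_final(ctxt, output);
+
+return CURLE_OK;
+}
+
++#ifndef SIZE_T_MAX
++/* some limits.h headers have this defined, some don't */
++#if defined(_LP64) || defined(_I32LPx)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++#endif
++
+/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+* (uppercase UserName + Domain) as the data
+*/
+CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
+const char *domain, size_t domlen,
+unsigned char *ntlmhash,
+unsigned char *ntlmv2hash)
+{
+/* Unicode representation */
+- size_t identity_len = (userlen + domlen) * 2;
+- unsigned char *identity = malloc(identity_len);
++ size_t identity_len;
++ unsigned char *identity;
+CURLcode result = CURLE_OK;
+
++ /* we do the length checks below separately to avoid integer overflow risk
++ on extreme data lengths */
++ if((userlen > SIZE_T_MAX/2) ||
++ (domlen > SIZE_T_MAX/2) ||
++ ((userlen + domlen) > SIZE_T_MAX/2))
++ return CURLE_OUT_OF_MEMORY;
++
++ identity_len = (userlen + domlen) * 2;
++ identity = malloc(identity_len);
++
+if(!identity)
+return CURLE_OUT_OF_MEMORY;
+
+ascii_uppercase_to_unicode_le(identity, user, userlen);
+ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
+--
+2.15.0
+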
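Review bot: The `SIZE_T_MAX` fallback at the top of the curl_ntlm_core.c hunk (`#if defined(_LP64) || defined(_I32LPx)`) selects the 32-bit constant on any toolchain that defines neither macro, so a 64-bit target of that kind would reject user+domain lengths above 2 GiB even though its `size_t` is wider; that only over-rejects, so the overflow guard stays sound, but the reliance on those two arch macros deserves a comment. A form that needs no arch macro is `#define SIZE_T_MAX ((size_t)-1)` (or `SIZE_MAX` from `<stdint.h>`); since this file is a verbatim backport of upstream 7947c50b, though, I would keep the C byte-identical and put such a remark only in a header comment on the OpenWrt patch. The three added checks are correct as written: with `userlen` and `domlen` each capped at `SIZE_T_MAX/2` their sum cannot wrap before the third comparison, and the subsequent `* 2` cannot exceed `SIZE_T_MAX`. The remainder of `Curl_ntlm_core_mk_ntlmv2_hash`, including whatever releases `identity`, lies outside the hunk.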
141 changes: 141 additions & 0 deletions
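--- /dev/null
+++ b/package/network/utils/curl/patches/106-CVE-2017-8817.patch
@@ -0,0 +1,141 @@
+From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Nov 2017 08:52:45 +0100
+Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
+
+The code would previous read beyond the end of the pattern string if the
+match pattern ends with an open bracket when the default pattern
+matching function is used.
+
+Detected by OSS-Fuzz:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
+
+CVE-2017-8817
+
+Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
+---
+lib/curl_fnmatch.c | 9 +++------
+tests/data/Makefile.inc | 2 +-
+tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
+3 files changed, 56 insertions(+), 7 deletions(-)
+create mode 100644 tests/data/test1163
+
+diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
+index da83393b4..8a1e106c4 100644
+--- a/lib/curl_fnmatch.c
++++ b/lib/curl_fnmatch.c
+@@ -131,10 +131,13 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+unsigned char lastchar = 0;
+bool something_found = FALSE;
+unsigned char c;
+for(;;) {
+c = **p;
++ if(!c)
++ return SETCHARSET_FAIL;
++
+switch(state) {
+case CURLFNM_SCHS_DEFAULT:
+if(ISALNUM(c)) { /* ASCII value */
+rangestart = c;
+charset[c] = 1;
+@@ -195,13 +198,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+(*p)++;
+}
+else
+return SETCHARSET_FAIL;
+}
+- else if(c == '\0') {
+- return SETCHARSET_FAIL;
+- }
+else {
+charset[c] = 1;
+(*p)++;
+something_found = TRUE;
+}
+@@ -276,13 +276,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+(*p)++;
+}
+else if(c == ']') {
+return SETCHARSET_OK;
+}
+- else if(c == '\0') {
+- return SETCHARSET_FAIL;
+- }
+else if(ISPRINT(c)) {
+charset[c] = 1;
+(*p)++;
+state = CURLFNM_SCHS_DEFAULT;
+}
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index dc1cc03bc..6eb37d81d 100644
+--- a/tests/data/Makefile.inc.1 2017-11-29 20:00:26.126452486 +0000
++++ b/tests/data/Makefile.inc 2017-11-29 20:01:13.057783732 +0000
+@@ -121,6 +121,7 @@
+test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+test1144 \
++test1163 \
+test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1163 b/tests/data/test1163
+new file mode 100644
+index 000000000..a109b511b
+--- /dev/null
++++ b/tests/data/test1163
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++FTP
++RETR
++LIST
++wildcardmatch
++ftplistparser
++flaky
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++ftp
++</server>
++<tool>
++lib576
++</tool>
++<name>
++FTP wildcard with pattern ending with an open-bracket
++</name>
++<command>
++"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
++</command>
++</client>
++<verify>
++<protocol>
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD fully_simulated
++CWD DOS
++EPSV
++TYPE A
++LIST
++QUIT
++</protocol>
++# 78 == CURLE_REMOTE_FILE_NOT_FOUND
++<errorcode>
++78
++</errorcode>
++</verify>
++</testcase>
+--
+2.15.0
+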
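Review bot: The `tests/data/Makefile.inc` sub-diff in this patch file has been regenerated by hand: its headers read `--- a/tests/data/Makefile.inc.1 2017-11-29 ...` / `+++ b/tests/data/Makefile.inc 2017-11-29 ...` with timestamps rather than upstream's plain `a/`/`b/` paths, and the hunk adds `+test1163 \` with no removal while the stat lines above still say `tests/data/Makefile.inc | 2 +-` and `7 deletions(-)`. The stat lines are ignored when the patch is applied, but the mismatched old-file name leans on `patch`'s name selection to find `tests/data/Makefile.inc`; cleaner is to rewrite the header as `--- a/tests/data/Makefile.inc` / `+++ b/tests/data/Makefile.inc` and correct the stat lines, or to drop the test-suite hunks since, as far as I can tell, the 17.01 package build does not run curl's test suite. The `lib/curl_fnmatch.c` change itself looks complete: hoisting `if(!c) return SETCHARSET_FAIL;` to the top of the `for(;;)` loop covers every `state` of `setcharset`, including those that previously had no NUL check, which is why the two later `c == '\0'` branches can go; `setcharset` begins and ends outside these hunks. Note that test1163 is tagged `flaky` in its keywords, so harnesses configured to skip flaky tests will not exercise the `*[][` regression case.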