This fixes the following security problems:
* CVE-2017-1000100 TFTP sends more than buffer size
* CVE-2017-1000101 URL globbing out of bounds read
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Showing
3 changed files
with
75 additions
and
1 deletion.
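--- a/package/network/utils/curl/patches/103-CVE-2017-1000100.patch
+++ b/package/network/utils/curl/patches/103-CVE-2017-1000100.patch
@@ -0,0 +1,41 @@
+From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 1 Aug 2017 17:16:46 +0200
+Subject: [PATCH] tftp: reject file name lengths that don't fit
+
+... and thereby avoid telling send() to send off more bytes than the
+size of the buffer!
+
+CVE-2017-1000100
+
+Bug: https://curl.haxx.se/docs/adv_20170809B.html
+Reported-by: Even Rouault
+
+Credit to OSS-Fuzz for the discovery
+---
+lib/tftp.c | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -5,7 +5,7 @@
+* | (__| |_| | _ <| |___
+* \___|\___/|_| \_\_____|
+*
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+*
+* This software is licensed as described in the file COPYING, which
+* you should have received as part of this distribution. The terms
+@@ -490,6 +490,11 @@ static CURLcode tftp_send_first(tftp_sta
+if(result)
+return result;
+
++ if(strlen(filename) > (state->blksize - strlen(mode) - 4)) {
++ failf(data, "TFTP file name too long\n");
++ return CURLE_TFTP_ILLEGAL; /* too long file name field */
++ }
++
+snprintf((char *)state->spacket.data+2,
+state->blksize,
+"%s%c%s%c", filename, '\0', mode, '\0');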
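Review bot: The new guard `if(strlen(filename) > (state->blksize - strlen(mode) - 4))` is evaluated in size_t arithmetic because strlen() returns size_t, so if `state->blksize` (its type and minimum are not visible in this hunk) is ever smaller than `strlen(mode) + 4`, the right-hand side wraps to a huge value and the check rejects nothing. Whether blksize can be that small, and whether it is the same size that backs `spacket.data`, is decided in tftp_connect outside this patch, so this is a point to confirm rather than a defect the hunk shows. A form that cannot wrap is `if(strlen(filename) + strlen(mode) + 4 > (size_t)state->blksize)`, which gives the same result for every case the current expression handles correctly. Because this file is a verbatim upstream backport, such a change belongs upstream; for the OpenWrt copy a one-line header note naming the upstream tag it was taken from would help the next rebase. tftp_send_first continues outside the hunk.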
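--- a/package/network/utils/curl/patches/104-CVE-2017-1000101.patch
+++ b/package/network/utils/curl/patches/104-CVE-2017-1000101.patch
@@ -0,0 +1,33 @@
+From 453e7a7a03a2cec749abd3878a48e728c515cca7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 1 Aug 2017 17:16:07 +0200
+Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow
+range
+
+Added test 1289 to verify.
+
+CVE-2017-1000101
+
+Bug: https://curl.haxx.se/docs/adv_20170809A.html
+Reported-by: Brian Carpenter
+---
+src/tool_urlglob.c | 5 ++++-
+tests/data/Makefile.inc | 2 +-
+tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++
+3 files changed, 40 insertions(+), 2 deletions(-)
+create mode 100644 tests/data/test1289
+
+--- a/src/tool_urlglob.c
++++ b/src/tool_urlglob.c
+@@ -272,7 +272,10 @@ static CURLcode glob_range(URLGlob *glob
+}
+errno = 0;
+max_n = strtoul(pattern, &endp, 10);
+- if(errno || (*endp == ':')) {
++ if(errno)
++ /* overflow */
++ endp = NULL;
++ else if(*endp == ':') {
+pattern = endp+1;
+errno = 0;
+step_n = strtoul(pattern, &endp, 10);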
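Review bot: The embedded diffstat (`tests/data/Makefile.inc | 2 +-`, `tests/data/test1289 | 35 ...`, `3 files changed, 40 insertions(+), 2 deletions(-)`) announces the upstream regression test, but the carried patch body contains only the src/tool_urlglob.c hunk, so the header no longer describes the file; quilt and git apply ignore the diffstat, but a reader auditing the backport is misled about what was verified. Either trim the header to `src/tool_urlglob.c | 5 ++++-` and `1 file changed, 4 insertions(+), 1 deletion(-)`, or carry the test so the overflow case is exercised when the package's tests run. On the code itself, the braceless `if(errno)` with `/* overflow */` sitting between the condition and `endp = NULL;` is easy to misread next to the braced `else if`; `if(errno) { /* overflow */ endp = NULL; }` makes the pairing explicit. Whatever consumes endp after this hunk must treat NULL as a parse error; that code is outside the hunk, as is the rest of glob_range.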