From: Stijn Segers <foss@volatilesystems.org>
Date: Sun, 3 Dec 2017 11:09:20 +0000 (+0100)
Subject: curl: apply CVE 2017-8816 and 2017-8817 security patches
X-Git-Tag: v17.01.5~316
X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fopenwrt.git;a=commitdiff_plain;h=060b7f1fbbcbfb381cdfe1f2800391ed1ade1724

curl: apply CVE 2017-8816 and 2017-8817 security patches

This commit adds the upstream patches for CVE 2017-8816 and 2017-8817 to the 17.01
Curl package.

Compile-tested on ar71xx, ramips and x86.

Signed-off-by: Stijn Segers <foss@volatilesystems.org>
---

diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile
index 758532e30a..5d829547aa 100644
--- a/package/network/utils/curl/Makefile
+++ b/package/network/utils/curl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=curl
 PKG_VERSION:=7.52.1
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://curl.haxx.se/download/ \
diff --git a/package/network/utils/curl/patches/105-CVE-2017-8816.patch b/package/network/utils/curl/patches/105-CVE-2017-8816.patch
new file mode 100644
index 0000000000..4d2b3162a8
--- /dev/null
+++ b/package/network/utils/curl/patches/105-CVE-2017-8816.patch
@@ -0,0 +1,67 @@
+From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Nov 2017 23:51:52 +0100
+Subject: [PATCH] ntlm: avoid integer overflow for malloc size
+
+Reported-by: Alex Nichols
+Assisted-by: Kamil Dudka and Max Dymond
+
+CVE-2017-8816
+
+Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+---
+ lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index 1309bf0d9..e8962769c 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -616,23 +616,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
+   Curl_HMAC_final(ctxt, output);
+ 
+   return CURLE_OK;
+ }
+ 
++#ifndef SIZE_T_MAX
++/* some limits.h headers have this defined, some don't */
++#if defined(_LP64) || defined(_I32LPx)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++#endif
++
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+  * (uppercase UserName + Domain) as the data
+  */
+ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
+                                        const char *domain, size_t domlen,
+                                        unsigned char *ntlmhash,
+                                        unsigned char *ntlmv2hash)
+ {
+   /* Unicode representation */
+-  size_t identity_len = (userlen + domlen) * 2;
+-  unsigned char *identity = malloc(identity_len);
++  size_t identity_len;
++  unsigned char *identity;
+   CURLcode result = CURLE_OK;
+ 
++  /* we do the length checks below separately to avoid integer overflow risk
++     on extreme data lengths */
++  if((userlen > SIZE_T_MAX/2) ||
++     (domlen > SIZE_T_MAX/2) ||
++     ((userlen + domlen) > SIZE_T_MAX/2))
++    return CURLE_OUT_OF_MEMORY;
++
++  identity_len = (userlen + domlen) * 2;
++  identity = malloc(identity_len);
++
+   if(!identity)
+     return CURLE_OUT_OF_MEMORY;
+ 
+   ascii_uppercase_to_unicode_le(identity, user, userlen);
+   ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
+-- 
+2.15.0
+
diff --git a/package/network/utils/curl/patches/106-CVE-2017-8817.patch b/package/network/utils/curl/patches/106-CVE-2017-8817.patch
new file mode 100644
index 0000000000..9e904f0b40
--- /dev/null
+++ b/package/network/utils/curl/patches/106-CVE-2017-8817.patch
@@ -0,0 +1,141 @@
+From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Nov 2017 08:52:45 +0100
+Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
+
+The code would previous read beyond the end of the pattern string if the
+match pattern ends with an open bracket when the default pattern
+matching function is used.
+
+Detected by OSS-Fuzz:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
+
+CVE-2017-8817
+
+Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
+---
+ lib/curl_fnmatch.c      |  9 +++------
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1163     | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 7 deletions(-)
+ create mode 100644 tests/data/test1163
+
+diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
+index da83393b4..8a1e106c4 100644
+--- a/lib/curl_fnmatch.c
++++ b/lib/curl_fnmatch.c
+@@ -131,10 +131,13 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+   unsigned char lastchar   = 0;
+   bool something_found = FALSE;
+   unsigned char c;
+   for(;;) {
+     c = **p;
++    if(!c)
++      return SETCHARSET_FAIL;
++
+     switch(state) {
+     case CURLFNM_SCHS_DEFAULT:
+       if(ISALNUM(c)) { /* ASCII value */
+         rangestart = c;
+         charset[c] = 1;
+@@ -195,13 +198,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+           (*p)++;
+         }
+         else
+           return SETCHARSET_FAIL;
+       }
+-      else if(c == '\0') {
+-        return SETCHARSET_FAIL;
+-      }
+       else {
+         charset[c] = 1;
+         (*p)++;
+         something_found = TRUE;
+       }
+@@ -276,13 +276,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+         (*p)++;
+       }
+       else if(c == ']') {
+         return SETCHARSET_OK;
+       }
+-      else if(c == '\0') {
+-        return SETCHARSET_FAIL;
+-      }
+       else if(ISPRINT(c)) {
+         charset[c] = 1;
+         (*p)++;
+         state = CURLFNM_SCHS_DEFAULT;
+       }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index dc1cc03bc..6eb37d81d 100644
+--- a/tests/data/Makefile.inc.1	2017-11-29 20:00:26.126452486 +0000
++++ b/tests/data/Makefile.inc	2017-11-29 20:01:13.057783732 +0000
+@@ -121,6 +121,7 @@
+ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 \
++test1163 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1163 b/tests/data/test1163
+new file mode 100644
+index 000000000..a109b511b
+--- /dev/null
++++ b/tests/data/test1163
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++FTP
++RETR
++LIST
++wildcardmatch
++ftplistparser
++flaky
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++ftp
++</server>
++<tool>
++lib576
++</tool>
++<name>
++FTP wildcard with pattern ending with an open-bracket
++</name>
++<command>
++"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
++</command>
++</client>
++<verify>
++<protocol>
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD fully_simulated
++CWD DOS
++EPSV
++TYPE A
++LIST
++QUIT
++</protocol>
++# 78 == CURLE_REMOTE_FILE_NOT_FOUND
++<errorcode>
++78
++</errorcode>
++</verify>
++</testcase>
+-- 
+2.15.0
+