From 060b7f1fbbcbfb381cdfe1f2800391ed1ade1724 Mon Sep 17 00:00:00 2001 From: Stijn Segers Date: Sun, 3 Dec 2017 12:09:20 +0100 Subject: [PATCH] curl: apply CVE 2017-8816 and 2017-8817 security patches This commit adds the upstream patches for CVE 2017-8816 and 2017-8817 to the 17.01 Curl package. Compile-tested on ar71xx, ramips and x86. Signed-off-by: Stijn Segers --- package/network/utils/curl/Makefile | 2 +- .../curl/patches/105-CVE-2017-8816.patch | 67 +++++++++ .../curl/patches/106-CVE-2017-8817.patch | 141 ++++++++++++++++++ 3 files changed, 209 insertions(+), 1 deletion(-) create mode 100644 package/network/utils/curl/patches/105-CVE-2017-8816.patch create mode 100644 package/network/utils/curl/patches/106-CVE-2017-8817.patch diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile index 758532e30a..5d829547aa 100644 --- a/package/network/utils/curl/Makefile +++ b/package/network/utils/curl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=curl PKG_VERSION:=7.52.1 -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://curl.haxx.se/download/ \ diff --git a/package/network/utils/curl/patches/105-CVE-2017-8816.patch b/package/network/utils/curl/patches/105-CVE-2017-8816.patch new file mode 100644 index 0000000000..4d2b3162a8 --- /dev/null +++ b/package/network/utils/curl/patches/105-CVE-2017-8816.patch @@ -0,0 +1,67 @@ +From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 6 Nov 2017 23:51:52 +0100 +Subject: [PATCH] ntlm: avoid integer overflow for malloc size + +Reported-by: Alex Nichols +Assisted-by: Kamil Dudka and Max Dymond + +CVE-2017-8816 + +Bug: https://curl.haxx.se/docs/adv_2017-11e7.html +--- + lib/curl_ntlm_core.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c +index 1309bf0d9..e8962769c 100644 +--- a/lib/curl_ntlm_core.c ++++ b/lib/curl_ntlm_core.c +@@ -616,23 +616,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, + Curl_HMAC_final(ctxt, output); + + return CURLE_OK; + } + ++#ifndef SIZE_T_MAX ++/* some limits.h headers have this defined, some don't */ ++#if defined(_LP64) || defined(_I32LPx) ++#define SIZE_T_MAX 18446744073709551615U ++#else ++#define SIZE_T_MAX 4294967295U ++#endif ++#endif ++ + /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode + * (uppercase UserName + Domain) as the data + */ + CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen, + const char *domain, size_t domlen, + unsigned char *ntlmhash, + unsigned char *ntlmv2hash) + { + /* Unicode representation */ +- size_t identity_len = (userlen + domlen) * 2; +- unsigned char *identity = malloc(identity_len); ++ size_t identity_len; ++ unsigned char *identity; + CURLcode result = CURLE_OK; + ++ /* we do the length checks below separately to avoid integer overflow risk ++ on extreme data lengths */ ++ if((userlen > SIZE_T_MAX/2) || ++ (domlen > SIZE_T_MAX/2) || ++ ((userlen + domlen) > SIZE_T_MAX/2)) ++ return CURLE_OUT_OF_MEMORY; ++ ++ identity_len = (userlen + domlen) * 2; ++ identity = malloc(identity_len); ++ + if(!identity) + return CURLE_OUT_OF_MEMORY; + + ascii_uppercase_to_unicode_le(identity, user, userlen); + ascii_to_unicode_le(identity + (userlen << 1), domain, domlen); +-- +2.15.0 + diff --git a/package/network/utils/curl/patches/106-CVE-2017-8817.patch b/package/network/utils/curl/patches/106-CVE-2017-8817.patch new file mode 100644 index 0000000000..9e904f0b40 --- /dev/null +++ b/package/network/utils/curl/patches/106-CVE-2017-8817.patch @@ -0,0 +1,141 @@ +From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Nov 2017 08:52:45 +0100 +Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset + +The code would previous read beyond the end of the pattern string if the +match pattern ends with an open bracket when the default pattern +matching function is used. + +Detected by OSS-Fuzz: +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161 + +CVE-2017-8817 + +Bug: https://curl.haxx.se/docs/adv_2017-ae72.html +--- + lib/curl_fnmatch.c | 9 +++------ + tests/data/Makefile.inc | 2 +- + tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 56 insertions(+), 7 deletions(-) + create mode 100644 tests/data/test1163 + +diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c +index da83393b4..8a1e106c4 100644 +--- a/lib/curl_fnmatch.c ++++ b/lib/curl_fnmatch.c +@@ -131,10 +131,13 @@ static int setcharset(unsigned char **p, unsigned char *charset) + unsigned char lastchar = 0; + bool something_found = FALSE; + unsigned char c; + for(;;) { + c = **p; ++ if(!c) ++ return SETCHARSET_FAIL; ++ + switch(state) { + case CURLFNM_SCHS_DEFAULT: + if(ISALNUM(c)) { /* ASCII value */ + rangestart = c; + charset[c] = 1; +@@ -195,13 +198,10 @@ static int setcharset(unsigned char **p, unsigned char *charset) + (*p)++; + } + else + return SETCHARSET_FAIL; + } +- else if(c == '\0') { +- return SETCHARSET_FAIL; +- } + else { + charset[c] = 1; + (*p)++; + something_found = TRUE; + } +@@ -276,13 +276,10 @@ static int setcharset(unsigned char **p, unsigned char *charset) + (*p)++; + } + else if(c == ']') { + return SETCHARSET_OK; + } +- else if(c == '\0') { +- return SETCHARSET_FAIL; +- } + else if(ISPRINT(c)) { + charset[c] = 1; + (*p)++; + state = CURLFNM_SCHS_DEFAULT; + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index dc1cc03bc..6eb37d81d 100644 +--- a/tests/data/Makefile.inc.1 2017-11-29 20:00:26.126452486 +0000 ++++ b/tests/data/Makefile.inc 2017-11-29 20:01:13.057783732 +0000 +@@ -121,6 +121,7 @@ + test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \ + test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \ + test1144 \ ++test1163 \ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ + test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \ + test1216 test1217 test1218 test1219 \ +diff --git a/tests/data/test1163 b/tests/data/test1163 +new file mode 100644 +index 000000000..a109b511b +--- /dev/null ++++ b/tests/data/test1163 +@@ -0,0 +1,52 @@ ++ ++ ++ ++FTP ++RETR ++LIST ++wildcardmatch ++ftplistparser ++flaky ++ ++ ++ ++# ++# Server-side ++ ++ ++ ++ ++ ++# Client-side ++ ++ ++ftp ++ ++ ++lib576 ++ ++ ++FTP wildcard with pattern ending with an open-bracket ++ ++ ++"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[][" ++ ++ ++ ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++CWD fully_simulated ++CWD DOS ++EPSV ++TYPE A ++LIST ++QUIT ++ ++# 78 == CURLE_REMOTE_FILE_NOT_FOUND ++ ++78 ++ ++ ++ +-- +2.15.0 + -- 2.30.2