[OE-core] [ROCKO][PATCH V2 11/34] curl: CVE-2018-1000300

Jagadeesh Krishnanjanappa jkrishnanjanappa at mvista.com
Wed Aug 22 13:35:17 UTC 2018


pingpong: fix response cache memcpy overflow

Response data for a handle with a large buffer might be cached and then
used with the "closure" handle when it has a smaller buffer and then the
larger cache will be copied and overflow the new smaller heap based
buffer.

Reported-by: Dario Weisser
CVE: CVE-2018-1000300
Bug: https://curl.haxx.se/docs/adv_2018-82c2.html

Affects curl >= 7.54.1 && curl <= 7.59.0

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
---
 .../curl/curl/CVE-2018-1000300.patch               | 44 ++++++++++++++++++++++
 meta/recipes-support/curl/curl_7.58.0.bb           |  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2018-1000300.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2018-1000300.patch b/meta/recipes-support/curl/curl/CVE-2018-1000300.patch
new file mode 100644
index 0000000..893d45c
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2018-1000300.patch
@@ -0,0 +1,44 @@
+From 0a79d714bd55779a3a223efb5c089d0ad7e128a8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Fri, 23 Mar 2018 23:30:04 +0100
+Subject: [PATCH] pingpong: fix response cache memcpy overflow
+
+Response data for a handle with a large buffer might be cached and then
+used with the "closure" handle when it has a smaller buffer and then the
+larger cache will be copied and overflow the new smaller heap based
+buffer.
+
+Reported-by: Dario Weisser
+
+CVE: CVE-2018-1000300
+Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
+Upstream-Status: Backport [https://github.com/curl/curl-www/commit/3ee30b2b5e3836345ac510bc1674aa3a4272936e]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
+---
+ lib/pingpong.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/pingpong.c b/lib/pingpong.c
+index 438856a99..ad370ee82 100644
+--- a/lib/pingpong.c
++++ b/lib/pingpong.c
+@@ -302,11 +302,14 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
+        *
+        * pp->cache_size is cast to ssize_t here.  This should be safe, because
+        * it would have been populated with something of size int to begin
+        * with, even though its datatype may be larger than an int.
+        */
+-      DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1));
++      if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) {
++        failf(data, "cached response data too big to handle");
++        return CURLE_RECV_ERROR;
++      }
+       memcpy(ptr, pp->cache, pp->cache_size);
+       gotbytes = (ssize_t)pp->cache_size;
+       free(pp->cache);    /* free the cache */
+       pp->cache = NULL;   /* clear the pointer */
+       pp->cache_size = 0; /* zero the size just in case */
+-- 
+2.17.0
+
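Review bot: the Upstream-Status line in the embedded patch header points at the wrong repository: `+Upstream-Status: Backport [https://github.com/curl/curl-www/commit/3ee30b2b5e3836345ac510bc1674aa3a4272936e]` references curl-www (the website tree), while the patch's own `+From 0a79d714bd55779a3a223efb5c089d0ad7e128a8` line identifies the curl source commit being backported. The reference should point at the curl/curl commit matching that hash so the backport is traceable, e.g. `Upstream-Status: Backport [https://github.com/curl/curl/commit/0a79d714bd55779a3a223efb5c089d0ad7e128a8]`. The code change itself is sound: `DEBUGASSERT` expands to nothing outside debug builds, so the size check on `pp->cache_size` against `buf + data->set.buffer_size + 1` only exists in release code once it becomes the explicit `if` shown here, and failing with `CURLE_RECV_ERROR` before the `memcpy` is the correct path for an oversized cache.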
diff --git a/meta/recipes-support/curl/curl_7.58.0.bb b/meta/recipes-support/curl/curl_7.58.0.bb
index d2d0180..fdfbb3d 100644
--- a/meta/recipes-support/curl/curl_7.58.0.bb
+++ b/meta/recipes-support/curl/curl_7.58.0.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=8;md5=3a34942f4ae3fbf1a303160714e66
 
 SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://0001-replace-krb5-config-with-pkg-config.patch \
+           file://CVE-2018-1000300.patch \
 "
 
 
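Review bot: applicability is consistent: the recipe version 7.58.0 lies inside the affected range stated in the cover text (curl >= 7.54.1 && curl <= 7.59.0), so adding `file://CVE-2018-1000300.patch` to SRC_URI is the right change for this recipe, and the `CVE:` tag inside the patch header lets the cve-check class associate the fix with CVE-2018-1000300 without further recipe edits.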
-- 
2.7.4
