curl: CVE-2017-1000101

URL globbing out of bounds read Reference: https://curl.haxx.se/docs/adv_20170809A.html Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-10-03 10:55:30 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-10-04 09:58:01 +0200
commit: 979c1b9d9d24db9e8ac3d7f4ac9b8de08de1d737 (patch)
tree: 047be9fb45e5fd8542c449a0b0bccfabd8030469
parent: dd659758deef67be170cd8916a3cfa788e79ad0d (diff)
download: meta-el-common-979c1b9d9d24db9e8ac3d7f4ac9b8de08de1d737.tar.gz
2 files changed, 98 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2017-1000101.patch b/recipes-support/curl/curl/CVE-2017-1000101.patch
new file mode 100644
index 0000000..2b25cfd
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2017-1000101.patch
@@ -0,0 +1,97 @@
+From 7bf8af31fc9eaecd845d59ecb6a0dbe9e2028cf7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 1 Aug 2017 17:16:07 +0200
+Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow
+ range
+Added test 1289 to verify.
+CVE-2017-1000101
+Bug: https://curl.haxx.se/docs/adv_20170809A.html
+Reported-by: Brian Carpenter
+CVE: CVE-2017-1000101
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-1000101.patch]
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ src/tool_urlglob.c      |  5 ++++-
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1289     | 35 +++++++++++++++++++++++++++++++++++
+ 3 files changed, 40 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1289
+diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
+index d002f27..caf2385 100644
+--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
+@@ -269,7 +269,10 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
+         }
+         errno = 0;
+         max_n = strtoul(pattern, &endp, 10);
+-        if(errno || (*endp == ':')) {
+        if(errno)
+          /* overflow */
+          endp = NULL;
+        else if(*endp == ':') {
+           pattern = endp+1;
+           errno = 0;
+           step_n = strtoul(pattern, &endp, 10);
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 8251ab9..6f41eef 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -130,7 +130,7 @@ test1236 test1237 test1238 test1239 test1240 test1241 test1242 test1243 \
+ test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \
+ test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 \
+ \
+-test1280 test1281 test1282 test1283 test1284 test1285 test1286 \
+test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1289 \
+ \
+ test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
+ test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \
+diff --git a/tests/data/test1289 b/tests/data/test1289
+new file mode 100644
+index 0000000..d679cc0
+--- /dev/null
+++ b/tests/data/test1289
+@@ -0,0 +1,35 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+globbing
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+<name>
+globbing with overflow and bad syntxx
+</name>
+<command>
+http://ur%20[0-60000000000000000000
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# curl: (3) [globbing] bad range in column 
+<errorcode>
+3
+</errorcode>
+</verify>
+</testcase>
+-- 
+1.9.1
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
index f915ba1..72cd405 100644
--- a/recipes-support/curl/curl_%.bbappend
+++ b/recipes-support/curl/curl_%.bbappend
@@ -4,4 +4,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://CVE-2017-7468.patch \
            file://CVE-2017-9502.patch \
            file://CVE-2017-1000100.patch \
+            file://CVE-2017-1000101.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-10-03 10:55:30 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-10-04 09:58:01 +0200
commit	979c1b9d9d24db9e8ac3d7f4ac9b8de08de1d737 (patch)
tree	047be9fb45e5fd8542c449a0b0bccfabd8030469
parent	dd659758deef67be170cd8916a3cfa788e79ad0d (diff)
download	meta-el-common-979c1b9d9d24db9e8ac3d7f4ac9b8de08de1d737.tar.gz

diff --git a/recipes-support/curl/curl/CVE-2017-1000101.patch b/recipes-support/curl/curl/CVE-2017-1000101.patch new file mode 100644 index 0000000..2b25cfd --- /dev/null +++ b/recipes-support/curl/curl/CVE-2017-1000101.patch
@@ -0,0 +1,97 @@
		1	From 7bf8af31fc9eaecd845d59ecb6a0dbe9e2028cf7 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Tue, 1 Aug 2017 17:16:07 +0200
		4	Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow
		5	range
		6
		7	Added test 1289 to verify.
		8
		9	CVE-2017-1000101
		10
		11	Bug: https://curl.haxx.se/docs/adv_20170809A.html
		12	Reported-by: Brian Carpenter
		13
		14	CVE: CVE-2017-1000101
		15	Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-1000101.patch]
		16
		17	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		18	---
		19	src/tool_urlglob.c \| 5 ++++-
		20	tests/data/Makefile.inc \| 2 +-
		21	tests/data/test1289 \| 35 +++++++++++++++++++++++++++++++++++
		22	3 files changed, 40 insertions(+), 2 deletions(-)
		23	create mode 100644 tests/data/test1289
		24
		25	diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
		26	index d002f27..caf2385 100644
		27	--- a/src/tool_urlglob.c
		28	+++ b/src/tool_urlglob.c
		29	@@ -269,7 +269,10 @@ static CURLcode glob_range(URLGlob glob, char *patternp,
		30	}
		31	errno = 0;
		32	max_n = strtoul(pattern, &endp, 10);
		33	- if(errno \|\| (*endp == ':')) {
		34	+ if(errno)
		35	+ /* overflow */
		36	+ endp = NULL;
		37	+ else if(*endp == ':') {
		38	pattern = endp+1;
		39	errno = 0;
		40	step_n = strtoul(pattern, &endp, 10);
		41	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
		42	index 8251ab9..6f41eef 100644
		43	--- a/tests/data/Makefile.inc
		44	+++ b/tests/data/Makefile.inc
		45	@@ -130,7 +130,7 @@ test1236 test1237 test1238 test1239 test1240 test1241 test1242 test1243 \
		46	test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \
		47	test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 \
		48	\
		49	-test1280 test1281 test1282 test1283 test1284 test1285 test1286 \
		50	+test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1289 \
		51	\
		52	test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
		53	test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \
		54	diff --git a/tests/data/test1289 b/tests/data/test1289
		55	new file mode 100644
		56	index 0000000..d679cc0
		57	--- /dev/null
		58	+++ b/tests/data/test1289
		59	@@ -0,0 +1,35 @@
		60	+<testcase>
		61	+<info>
		62	+<keywords>
		63	+HTTP
		64	+HTTP GET
		65	+globbing
		66	+</keywords>
		67	+</info>
		68	+
		69	+#
		70	+# Server-side
		71	+<reply>
		72	+</reply>
		73	+
		74	+# Client-side
		75	+<client>
		76	+<server>
		77	+http
		78	+</server>
		79	+<name>
		80	+globbing with overflow and bad syntxx
		81	+</name>
		82	+<command>
		83	+http://ur%20[0-60000000000000000000
		84	+</command>
		85	+</client>
		86	+
		87	+# Verify data after the test has been "shot"
		88	+<verify>
		89	+# curl: (3) [globbing] bad range in column
		90	+<errorcode>
		91	+3
		92	+</errorcode>
		93	+</verify>
		94	+</testcase>
		95	--
		96	1.9.1
		97


diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend index f915ba1..72cd405 100644 --- a/recipes-support/curl/curl_%.bbappend +++ b/recipes-support/curl/curl_%.bbappend
@@ -4,4 +4,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
4	SRC_URI += "file://CVE-2017-7468.patch \	4	SRC_URI += "file://CVE-2017-7468.patch \
5	file://CVE-2017-9502.patch \	5	file://CVE-2017-9502.patch \
6	file://CVE-2017-1000100.patch \	6	file://CVE-2017-1000100.patch \
		7	file://CVE-2017-1000101.patch \
7	"	8	"