curl: fix for CVE-2018-1000005

Out-of-bounds read in code handling HTTP/2 trailers References: https://curl.haxx.se/docs/adv_2018-824a.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000005 Affects libcurl 7.49.0 to and including 7.57.0 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2018-03-13 08:22:11 +0100
committer: Martin Borg <martin.borg@enea.com> 2018-03-13 10:08:13 +0100
commit: 7084be4c7f3276f70ff28a60a123d0523c9a1f96 (patch)
tree: 23bf18f60047e24db0fc6642d8766f37dd7e7c29
parent: e86af13fc3da3a3c524a6f84c48bd02e035b2333 (diff)
download: meta-el-common-7084be4c7f3276f70ff28a60a123d0523c9a1f96.tar.gz
2 files changed, 42 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2018-1000005.patch b/recipes-support/curl/curl/CVE-2018-1000005.patch
new file mode 100644
index 0000000..200ef16
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000005.patch
@@ -0,0 +1,41 @@
+From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
+From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com>
+Date: Wed, 10 Jan 2018 10:12:18 -0800
+Subject: [PATCH] http2: fix incorrect trailer buffer size
+Prior to this change the stored byte count of each trailer was
+miscalculated and 1 less than required. It appears any trailer
+after the first that was passed to Curl_client_write would be truncated
+or corrupted as well as the size. Potentially the size of some
+subsequent trailer could be erroneously extracted from the contents of
+that trailer, and since that size is used by client write an
+out-of-bounds read could occur and cause a crash or be otherwise
+processed by client write.
+The bug appears to have been born in 0761a51 (precedes 7.49.0).
+Closes https://github.com/curl/curl/pull/2231
+Upstream-Status: Backport
+CVE: CVE-2018-1000005
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/http2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/lib/http2.c b/lib/http2.c
+index 8e2fc71996..699287940e 100644
+--- a/lib/http2.c
+++ b/lib/http2.c
+@@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+ 
+   if(stream->bodystarted) {
+     /* This is trailer fields. */
+-    /* 3 is for ":" and "\r\n". */
+-    uint32_t n = (uint32_t)(namelen + valuelen + 3);
+    /* 4 is for ": " and "\r\n". */
+    uint32_t n = (uint32_t)(namelen + valuelen + 4);
+ 
+     DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
+                  value));
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
index 2da58d4..d30e613 100644
--- a/recipes-support/curl/curl_%.bbappend
+++ b/recipes-support/curl/curl_%.bbappend
@@ -4,4 +4,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://CVE-2017-1000257.patch \
            file://CVE-2017-8816.patch \
            file://CVE-2017-8817.patch \
+            file://CVE-2018-1000005.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2018-03-13 08:22:11 +0100
committer	Martin Borg <martin.borg@enea.com>	2018-03-13 10:08:13 +0100
commit	7084be4c7f3276f70ff28a60a123d0523c9a1f96 (patch)
tree	23bf18f60047e24db0fc6642d8766f37dd7e7c29
parent	e86af13fc3da3a3c524a6f84c48bd02e035b2333 (diff)
download	meta-el-common-7084be4c7f3276f70ff28a60a123d0523c9a1f96.tar.gz

diff --git a/recipes-support/curl/curl/CVE-2018-1000005.patch b/recipes-support/curl/curl/CVE-2018-1000005.patch new file mode 100644 index 0000000..200ef16 --- /dev/null +++ b/recipes-support/curl/curl/CVE-2018-1000005.patch
@@ -0,0 +1,41 @@
		1	From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
		2	From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com>
		3	Date: Wed, 10 Jan 2018 10:12:18 -0800
		4	Subject: [PATCH] http2: fix incorrect trailer buffer size
		5
		6	Prior to this change the stored byte count of each trailer was
		7	miscalculated and 1 less than required. It appears any trailer
		8	after the first that was passed to Curl_client_write would be truncated
		9	or corrupted as well as the size. Potentially the size of some
		10	subsequent trailer could be erroneously extracted from the contents of
		11	that trailer, and since that size is used by client write an
		12	out-of-bounds read could occur and cause a crash or be otherwise
		13	processed by client write.
		14
		15	The bug appears to have been born in 0761a51 (precedes 7.49.0).
		16
		17	Closes https://github.com/curl/curl/pull/2231
		18
		19	Upstream-Status: Backport
		20	CVE: CVE-2018-1000005
		21
		22	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		23	---
		24	lib/http2.c \| 4 ++--
		25	1 file changed, 2 insertions(+), 2 deletions(-)
		26
		27	diff --git a/lib/http2.c b/lib/http2.c
		28	index 8e2fc71996..699287940e 100644
		29	--- a/lib/http2.c
		30	+++ b/lib/http2.c
		31	@@ -925,8 +925,8 @@ static int on_header(nghttp2_session session, const nghttp2_frame frame,
		32
		33	if(stream->bodystarted) {
		34	/* This is trailer fields. */
		35	- /* 3 is for ":" and "\r\n". */
		36	- uint32_t n = (uint32_t)(namelen + valuelen + 3);
		37	+ /* 4 is for ": " and "\r\n". */
		38	+ uint32_t n = (uint32_t)(namelen + valuelen + 4);
		39
		40	DEBUGF(infof(data_s, "h2 trailer: %.s: %.s\n", namelen, name, valuelen,
		41	value));


diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend index 2da58d4..d30e613 100644 --- a/recipes-support/curl/curl_%.bbappend +++ b/recipes-support/curl/curl_%.bbappend
@@ -4,4 +4,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
4	SRC_URI += "file://CVE-2017-1000257.patch \	4	SRC_URI += "file://CVE-2017-1000257.patch \
5	file://CVE-2017-8816.patch \	5	file://CVE-2017-8816.patch \
6	file://CVE-2017-8817.patch \	6	file://CVE-2017-8817.patch \
		7	file://CVE-2018-1000005.patch \
7	"	8	"