curl: security fix for CVE-2017-8817

FTP wildcard out of bounds read References: https://curl.haxx.se/docs/adv_2017-ae72.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-12-04 11:57:40 +0100
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-12-06 11:34:56 +0100
commit: c207a4bc5d80dae6cc430df04bddaceac04687e6 (patch)
tree: 14dc10c3104b508f9c97ed706d02ac2cbc862cfc
parent: 0d571b4ef52c14ca5ea8faa1d6ffb7ec4992f9e8 (diff)
download: meta-el-common-c207a4bc5d80dae6cc430df04bddaceac04687e6.tar.gz
2 files changed, 135 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2017-8817.patch b/recipes-support/curl/curl/CVE-2017-8817.patch
new file mode 100644
index 0000000..20ca406
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2017-8817.patch
@@ -0,0 +1,134 @@
+From 2dd71516235bb8f98210242c34a1a617caa8c171 Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarmadi@enea.com>
+Date: Mon, 4 Dec 2017 10:25:14 +0100
+Subject: [PATCH] curl: fix for CVE-2017-8817
+wildcardmatch: fix heap buffer overflow in setcharset
+The code would previous read beyond the end of the pattern string if the
+match pattern ends with an open bracket when the default pattern
+matching function is used.
+Detected by OSS-Fuzz:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
+CVE: CVE-2017-8817
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8817.patch]
+Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/curl_fnmatch.c      |  9 +++------
+ tests/data/Makefile.inc |  1 +
+ tests/data/test1163     | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test1163
+diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
+index e8108bb..2f34335 100644
+--- a/lib/curl_fnmatch.c
+++ b/lib/curl_fnmatch.c
+@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+   unsigned char c;
+   for(;;) {
+     c = **p;
+    if(!c)
+      return SETCHARSET_FAIL;
+
+     switch(state) {
+     case CURLFNM_SCHS_DEFAULT:
+       if(ISALNUM(c)) { /* ASCII value */
+@@ -197,9 +200,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+         else
+           return SETCHARSET_FAIL;
+       }
+-      else if(c == '\0') {
+-        return SETCHARSET_FAIL;
+-      }
+       else {
+         charset[c] = 1;
+         (*p)++;
+@@ -278,9 +278,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+       else if(c == ']') {
+         return SETCHARSET_OK;
+       }
+-      else if(c == '\0') {
+-        return SETCHARSET_FAIL;
+-      }
+       else if(ISPRINT(c)) {
+         charset[c] = 1;
+         (*p)++;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 01ad40d..20aa856 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -122,6 +122,7 @@ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 \
+ test1152 \
+test1163 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1163 b/tests/data/test1163
+new file mode 100644
+index 0000000..3266fa8
+--- /dev/null
+++ b/tests/data/test1163
+@@ -0,0 +1,52 @@
+<testcase>
+<info>
+<keywords>
+FTP
+RETR
+LIST
+wildcardmatch
+ftplistparser
+flaky
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+<tool>
+lib576
+</tool>
+<name>
+FTP wildcard with pattern ending with an open-bracket
+</name>
+<command>
+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
+</command>
+</client>
+<verify>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+CWD fully_simulated
+CWD DOS
+EPSV
+TYPE A
+LIST
+QUIT
+</protocol>
+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
+<errorcode>
+78
+</errorcode>
+</verify>
+</testcase>
+-- 
+1.9.1
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
index 18231f4..5e642bb 100644
--- a/recipes-support/curl/curl_%.bbappend
+++ b/recipes-support/curl/curl_%.bbappend
@@ -7,4 +7,5 @@ SRC_URI += "file://CVE-2017-7407.patch \
            file://CVE-2017-1000254.patch \
            file://CVE-2017-1000257.patch \
            file://CVE-2017-8816.patch \
+            file://CVE-2017-8817.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-12-04 11:57:40 +0100
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-12-06 11:34:56 +0100
commit	c207a4bc5d80dae6cc430df04bddaceac04687e6 (patch)
tree	14dc10c3104b508f9c97ed706d02ac2cbc862cfc
parent	0d571b4ef52c14ca5ea8faa1d6ffb7ec4992f9e8 (diff)
download	meta-el-common-c207a4bc5d80dae6cc430df04bddaceac04687e6.tar.gz

diff --git a/recipes-support/curl/curl/CVE-2017-8817.patch b/recipes-support/curl/curl/CVE-2017-8817.patch new file mode 100644 index 0000000..20ca406 --- /dev/null +++ b/recipes-support/curl/curl/CVE-2017-8817.patch
@@ -0,0 +1,134 @@
		1	From 2dd71516235bb8f98210242c34a1a617caa8c171 Mon Sep 17 00:00:00 2001
		2	From: Sona Sarmadi <sona.sarmadi@enea.com>
		3	Date: Mon, 4 Dec 2017 10:25:14 +0100
		4	Subject: [PATCH] curl: fix for CVE-2017-8817
		5
		6	wildcardmatch: fix heap buffer overflow in setcharset
		7
		8	The code would previous read beyond the end of the pattern string if the
		9	match pattern ends with an open bracket when the default pattern
		10	matching function is used.
		11
		12	Detected by OSS-Fuzz:
		13	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
		14
		15	CVE: CVE-2017-8817
		16	Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8817.patch]
		17
		18	Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
		19
		20	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		21	---
		22	lib/curl_fnmatch.c \| 9 +++------
		23	tests/data/Makefile.inc \| 1 +
		24	tests/data/test1163 \| 52 +++++++++++++++++++++++++++++++++++++++++++++++++
		25	3 files changed, 56 insertions(+), 6 deletions(-)
		26	create mode 100644 tests/data/test1163
		27
		28	diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
		29	index e8108bb..2f34335 100644
		30	--- a/lib/curl_fnmatch.c
		31	+++ b/lib/curl_fnmatch.c
		32	@@ -133,6 +133,9 @@ static int setcharset(unsigned char *p, unsigned char charset)
		33	unsigned char c;
		34	for(;;) {
		35	c = **p;
		36	+ if(!c)
		37	+ return SETCHARSET_FAIL;
		38	+
		39	switch(state) {
		40	case CURLFNM_SCHS_DEFAULT:
		41	if(ISALNUM(c)) { /* ASCII value */
		42	@@ -197,9 +200,6 @@ static int setcharset(unsigned char *p, unsigned char charset)
		43	else
		44	return SETCHARSET_FAIL;
		45	}
		46	- else if(c == '\0') {
		47	- return SETCHARSET_FAIL;
		48	- }
		49	else {
		50	charset[c] = 1;
		51	(*p)++;
		52	@@ -278,9 +278,6 @@ static int setcharset(unsigned char *p, unsigned char charset)
		53	else if(c == ']') {
		54	return SETCHARSET_OK;
		55	}
		56	- else if(c == '\0') {
		57	- return SETCHARSET_FAIL;
		58	- }
		59	else if(ISPRINT(c)) {
		60	charset[c] = 1;
		61	(*p)++;
		62	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
		63	index 01ad40d..20aa856 100644
		64	--- a/tests/data/Makefile.inc
		65	+++ b/tests/data/Makefile.inc
		66	@@ -122,6 +122,7 @@ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
		67	test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
		68	test1144 test1145 test1146 \
		69	test1152 \
		70	+test1163 \
		71	test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
		72	test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
		73	test1216 test1217 test1218 test1219 \
		74	diff --git a/tests/data/test1163 b/tests/data/test1163
		75	new file mode 100644
		76	index 0000000..3266fa8
		77	--- /dev/null
		78	+++ b/tests/data/test1163
		79	@@ -0,0 +1,52 @@
		80	+<testcase>
		81	+<info>
		82	+<keywords>
		83	+FTP
		84	+RETR
		85	+LIST
		86	+wildcardmatch
		87	+ftplistparser
		88	+flaky
		89	+</keywords>
		90	+</info>
		91	+
		92	+#
		93	+# Server-side
		94	+<reply>
		95	+<data>
		96	+</data>
		97	+</reply>
		98	+
		99	+# Client-side
		100	+<client>
		101	+<server>
		102	+ftp
		103	+</server>
		104	+<tool>
		105	+lib576
		106	+</tool>
		107	+<name>
		108	+FTP wildcard with pattern ending with an open-bracket
		109	+</name>
		110	+<command>
		111	+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
		112	+</command>
		113	+</client>
		114	+<verify>
		115	+<protocol>
		116	+USER anonymous
		117	+PASS ftp@example.com
		118	+PWD
		119	+CWD fully_simulated
		120	+CWD DOS
		121	+EPSV
		122	+TYPE A
		123	+LIST
		124	+QUIT
		125	+</protocol>
		126	+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
		127	+<errorcode>
		128	+78
		129	+</errorcode>
		130	+</verify>
		131	+</testcase>
		132	--
		133	1.9.1
		134


diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend index 18231f4..5e642bb 100644 --- a/recipes-support/curl/curl_%.bbappend +++ b/recipes-support/curl/curl_%.bbappend
@@ -7,4 +7,5 @@ SRC_URI += "file://CVE-2017-7407.patch \
7	file://CVE-2017-1000254.patch \	7	file://CVE-2017-1000254.patch \
8	file://CVE-2017-1000257.patch \	8	file://CVE-2017-1000257.patch \
9	file://CVE-2017-8816.patch \	9	file://CVE-2017-8816.patch \
		10	file://CVE-2017-8817.patch \
10	"	11	"