curl: security fix for CVE-2017-8816

NTLM buffer overflow via integer overflow References: https://curl.haxx.se/docs/adv_2017-12e7.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-12-04 11:57:39 +0100
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-12-06 11:34:56 +0100
commit: 0d571b4ef52c14ca5ea8faa1d6ffb7ec4992f9e8 (patch)
tree: 9d17a8d0ba46b7ccc1f40601b9722b12c1df1e46
parent: fac9f6136eed7dcba3d09c04f58bdcc0694c7437 (diff)
download: meta-el-common-0d571b4ef52c14ca5ea8faa1d6ffb7ec4992f9e8.tar.gz
2 files changed, 70 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2017-8816.patch b/recipes-support/curl/curl/CVE-2017-8816.patch
new file mode 100644
index 0000000..9b957ce
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2017-8816.patch
@@ -0,0 +1,69 @@
+From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Nov 2017 23:51:52 +0100
+Subject: [PATCH] ntlm: avoid integer overflow for malloc size
+Reported-by: Alex Nichols
+Assisted-by: Kamil Dudka and Max Dymond
+CVE: CVE-2017-8816
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8816.patch]
+Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index 1309bf0d9..e8962769c 100644
+--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
+@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
+   Curl_HMAC_final(ctxt, output);
+ 
+   return CURLE_OK;
+ }
+ 
+#ifndef SIZE_T_MAX
+/* some limits.h headers have this defined, some don't */
+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
+#define SIZE_T_MAX 18446744073709551615U
+#else
+#define SIZE_T_MAX 4294967295U
+#endif
+#endif
+
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+  * (uppercase UserName + Domain) as the data
+  */
+ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
+                                        const char *domain, size_t domlen,
+                                        unsigned char *ntlmhash,
+                                        unsigned char *ntlmv2hash)
+ {
+   /* Unicode representation */
+-  size_t identity_len = (userlen + domlen) * 2;
+-  unsigned char *identity = malloc(identity_len);
+  size_t identity_len;
+  unsigned char *identity;
+   CURLcode result = CURLE_OK;
+ 
+  /* we do the length checks below separately to avoid integer overflow risk
+     on extreme data lengths */
+  if((userlen > SIZE_T_MAX/2) ||
+     (domlen > SIZE_T_MAX/2) ||
+     ((userlen + domlen) > SIZE_T_MAX/2))
+    return CURLE_OUT_OF_MEMORY;
+
+  identity_len = (userlen + domlen) * 2;
+  identity = malloc(identity_len);
+
+   if(!identity)
+     return CURLE_OUT_OF_MEMORY;
+ 
+   ascii_uppercase_to_unicode_le(identity, user, userlen);
+   ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
+-- 
+2.15.0
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
index bc75100..18231f4 100644
--- a/recipes-support/curl/curl_%.bbappend
+++ b/recipes-support/curl/curl_%.bbappend
@@ -6,4 +6,5 @@ SRC_URI += "file://CVE-2017-7407.patch \
            file://CVE-2017-9502.patch \
            file://CVE-2017-1000254.patch \
            file://CVE-2017-1000257.patch \
+            file://CVE-2017-8816.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-12-04 11:57:39 +0100
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-12-06 11:34:56 +0100
commit	0d571b4ef52c14ca5ea8faa1d6ffb7ec4992f9e8 (patch)
tree	9d17a8d0ba46b7ccc1f40601b9722b12c1df1e46
parent	fac9f6136eed7dcba3d09c04f58bdcc0694c7437 (diff)
download	meta-el-common-0d571b4ef52c14ca5ea8faa1d6ffb7ec4992f9e8.tar.gz

diff --git a/recipes-support/curl/curl/CVE-2017-8816.patch b/recipes-support/curl/curl/CVE-2017-8816.patch new file mode 100644 index 0000000..9b957ce --- /dev/null +++ b/recipes-support/curl/curl/CVE-2017-8816.patch
@@ -0,0 +1,69 @@
		1	From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Mon, 6 Nov 2017 23:51:52 +0100
		4	Subject: [PATCH] ntlm: avoid integer overflow for malloc size
		5
		6	Reported-by: Alex Nichols
		7	Assisted-by: Kamil Dudka and Max Dymond
		8
		9	CVE: CVE-2017-8816
		10	Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8816.patch]
		11
		12	Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
		13	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		14	---
		15	lib/curl_ntlm_core.c \| 23 +++++++++++++++++++++--
		16	1 file changed, 21 insertions(+), 2 deletions(-)
		17
		18	diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
		19	index 1309bf0d9..e8962769c 100644
		20	--- a/lib/curl_ntlm_core.c
		21	+++ b/lib/curl_ntlm_core.c
		22	@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
		23	Curl_HMAC_final(ctxt, output);
		24
		25	return CURLE_OK;
		26	}
		27
		28	+#ifndef SIZE_T_MAX
		29	+/* some limits.h headers have this defined, some don't */
		30	+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
		31	+#define SIZE_T_MAX 18446744073709551615U
		32	+#else
		33	+#define SIZE_T_MAX 4294967295U
		34	+#endif
		35	+#endif
		36	+
		37	/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
		38	* (uppercase UserName + Domain) as the data
		39	*/
		40	CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
		41	const char *domain, size_t domlen,
		42	unsigned char *ntlmhash,
		43	unsigned char *ntlmv2hash)
		44	{
		45	/* Unicode representation */
		46	- size_t identity_len = (userlen + domlen) * 2;
		47	- unsigned char *identity = malloc(identity_len);
		48	+ size_t identity_len;
		49	+ unsigned char *identity;
		50	CURLcode result = CURLE_OK;
		51
		52	+ /* we do the length checks below separately to avoid integer overflow risk
		53	+ on extreme data lengths */
		54	+ if((userlen > SIZE_T_MAX/2) \|\|
		55	+ (domlen > SIZE_T_MAX/2) \|\|
		56	+ ((userlen + domlen) > SIZE_T_MAX/2))
		57	+ return CURLE_OUT_OF_MEMORY;
		58	+
		59	+ identity_len = (userlen + domlen) * 2;
		60	+ identity = malloc(identity_len);
		61	+
		62	if(!identity)
		63	return CURLE_OUT_OF_MEMORY;
		64
		65	ascii_uppercase_to_unicode_le(identity, user, userlen);
		66	ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
		67	--
		68	2.15.0
		69


diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend index bc75100..18231f4 100644 --- a/recipes-support/curl/curl_%.bbappend +++ b/recipes-support/curl/curl_%.bbappend
@@ -6,4 +6,5 @@ SRC_URI += "file://CVE-2017-7407.patch \
6	file://CVE-2017-9502.patch \	6	file://CVE-2017-9502.patch \
7	file://CVE-2017-1000254.patch \	7	file://CVE-2017-1000254.patch \
8	file://CVE-2017-1000257.patch \	8	file://CVE-2017-1000257.patch \
		9	file://CVE-2017-8816.patch \
9	"	10	"