diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2018-03-13 08:22:11 +0100 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2018-03-13 10:08:13 +0100 |
commit | 7084be4c7f3276f70ff28a60a123d0523c9a1f96 (patch) | |
tree | 23bf18f60047e24db0fc6642d8766f37dd7e7c29 /recipes-support/curl/curl/CVE-2018-1000005.patch | |
parent | e86af13fc3da3a3c524a6f84c48bd02e035b2333 (diff) | |
download | meta-el-common-7084be4c7f3276f70ff28a60a123d0523c9a1f96.tar.gz |
curl: fix for CVE-2018-1000005
Out-of-bounds read in code handling HTTP/2 trailers
References:
https://curl.haxx.se/docs/adv_2018-824a.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000005
Affects libcurl 7.49.0 to and including 7.57.0
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
Diffstat (limited to 'recipes-support/curl/curl/CVE-2018-1000005.patch')
-rw-r--r-- | recipes-support/curl/curl/CVE-2018-1000005.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2018-1000005.patch b/recipes-support/curl/curl/CVE-2018-1000005.patch new file mode 100644 index 0000000..200ef16 --- /dev/null +++ b/recipes-support/curl/curl/CVE-2018-1000005.patch | |||
@@ -0,0 +1,41 @@ | |||
1 | From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001 | ||
2 | From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com> | ||
3 | Date: Wed, 10 Jan 2018 10:12:18 -0800 | ||
4 | Subject: [PATCH] http2: fix incorrect trailer buffer size | ||
5 | |||
6 | Prior to this change the stored byte count of each trailer was | ||
7 | miscalculated and 1 less than required. It appears any trailer | ||
8 | after the first that was passed to Curl_client_write would be truncated | ||
9 | or corrupted as well as the size. Potentially the size of some | ||
10 | subsequent trailer could be erroneously extracted from the contents of | ||
11 | that trailer, and since that size is used by client write an | ||
12 | out-of-bounds read could occur and cause a crash or be otherwise | ||
13 | processed by client write. | ||
14 | |||
15 | The bug appears to have been born in 0761a51 (precedes 7.49.0). | ||
16 | |||
17 | Closes https://github.com/curl/curl/pull/2231 | ||
18 | |||
19 | Upstream-Status: Backport | ||
20 | CVE: CVE-2018-1000005 | ||
21 | |||
22 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
23 | --- | ||
24 | lib/http2.c | 4 ++-- | ||
25 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
26 | |||
27 | diff --git a/lib/http2.c b/lib/http2.c | ||
28 | index 8e2fc71996..699287940e 100644 | ||
29 | --- a/lib/http2.c | ||
30 | +++ b/lib/http2.c | ||
31 | @@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, | ||
32 | |||
33 | if(stream->bodystarted) { | ||
34 | /* This is trailer fields. */ | ||
35 | - /* 3 is for ":" and "\r\n". */ | ||
36 | - uint32_t n = (uint32_t)(namelen + valuelen + 3); | ||
37 | + /* 4 is for ": " and "\r\n". */ | ||
38 | + uint32_t n = (uint32_t)(namelen + valuelen + 4); | ||
39 | |||
40 | DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen, | ||
41 | value)); | ||