diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2018-02-22 11:17:17 +0100 |
|---|---|---|
| committer | Adrian Dudau <adrian.dudau@enea.com> | 2018-03-02 13:38:13 +0100 |
| commit | 3794f1d384d9bb8d436b830f762eee8e5457fd64 (patch) | |
| tree | 02ea737e653567227ebe36b409a94ccba3139365 /recipes-support | |
| parent | 11a471cb0df8cc7b46c7e7da6e278c377aec9df1 (diff) | |
| download | meta-el-common-3794f1d384d9bb8d436b830f762eee8e5457fd64.tar.gz | |
curl: fix for CVE-2018-1000005
HTTP/2 trailer out-of-bounds read
An out-of-bounds read in code handling HTTP/2 trailers was found.
This could lead to a denial-of-service or an information disclosure
in some circumstances.
Affected versions: libcurl 7.49.0 to and including 7.57.0
Upstream patch:
https://github.com/curl/curl/commit/fa3dbb9a147488a294.patch
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-support')
| -rw-r--r-- | recipes-support/curl/curl/CVE-2018-1000005.patch | 39 | ||||
| -rw-r--r-- | recipes-support/curl/curl_%.bbappend | 1 |
2 files changed, 40 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2018-1000005.patch b/recipes-support/curl/curl/CVE-2018-1000005.patch new file mode 100644 index 0000000..2b864a1 --- /dev/null +++ b/recipes-support/curl/curl/CVE-2018-1000005.patch | |||
| @@ -0,0 +1,39 @@ | |||
| 1 | From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com> | ||
| 3 | Date: Wed, 10 Jan 2018 10:12:18 -0800 | ||
| 4 | Subject: [PATCH] http2: fix incorrect trailer buffer size | ||
| 5 | |||
| 6 | Prior to this change the stored byte count of each trailer was | ||
| 7 | miscalculated and 1 less than required. It appears any trailer | ||
| 8 | after the first that was passed to Curl_client_write would be truncated | ||
| 9 | or corrupted as well as the size. Potentially the size of some | ||
| 10 | subsequent trailer could be erroneously extracted from the contents of | ||
| 11 | that trailer, and since that size is used by client write an | ||
| 12 | out-of-bounds read could occur and cause a crash or be otherwise | ||
| 13 | processed by client write. | ||
| 14 | |||
| 15 | The bug appears to have been born in 0761a51 (precedes 7.49.0). | ||
| 16 | |||
| 17 | Closes https://github.com/curl/curl/pull/2231 | ||
| 18 | |||
| 19 | CVE: CVE-2018-1000005 | ||
| 20 | Upstream-Status: Backport | ||
| 21 | --- | ||
| 22 | lib/http2.c | 4 ++-- | ||
| 23 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 24 | |||
| 25 | diff --git a/lib/http2.c b/lib/http2.c | ||
| 26 | index 8e2fc71996..699287940e 100644 | ||
| 27 | --- a/lib/http2.c | ||
| 28 | +++ b/lib/http2.c | ||
| 29 | @@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, | ||
| 30 | |||
| 31 | if(stream->bodystarted) { | ||
| 32 | /* This is trailer fields. */ | ||
| 33 | - /* 3 is for ":" and "\r\n". */ | ||
| 34 | - uint32_t n = (uint32_t)(namelen + valuelen + 3); | ||
| 35 | + /* 4 is for ": " and "\r\n". */ | ||
| 36 | + uint32_t n = (uint32_t)(namelen + valuelen + 4); | ||
| 37 | |||
| 38 | DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen, | ||
| 39 | value)); | ||
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend index 5e642bb..3727bea 100644 --- a/recipes-support/curl/curl_%.bbappend +++ b/recipes-support/curl/curl_%.bbappend | |||
| @@ -8,4 +8,5 @@ SRC_URI += "file://CVE-2017-7407.patch \ | |||
| 8 | file://CVE-2017-1000257.patch \ | 8 | file://CVE-2017-1000257.patch \ |
| 9 | file://CVE-2017-8816.patch \ | 9 | file://CVE-2017-8816.patch \ |
| 10 | file://CVE-2017-8817.patch \ | 10 | file://CVE-2017-8817.patch \ |
| 11 | file://CVE-2018-1000005.patch \ | ||
| 11 | " | 12 | " |