diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2018-02-22 11:17:17 +0100 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2018-03-02 13:38:13 +0100 |
commit | 3794f1d384d9bb8d436b830f762eee8e5457fd64 (patch) | |
tree | 02ea737e653567227ebe36b409a94ccba3139365 /recipes-support | |
parent | 11a471cb0df8cc7b46c7e7da6e278c377aec9df1 (diff) | |
download | meta-el-common-3794f1d384d9bb8d436b830f762eee8e5457fd64.tar.gz |
curl: fix for CVE-2018-1000005
HTTP/2 trailer out-of-bounds read
An out-of-bounds read in code handling HTTP/2 trailers was found.
This could lead to a denial-of-service or an information disclosure
in some circumstances.
Affected versions: libcurl 7.49.0 to and including 7.57.0
Upstream patch:
https://github.com/curl/curl/commit/fa3dbb9a147488a294.patch
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-support')
-rw-r--r-- | recipes-support/curl/curl/CVE-2018-1000005.patch | 39 | ||||
-rw-r--r-- | recipes-support/curl/curl_%.bbappend | 1 |
2 files changed, 40 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2018-1000005.patch b/recipes-support/curl/curl/CVE-2018-1000005.patch new file mode 100644 index 0000000..2b864a1 --- /dev/null +++ b/recipes-support/curl/curl/CVE-2018-1000005.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001 | ||
2 | From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com> | ||
3 | Date: Wed, 10 Jan 2018 10:12:18 -0800 | ||
4 | Subject: [PATCH] http2: fix incorrect trailer buffer size | ||
5 | |||
6 | Prior to this change the stored byte count of each trailer was | ||
7 | miscalculated and 1 less than required. It appears any trailer | ||
8 | after the first that was passed to Curl_client_write would be truncated | ||
9 | or corrupted as well as the size. Potentially the size of some | ||
10 | subsequent trailer could be erroneously extracted from the contents of | ||
11 | that trailer, and since that size is used by client write an | ||
12 | out-of-bounds read could occur and cause a crash or be otherwise | ||
13 | processed by client write. | ||
14 | |||
15 | The bug appears to have been born in 0761a51 (precedes 7.49.0). | ||
16 | |||
17 | Closes https://github.com/curl/curl/pull/2231 | ||
18 | |||
19 | CVE: CVE-2018-1000005 | ||
20 | Upstream-Status: Backport | ||
21 | --- | ||
22 | lib/http2.c | 4 ++-- | ||
23 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
24 | |||
25 | diff --git a/lib/http2.c b/lib/http2.c | ||
26 | index 8e2fc71996..699287940e 100644 | ||
27 | --- a/lib/http2.c | ||
28 | +++ b/lib/http2.c | ||
29 | @@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, | ||
30 | |||
31 | if(stream->bodystarted) { | ||
32 | /* This is trailer fields. */ | ||
33 | - /* 3 is for ":" and "\r\n". */ | ||
34 | - uint32_t n = (uint32_t)(namelen + valuelen + 3); | ||
35 | + /* 4 is for ": " and "\r\n". */ | ||
36 | + uint32_t n = (uint32_t)(namelen + valuelen + 4); | ||
37 | |||
38 | DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen, | ||
39 | value)); | ||
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend index 5e642bb..3727bea 100644 --- a/recipes-support/curl/curl_%.bbappend +++ b/recipes-support/curl/curl_%.bbappend | |||
@@ -8,4 +8,5 @@ SRC_URI += "file://CVE-2017-7407.patch \ | |||
8 | file://CVE-2017-1000257.patch \ | 8 | file://CVE-2017-1000257.patch \ |
9 | file://CVE-2017-8816.patch \ | 9 | file://CVE-2017-8816.patch \ |
10 | file://CVE-2017-8817.patch \ | 10 | file://CVE-2017-8817.patch \ |
11 | file://CVE-2018-1000005.patch \ | ||
11 | " | 12 | " |