From 979c1b9d9d24db9e8ac3d7f4ac9b8de08de1d737 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Tue, 3 Oct 2017 10:55:30 +0200 Subject: curl: CVE-2017-1000101 URL globbing out of bounds read Reference: https://curl.haxx.se/docs/adv_20170809A.html Signed-off-by: Sona Sarmadi Signed-off-by: Adrian Dudau --- recipes-support/curl/curl/CVE-2017-1000101.patch | 97 ++++++++++++++++++++++++ recipes-support/curl/curl_%.bbappend | 1 + 2 files changed, 98 insertions(+) create mode 100644 recipes-support/curl/curl/CVE-2017-1000101.patch diff --git a/recipes-support/curl/curl/CVE-2017-1000101.patch b/recipes-support/curl/curl/CVE-2017-1000101.patch new file mode 100644 index 0000000..2b25cfd --- /dev/null +++ b/recipes-support/curl/curl/CVE-2017-1000101.patch @@ -0,0 +1,97 @@ +From 7bf8af31fc9eaecd845d59ecb6a0dbe9e2028cf7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 1 Aug 2017 17:16:07 +0200 +Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow + range + +Added test 1289 to verify. + +CVE-2017-1000101 + +Bug: https://curl.haxx.se/docs/adv_20170809A.html +Reported-by: Brian Carpenter + +CVE: CVE-2017-1000101 +Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-1000101.patch] + +Signed-off-by: Sona Sarmadi +--- + src/tool_urlglob.c | 5 ++++- + tests/data/Makefile.inc | 2 +- + tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++ + 3 files changed, 40 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1289 + +diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c +index d002f27..caf2385 100644 +--- a/src/tool_urlglob.c ++++ b/src/tool_urlglob.c +@@ -269,7 +269,10 @@ static CURLcode glob_range(URLGlob *glob, char **patternp, + } + errno = 0; + max_n = strtoul(pattern, &endp, 10); +- if(errno || (*endp == ':')) { ++ if(errno) ++ /* overflow */ ++ endp = NULL; ++ else if(*endp == ':') { + pattern = endp+1; + errno = 0; + step_n = strtoul(pattern, &endp, 10); +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 8251ab9..6f41eef 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -130,7 +130,7 @@ test1236 test1237 test1238 test1239 test1240 test1241 test1242 test1243 \ + test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \ + test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 \ + \ +-test1280 test1281 test1282 test1283 test1284 test1285 test1286 \ ++test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1289 \ + \ + test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \ + test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \ +diff --git a/tests/data/test1289 b/tests/data/test1289 +new file mode 100644 +index 0000000..d679cc0 +--- /dev/null ++++ b/tests/data/test1289 +@@ -0,0 +1,35 @@ ++ ++ ++ ++HTTP ++HTTP GET ++globbing ++ ++ ++ ++# ++# Server-side ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++globbing with overflow and bad syntxx ++ ++ ++http://ur%20[0-60000000000000000000 ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++# curl: (3) [globbing] bad range in column ++ ++3 ++ ++ ++ +-- +1.9.1 + diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend index f915ba1..72cd405 100644 --- a/recipes-support/curl/curl_%.bbappend +++ b/recipes-support/curl/curl_%.bbappend @@ -4,4 +4,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" SRC_URI += "file://CVE-2017-7468.patch \ file://CVE-2017-9502.patch \ file://CVE-2017-1000100.patch \ + file://CVE-2017-1000101.patch \ " -- cgit v1.2.3-54-g00ecf