From 7084be4c7f3276f70ff28a60a123d0523c9a1f96 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Tue, 13 Mar 2018 08:22:11 +0100
Subject: curl: fix for CVE-2018-1000005

Out-of-bounds read in code handling HTTP/2 trailers

References:
https://curl.haxx.se/docs/adv_2018-824a.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000005

Affects libcurl 7.49.0 to and including 7.57.0

Signed-off-by: Sona Sarmadi
Signed-off-by: Martin Borg
---
 recipes-support/curl/curl/CVE-2018-1000005.patch | 41 ++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 recipes-support/curl/curl/CVE-2018-1000005.patch
(limited to 'recipes-support/curl/curl')
diff --git a/recipes-support/curl/curl/CVE-2018-1000005.patch b/recipes-support/curl/curl/CVE-2018-1000005.patch
new file mode 100644
index 0000000..200ef16
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000005.patch
@@ -0,0 +1,41 @@
+From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
+From: Zhouyihai Ding
+Date: Wed, 10 Jan 2018 10:12:18 -0800
+Subject: [PATCH] http2: fix incorrect trailer buffer size
+
+Prior to this change the stored byte count of each trailer was
+miscalculated and 1 less than required. It appears any trailer
+after the first that was passed to Curl_client_write would be truncated
+or corrupted as well as the size. Potentially the size of some
+subsequent trailer could be erroneously extracted from the contents of
+that trailer, and since that size is used by client write an
+out-of-bounds read could occur and cause a crash or be otherwise
+processed by client write.
+
+The bug appears to have been born in 0761a51 (precedes 7.49.0).
+
+Closes https://github.com/curl/curl/pull/2231
+
+Upstream-Status: Backport
+CVE: CVE-2018-1000005
+
+Signed-off-by: Sona Sarmadi
+---
+ lib/http2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index 8e2fc71996..699287940e 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+ 
+ if(stream->bodystarted) {
+ /* This is trailer fields. */
+- /* 3 is for ":" and "\r\n". */
+- uint32_t n = (uint32_t)(namelen + valuelen + 3);
++ /* 4 is for ": " and "\r\n". */
++ uint32_t n = (uint32_t)(namelen + valuelen + 4);
+ 
+ DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
+ value));
-- cgit v1.2.3-54-g00ecf
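Review bot: Nothing in this view wires the new patch into the build: the diffstat lists only `recipes-support/curl/curl/CVE-2018-1000005.patch` and the page is filtered to that directory, so the recipe change that adds `SRC_URI += "file://CVE-2018-1000005.patch"` presumably lives outside this page — confirm it exists, otherwise the backport is never applied and the CVE remains open in the built image. The backported hunk itself tracks upstream fa3dbb9a unchanged (the stored trailer length grows from `+ 3` to `+ 4` so it covers the `": "` and `"\r\n"` that are actually emitted), so there is no divergence to flag; what is worth checking is that the curl version this layer builds falls in the affected 7.49.0–7.57.0 range and that the hunk applies against that version's `lib/http2.c`, since the context around line 925 can shift between releases. One residual outside the scope of this fix: `n` is a `uint32_t` computed from two `size_t` lengths, so very large name/value pairs would silently truncate the count — whether nghttp2's header-size limits make that unreachable should be verified rather than assumed. The `on_header` function begins and ends outside the hunk.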