diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-12-04 11:57:38 +0100 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-12-06 11:34:56 +0100 |
commit | fac9f6136eed7dcba3d09c04f58bdcc0694c7437 (patch) | |
tree | e9ca6a1342c1e6d333daaa897b4f16beaae60517 /recipes-support/curl/curl/CVE-2017-1000257.patch | |
parent | be2fdb1cf46dfb5b14b98378ce5a5360afc734a7 (diff) | |
download | meta-nfv-access-common-fac9f6136eed7dcba3d09c04f58bdcc0694c7437.tar.gz |
curl: Security fix for CVE-2017-1000257
IMAP FETCH response out of bounds read
References:
https://curl.haxx.se/docs/adv_20171023.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-support/curl/curl/CVE-2017-1000257.patch')
-rw-r--r-- | recipes-support/curl/curl/CVE-2017-1000257.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2017-1000257.patch b/recipes-support/curl/curl/CVE-2017-1000257.patch new file mode 100644 index 0000000..de0dc3a --- /dev/null +++ b/recipes-support/curl/curl/CVE-2017-1000257.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From 13c9a9ded3ae744a1e11cbc14e9146d9fa427040 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Sat, 7 Oct 2017 00:11:31 +0200 | ||
4 | Subject: [PATCH] imap: if a FETCH response has no size, don't call write | ||
5 | callback | ||
6 | |||
7 | CVE: CVE-2017-1000257 | ||
8 | Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-1000257.patch] | ||
9 | |||
10 | Reported-by: Brian Carpenter and 0xd34db347 | ||
11 | Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586 | ||
12 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
13 | --- | ||
14 | lib/imap.c | 5 +++++ | ||
15 | 1 file changed, 5 insertions(+) | ||
16 | |||
17 | diff --git a/lib/imap.c b/lib/imap.c | ||
18 | index 954d18f37..baa31a2f8 100644 | ||
19 | --- a/lib/imap.c | ||
20 | +++ b/lib/imap.c | ||
21 | @@ -1124,10 +1124,15 @@ static CURLcode imap_state_fetch_resp(struct connectdata *conn, int imapcode, | ||
22 | |||
23 | if(chunk > (size_t)size) | ||
24 | /* The conversion from curl_off_t to size_t is always fine here */ | ||
25 | chunk = (size_t)size; | ||
26 | |||
27 | + if(!chunk) { | ||
28 | + /* no size, we're done with the data */ | ||
29 | + state(conn, IMAP_STOP); | ||
30 | + return CURLE_OK; | ||
31 | + } | ||
32 | result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk); | ||
33 | if(result) | ||
34 | return result; | ||
35 | |||
36 | data->req.bytecount += chunk; | ||
37 | -- | ||
38 | 2.15.0.rc1 | ||
39 | |||