summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-11-15 09:08:13 (GMT)
committerSona Sarmadi <sona.sarmadi@enea.com>2017-02-10 11:21:37 (GMT)
commite959182ba2941f29882d52c9fa700a83c477a504 (patch)
treeba283b770de8309eaf81eec918c41f4e0524bd49
parentf896298d12f2295e3193f81c8126b3142828bd4d (diff)
downloadpoky-e959182ba2941f29882d52c9fa700a83c477a504.tar.gz
curl: CVE-2016-8618
double-free in curl_maprintf Affected versions: curl 7.1 to and including 7.50.3 Reference: https://curl.haxx.se/docs/adv_20161102D.html Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta/recipes-support/curl/curl/CVE-2016-8618.patch52
-rw-r--r--meta/recipes-support/curl/curl_7.47.1.bb1
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8618.patch b/meta/recipes-support/curl/curl/CVE-2016-8618.patch
new file mode 100644
index 0000000..2fd4749
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8618.patch
@@ -0,0 +1,52 @@
1From 31106a073882656a2a5ab56c4ce2847e9a334c3c Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Wed, 28 Sep 2016 10:15:34 +0200
4Subject: [PATCH] aprintf: detect wrap-around when growing allocation
5
6On 32bit systems we could otherwise wrap around after 2GB and allocate 0
7bytes and crash.
8
9CVE: CVE-2016-8618
10Upstream-Status: Backport
11
12Bug: https://curl.haxx.se/docs/adv_20161102D.html
13Reported-by: Cure53
14Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
15---
16 lib/mprintf.c | 9 ++++++---
17 1 file changed, 6 insertions(+), 3 deletions(-)
18
19diff --git a/lib/mprintf.c b/lib/mprintf.c
20index dbedeaa..2c88aa8 100644
21--- a/lib/mprintf.c
22+++ b/lib/mprintf.c
23@@ -1034,20 +1034,23 @@ static int alloc_addbyter(int output, FILE *data)
24 }
25 infop->alloc = 32;
26 infop->len =0;
27 }
28 else if(infop->len+1 >= infop->alloc) {
29- char *newptr;
30+ char *newptr = NULL;
31+ size_t newsize = infop->alloc*2;
32
33- newptr = realloc(infop->buffer, infop->alloc*2);
34+ /* detect wrap-around or other overflow problems */
35+ if(newsize > infop->alloc)
36+ newptr = realloc(infop->buffer, newsize);
37
38 if(!newptr) {
39 infop->fail = 1;
40 return -1; /* fail */
41 }
42 infop->buffer = newptr;
43- infop->alloc *= 2;
44+ infop->alloc = newsize;
45 }
46
47 infop->buffer[ infop->len ] = outc;
48
49 infop->len++;
50--
512.9.3
52
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb
index 3724411..27a999e 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -18,6 +18,7 @@ SRC_URI += " file://configure_ac.patch \
18 file://CVE-2016-8615.patch \ 18 file://CVE-2016-8615.patch \
19 file://CVE-2016-8616.patch \ 19 file://CVE-2016-8616.patch \
20 file://CVE-2016-8617.patch \ 20 file://CVE-2016-8617.patch \
21 file://CVE-2016-8618.patch \
21 " 22 "
22 23
23SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb" 24SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"