curl: CVE-2016-8618

double-free in curl_maprintf Affected versions: curl 7.1 to and including 7.50.3 Reference: https://curl.haxx.se/docs/adv_20161102D.html Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-11-15 10:08:13 +0100
committer: Sona Sarmadi <sona.sarmadi@enea.com> 2017-02-10 12:21:37 +0100
commit: e959182ba2941f29882d52c9fa700a83c477a504 (patch)
tree: ba283b770de8309eaf81eec918c41f4e0524bd49
parent: f896298d12f2295e3193f81c8126b3142828bd4d (diff)
download: poky-e959182ba2941f29882d52c9fa700a83c477a504.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8618.patch b/meta/recipes-support/curl/curl/CVE-2016-8618.patch
new file mode 100644
index 0000000000..2fd4749586
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8618.patch
@@ -0,0 +1,52 @@
+From 31106a073882656a2a5ab56c4ce2847e9a334c3c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 28 Sep 2016 10:15:34 +0200
+Subject: [PATCH] aprintf: detect wrap-around when growing allocation
+On 32bit systems we could otherwise wrap around after 2GB and allocate 0
+bytes and crash.
+CVE: CVE-2016-8618
+Upstream-Status: Backport
+Bug: https://curl.haxx.se/docs/adv_20161102D.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/mprintf.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+diff --git a/lib/mprintf.c b/lib/mprintf.c
+index dbedeaa..2c88aa8 100644
+--- a/lib/mprintf.c
+++ b/lib/mprintf.c
+@@ -1034,20 +1034,23 @@ static int alloc_addbyter(int output, FILE *data)
+     }
+     infop->alloc = 32;
+     infop->len =0;
+   }
+   else if(infop->len+1 >= infop->alloc) {
+-    char *newptr;
+    char *newptr = NULL;
+    size_t newsize = infop->alloc*2;
+ 
+-    newptr = realloc(infop->buffer, infop->alloc*2);
+    /* detect wrap-around or other overflow problems */
+    if(newsize > infop->alloc)
+      newptr = realloc(infop->buffer, newsize);
+ 
+     if(!newptr) {
+       infop->fail = 1;
+       return -1; /* fail */
+     }
+     infop->buffer = newptr;
+-    infop->alloc *= 2;
+    infop->alloc = newsize;
+   }
+ 
+   infop->buffer[ infop->len ] = outc;
+ 
+   infop->len++;
+-- 
+2.9.3
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb
index 37244110c3..27a999ee97 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -18,6 +18,7 @@ SRC_URI += " file://configure_ac.patch \
             file://CVE-2016-8615.patch \
             file://CVE-2016-8616.patch \
             file://CVE-2016-8617.patch \
+             file://CVE-2016-8618.patch \
           "
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-11-15 10:08:13 +0100
committer	Sona Sarmadi <sona.sarmadi@enea.com>	2017-02-10 12:21:37 +0100
commit	e959182ba2941f29882d52c9fa700a83c477a504 (patch)
tree	ba283b770de8309eaf81eec918c41f4e0524bd49
parent	f896298d12f2295e3193f81c8126b3142828bd4d (diff)
download	poky-e959182ba2941f29882d52c9fa700a83c477a504.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8618.patch b/meta/recipes-support/curl/curl/CVE-2016-8618.patch new file mode 100644 index 0000000000..2fd4749586 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-8618.patch
@@ -0,0 +1,52 @@
		1	From 31106a073882656a2a5ab56c4ce2847e9a334c3c Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Wed, 28 Sep 2016 10:15:34 +0200
		4	Subject: [PATCH] aprintf: detect wrap-around when growing allocation
		5
		6	On 32bit systems we could otherwise wrap around after 2GB and allocate 0
		7	bytes and crash.
		8
		9	CVE: CVE-2016-8618
		10	Upstream-Status: Backport
		11
		12	Bug: https://curl.haxx.se/docs/adv_20161102D.html
		13	Reported-by: Cure53
		14	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		15	---
		16	lib/mprintf.c \| 9 ++++++---
		17	1 file changed, 6 insertions(+), 3 deletions(-)
		18
		19	diff --git a/lib/mprintf.c b/lib/mprintf.c
		20	index dbedeaa..2c88aa8 100644
		21	--- a/lib/mprintf.c
		22	+++ b/lib/mprintf.c
		23	@@ -1034,20 +1034,23 @@ static int alloc_addbyter(int output, FILE *data)
		24	}
		25	infop->alloc = 32;
		26	infop->len =0;
		27	}
		28	else if(infop->len+1 >= infop->alloc) {
		29	- char *newptr;
		30	+ char *newptr = NULL;
		31	+ size_t newsize = infop->alloc*2;
		32
		33	- newptr = realloc(infop->buffer, infop->alloc*2);
		34	+ /* detect wrap-around or other overflow problems */
		35	+ if(newsize > infop->alloc)
		36	+ newptr = realloc(infop->buffer, newsize);
		37
		38	if(!newptr) {
		39	infop->fail = 1;
		40	return -1; /* fail */
		41	}
		42	infop->buffer = newptr;
		43	- infop->alloc *= 2;
		44	+ infop->alloc = newsize;
		45	}
		46
		47	infop->buffer[ infop->len ] = outc;
		48
		49	infop->len++;
		50	--
		51	2.9.3
		52


diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb index 37244110c3..27a999ee97 100644 --- a/meta/recipes-support/curl/curl_7.47.1.bb +++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -18,6 +18,7 @@ SRC_URI += " file://configure_ac.patch \
18	file://CVE-2016-8615.patch \	18	file://CVE-2016-8615.patch \
19	file://CVE-2016-8616.patch \	19	file://CVE-2016-8616.patch \
20	file://CVE-2016-8617.patch \	20	file://CVE-2016-8617.patch \
		21	file://CVE-2016-8618.patch \
21	"	22	"
22		23
23	SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"	24	SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"