curl: fix for CVE-2018-16839/CVE-2018-16840/CVE-2018-16842

(From OE-Core rev: 0f0db9fc8512a0ecd0cdba3304a195cd925a5029) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Changqing Li <changqing.li@windriver.com> 2018-11-02 14:07:49 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-11-07 23:08:54 +0000
commit: c67e7d1eb3d26d04bfe426d93f56a8b3a85dae93 (patch)
tree: c3ba9ed640c2a5ddc8aca4ae49afe445f80ef47b /meta/recipes-support/curl/curl/CVE-2018-16839.patch
parent: faacc5048746c5bd0366881cdf46470bfeef4300 (diff)
download: poky-c67e7d1eb3d26d04bfe426d93f56a8b3a85dae93.tar.gz
1 files changed, 35 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2018-16839.patch b/meta/recipes-support/curl/curl/CVE-2018-16839.patch
new file mode 100644
index 0000000000..bf972d2ed7
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2018-16839.patch
@@ -0,0 +1,35 @@
+From 55b90532f9190dce40a325b3312d014c66dc3ae1 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 1 Nov 2018 15:27:35 +0800
+Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check
+CVE-2018-16839
+Reported-by: Harry Sintonen
+Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
+Upstream-Status: Backport [https://github.com/curl/curl/commit
+/f3a24d7916b9173c69a3e0ee790102993833d6c5?diff=unified]
+CVE: CVE-2018-16839
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ lib/vauth/cleartext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
+index 5d61ce6..1367143 100644
+--- a/lib/vauth/cleartext.c
+++ b/lib/vauth/cleartext.c
+@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
+   plen = strlen(passwdp);
+ 
+   /* Compute binary message length. Check for overflows. */
+-  if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
+  if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
+     return CURLE_OUT_OF_MEMORY;
+   plainlen = 2 * ulen + plen + 2;
+ 
+-- 
+2.7.4
author	Changqing Li <changqing.li@windriver.com>	2018-11-02 14:07:49 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-11-07 23:08:54 +0000
commit	c67e7d1eb3d26d04bfe426d93f56a8b3a85dae93 (patch)
tree	c3ba9ed640c2a5ddc8aca4ae49afe445f80ef47b /meta/recipes-support/curl/curl/CVE-2018-16839.patch
parent	faacc5048746c5bd0366881cdf46470bfeef4300 (diff)
download	poky-c67e7d1eb3d26d04bfe426d93f56a8b3a85dae93.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2018-16839.patch b/meta/recipes-support/curl/curl/CVE-2018-16839.patch new file mode 100644 index 0000000000..bf972d2ed7 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2018-16839.patch
@@ -0,0 +1,35 @@
	1	From 55b90532f9190dce40a325b3312d014c66dc3ae1 Mon Sep 17 00:00:00 2001
	2	From: Changqing Li <changqing.li@windriver.com>
	3	Date: Thu, 1 Nov 2018 15:27:35 +0800
	4	Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check
	5
	6	CVE-2018-16839
	7	Reported-by: Harry Sintonen
	8	Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
	9
	10	Upstream-Status: Backport [https://github.com/curl/curl/commit
	11	/f3a24d7916b9173c69a3e0ee790102993833d6c5?diff=unified]
	12
	13	CVE: CVE-2018-16839
	14
	15	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	16	---
	17	lib/vauth/cleartext.c \| 2 +-
	18	1 file changed, 1 insertion(+), 1 deletion(-)
	19
	20	diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
	21	index 5d61ce6..1367143 100644
	22	--- a/lib/vauth/cleartext.c
	23	+++ b/lib/vauth/cleartext.c
	24	@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
	25	plen = strlen(passwdp);
	26
	27	/* Compute binary message length. Check for overflows. */
	28	- if((ulen > SIZE_T_MAX/2) \|\| (plen > (SIZE_T_MAX/2 - 2)))
	29	+ if((ulen > SIZE_T_MAX/4) \|\| (plen > (SIZE_T_MAX/2 - 2)))
	30	return CURLE_OUT_OF_MEMORY;
	31	plainlen = 2 * ulen + plen + 2;
	32
	33	--
	34	2.7.4
	35