[Libreoffice-commits] core.git: Branch 'libreoffice-5-4' - external/curl
Michael Stahl
mstahl at redhat.com
Thu Nov 30 12:19:03 UTC 2017
external/curl/CVE-2017-8816.patch | 67 ++++++++++++++++++++++++++++++++++
external/curl/UnpackedTarball_curl.mk | 1
2 files changed, 68 insertions(+)
New commits:
commit aa0f44de5b260b2b2a39bdd2de9445d72ab14265
Author: Michael Stahl <mstahl at redhat.com>
Date: Wed Nov 29 12:28:03 2017 +0100
curl: fix CVE-2017-8816
* don't upgrade to new release, no idea how the new windows
build system likes targeting Win XP which is still supported in 5.4
* CVE-2017-8817 doesn't affect LO as CURLOPT_WILDCARDMATCH isn't used
* CVE-2017-8818 doesn't affect the old 7.52 version
Change-Id: I49ddb771ccdb93d5fe8f4b3544f74ab9b171c156
Reviewed-on: https://gerrit.libreoffice.org/45487
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/external/curl/CVE-2017-8816.patch b/external/curl/CVE-2017-8816.patch
new file mode 100644
index 000000000000..dd4fa677e03f
--- /dev/null
+++ b/external/curl/CVE-2017-8816.patch
@@ -0,0 +1,67 @@
+From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Mon, 6 Nov 2017 23:51:52 +0100
+Subject: [PATCH] ntlm: avoid integer overflow for malloc size
+
+Reported-by: Alex Nichols
+Assisted-by: Kamil Dudka and Max Dymond
+
+CVE-2017-8816
+
+Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+---
+ lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index 1309bf0d9..e8962769c 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
+ Curl_HMAC_final(ctxt, output);
+
+ return CURLE_OK;
+ }
+
++#ifndef SIZE_T_MAX
++/* some limits.h headers have this defined, some don't */
++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++#endif
++
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+ * (uppercase UserName + Domain) as the data
+ */
+ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
+ const char *domain, size_t domlen,
+ unsigned char *ntlmhash,
+ unsigned char *ntlmv2hash)
+ {
+ /* Unicode representation */
+- size_t identity_len = (userlen + domlen) * 2;
+- unsigned char *identity = malloc(identity_len);
++ size_t identity_len;
++ unsigned char *identity;
+ CURLcode result = CURLE_OK;
+
++ /* we do the length checks below separately to avoid integer overflow risk
++ on extreme data lengths */
++ if((userlen > SIZE_T_MAX/2) ||
++ (domlen > SIZE_T_MAX/2) ||
++ ((userlen + domlen) > SIZE_T_MAX/2))
++ return CURLE_OUT_OF_MEMORY;
++
++ identity_len = (userlen + domlen) * 2;
++ identity = malloc(identity_len);
++
+ if(!identity)
+ return CURLE_OUT_OF_MEMORY;
+
+ ascii_uppercase_to_unicode_le(identity, user, userlen);
+ ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
+--
+2.15.0
+
diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk
index e65cc2e057e9..d158d4bd8444 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -23,6 +23,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
external/curl/curl-msvc-schannel.patch.1 \
external/curl/curl-7.26.0_win-proxy.patch \
external/curl/curl-xp.patch.1 \
+ external/curl/CVE-2017-8816.patch \
))
ifeq ($(SYSTEM_NSS),)
More information about the Libreoffice-commits
mailing list