[Libreoffice-commits] core.git: Branch 'distro/lhm/libreoffice-5-2+backports' - external/curl

Libreoffice Gerrit user logerrit at kemper.freedesktop.org
Wed Feb 6 12:33:32 UTC 2019


 external/curl/CVE-2018-16890.patch    |   39 ++++++++++++++++++++++++++++++++++
 external/curl/CVE-2019-3822.patch     |   35 ++++++++++++++++++++++++++++++
 external/curl/UnpackedTarball_curl.mk |    2 +
 3 files changed, 76 insertions(+)

New commits:
commit 9f755aed82154abe29c40899882b3a383aa6f475
Author:     Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Wed Feb 6 12:18:58 2019 +0100
Commit:     Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Feb 6 13:33:11 2019 +0100

    curl: add patches for CVE-2018-16890 and CVE-2019-3822
    
    The third one (CVE-2019-3823) isn't relevant because SMTP is disabled.
    
    Change-Id: I2383c1a7b0c67c586402d4098092cee565edcdda
    Reviewed-on: https://gerrit.libreoffice.org/67445
    Reviewed-by: Thorsten Behrens <Thorsten.Behrens at CIB.de>
    Tested-by: Thorsten Behrens <Thorsten.Behrens at CIB.de>

diff --git a/external/curl/CVE-2018-16890.patch b/external/curl/CVE-2018-16890.patch
new file mode 100644
index 000000000000..dabb229c2e6f
--- /dev/null
+++ b/external/curl/CVE-2018-16890.patch
@@ -0,0 +1,39 @@
+From b780b30d1377adb10bbe774835f49e9b237fb9bb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Wed, 2 Jan 2019 20:33:08 +0100
+Subject: [PATCH] NTLM: fix size check condition for type2 received data
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
+Reported-by: Wenxiang Qian
+CVE-2018-16890
+---
+ lib/vauth/ntlm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index c3d55ed251..0ad4d972e3 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel at haxx.se>, et al.
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel at haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
+     target_info_len = Curl_read16_le(&buffer[40]);
+     target_info_offset = Curl_read32_le(&buffer[44]);
+     if(target_info_len > 0) {
+-      if(((target_info_offset + target_info_len) > size) ||
++      if((target_info_offset >= size) ||
++         ((target_info_offset + target_info_len) > size) ||
+          (target_info_offset < 48)) {
+         infof(data, "NTLM handshake failure (bad type-2 message). "
+-                    "Target Info Offset Len is set incorrect by the peer\n");
++              "Target Info Offset Len is set incorrect by the peer\n");
+         return CURLE_BAD_CONTENT_ENCODING;
+       }
+ 
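Review bot: The bounds test in the `ntlm_decode_type2_target` hunk still evaluates `target_info_offset + target_info_len`, so it is only correct while that sum cannot wrap, and the declarations that fix the operand widths are outside the hunk. The added `target_info_offset >= size` test runs first and rejects the large offsets that could wrap, provided `size` stays far below the type's maximum, which is likely for a decoded handshake message but not shown here. As this is an upstream backport I would keep the code as is and record that dependency in a comment above the condition, e.g. `/* offset is checked against size first so that offset + len below cannot wrap */`. If a local deviation is acceptable, the subtraction form `(target_info_len > size - target_info_offset)` after the `>= size` test removes the dependency altogether. The function begins and ends outside the hunk.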
diff --git a/external/curl/CVE-2019-3822.patch b/external/curl/CVE-2019-3822.patch
new file mode 100644
index 000000000000..deb3edb3bccf
--- /dev/null
+++ b/external/curl/CVE-2019-3822.patch
@@ -0,0 +1,35 @@
+From 50c9484278c63b958655a717844f0721263939cc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Thu, 3 Jan 2019 12:59:28 +0100
+Subject: [PATCH] ntlm: fix *_type3_message size check to avoid buffer overflow
+
+Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
+Reported-by: Wenxiang Qian
+CVE-2019-3822
+---
+ lib/vauth/ntlm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index 0ad4d972e3..6a8fc5ab3d 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -779,11 +779,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
+   });
+ 
+ #if USE_NTRESPONSES
+-  if(size < (NTLM_BUFSIZE - ntresplen)) {
+-    DEBUGASSERT(size == (size_t)ntrespoff);
+-    memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+-    size += ntresplen;
++  /* ntresplen + size should not be risking an integer overflow here */
++  if(ntresplen + size > sizeof(ntlmbuf)) {
++    failf(data, "incoming NTLM message too big");
++    return CURLE_OUT_OF_MEMORY;
+   }
++  DEBUGASSERT(size == (size_t)ntrespoff);
++  memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
++  size += ntresplen;
+ 
+   DEBUG_OUT({
+     fprintf(stderr, "\n   ntresp=");
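Review bot: The new rejection path in `Curl_auth_create_ntlm_type3_message` returns `CURLE_OUT_OF_MEMORY`, so an oversized NT response looks like a local allocation failure, and only the `failf` text `incoming NTLM message too big` identifies it. The message name suggests the length is derived from data the peer sent, but that derivation is outside the hunk. Anyone triaging failed NTLM handshakes against a suspicious server or proxy should therefore key on that string rather than on the result code. The comment `ntresplen + size should not be risking an integer overflow here` asserts a bound without giving the reason, and the declarations of both operands are also outside the hunk. I would extend it to name the limit it relies on, along the lines of `/* size <= sizeof(ntlmbuf) at this point and ntresplen is bounded by <limit>, so the sum cannot wrap */`, with the placeholder filled in from the code above.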
diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk
index 88aecc718fb5..b87fa5ca0891 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -30,6 +30,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
 	external/curl/CVE-2018-14618.patch \
 	external/curl/CVE-2017-1000254.patch \
 	external/curl/CVE-2018-1000120.patch \
+	external/curl/CVE-2018-16890.patch \
+	external/curl/CVE-2019-3822.patch \
 ))
 
 ifeq ($(SYSTEM_NSS),)
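Review bot: The patch list gives no sign that CVE-2019-3823 was deliberately left out; the reason (SMTP is disabled) appears only in the commit message, and the configure options that disable SMTP are not visible in this hunk. If SMTP is ever enabled for the bundled curl, nothing near this list would prompt a maintainer to add the missing fix. I would put a comment above the `gb_UnpackedTarball_add_patches` call, which opens above the hunk, such as `# CVE-2019-3823 (SMTP) intentionally not backported: SMTP is disabled in this build; revisit if that changes`.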

