[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-5-4' - 2 commits - external/curl

Libreoffice Gerrit user logerrit at kemper.freedesktop.org
Wed Feb 6 13:01:17 UTC 2019


 external/curl/CVE-2017-1000254.patch  |   50 +++++++++++++++++++++++++
 external/curl/CVE-2018-1000120.patch  |   67 ++++++++++++++++++++++++++++++++++
 external/curl/CVE-2018-14618.patch    |   66 +++++++++++++++++++++++++++++++++
 external/curl/CVE-2018-16890.patch    |   39 +++++++++++++++++++
 external/curl/CVE-2019-3822.patch     |   35 +++++++++++++++++
 external/curl/UnpackedTarball_curl.mk |    5 ++
 6 files changed, 262 insertions(+)

New commits:
commit af0a70b2870efd90349ccacb1c500600323f738b
Author:     Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Wed Feb 6 12:18:58 2019 +0100
Commit:     Michael Stahl <Michael.Stahl at cib.de>
CommitDate: Wed Feb 6 13:43:07 2019 +0100

    curl: add patches for CVE-2018-16890 and CVE-2019-3822
    
    The third one (CVE-2019-3823) isn't relevant because SMTP is disabled.
    
    Change-Id: I2383c1a7b0c67c586402d4098092cee565edcdda
    Reviewed-on: https://gerrit.libreoffice.org/67445
    Reviewed-by: Thorsten Behrens <Thorsten.Behrens at CIB.de>
    Tested-by: Thorsten Behrens <Thorsten.Behrens at CIB.de>

diff --git a/external/curl/CVE-2018-16890.patch b/external/curl/CVE-2018-16890.patch
new file mode 100644
index 000000000000..dabb229c2e6f
--- /dev/null
+++ b/external/curl/CVE-2018-16890.patch
@@ -0,0 +1,39 @@
+From b780b30d1377adb10bbe774835f49e9b237fb9bb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Wed, 2 Jan 2019 20:33:08 +0100
+Subject: [PATCH] NTLM: fix size check condition for type2 received data
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
+Reported-by: Wenxiang Qian
+CVE-2018-16890
+---
+ lib/vauth/ntlm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index c3d55ed251..0ad4d972e3 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel at haxx.se>, et al.
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel at haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
+     target_info_len = Curl_read16_le(&buffer[40]);
+     target_info_offset = Curl_read32_le(&buffer[44]);
+     if(target_info_len > 0) {
+-      if(((target_info_offset + target_info_len) > size) ||
++      if((target_info_offset >= size) ||
++         ((target_info_offset + target_info_len) > size) ||
+          (target_info_offset < 48)) {
+         infof(data, "NTLM handshake failure (bad type-2 message). "
+-                    "Target Info Offset Len is set incorrect by the peer\n");
++              "Target Info Offset Len is set incorrect by the peer\n");
+         return CURLE_BAD_CONTENT_ENCODING;
+       }
+ 
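Review bot: The copyright-year hunk at the top of this patch (the `- * Copyright (C) 1998 - 2016` / `+ * Copyright (C) 1998 - 2019` pair) is cosmetic and is the part most likely to need fuzz or fail outright if the bundled curl's ntlm.c header differs; dropping it from the backport leaves only the functional change. The functional hunk matches what the subject line promises: the added `target_info_offset >= size` test is evaluated before the `target_info_offset + target_info_len` sum, so the sum is only formed for offsets already inside the received buffer. `ntlm_decode_type2_target` continues outside the hunk.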
diff --git a/external/curl/CVE-2019-3822.patch b/external/curl/CVE-2019-3822.patch
new file mode 100644
index 000000000000..deb3edb3bccf
--- /dev/null
+++ b/external/curl/CVE-2019-3822.patch
@@ -0,0 +1,35 @@
+From 50c9484278c63b958655a717844f0721263939cc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Thu, 3 Jan 2019 12:59:28 +0100
+Subject: [PATCH] ntlm: fix *_type3_message size check to avoid buffer overflow
+
+Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
+Reported-by: Wenxiang Qian
+CVE-2019-3822
+---
+ lib/vauth/ntlm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index 0ad4d972e3..6a8fc5ab3d 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -779,11 +779,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
+   });
+ 
+ #if USE_NTRESPONSES
+-  if(size < (NTLM_BUFSIZE - ntresplen)) {
+-    DEBUGASSERT(size == (size_t)ntrespoff);
+-    memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+-    size += ntresplen;
++  /* ntresplen + size should not be risking an integer overflow here */
++  if(ntresplen + size > sizeof(ntlmbuf)) {
++    failf(data, "incoming NTLM message too big");
++    return CURLE_OUT_OF_MEMORY;
+   }
++  DEBUGASSERT(size == (size_t)ntrespoff);
++  memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
++  size += ntresplen;
+ 
+   DEBUG_OUT({
+     fprintf(stderr, "\n   ntresp=");
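Review bot: The `index 0ad4d972e3..6a8fc5ab3d` line names the post-image of CVE-2018-16890.patch as this patch's pre-image, so it was generated on top of that patch; the two hunks touch different regions of ntlm.c (line 182 vs. 779) and `patch` would apply them in either order with an offset, but the order added to UnpackedTarball_curl.mk keeps 16890 first and should be preserved, perhaps with a one-line comment there saying so. The new guard `if(ntresplen + size > sizeof(ntlmbuf))` fails the request explicitly instead of the old `size < (NTLM_BUFSIZE - ntresplen)` comparison; the comment's claim that the sum cannot overflow rests on the widths of `size` and `ntresplen`, which are declared outside the hunk and worth confirming against the bundled ntlm.c. `Curl_auth_create_ntlm_type3_message` starts and ends outside the hunk.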
diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk
index 644b663f3b69..9e6dbac0fa28 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -29,6 +29,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
 	external/curl/CVE-2018-14618.patch \
 	external/curl/CVE-2017-1000254.patch \
 	external/curl/CVE-2018-1000120.patch \
+	external/curl/CVE-2018-16890.patch \
+	external/curl/CVE-2019-3822.patch \
 ))
 
 ifeq ($(SYSTEM_NSS),)
commit 7dcc756d7b39e7096830d1ba53fd06b7ca1ae47b
Author:     Thorsten Behrens <Thorsten.Behrens at CIB.de>
AuthorDate: Mon Sep 10 06:16:58 2018 +0200
Commit:     Michael Stahl <Michael.Stahl at cib.de>
CommitDate: Wed Feb 6 13:42:50 2019 +0100

    curl: fix CVE-2017-1000254 & CVE-2018-14618/1000120
    
    * still don't upgrade to a new release; it is unclear whether the new windows
      build system can target Win XP, which is still supported in 5.4
    
    Change-Id: If9c235d2c3e1902f154cae570a9719945112fe33
    (cherry picked from commit 8d86210e1d113f5688015ea197d7b04b173899fb)

diff --git a/external/curl/CVE-2017-1000254.patch b/external/curl/CVE-2017-1000254.patch
new file mode 100644
index 000000000000..2e2af20f7258
--- /dev/null
+++ b/external/curl/CVE-2017-1000254.patch
@@ -0,0 +1,50 @@
+From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Mon, 25 Sep 2017 00:35:22 +0200
+Subject: [PATCH] FTP: zero terminate the entry path even on bad input
+
+... a single double quote could leave the entry path buffer without a zero
+terminating byte. CVE-2017-1000254
+
+Test 1152 added to verify.
+
+Reported-by: Max Dymond
+Bug: https://curl.haxx.se/docs/adv_20171004.html
+---
+ lib/ftp.c               |  7 ++++--
+ tests/data/Makefile.inc |  1 +
+ tests/data/test1152     | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 67 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1152
+
+diff -urN curl.org/lib/ftp.c curl/lib/ftp.c
+--- curl.org/lib/ftp.c	2016-12-19 09:15:11.000000000 +0100
++++ curl/lib/ftp.c	2018-09-10 05:52:32.148633155 +0200
+@@ -2825,6 +2825,7 @@
+         char *ptr=&data->state.buffer[4];  /* start on the first letter */
+         char *dir;
+         char *store;
++        bool entry_extracted = FALSE;
+ 
+         dir = malloc(nread + 1);
+         if(!dir)
+@@ -2856,7 +2857,7 @@
+               }
+               else {
+                 /* end of path */
+-                *store = '\0'; /* zero terminate */
++                entry_extracted = TRUE;
+                 break; /* get out of this loop */
+               }
+             }
+@@ -2865,7 +2866,9 @@
+             store++;
+             ptr++;
+           }
+-
++          *store = '\0'; /* zero terminate */
++        }
++        if(entry_extracted) {
+           /* If the path name does not look like an absolute path (i.e.: it
+              does not start with a '/'), we probably need some server-dependent
+              adjustments. For example, this is the case when connecting to
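Review bot: The patch preamble still lists `tests/data/Makefile.inc` and `tests/data/test1152` (3 files changed, 67 insertions) while the backport carries only the `lib/ftp.c` hunks, regenerated with `diff -urN` against the 2016 source; the same stale upstream diffstat appears in CVE-2018-1000120.patch and CVE-2018-14618.patch. Trimming each preamble to the files actually carried, or adding a line such as `(test cases not carried in the LibreOffice backport)`, would stop a future maintainer from hunting for missing hunks. On the code itself, `*store = '\0'` is now executed after the loop regardless of how it exited, which is the fix; the `if(entry_extracted)` body and the branch that handles the not-extracted case (which must still free `dir`) lie beyond the hunk, so the leak-free path on malformed input cannot be confirmed from here.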
diff --git a/external/curl/CVE-2018-1000120.patch b/external/curl/CVE-2018-1000120.patch
new file mode 100644
index 000000000000..6da1b1b3dcce
--- /dev/null
+++ b/external/curl/CVE-2018-1000120.patch
@@ -0,0 +1,67 @@
+From a6ae0fbe9c50733e0f645f5bd16e1db38c592c3d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Wed, 31 Jan 2018 08:40:11 +0100
+Subject: [PATCH] FTP: reject path components with control codes
+
+Refuse to operate when given path components featuring byte values lower
+than 32.
+
+Previously, inserting a %00 sequence early in the directory part when
+using the 'singlecwd' ftp method could make curl write a zero byte
+outside of the allocated buffer.
+
+Test case 340 verifies.
+
+CVE-2018-1000120
+Reported-by: Duy Phan Thanh
+Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
+---
+ lib/ftp.c               |  8 ++++----
+ tests/data/Makefile.inc |  3 +++
+ tests/data/test340      | 40 ++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+), 4 deletions(-)
+ create mode 100644 tests/data/test340
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index fec591918..e2cc38b62 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -3192,11 +3192,11 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
+     ftpc->known_filesize = -1;
+   }
+ 
+   if(!result)
+     /* get the "raw" path */
+-    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
++    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
+   if(result) {
+     /* We can limp along anyway (and should try to since we may already be in
+      * the error path) */
+     ftpc->ctl_valid = FALSE; /* mark control connection as bad */
+     connclose(conn, "FTP: out of memory!"); /* mark for connection closure */
+@@ -4153,11 +4153,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+         dirlen++;
+ 
+       result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
+                               slash_pos ? dirlen : 1,
+                               &ftpc->dirs[0], NULL,
+-                              FALSE);
++                              TRUE);
+       if(result) {
+         freedirs(ftpc);
+         return result;
+       }
+       ftpc->dirdepth = 1; /* we consider it to be a single dir */
+@@ -4260,11 +4260,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+     /* prevpath is "raw" so we convert the input path before we compare the
+        strings */
+     size_t dlen;
+     char *path;
+     CURLcode result =
+-      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
++      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
+     if(result) {
+       freedirs(ftpc);
+       return result;
+     }
+ 
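Review bot: The three changes flip the last argument of `Curl_urldecode` from `FALSE` to `TRUE`, but whether that rejects every byte below 32 (as the subject line states) or only CR/LF depends on the bundled `lib/escape.c`, which this patch does not touch; against the 2016-era curl in this tree, confirm that the flag's implementation covers all control bytes, otherwise the `%00` case the preamble describes is still accepted. The preamble also counts 4 insertions and 4 deletions for `lib/ftp.c` while only three one-line changes are carried, so either a hunk was dropped or the count is stale. `ftp_done` and `ftp_parse_url_path` start and end outside the hunks.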
diff --git a/external/curl/CVE-2018-14618.patch b/external/curl/CVE-2018-14618.patch
new file mode 100644
index 000000000000..40f08e7305c1
--- /dev/null
+++ b/external/curl/CVE-2018-14618.patch
@@ -0,0 +1,66 @@
+From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Mon, 13 Aug 2018 10:35:52 +0200
+Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password
+
+... since it would cause an integer overflow if longer than (max size_t
+/ 2).
+
+This is CVE-2018-14618
+
+Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
+Closes #2756
+Reported-by: Zhaoyang Wu
+---
+ lib/curl_ntlm_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index e27cab353c..922e85a926 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -526,6 +526,15 @@
+ 
+ #endif /* USE_NTLM_V2 && !USE_WINDOWS_SSPI */
+ 
++#ifndef SIZE_T_MAX
++/* some limits.h headers have this defined, some don't */
++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++#endif
++
+ /*
+  * Set up nt hashed passwords
+  * @unittest: 1600
+@@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data,
+                                    unsigned char *ntbuffer /* 21 bytes */)
+ {
+   size_t len = strlen(password);
+-  unsigned char *pw = malloc(len * 2);
++  unsigned char *pw;
+   CURLcode result;
++  if(len > SIZE_T_MAX/2) /* avoid integer overflow */
++    return CURLE_OUT_OF_MEMORY;
++  pw = len ? malloc(len * 2) : strdup("");
+   if(!pw)
+     return CURLE_OUT_OF_MEMORY;
+ 
+@@ -621,15 +630,6 @@
+   return CURLE_OK;
+ }
+ 
+-#ifndef SIZE_T_MAX
+-/* some limits.h headers have this defined, some don't */
+-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
+-#define SIZE_T_MAX 18446744073709551615U
+-#else
+-#define SIZE_T_MAX 4294967295U
+-#endif
+-#endif
+-
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+  * (uppercase UserName + Domain) as the data
+  */
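Review bot: The second hunk header `@@ -557,8 +557,11 @@` does not account for the 9 lines the first hunk inserts before it (the `SIZE_T_MAX` block hoisted from line 621), so its new-side start should read `+566,11`; `patch` tolerates the offset, but the hoisting hunks appear to be a backport addition (the preamble's diffstat counts only the function hunk) and the file would be cleaner regenerated with `diff -u` after the move. The hoist itself is needed: `SIZE_T_MAX` is now used at `if(len > SIZE_T_MAX/2)` inside `Curl_ntlm_core_mk_nt_hash`, above where the old file defined it. The function's body continues past the hunk.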
diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk
index 97d458b791c2..644b663f3b69 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -26,6 +26,9 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
 	external/curl/CVE-2017-8816.patch \
 	external/curl/CVE-2018-1000005.patch \
 	external/curl/CVE-2018-1000007.patch \
+	external/curl/CVE-2018-14618.patch \
+	external/curl/CVE-2017-1000254.patch \
+	external/curl/CVE-2018-1000120.patch \
 ))
 
 ifeq ($(SYSTEM_NSS),)

