[Libreoffice-commits] core.git: Branch 'feature/cib_contract891' - 2 commits - external/curl
Libreoffice Gerrit user
logerrit at kemper.freedesktop.org
Fri Feb 8 15:53:49 UTC 2019
external/curl/CVE-2018-14618.patch | 34 +++++++++++++++++++++++++++++++++
external/curl/CVE-2018-16890.patch | 30 +++++++++++++++++++++++++++++
external/curl/CVE-2019-3822.patch | 35 ++++++++++++++++++++++++++++++++++
external/curl/UnpackedTarball_curl.mk | 3 ++
4 files changed, 102 insertions(+)
New commits:
commit 542c991e559ae0f6132b7fea10d995a6452215ba
Author: Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Wed Feb 6 12:18:58 2019 +0100
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Fri Feb 8 16:50:34 2019 +0100
curl: add patches for CVE-2018-16890 and CVE-2019-3822
The third one (CVE-2019-3823) isn't relevant because SMTP is disabled.
Reviewed-on: https://gerrit.libreoffice.org/67445
Reviewed-by: Thorsten Behrens <Thorsten.Behrens at CIB.de>
Tested-by: Thorsten Behrens <Thorsten.Behrens at CIB.de>
(cherry picked from commit 9f755aed82154abe29c40899882b3a383aa6f475)
Change-Id: I2383c1a7b0c67c586402d4098092cee565edcdda
Reviewed-on: https://gerrit.libreoffice.org/67509
Reviewed-by: Thorsten Behrens <Thorsten.Behrens at CIB.de>
Tested-by: Thorsten Behrens <Thorsten.Behrens at CIB.de>
diff --git a/external/curl/CVE-2018-16890.patch b/external/curl/CVE-2018-16890.patch
new file mode 100644
index 000000000000..3ba0b38b21a4
--- /dev/null
+++ b/external/curl/CVE-2018-16890.patch
@@ -0,0 +1,30 @@
+From b780b30d1377adb10bbe774835f49e9b237fb9bb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Wed, 2 Jan 2019 20:33:08 +0100
+Subject: [PATCH] NTLM: fix size check condition for type2 received data
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
+Reported-by: Wenxiang Qian
+CVE-2018-16890
+---
+ lib/vauth/ntlm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index c3d55ed251..0ad4d972e3 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
+ target_info_len = Curl_read16_le(&buffer[40]);
+ target_info_offset = Curl_read32_le(&buffer[44]);
+ if(target_info_len > 0) {
+- if(((target_info_offset + target_info_len) > size) ||
++ if((target_info_offset >= size) ||
++ ((target_info_offset + target_info_len) > size) ||
+ (target_info_offset < 48)) {
+ infof(data, "NTLM handshake failure (bad type-2 message). "
+- "Target Info Offset Len is set incorrect by the peer\n");
++ "Target Info Offset Len is set incorrect by the peer\n");
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
+
diff --git a/external/curl/CVE-2019-3822.patch b/external/curl/CVE-2019-3822.patch
new file mode 100644
index 000000000000..938926b1d331
--- /dev/null
+++ b/external/curl/CVE-2019-3822.patch
@@ -0,0 +1,35 @@
+From 50c9484278c63b958655a717844f0721263939cc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Thu, 3 Jan 2019 12:59:28 +0100
+Subject: [PATCH] ntlm: fix *_type3_message size check to avoid buffer overflow
+
+Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
+Reported-by: Wenxiang Qian
+CVE-2019-3822
+---
+ lib/vauth/ntlm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index 0ad4d972e3..6a8fc5ab3d 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -779,11 +779,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
+ });
+
+ #ifdef USE_NTRESPONSES
+- if(size < (NTLM_BUFSIZE - ntresplen)) {
+- DEBUGASSERT(size == (size_t)ntrespoff);
+- memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+- size += ntresplen;
++ /* ntresplen + size should not be risking an integer overflow here */
++ if(ntresplen + size > sizeof(ntlmbuf)) {
++ failf(data, "incoming NTLM message too big");
++ return CURLE_OUT_OF_MEMORY;
+ }
++ DEBUGASSERT(size == (size_t)ntrespoff);
++ memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
++ size += ntresplen;
+
+ DEBUG_OUT({
+ fprintf(stderr, "\n ntresp=");
diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk
index 6ecef5bb4db7..66a70ecce8c6 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -22,6 +22,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
external/curl/curl-msvc-disable-protocols.patch.1 \
external/curl/curl-7.26.0_win-proxy.patch \
external/curl/CVE-2018-14618.patch \
+ external/curl/CVE-2018-16890.patch \
+ external/curl/CVE-2019-3822.patch \
))
ifeq ($(OS),ANDROID)
commit 8f6b5ab3ce67c3d4f463133fb9e67be3c2a0e1c8
Author: Thorsten Behrens <Thorsten.Behrens at CIB.de>
AuthorDate: Sat Sep 22 19:14:00 2018 +0200
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Fri Feb 8 16:50:22 2019 +0100
curl: fix CVE-2018-14618
* don't upgrade to new release, just use the patch from git
Change-Id: I1f2af0cb388c6a94a817b765d0a1eff9990f1661
diff --git a/external/curl/CVE-2018-14618.patch b/external/curl/CVE-2018-14618.patch
new file mode 100644
index 000000000000..5d99c9fb3118
--- /dev/null
+++ b/external/curl/CVE-2018-14618.patch
@@ -0,0 +1,34 @@
+From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Mon, 13 Aug 2018 10:35:52 +0200
+Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password
+
+... since it would cause an integer overflow if longer than (max size_t
+/ 2).
+
+This is CVE-2018-14618
+
+Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
+Closes #2756
+Reported-by: Zhaoyang Wu
+---
+ lib/curl_ntlm_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index e27cab353c..922e85a926 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data,
+ unsigned char *ntbuffer /* 21 bytes */)
+ {
+ size_t len = strlen(password);
+- unsigned char *pw = len ? malloc(len * 2) : strdup("");
++ unsigned char *pw;
+ CURLcode result;
++ if(len > SIZE_T_MAX/2) /* avoid integer overflow */
++ return CURLE_OUT_OF_MEMORY;
++ pw = len ? malloc(len * 2) : strdup("");
+ if(!pw)
+ return CURLE_OUT_OF_MEMORY;
+
diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk
index a578a103c350..6ecef5bb4db7 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -21,6 +21,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
external/curl/curl-msvc.patch.1 \
external/curl/curl-msvc-disable-protocols.patch.1 \
external/curl/curl-7.26.0_win-proxy.patch \
+ external/curl/CVE-2018-14618.patch \
))
ifeq ($(OS),ANDROID)
More information about the Libreoffice-commits
mailing list