import curl-7.61.1-12.el8
This commit is contained in:
parent
96ffed0bbf
commit
2f86b67ef9
31
SOURCES/0017-curl-7.64.0-CVE-2019-5436.patch
Normal file
31
SOURCES/0017-curl-7.64.0-CVE-2019-5436.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
From 55a27027d5f024a0ecc2c23c81ed99de6192c9f3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Fri, 3 May 2019 22:20:37 +0200
|
||||||
|
Subject: [PATCH] tftp: use the current blksize for recvfrom()
|
||||||
|
|
||||||
|
bug: https://curl.haxx.se/docs/CVE-2019-5436.html
|
||||||
|
Reported-by: l00p3r on hackerone
|
||||||
|
CVE-2019-5436
|
||||||
|
|
||||||
|
Upstream-commit: 2576003415625d7b5f0e390902f8097830b82275
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/tftp.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/tftp.c b/lib/tftp.c
|
||||||
|
index 269b3cd..4f2a131 100644
|
||||||
|
--- a/lib/tftp.c
|
||||||
|
+++ b/lib/tftp.c
|
||||||
|
@@ -1005,7 +1005,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
|
||||||
|
state->sockfd = state->conn->sock[FIRSTSOCKET];
|
||||||
|
state->state = TFTP_STATE_START;
|
||||||
|
state->error = TFTP_ERR_NONE;
|
||||||
|
- state->blksize = TFTP_BLKSIZE_DEFAULT;
|
||||||
|
+ state->blksize = blksize;
|
||||||
|
state->requested_blksize = blksize;
|
||||||
|
|
||||||
|
((struct sockaddr *)&state->local_addr)->sa_family =
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
158
SOURCES/0018-curl-7.65.3-CVE-2019-5482.patch
Normal file
158
SOURCES/0018-curl-7.65.3-CVE-2019-5482.patch
Normal file
@ -0,0 +1,158 @@
|
|||||||
|
From 63f9837b4ccf600da79314e8667f91bda69988fc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Vegas <>
|
||||||
|
Date: Sat, 31 Aug 2019 16:59:56 +0200
|
||||||
|
Subject: [PATCH 1/2] tftp: return error when packet is too small for options
|
||||||
|
|
||||||
|
Upstream-commit: 82f3ba3806a34fe94dcf9e5c9b88deda6679ca1b
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/tftp.c | 53 +++++++++++++++++++++++++++++++++--------------------
|
||||||
|
1 file changed, 33 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/tftp.c b/lib/tftp.c
|
||||||
|
index 289cda2..4532170 100644
|
||||||
|
--- a/lib/tftp.c
|
||||||
|
+++ b/lib/tftp.c
|
||||||
|
@@ -404,13 +404,14 @@ static CURLcode tftp_parse_option_ack(tftp_state_data_t *state,
|
||||||
|
return CURLE_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static size_t tftp_option_add(tftp_state_data_t *state, size_t csize,
|
||||||
|
- char *buf, const char *option)
|
||||||
|
+static CURLcode tftp_option_add(tftp_state_data_t *state, size_t *csize,
|
||||||
|
+ char *buf, const char *option)
|
||||||
|
{
|
||||||
|
- if(( strlen(option) + csize + 1) > (size_t)state->blksize)
|
||||||
|
- return 0;
|
||||||
|
+ if(( strlen(option) + *csize + 1) > (size_t)state->blksize)
|
||||||
|
+ return CURLE_TFTP_ILLEGAL;
|
||||||
|
strcpy(buf, option);
|
||||||
|
- return strlen(option) + 1;
|
||||||
|
+ *csize += strlen(option) + 1;
|
||||||
|
+ return CURLE_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
static CURLcode tftp_connect_for_tx(tftp_state_data_t *state,
|
||||||
|
@@ -511,26 +512,38 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
|
||||||
|
else
|
||||||
|
strcpy(buf, "0"); /* the destination is large enough */
|
||||||
|
|
||||||
|
- sbytes += tftp_option_add(state, sbytes,
|
||||||
|
- (char *)state->spacket.data + sbytes,
|
||||||
|
- TFTP_OPTION_TSIZE);
|
||||||
|
- sbytes += tftp_option_add(state, sbytes,
|
||||||
|
- (char *)state->spacket.data + sbytes, buf);
|
||||||
|
+ result = tftp_option_add(state, &sbytes,
|
||||||
|
+ (char *)state->spacket.data + sbytes,
|
||||||
|
+ TFTP_OPTION_TSIZE);
|
||||||
|
+ if(result == CURLE_OK)
|
||||||
|
+ result = tftp_option_add(state, &sbytes,
|
||||||
|
+ (char *)state->spacket.data + sbytes, buf);
|
||||||
|
+
|
||||||
|
/* add blksize option */
|
||||||
|
snprintf(buf, sizeof(buf), "%d", state->requested_blksize);
|
||||||
|
- sbytes += tftp_option_add(state, sbytes,
|
||||||
|
- (char *)state->spacket.data + sbytes,
|
||||||
|
- TFTP_OPTION_BLKSIZE);
|
||||||
|
- sbytes += tftp_option_add(state, sbytes,
|
||||||
|
- (char *)state->spacket.data + sbytes, buf);
|
||||||
|
+ if(result == CURLE_OK)
|
||||||
|
+ result = tftp_option_add(state, &sbytes,
|
||||||
|
+ (char *)state->spacket.data + sbytes,
|
||||||
|
+ TFTP_OPTION_BLKSIZE);
|
||||||
|
+ if(result == CURLE_OK)
|
||||||
|
+ result = tftp_option_add(state, &sbytes,
|
||||||
|
+ (char *)state->spacket.data + sbytes, buf);
|
||||||
|
|
||||||
|
/* add timeout option */
|
||||||
|
snprintf(buf, sizeof(buf), "%d", state->retry_time);
|
||||||
|
- sbytes += tftp_option_add(state, sbytes,
|
||||||
|
- (char *)state->spacket.data + sbytes,
|
||||||
|
- TFTP_OPTION_INTERVAL);
|
||||||
|
- sbytes += tftp_option_add(state, sbytes,
|
||||||
|
- (char *)state->spacket.data + sbytes, buf);
|
||||||
|
+ if(result == CURLE_OK)
|
||||||
|
+ result = tftp_option_add(state, &sbytes,
|
||||||
|
+ (char *)state->spacket.data + sbytes,
|
||||||
|
+ TFTP_OPTION_INTERVAL);
|
||||||
|
+ if(result == CURLE_OK)
|
||||||
|
+ result = tftp_option_add(state, &sbytes,
|
||||||
|
+ (char *)state->spacket.data + sbytes, buf);
|
||||||
|
+
|
||||||
|
+ if(result != CURLE_OK) {
|
||||||
|
+ failf(data, "TFTP buffer too small for options");
|
||||||
|
+ free(filename);
|
||||||
|
+ return CURLE_TFTP_ILLEGAL;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
/* the typecase for the 3rd argument is mostly for systems that do
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
||||||
|
|
||||||
|
From b6b12a4cfe00c4850a1d6cee4cf267f00dee5987 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Vegas <>
|
||||||
|
Date: Sat, 31 Aug 2019 17:30:51 +0200
|
||||||
|
Subject: [PATCH 2/2] tftp: Alloc maximum blksize, and use default unless OACK
|
||||||
|
is received
|
||||||
|
|
||||||
|
Fixes potential buffer overflow from 'recvfrom()', should the server
|
||||||
|
return an OACK without blksize.
|
||||||
|
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
|
||||||
|
CVE-2019-5482
|
||||||
|
|
||||||
|
Upstream-commit: facb0e4662415b5f28163e853dc6742ac5fafb3d
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/tftp.c | 12 +++++++++---
|
||||||
|
1 file changed, 9 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/tftp.c b/lib/tftp.c
|
||||||
|
index 4532170..5651b62 100644
|
||||||
|
--- a/lib/tftp.c
|
||||||
|
+++ b/lib/tftp.c
|
||||||
|
@@ -982,6 +982,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
|
||||||
|
{
|
||||||
|
tftp_state_data_t *state;
|
||||||
|
int blksize;
|
||||||
|
+ int need_blksize;
|
||||||
|
|
||||||
|
blksize = TFTP_BLKSIZE_DEFAULT;
|
||||||
|
|
||||||
|
@@ -996,15 +997,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
|
||||||
|
return CURLE_TFTP_ILLEGAL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ need_blksize = blksize;
|
||||||
|
+ /* default size is the fallback when no OACK is received */
|
||||||
|
+ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
|
||||||
|
+ need_blksize = TFTP_BLKSIZE_DEFAULT;
|
||||||
|
+
|
||||||
|
if(!state->rpacket.data) {
|
||||||
|
- state->rpacket.data = calloc(1, blksize + 2 + 2);
|
||||||
|
+ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
|
||||||
|
|
||||||
|
if(!state->rpacket.data)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(!state->spacket.data) {
|
||||||
|
- state->spacket.data = calloc(1, blksize + 2 + 2);
|
||||||
|
+ state->spacket.data = calloc(1, need_blksize + 2 + 2);
|
||||||
|
|
||||||
|
if(!state->spacket.data)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
@@ -1018,7 +1024,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
|
||||||
|
state->sockfd = state->conn->sock[FIRSTSOCKET];
|
||||||
|
state->state = TFTP_STATE_START;
|
||||||
|
state->error = TFTP_ERR_NONE;
|
||||||
|
- state->blksize = blksize;
|
||||||
|
+ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
|
||||||
|
state->requested_blksize = blksize;
|
||||||
|
|
||||||
|
((struct sockaddr *)&state->local_addr)->sa_family =
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
46
SOURCES/0019-curl-7.65.3-CVE-2019-5481.patch
Normal file
46
SOURCES/0019-curl-7.65.3-CVE-2019-5481.patch
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
From 13de299b112a59c373b330f0539166ecc9a7627b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Tue, 3 Sep 2019 22:59:32 +0200
|
||||||
|
Subject: [PATCH] security:read_data fix bad realloc()
|
||||||
|
|
||||||
|
... that could end up a double-free
|
||||||
|
|
||||||
|
CVE-2019-5481
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
|
||||||
|
|
||||||
|
Upstream-commit: 9069838b30fb3b48af0123e39f664cea683254a5
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/security.c | 6 ++----
|
||||||
|
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/security.c b/lib/security.c
|
||||||
|
index 550ea2d..c5e4e13 100644
|
||||||
|
--- a/lib/security.c
|
||||||
|
+++ b/lib/security.c
|
||||||
|
@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
|
||||||
|
struct krb5buffer *buf)
|
||||||
|
{
|
||||||
|
int len;
|
||||||
|
- void *tmp = NULL;
|
||||||
|
CURLcode result;
|
||||||
|
|
||||||
|
result = socket_read(fd, &len, sizeof(len));
|
||||||
|
@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
|
||||||
|
if(len) {
|
||||||
|
/* only realloc if there was a length */
|
||||||
|
len = ntohl(len);
|
||||||
|
- tmp = Curl_saferealloc(buf->data, len);
|
||||||
|
+ buf->data = Curl_saferealloc(buf->data, len);
|
||||||
|
}
|
||||||
|
- if(tmp == NULL)
|
||||||
|
+ if(!len || !buf->data)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
|
||||||
|
- buf->data = tmp;
|
||||||
|
result = socket_read(fd, buf->data, len);
|
||||||
|
if(result)
|
||||||
|
return result;
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.61.1
|
Version: 7.61.1
|
||||||
Release: 11%{?dist}
|
Release: 12%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||||
|
|
||||||
@ -43,6 +43,15 @@ Patch11: 0011-curl-7.61.1-CVE-2019-3823.patch
|
|||||||
# do not let libssh create a new socket for SCP/SFTP (#1669156)
|
# do not let libssh create a new socket for SCP/SFTP (#1669156)
|
||||||
Patch14: 0014-curl-7.61.1-libssh-socket.patch
|
Patch14: 0014-curl-7.61.1-libssh-socket.patch
|
||||||
|
|
||||||
|
# fix TFTP receive buffer overflow (CVE-2019-5436)
|
||||||
|
Patch17: 0017-curl-7.64.0-CVE-2019-5436.patch
|
||||||
|
|
||||||
|
# fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
|
||||||
|
Patch18: 0018-curl-7.65.3-CVE-2019-5482.patch
|
||||||
|
|
||||||
|
# double free due to subsequent call of realloc() (CVE-2019-5481)
|
||||||
|
Patch19: 0019-curl-7.65.3-CVE-2019-5481.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -221,6 +230,11 @@ git apply %{PATCH4}
|
|||||||
%patch103 -p1
|
%patch103 -p1
|
||||||
%patch104 -p1
|
%patch104 -p1
|
||||||
|
|
||||||
|
# upstream patches
|
||||||
|
%patch17 -p1
|
||||||
|
%patch18 -p1
|
||||||
|
%patch19 -p1
|
||||||
|
|
||||||
# make tests/*.py use Python 3
|
# make tests/*.py use Python 3
|
||||||
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
|
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
|
||||||
|
|
||||||
@ -380,6 +394,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-12
|
||||||
|
- double free due to subsequent call of realloc() (CVE-2019-5481)
|
||||||
|
- fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
|
||||||
|
- fix TFTP receive buffer overflow (CVE-2019-5436)
|
||||||
|
|
||||||
* Mon May 13 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-11
|
* Mon May 13 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-11
|
||||||
- rebuild with updated annobin to prevent Execshield RPMDiff check from failing
|
- rebuild with updated annobin to prevent Execshield RPMDiff check from failing
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user