new upstream release - 7.54.0 (fixes CVE-2017-7468)

2017-04-20 09:04:35 +02:00 · 2017-04-20 09:04:35 +02:00 · 0f99fceebe
commit 0f99fceebe
parent db1a758364
5 changed files with 20 additions and 246 deletions
--- a/0001-curl-7.53.1-CVE-2017-7407.patch
+++ b/0001-curl-7.53.1-CVE-2017-7407.patch
@ -1,225 +0,0 @@
 From eb160abce0ac45a8e070d9fa995c61a416a58ddd Mon Sep 17 00:00:00 2001
 From: Dan Fandrich <dan@coneharvesters.com>
 Date: Sat, 11 Mar 2017 10:59:34 +0100
 Subject: [PATCH 1/2] tool_writeout: fixed a buffer read overrun on --write-out
 If a % ended the statement, the string's trailing NUL would be skipped
 and memory past the end of the buffer would be accessed and potentially
 displayed as part of the --write-out output. Added tests 1440 and 1441
 to check for this kind of condition.
 Reported-by: Brian Carpenter
 Upstream-commit: 1890d59905414ab84a35892b2e45833654aa5c13
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 src/tool_writeout.c     |  2 +-
 tests/data/Makefile.inc |  2 +-
 tests/data/test1440     | 31 +++++++++++++++++++++++++++++++
 tests/data/test1441     | 31 +++++++++++++++++++++++++++++++
 4 files changed, 64 insertions(+), 2 deletions(-)
 create mode 100644 tests/data/test1440
 create mode 100644 tests/data/test1441
 diff --git a/src/tool_writeout.c b/src/tool_writeout.c
 index 2fb7774..7843182 100644
 --- a/src/tool_writeout.c
 +++ b/src/tool_writeout.c
@@ -113,7 +113,7 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
   double doubleinfo;
   while(ptr && *ptr) {
 -    if('%' == *ptr) {
 +    if('%' == *ptr && ptr[1]) {
       if('%' == ptr[1]) {
         /* an escaped %-letter */
         fputc('%', stream);
 diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
 index 8251ab9..2e70895 100644
 --- a/tests/data/Makefile.inc
 +++ b/tests/data/Makefile.inc
@@ -151,7 +151,7 @@ test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
 test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
 test1424 \
 test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
 -test1436 test1437 test1438 test1439 \
 +test1436 test1437 test1438 test1439 test1440 test1441 \
 \
 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
 test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
 diff --git a/tests/data/test1440 b/tests/data/test1440
 new file mode 100644
 index 0000000..7ed0c4d
 --- /dev/null
 +++ b/tests/data/test1440
@@ -0,0 +1,31 @@
 +<testcase>
 +<info>
 +<keywords>
 +--write-out
 +</keywords>
 +</info>
 +# Server-side
 +<reply>
 +</reply>
 +
 +# Client-side
 +<client>
 +<server>
 +file
 +</server>
 +
 +<name>
 +Check --write-out with trailing %{
 +</name>
 +<command>
 +file://localhost/%PWD/log/ --write-out '%{'
 +</command>
 +</client>
 +
 +# Verify data
 +<verify>
 +<stdout nonewline="yes">
 +%{
 +</stdout>
 +</verify>
 +</testcase>
 diff --git a/tests/data/test1441 b/tests/data/test1441
 new file mode 100644
 index 0000000..6e253a6
 --- /dev/null
 +++ b/tests/data/test1441
@@ -0,0 +1,31 @@
 +<testcase>
 +<info>
 +<keywords>
 +--write-out
 +</keywords>
 +</info>
 +# Server-side
 +<reply>
 +</reply>
 +
 +# Client-side
 +<client>
 +<server>
 +file
 +</server>
 +
 +<name>
 +Check --write-out with trailing %
 +</name>
 +<command>
 +file://localhost/%PWD/log/ --write-out '%'
 +</command>
 +</client>
 +
 +# Verify data
 +<verify>
 +<stdout nonewline="yes">
 +%
 +</stdout>
 +</verify>
 +</testcase>
 -- 
 2.9.3
 From 67bee1434a17065da7db3fc2915c494f289f46de Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Fri, 24 Mar 2017 10:14:21 +0100
 Subject: [PATCH 2/2] curl: check for end of input in writeout backslash
 handling
 Reported-by: Brian Carpenter
 Added test 1442 to verify
 Upstream-commit: 8e65877870c1fac920b65219adec720df810aab9
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 src/tool_writeout.c     |  4 ++--
 tests/data/Makefile.inc |  2 +-
 tests/data/test1442     | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 tests/data/test1442
 diff --git a/src/tool_writeout.c b/src/tool_writeout.c
 index 7843182..5d92bd2 100644
 --- a/src/tool_writeout.c
 +++ b/src/tool_writeout.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
 - * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
 + * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -341,7 +341,7 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
         }
       }
     }
 -    else if('\\' == *ptr) {
 +    else if('\\' == *ptr && ptr[1]) {
       switch(ptr[1]) {
       case 'r':
         fputc('\r', stream);
 diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
 index 2e70895..267ff6a 100644
 --- a/tests/data/Makefile.inc
 +++ b/tests/data/Makefile.inc
@@ -151,7 +151,7 @@ test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
 test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
 test1424 \
 test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
 -test1436 test1437 test1438 test1439 test1440 test1441 \
 +test1436 test1437 test1438 test1439 test1440 test1441 test1442 \
 \
 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
 test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
 diff --git a/tests/data/test1442 b/tests/data/test1442
 new file mode 100644
 index 0000000..255a4c9
 --- /dev/null
 +++ b/tests/data/test1442
@@ -0,0 +1,35 @@
 +<testcase>
 +<info>
 +<keywords>
 +--write-out
 +FILE
 +</keywords>
 +</info>
 +# Server-side
 +<reply>
 +</reply>
 +
 +# Client-side
 +<client>
 +<server>
 +file
 +</server>
 +
 +<name>
 +Check --write-out with trailing \
 +</name>
 +<command>
 +file://localhost/%PWD/log/non-existent-file.txt --write-out '\'
 +</command>
 +</client>
 +
 +# Verify data
 +<verify>
 +<errorcode>
 +37
 +</errorcode>
 +<stdout nonewline="yes">
 +\
 +</stdout>
 +</verify>
 +</testcase>
 -- 
 2.9.3
--- a/curl-7.53.1.tar.lzma.asc
+++ b/curl-7.53.1.tar.lzma.asc
@ -1,11 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAliv5c0ACgkQXMkI/bce
 EsIhQAf+MnT0c/mIi2ADpOgYq4+3Hf8hypkuWkICSWwyH8j2mRJCRDPO3yAOU8U9
 RlVEzPm+Tb13zCLWPLgRu1T75YMHPwJ6+q9wnNNGzBFJ5ShWs/JxL1rhj21ZFQoA
 3l/as6qm8iXkbZOfePWNbgr7W+NyasxHjf9L6O31oWauY3X9FYLcYr9nzUTFHFSh
 gzOAxb7/oYkZTtYccvRSI75Eohqi2kSx6gAkMhcWwbqU1QCU80c+vX2PlptaPNP/
 GGpe3IH66q8v/ExfIL/Tu6LfhdV+ulP2c3m++dYiOvT3wUMSuqHt0WzosOHEUjh5
 SFi75fQRJLkA0fn/3luoj9B+PO7G8g==
 =xg39
 -----END PGP SIGNATURE-----
--- a/curl-7.54.0.tar.lzma.asc
+++ b/curl-7.54.0.tar.lzma.asc
@ -0,0 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlj2+VgACgkQXMkI/bce
 EsL64ggArqbQBdEOW1mDk2+89N7cvUH3D464INWi+E8ub3UZagOy0819VaHw7Zkn
 1ijkK5FS/FU97Ep8PHOpgAQgjMBFlolzTgRuv7rQEJLTiD77c85o/c4wMJ5rheXJ
 I3hReQUUEO7B+g+aC+qca/pelRdvKw84h9YI1me0yL5+M6rqKuY8kvFhISnTm2q8
 wqGbhTIoeil2nPvTXpKmcNu+3Uvv38luEGxFn+NpiiT1hGWLc82n4aLXISV3sjUu
 kBwCop+H3I2/KVIMtJ/BjlDEkgqveHfClIVAaw7J89PhuVXgLQhPhTrNhY6xrs65
 JW0avsaMq7vEkTwY4K4+wfbl07QVJg==
 =EHd1
 -----END PGP SIGNATURE-----
--- a/curl.spec
+++ b/curl.spec
@ -1,14 +1,11 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.53.1
+Version: 7.54.0
-Release: 7%{?dist}
+Release: 1%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.lzma
 # fix out of bounds read in curl --write-out (CVE-2017-7407)
 Patch1:   0001-curl-7.53.1-CVE-2017-7407.patch
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -21,7 +18,7 @@ Patch104: 0104-curl-7.19.7-localhost6.patch
 Provides: webclient
 URL: https://curl.haxx.se/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
-BuildRequires: automake
+#BuildRequires: automake
 BuildRequires: groff
 BuildRequires: krb5-devel
 BuildRequires: libidn2-devel
@ -141,7 +138,6 @@ be installed.
 %setup -q
 # upstream patches
 %patch1 -p1
 # Fedora patches
 %patch101 -p1
@ -149,8 +145,8 @@ be installed.
 %patch104 -p1
 # regenerate Makefile.in files
-aclocal -I m4
+#aclocal -I m4
-automake
+#automake
 # disable test 1112 (#565305) and test 1801
 # <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
@ -301,6 +297,9 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
 %{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal
 %changelog
 * Thu Apr 20 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-1
 - new upstream release (fixes CVE-2017-7468)
 * Thu Apr 13 2017 Paul Howarth <paul@city-fan.org> 7.53.1-7
 - add %%post and %%postun scriptlets for libcurl-minimal
 - libcurl-minimal provides both libcurl and libcurl%%{?_isa}
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (curl-7.53.1.tar.lzma) = 1a04904a32b3c8767bcdc629c08446495ed40b7ed20e96d74101a0539bc88eba9a2350712afda94d886520f480172f532f020f0c730deb2bbec0bdc2eb5371ea
+SHA512 (curl-7.54.0.tar.lzma) = b3dc867cef20254d80989e4890f0bc2eee5b973b223570bd9a197bcd416a1631cfb3e7dbeee180366f5fafa2cfccd30cc8fc23904c07c55c3207b601035f8bd4
`@ -1 +1 @@`
	`SHA512 (curl-7.53.1.tar.lzma) = 1a04904a32b3c8767bcdc629c08446495ed40b7ed20e96d74101a0539bc88eba9a2350712afda94d886520f480172f532f020f0c730deb2bbec0bdc2eb5371ea`	`SHA512 (curl-7.54.0.tar.lzma) = b3dc867cef20254d80989e4890f0bc2eee5b973b223570bd9a197bcd416a1631cfb3e7dbeee180366f5fafa2cfccd30cc8fc23904c07c55c3207b601035f8bd4`