diff --git a/sblim-sfcb-1.4.9-fix-null-content-type-crash.patch b/sblim-sfcb-1.4.9-fix-null-content-type-crash.patch
new file mode 100644
index 0000000..4009126
--- /dev/null
+++ b/sblim-sfcb-1.4.9-fix-null-content-type-crash.patch
@@ -0,0 +1,47 @@
+Author: Adam Majer
+Summary: Fix crash caused by NULL content_type
+
+Also, allow requests with Content-Type set to text/xml
+
+==31976== Invalid read of size 1
+==31976== at 0x5883DEB: scanCimXmlRequest (cimXmlParserProcessed.c:1739)
+==31976== by 0x588C88E: handleCimRequest (cimRequest.c:1850)
+==31976== by 0x4E3D95A: doHttpRequest (httpAdapter.c:1399)
+==31976== by 0x4E3EC96: handleHttpRequest (httpAdapter.c:1741)
+==31976== by 0x4E3EC96: acceptRequest (httpAdapter.c:2022)
+==31976== by 0x4E40B0C: httpDaemon (httpAdapter.c:2464)
+==31976== by 0x404866: startHttpd (sfcBroker.c:540)
+==31976== by 0x4038B3: main (sfcBroker.c:1062)
+==31976== Address 0x0 is not stack'd, malloc'd or (recently) free'd
+==31976==
+==31976==
+==31976== Process terminating with default action of signal 11 (SIGSEGV): dumping core
+==31976== Access not within mapped region at address 0x0
+==31976== at 0x5883DEB: scanCimXmlRequest (cimXmlParserProcessed.c:1739)
+==31976== by 0x588C88E: handleCimRequest (cimRequest.c:1850)
+==31976== by 0x4E3D95A: doHttpRequest (httpAdapter.c:1399)
+==31976== by 0x4E3EC96: handleHttpRequest (httpAdapter.c:1741)
+==31976== by 0x4E3EC96: acceptRequest (httpAdapter.c:2022)
+==31976== by 0x4E40B0C: httpDaemon (httpAdapter.c:2464)
+==31976== by 0x404866: startHttpd (sfcBroker.c:540)
+==31976== by 0x4038B3: main (sfcBroker.c:1062)
+
+(gdb) p *ctx
+$3 = {cimDoc = 0x69058c0 "", principal = 0x0, host = 0x69054d9 "xxx.xx.xxx.xxx:5989", contentType = 0x0, teTrailers = 0,
+ sessionId = 1, role = 0x0, cimDocLength = 0, commHndl = 0xffefffab0, chunkFncs = 0x5044798 ,
+ className = 0x0, operation = 0, verb = 0x6905480 "POST", path = 0x6905485 "/"}
+
+Index: sblim-sfcb-1.4.8/httpAdapter.c
+===================================================================
+--- sblim-sfcb-1.4.8.orig/httpAdapter.c
++++ sblim-sfcb-1.4.8/httpAdapter.c
+@@ -1047,7 +1047,7 @@ doHttpRequest(CommHndl conn_fd)
+ 
+ inBuf.authorization = "";
+ inBuf.protocol = "HTTP/1.1";
+- inBuf.content_type = NULL;
++ inBuf.content_type = "application/xml";
+ inBuf.content_length = UINT_MAX;
+ inBuf.host = NULL;
+ inBuf.useragent = "";
+ 
diff --git a/sblim-sfcb.spec b/sblim-sfcb.spec
index dde0823..2b51b32 100644
--- a/sblim-sfcb.spec
+++ b/sblim-sfcb.spec
@@ -8,8 +8,7 @@ Name: sblim-sfcb
 Summary: Small Footprint CIM Broker
 URL: http://sblim.wiki.sourceforge.net/
 Version: 1.4.9
-Release: 9%{?dist}
-Group: Applications/System
+Release: 10%{?dist}
 License: EPL
 Source0: http://downloads.sourceforge.net/sblim/%{name}-%{version}.tar.bz2
 Source1: sfcb.service
@@ -34,6 +33,9 @@ Patch5: sblim-sfcb-1.4.8-default-ecdh-curve-name.patch
 Patch6: sblim-sfcb-1.4.9-fix-ftbfs.patch
 # Patch7: fix possible null pointer dereference (CVE-2015-5185), rhbz#1255802
 Patch7: sblim-sfcb-1.4.9-fix-null-deref.patch
+# Patch8: fix null pointer (DoS) vulnerability via POST request to /cimom
+# (CVE-2018-6644), patch by Adam Majer, rhbz#1543826
+Patch8: sblim-sfcb-1.4.9-fix-null-content-type-crash.patch
 Provides: cim-server = 0
 Requires: cim-schema
 Requires: sblim-sfcCommon
@@ -70,6 +72,7 @@ Programming Interface (CMPI).
 %patch5 -p1 -b .default-ecdh-curve-name
 %patch6 -p1 -b .fix-ftbfs
 %patch7 -p1 -b .fix-null-deref
+%patch8 -p1 -b .fix-null-content-type-crash
 
 %build
 %configure --enable-debug --enable-uds --enable-ssl --enable-pam --enable-ipv6 \
@@ -129,6 +132,11 @@ fi;
 
 %files -f _pkg_list
 
 %changelog
+* Wed Feb 14 2018 Vitezslav Crhonek - 1.4.9-10
+- Fix null pointer (DoS) vulnerability via POST request to /cimom (CVE-2018-6644)
+ (patch by Adam Majer)
+ Resolves: #1543825
+
 * Fri Feb 09 2018 Fedora Release Engineering - 1.4.9-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
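Review bot: The crash at cimXmlParserProcessed.c:1739 is avoided by changing the default to `inBuf.content_type = "application/xml";` in doHttpRequest, so a request with no Content-Type header is now silently treated as application/xml rather than being checked where the value is read. A guard at the consumer before the read in scanCimXmlRequest (the gdb dump shows `contentType = 0x0` in the ctx it receives) would close the dereference for every path that can leave the field unset, not only the one this default covers; whether other such paths exist is not visible in this patch. The Summary also says the change allows Content-Type text/xml, but the only hunk in the file is this default assignment, so either the description or the patch content is incomplete. The new default deserves a why-comment, e.g. `/* no Content-Type header: assume application/xml so the parser never sees NULL */`. The body of doHttpRequest continues outside the hunk.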
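Review bot: The bug reference is inconsistent between the two spec hunks that describe this fix: the comment above `Patch8:` cites `rhbz#1543826`, while the changelog entry for 1.4.9-10 says `Resolves: #1543825`. One of the two is presumably a typo, and both lines should name the same report so the tracker reference resolves; the diff does not show which is correct. The changelog continuation `(patch by Adam Majer)` would read better folded into the preceding bullet, which is minor.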