Fix null pointer (DoS) vulnerability via POST request to /cimom (CVE-2018-6644)

sblim-sfcb-1.4.9-fix-null-content-type-crash.patch

@@ -0,0 +1,47 @@
+Author: Adam Majer <adam.majer@suse.de>
+Summary: Fix crash caused by NULL content_type
+
+Also, allow requests with Content-Type set to text/xml
+
+==31976== Invalid read of size 1
+==31976==    at 0x5883DEB: scanCimXmlRequest (cimXmlParserProcessed.c:1739)
+==31976==    by 0x588C88E: handleCimRequest (cimRequest.c:1850)
+==31976==    by 0x4E3D95A: doHttpRequest (httpAdapter.c:1399)
+==31976==    by 0x4E3EC96: handleHttpRequest (httpAdapter.c:1741)
+==31976==    by 0x4E3EC96: acceptRequest (httpAdapter.c:2022)
+==31976==    by 0x4E40B0C: httpDaemon (httpAdapter.c:2464)
+==31976==    by 0x404866: startHttpd (sfcBroker.c:540)
+==31976==    by 0x4038B3: main (sfcBroker.c:1062)
+==31976==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
+==31976== 
+==31976== 
+==31976== Process terminating with default action of signal 11 (SIGSEGV): dumping core
+==31976==  Access not within mapped region at address 0x0
+==31976==    at 0x5883DEB: scanCimXmlRequest (cimXmlParserProcessed.c:1739)
+==31976==    by 0x588C88E: handleCimRequest (cimRequest.c:1850)
+==31976==    by 0x4E3D95A: doHttpRequest (httpAdapter.c:1399)
+==31976==    by 0x4E3EC96: handleHttpRequest (httpAdapter.c:1741)
+==31976==    by 0x4E3EC96: acceptRequest (httpAdapter.c:2022)
+==31976==    by 0x4E40B0C: httpDaemon (httpAdapter.c:2464)
+==31976==    by 0x404866: startHttpd (sfcBroker.c:540)
+==31976==    by 0x4038B3: main (sfcBroker.c:1062)
+
+(gdb) p *ctx
+$3 = {cimDoc = 0x69058c0 "", principal = 0x0, host = 0x69054d9 "xxx.xx.xxx.xxx:5989", contentType = 0x0, teTrailers = 0, 
+  sessionId = 1, role = 0x0, cimDocLength = 0, commHndl = 0xffefffab0, chunkFncs = 0x5044798 <httpChunkFunctions>, 
+  className = 0x0, operation = 0, verb = 0x6905480 "POST", path = 0x6905485 "/"}
+
+Index: sblim-sfcb-1.4.8/httpAdapter.c
+===================================================================
+--- sblim-sfcb-1.4.8.orig/httpAdapter.c
++++ sblim-sfcb-1.4.8/httpAdapter.c
+@@ -1047,7 +1047,7 @@ doHttpRequest(CommHndl conn_fd)
+ 
+   inBuf.authorization = "";
+   inBuf.protocol = "HTTP/1.1";
+-  inBuf.content_type = NULL;
++  inBuf.content_type = "application/xml";
+   inBuf.content_length = UINT_MAX;
+   inBuf.host = NULL;
+   inBuf.useragent = "";
+

sblim-sfcb.spec

@@ -8,8 +8,7 @@ Name: sblim-sfcb
 Summary: Small Footprint CIM Broker
 URL: http://sblim.wiki.sourceforge.net/
 Version: 1.4.9
-Release: 9%{?dist}
-Group: Applications/System
+Release: 10%{?dist}
 License: EPL
 Source0: http://downloads.sourceforge.net/sblim/%{name}-%{version}.tar.bz2
 Source1: sfcb.service
@@ -34,6 +33,9 @@ Patch5: sblim-sfcb-1.4.8-default-ecdh-curve-name.patch
 Patch6: sblim-sfcb-1.4.9-fix-ftbfs.patch
 # Patch7: fix possible null pointer dereference (CVE-2015-5185), rhbz#1255802
 Patch7: sblim-sfcb-1.4.9-fix-null-deref.patch
+# Patch8: fix null pointer (DoS) vulnerability via POST request to /cimom
+#   (CVE-2018-6644), patch by Adam Majer, rhbz#1543826
+Patch8: sblim-sfcb-1.4.9-fix-null-content-type-crash.patch
 Provides: cim-server = 0
 Requires: cim-schema
 Requires: sblim-sfcCommon
@@ -70,6 +72,7 @@ Programming Interface (CMPI).
 %patch5 -p1 -b .default-ecdh-curve-name
 %patch6 -p1 -b .fix-ftbfs
 %patch7 -p1 -b .fix-null-deref
+%patch8 -p1 -b .fix-null-content-type-crash
 
 %build
 %configure --enable-debug --enable-uds --enable-ssl --enable-pam --enable-ipv6 \
@@ -129,6 +132,11 @@ fi;
 %files -f _pkg_list
 
 %changelog
+* Wed Feb 14 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-10
+- Fix null pointer (DoS) vulnerability via POST request to /cimom (CVE-2018-6644)
+  (patch by Adam Majer)
+  Resolves: #1543825
+
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild