From a1bd4f84de03b8d4f0f1c65acba7914cd9c601ce Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Nov 01 2018 10:50:08 +0000 Subject: Resolves: CVE-2018-16839 - SASL password overflow via integer overflow --- diff --git a/0012-curl-7.59.0-CVE-2018-16839.patch b/0012-curl-7.59.0-CVE-2018-16839.patch new file mode 100644 index 0000000..5570f44 --- /dev/null +++ b/0012-curl-7.59.0-CVE-2018-16839.patch @@ -0,0 +1,136 @@ +From 4df8ff21144236497fc92521d79fbca2dc079686 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 20 Mar 2018 15:15:14 +0100 +Subject: [PATCH 1/2] vauth/cleartext: fix integer overflow check + +Make the integer overflow check not rely on the undefined behavior that +a size_t wraps around on overflow. + +Detected by lgtm.com +Closes #2408 + +Upstream-commit: c1366571b609407cf0d4d9f4a2769d29e1313151 +Signed-off-by: Kamil Dudka +--- + lib/curl_ntlm_core.c | 11 +---------- + lib/curl_setup.h | 9 +++++++++ + lib/vauth/cleartext.c | 14 ++++---------- + 3 files changed, 14 insertions(+), 20 deletions(-) + +diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c +index e5c785d..b69c293 100644 +--- a/lib/curl_ntlm_core.c ++++ b/lib/curl_ntlm_core.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -143,15 +143,6 @@ + #define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00" + #define NTLMv2_BLOB_LEN (44 -16 + ntlm->target_info_len + 4) + +-#ifndef SIZE_T_MAX +-/* some limits.h headers have this defined, some don't */ +-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) +-#define SIZE_T_MAX 18446744073709551615U +-#else +-#define SIZE_T_MAX 4294967295U +-#endif +-#endif +- + /* + * Turns a 56-bit key into being 64-bit wide. + */ +diff --git a/lib/curl_setup.h b/lib/curl_setup.h +index f128696..e4503c6 100644 +--- a/lib/curl_setup.h ++++ b/lib/curl_setup.h +@@ -447,6 +447,15 @@ + # endif + #endif + ++#ifndef SIZE_T_MAX ++/* some limits.h headers have this defined, some don't */ ++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) ++#define SIZE_T_MAX 18446744073709551615U ++#else ++#define SIZE_T_MAX 4294967295U ++#endif ++#endif ++ + /* + * Arg 2 type for gethostname in case it hasn't been defined in config file. + */ +diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c +index a761ae7..5d61ce6 100644 +--- a/lib/vauth/cleartext.c ++++ b/lib/vauth/cleartext.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -73,16 +73,10 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, + ulen = strlen(userp); + plen = strlen(passwdp); + +- /* Compute binary message length, checking for overflows. */ +- plainlen = 2 * ulen; +- if(plainlen < ulen) +- return CURLE_OUT_OF_MEMORY; +- plainlen += plen; +- if(plainlen < plen) +- return CURLE_OUT_OF_MEMORY; +- plainlen += 2; +- if(plainlen < 2) ++ /* Compute binary message length. Check for overflows. */ ++ if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) + return CURLE_OUT_OF_MEMORY; ++ plainlen = 2 * ulen + plen + 2; + + plainauth = malloc(plainlen); + if(!plainauth) +-- +2.17.2 + + +From ad9943254ded9a983af7d581e8a1f3317e8a8781 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 28 Sep 2018 16:08:16 +0200 +Subject: [PATCH 2/2] Curl_auth_create_plain_message: fix too-large-input-check + +CVE-2018-16839 +Reported-by: Harry Sintonen +Bug: https://curl.haxx.se/docs/CVE-2018-16839.html + +Upstream-commit: f3a24d7916b9173c69a3e0ee790102993833d6c5 +Signed-off-by: Kamil Dudka +--- + lib/vauth/cleartext.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c +index 5d61ce6..1367143 100644 +--- a/lib/vauth/cleartext.c ++++ b/lib/vauth/cleartext.c +@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, + plen = strlen(passwdp); + + /* Compute binary message length. Check for overflows. */ +- if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) ++ if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))) + return CURLE_OUT_OF_MEMORY; + plainlen = 2 * ulen + plen + 2; + +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index 6cd55a8..d26bec3 100644 --- a/curl.spec +++ b/curl.spec @@ -40,6 +40,9 @@ BuildRequires: git # fix use-after-free in handle close (CVE-2018-16840) Patch11: 0011-curl-7.59.0-CVE-2018-16840.patch +# SASL password overflow via integer overflow (CVE-2018-16839) +Patch12: 0012-curl-7.59.0-CVE-2018-16839.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -201,6 +204,7 @@ be installed. %patch9 -p1 git apply %{PATCH10} %patch11 -p1 +%patch12 -p1 # Fedora patches %patch101 -p1 @@ -348,6 +352,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Nov 01 2018 Kamil Dudka - 7.59.0-8 +- SASL password overflow via integer overflow (CVE-2018-16839) - fix use-after-free in handle close (CVE-2018-16840) - fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842) - test320: update expected output for gnutls-3.6.4