Hi, On Sat, Jun 15, 2019 at 02:19:22PM +0200, Salvatore Bonaccorso wrote: [...] > Attached is as well the debdiff produced from the version in testing > to the one in sid.
... or not. Now attached. Regards, Salvatore
diff -Nru curl-7.64.0/debian/changelog curl-7.64.0/debian/changelog --- curl-7.64.0/debian/changelog 2019-05-04 13:51:06.000000000 +0200 +++ curl-7.64.0/debian/changelog 2019-06-14 20:23:32.000000000 +0200 @@ -1,3 +1,12 @@ +curl (7.64.0-4) unstable; urgency=medium + + * Fix TFTP receive buffer overflow as per CVE-2019-5436 (Closes: #929351) + https://curl.haxx.se/docs/CVE-2019-5436.html + * Fix integer overflow in curl_url_set() as per CVE-2019-5435 (Closes: #929352) + https://curl.haxx.se/docs/CVE-2019-5435.html + + -- Alessandro Ghedini <gh...@debian.org> Fri, 14 Jun 2019 19:23:32 +0100 + curl (7.64.0-3) unstable; urgency=medium * Fix potential crash in HTTP/2 code and busy loop at the end of connections diff -Nru curl-7.64.0/debian/patches/16_tftp-use-the-current-blksize-for-recvfrom.patch curl-7.64.0/debian/patches/16_tftp-use-the-current-blksize-for-recvfrom.patch --- curl-7.64.0/debian/patches/16_tftp-use-the-current-blksize-for-recvfrom.patch 1970-01-01 01:00:00.000000000 +0100 +++ curl-7.64.0/debian/patches/16_tftp-use-the-current-blksize-for-recvfrom.patch 2019-06-14 20:23:32.000000000 +0200 @@ -0,0 +1,23 @@ +From 2576003415625d7b5f0e390902f8097830b82275 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <dan...@haxx.se> +Date: Fri, 3 May 2019 22:20:37 +0200 +Subject: [PATCH] tftp: use the current blksize for recvfrom() + +bug: https://curl.haxx.se/docs/CVE-2019-5436.html +Reported-by: l00p3r on hackerone +CVE-2019-5436 +--- + lib/tftp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -1005,7 +1005,7 @@ + state->sockfd = state->conn->sock[FIRSTSOCKET]; + state->state = TFTP_STATE_START; + state->error = TFTP_ERR_NONE; +- state->blksize = TFTP_BLKSIZE_DEFAULT; ++ state->blksize = blksize; + state->requested_blksize = blksize; + + ((struct sockaddr *)&state->local_addr)->sa_family = diff -Nru curl-7.64.0/debian/patches/17_CURL_MAX_INPUT_LENGTH-largest-acceptable-string-inpu.patch curl-7.64.0/debian/patches/17_CURL_MAX_INPUT_LENGTH-largest-acceptable-string-inpu.patch --- curl-7.64.0/debian/patches/17_CURL_MAX_INPUT_LENGTH-largest-acceptable-string-inpu.patch 1970-01-01 01:00:00.000000000 +0100 +++ curl-7.64.0/debian/patches/17_CURL_MAX_INPUT_LENGTH-largest-acceptable-string-inpu.patch 2019-06-14 20:23:32.000000000 +0200 @@ -0,0 +1,245 @@ +From 5fc28510a4664f46459d9a40187d81cc08571e60 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <dan...@haxx.se> +Date: Mon, 29 Apr 2019 08:00:49 +0200 +Subject: [PATCH] CURL_MAX_INPUT_LENGTH: largest acceptable string input size + +This limits all accepted input strings passed to libcurl to be less than +CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: +curl_easy_setopt() and curl_url_set(). + +The 8000000 number is arbitrary picked and is meant to detect mistakes +or abuse, not to limit actual practical use cases. By limiting the +acceptable string lengths we also reduce the risk of integer overflows +all over. + +NOTE: This does not apply to `CURLOPT_POSTFIELDS`. + +Test 1559 verifies. + +Closes #3805 +--- + lib/setopt.c | 7 ++++ + lib/urlapi.c | 8 ++++ + lib/urldata.h | 4 ++ + tests/data/Makefile.inc | 2 +- + tests/data/test1559 | 44 +++++++++++++++++++++ + tests/libtest/Makefile.inc | 6 ++- + tests/libtest/lib1559.c | 78 ++++++++++++++++++++++++++++++++++++++ + 7 files changed, 146 insertions(+), 3 deletions(-) + create mode 100644 tests/data/test1559 + create mode 100644 tests/libtest/lib1559.c + +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -60,6 +60,13 @@ + if(s) { + char *str = strdup(s); + ++ if(str) { ++ size_t len = strlen(str); ++ if(len > CURL_MAX_INPUT_LENGTH) { ++ free(str); ++ return CURLE_BAD_FUNCTION_ARGUMENT; ++ } ++ } + if(!str) + return CURLE_OUT_OF_MEMORY; + +--- a/lib/urlapi.c ++++ b/lib/urlapi.c +@@ -648,6 +648,10 @@ + ************************************************************/ + /* allocate scratch area */ + urllen = strlen(url); ++ if(urllen > CURL_MAX_INPUT_LENGTH) ++ /* excessive input length */ ++ return CURLUE_MALFORMED_INPUT; ++ + path = u->scratch = malloc(urllen * 2 + 2); + if(!path) + return CURLUE_OUT_OF_MEMORY; +@@ -1278,6 +1282,10 @@ + const char *newp = part; + size_t nalloc = strlen(part); + ++ if(nalloc > CURL_MAX_INPUT_LENGTH) ++ /* excessive input length */ ++ return CURLUE_MALFORMED_INPUT; ++ + if(urlencode) { + const char *i; + char *o; +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -79,6 +79,10 @@ + */ + #define RESP_TIMEOUT (120*1000) + ++/* Max string intput length is a precaution against abuse and to detect junk ++ input easier and better. */ ++#define CURL_MAX_INPUT_LENGTH 8000000 ++ + #include "cookie.h" + #include "psl.h" + #include "formdata.h" +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -176,7 +176,7 @@ + test1533 test1534 test1535 test1536 test1537 test1538 \ + test1540 \ + test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \ +-test1558 test1560 test1561 test1562 \ ++test1558 test1559 test1560 test1561 test1562 \ + \ + test1590 test1591 test1592 \ + \ +--- /dev/null ++++ b/tests/data/test1559 +@@ -0,0 +1,44 @@ ++<testcase> ++<info> ++<keywords> ++CURLOPT_URL ++</keywords> ++</info> ++ ++<reply> ++</reply> ++ ++<client> ++<server> ++none ++</server> ++ ++# require HTTP so that CURLOPT_POSTFIELDS works as assumed ++<features> ++http ++</features> ++<tool> ++lib1559 ++</tool> ++ ++<name> ++Set excessive URL lengths ++</name> ++</client> ++ ++# ++# Verify that the test runs to completion without crashing ++<verify> ++<errorcode> ++0 ++</errorcode> ++<stdout> ++CURLOPT_URL 10000000 bytes URL == 43 ++CURLOPT_POSTFIELDS 10000000 bytes data == 0 ++CURLUPART_URL 10000000 bytes URL == 3 ++CURLUPART_SCHEME 10000000 bytes scheme == 3 ++CURLUPART_USER 10000000 bytes user == 3 ++</stdout> ++</verify> ++ ++</testcase> +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -30,8 +30,7 @@ + lib1534 lib1535 lib1536 lib1537 lib1538 \ + lib1540 \ + lib1550 lib1551 lib1552 lib1553 lib1554 lib1555 lib1556 lib1557 \ +- lib1558 \ +- lib1560 \ ++ lib1558 lib1559 lib1560 \ + lib1591 lib1592 \ + lib1900 \ + lib2033 +@@ -520,6 +519,9 @@ + lib1558_SOURCES = lib1558.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1558_LDADD = $(TESTUTIL_LIBS) + ++lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib1559_LDADD = $(TESTUTIL_LIBS) ++ + lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1560_LDADD = $(TESTUTIL_LIBS) + +--- /dev/null ++++ b/tests/libtest/lib1559.c +@@ -0,0 +1,78 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <dan...@haxx.se>, et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ ***************************************************************************/ ++#include "test.h" ++ ++#include "testutil.h" ++#include "warnless.h" ++#include "memdebug.h" ++ ++#define EXCESSIVE 10*1000*1000 ++int test(char *URL) ++{ ++ CURLcode res = 0; ++ CURL *curl = NULL; ++ char *longurl = malloc(EXCESSIVE); ++ CURLU *u; ++ (void)URL; ++ ++ memset(longurl, 'a', EXCESSIVE); ++ longurl[EXCESSIVE-1] = 0; ++ ++ global_init(CURL_GLOBAL_ALL); ++ easy_init(curl); ++ ++ res = curl_easy_setopt(curl, CURLOPT_URL, longurl); ++ printf("CURLOPT_URL %d bytes URL == %d\n", ++ EXCESSIVE, (int)res); ++ ++ res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, longurl); ++ printf("CURLOPT_POSTFIELDS %d bytes data == %d\n", ++ EXCESSIVE, (int)res); ++ ++ u = curl_url(); ++ if(u) { ++ CURLUcode uc = curl_url_set(u, CURLUPART_URL, longurl, 0); ++ printf("CURLUPART_URL %d bytes URL == %d\n", ++ EXCESSIVE, (int)uc); ++ uc = curl_url_set(u, CURLUPART_SCHEME, longurl, CURLU_NON_SUPPORT_SCHEME); ++ printf("CURLUPART_SCHEME %d bytes scheme == %d\n", ++ EXCESSIVE, (int)uc); ++ uc = curl_url_set(u, CURLUPART_USER, longurl, 0); ++ printf("CURLUPART_USER %d bytes user == %d\n", ++ EXCESSIVE, (int)uc); ++ curl_url_cleanup(u); ++ } ++ ++ free(longurl); ++ ++ curl_easy_cleanup(curl); ++ curl_global_cleanup(); ++ ++ return 0; ++ ++test_cleanup: ++ ++ curl_easy_cleanup(curl); ++ curl_global_cleanup(); ++ ++ return res; /* return the final return code */ ++} diff -Nru curl-7.64.0/debian/patches/series curl-7.64.0/debian/patches/series --- curl-7.64.0/debian/patches/series 2019-05-04 13:51:06.000000000 +0200 +++ curl-7.64.0/debian/patches/series 2019-06-14 20:23:32.000000000 +0200 @@ -7,6 +7,8 @@ 13_singlesocket-fix-the-sincebefore-placement.patch 14_connection_check-set-data-to-the-transfer-doing-the-.patch 15_connection_check-restore-original-conn-data-after-th.patch +16_tftp-use-the-current-blksize-for-recvfrom.patch +17_CURL_MAX_INPUT_LENGTH-largest-acceptable-string-inpu.patch # do not add patches below 90_gnutls.patch