external/curl/CVE-2017-8816.patch
| 67 ++++++
external/curl/CVE-2018-1000005.patch
| 36 +++
external/curl/CVE-2018-1000007.patch
| 110 ++++++++++
external/curl/UnpackedTarball_curl.mk
| 3
external/liborcus/0001-protect-the-self-closing-xml-element-code-against-se.patch
| 30 ++
external/liborcus/UnpackedTarball_liborcus.mk
| 1
6 files changed, 247 insertions(+)
New commits:
commit e9a124917f19f1928c11dc9a3dbaa78b681d1776
Author: Kohei Yoshida <kohei.yosh...@gmail.com>
Date: Wed Feb 21 20:08:23 2018 -0500
Patch liborcus to avoid incorrect parsing of XML.
Found by Antti Levomäki and Christian Jalio from Forcepoint.
This one is not a backport from the master branch. On the master
branch the same fix will come from updating liborcus from 0.13.3
to 0.13.4.
(cherry picked from commit 160350de5f07024b22fb5a9b596918ccc7f22c75)
Conflicts:
external/liborcus/UnpackedTarball_liborcus.mk
Reviewed-on: https://gerrit.libreoffice.org/50147
Tested-by: Jenkins <c...@libreoffice.org>
Reviewed-by: Markus Mohrhard <markus.mohrh...@googlemail.com>
(cherry picked from commit f25bc1254782589af5d24471599260b65558154a)
Conflicts:
external/liborcus/UnpackedTarball_liborcus.mk
Change-Id: I701c5a65ff67d77767913f8d056682b9db549f84
diff --git
a/external/liborcus/0001-protect-the-self-closing-xml-element-code-against-se.patch
b/external/liborcus/0001-protect-the-self-closing-xml-element-code-against-se.patch
new file mode 100644
index 000000000000..990665f9c383
--- /dev/null
+++
b/external/liborcus/0001-protect-the-self-closing-xml-element-code-against-se.patch
@@ -0,0 +1,30 @@
+From 12e5d89cbd7101c61fbdf063322203a1590a0ef5 Mon Sep 17 00:00:00 2001
+From: Markus Mohrhard <markus.mohrh...@googlemail.com>
+Date: Wed, 21 Feb 2018 00:29:03 +0100
+Subject: [PATCH] protect the self-closing xml element code against
+ self-closing root elements
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Found by Antti Levomäki and Christian Jalio from Forcepoint.
+---
+ include/orcus/sax_parser.hpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/orcus/sax_parser.hpp b/include/orcus/sax_parser.hpp
+index ba5ebcd..67d5943 100644
+--- a/include/orcus/sax_parser.hpp
++++ b/include/orcus/sax_parser.hpp
+@@ -171,6 +171,8 @@ void
sax_parser<_Handler,_Config>::element_open(std::ptrdiff_t begin_pos)
+ m_handler.start_element(elem);
+ reset_buffer_pos();
+ m_handler.end_element(elem);
++ if (!m_nest_level)
++ m_root_elem_open = false;
+ #if ORCUS_DEBUG_SAX_PARSER
+ cout << "element_open: ns='" << elem.ns << "', name='" <<
elem.name << "' (self-closing)" << endl;
+ #endif
+--
+2.7.4
+
diff --git a/external/liborcus/UnpackedTarball_liborcus.mk
b/external/liborcus/UnpackedTarball_liborcus.mk
index 08f3423f2424..51f6e55e1de1 100644
--- a/external/liborcus/UnpackedTarball_liborcus.mk
+++ b/external/liborcus/UnpackedTarball_liborcus.mk
@@ -16,6 +16,7 @@ $(eval $(call gb_UnpackedTarball_set_patchlevel,liborcus,1))
$(eval $(call gb_UnpackedTarball_add_patches,liborcus,\
external/liborcus/0001-workaround-a-linking-problem-on-windows.patch \
external/liborcus/rpath.patch.0 \
+
external/liborcus/0001-protect-the-self-closing-xml-element-code-against-se.patch
\
))
ifeq ($(OS),WNT)
commit c6ebd39f5e8fa6aa56016cac819bc76ecd400ee0
Author: Michael Stahl <mst...@redhat.com>
Date: Wed Jan 24 22:24:03 2018 +0100
curl: fix CVE-2018-1000005/1000007
* don't upgrade to new release, no idea how the new windows
build system likes targeting Win XP which is still supported in 5.4
Change-Id: I4fbd7f1c5f1f0563895f6f8ede10063621d10a4b
Reviewed-on: https://gerrit.libreoffice.org/48542
Tested-by: Jenkins <c...@libreoffice.org>
Reviewed-by: Eike Rathke <er...@redhat.com>
(cherry picked from commit ed497921314ebd41fce3483c92ca433b502628ca)
diff --git a/external/curl/CVE-2018-1000005.patch
b/external/curl/CVE-2018-1000005.patch
new file mode 100644
index 000000000000..7b5578b1aacc
--- /dev/null
+++ b/external/curl/CVE-2018-1000005.patch
@@ -0,0 +1,36 @@
+From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
+From: Zhouyihai Ding <ddyi...@ddyihai.svl.corp.google.com>
+Date: Wed, 10 Jan 2018 10:12:18 -0800
+Subject: [PATCH] http2: fix incorrect trailer buffer size
+
+Prior to this change the stored byte count of each trailer was
+miscalculated and 1 less than required. It appears any trailer
+after the first that was passed to Curl_client_write would be truncated
+or corrupted as well as the size. Potentially the size of some
+subsequent trailer could be erroneously extracted from the contents of
+that trailer, and since that size is used by client write an
+out-of-bounds read could occur and cause a crash or be otherwise
+processed by client write.
+
+The bug appears to have been born in 0761a51 (precedes 7.49.0).
+
+Closes https://github.com/curl/curl/pull/2231
+---
+ lib/http2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index 8e2fc71996..699287940e 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const
nghttp2_frame *frame,
+
+ if(stream->bodystarted) {
+ /* This is trailer fields. */
+- /* 3 is for ":" and "\r\n". */
+- uint32_t n = (uint32_t)(namelen + valuelen + 3);
++ /* 4 is for ": " and "\r\n". */
++ uint32_t n = (uint32_t)(namelen + valuelen + 4);
+
+ DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
+ value));
diff --git a/external/curl/CVE-2018-1000007.patch
b/external/curl/CVE-2018-1000007.patch
new file mode 100644
index 000000000000..c474370c78ad
--- /dev/null
+++ b/external/curl/CVE-2018-1000007.patch
@@ -0,0 +1,110 @@
+From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Fri, 19 Jan 2018 13:19:25 +0100
+Subject: [PATCH] http: prevent custom Authorization headers in redirects
+
+... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
+curl already handles Authorization headers created internally.
+
+Note: this changes behavior slightly, for the sake of reducing mistakes.
+
+Added test 317 and 318 to verify.
+
+Reported-by: Craig de Stigter
+Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
+---
+ docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 ++++-
+ lib/http.c | 10 +++-
+ lib/setopt.c | 2 +-
+ lib/urldata.h | 2 +-
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test317 | 94 +++++++++++++++++++++++++++++++++
+ tests/data/test318 | 95 ++++++++++++++++++++++++++++++++++
+ 7 files changed, 212 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test317
+ create mode 100644 tests/data/test318
+
+diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
+index c5ccb1a53d..c9f29e393e 100644
+--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
++++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
+@@ -5,7 +5,7 @@
+ .\" * | (__| |_| | _ <| |___
+ .\" * \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <dan...@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <dan...@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -77,6 +77,16 @@ the headers. They may be private or otherwise sensitive to
leak.
+
+ Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you
+ intend them to get sent.
++
++Custom headers are sent in all requests done by the easy handles, which
++implies that if you tell libcurl to follow redirects
++(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent
++in the subsequent request. Redirects can of course go to other hosts and thus
++those servers will get all the contents of your custom headers too.
++
++Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
++from being sent to other hosts than the first used one, unless specifically
++permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option.
+ .SH DEFAULT
+ NULL
+ .SH PROTOCOLS
+diff --git a/lib/http.c b/lib/http.c
+index c1cdf2da02..a5007670d7 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -714,7 +714,7 @@ Curl_http_output_auth(struct connectdata *conn,
+ if(!data->state.this_is_a_follow ||
+ conn->bits.netrc ||
+ !data->state.first_host ||
+- data->set.http_disable_hostname_check_before_authentication ||
++ data->set.allow_auth_to_other_hosts ||
+ strcasecompare(data->state.first_host, conn->host.name)) {
+ result = output_auth_headers(conn, authhost, request, path, FALSE);
+ }
+@@ -1636,6 +1636,14 @@ CURLcode Curl_add_custom_headers(struct connectdata
*conn,
+ checkprefix("Transfer-Encoding:", headers->data))
+ /* HTTP/2 doesn't support chunked requests */
+ ;
++ else if(checkprefix("Authorization:", headers->data) &&
++ /* be careful of sending this potentially sensitive header
to
++ other hosts */
++ (data->state.this_is_a_follow &&
++ data->state.first_host &&
++ !data->set.allow_auth_to_other_hosts &&
++ !strcasecompare(data->state.first_host, conn->host.name)))
++ ;
+ else {
+ CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
+ headers->data);
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 66f30ea653..a5ef75c722 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -976,7 +976,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption
option,
+ * Send authentication (user+password) when following locations, even when
+ * hostname changed.
+ */
+- data->set.http_disable_hostname_check_before_authentication =
++ data->set.allow_auth_to_other_hosts =
+ (0 != va_arg(param, long)) ? TRUE : FALSE;
+ break;
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 4dcd1a322c..5c04ad1720 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1599,7 +1599,7 @@ struct UserDefined {
+ bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
+ bool http_follow_location; /* follow HTTP redirects */
+ bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
+- bool http_disable_hostname_check_before_authentication;
++ bool allow_auth_to_other_hosts;
+ bool include_header; /* include received protocol headers in data output
*/
+ bool http_set_referer; /* is a custom referer used */
+ bool http_auto_referer; /* set "correct" referer when following location: */
diff --git a/external/curl/UnpackedTarball_curl.mk
b/external/curl/UnpackedTarball_curl.mk
index 4cabf2f1b80b..f9f3a8bf6016 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -24,6 +24,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
external/curl/curl-7.26.0_win-proxy.patch \
external/curl/curl-xp.patch.1 \
external/curl/CVE-2017-8816.patch \
+ external/curl/CVE-2018-1000005.patch \
+ external/curl/CVE-2018-1000007.patch \
))
ifeq ($(SYSTEM_NSS),)
commit 7e3c4a7ea9f3739178019d4a8ceb6159c9476fdd
Author: Michael Stahl <mst...@redhat.com>
Date: Wed Nov 29 12:28:03 2017 +0100
curl: fix CVE-2017-8816
* don't upgrade to new release, no idea how the new windows
build system likes targeting Win XP which is still supported in 5.4
* CVE-2017-8817 doesn't affect LO as CURLOPT_WILDCARDMATCH isn't used
* CVE-2017-8818 doesn't affect the old 7.52 version
Change-Id: I49ddb771ccdb93d5fe8f4b3544f74ab9b171c156
Reviewed-on: https://gerrit.libreoffice.org/45487
Tested-by: Jenkins <c...@libreoffice.org>
Reviewed-by: Caolán McNamara <caol...@redhat.com>
Tested-by: Caolán McNamara <caol...@redhat.com>
(cherry picked from commit aa0f44de5b260b2b2a39bdd2de9445d72ab14265)
diff --git a/external/curl/CVE-2017-8816.patch
b/external/curl/CVE-2017-8816.patch
new file mode 100644
index 000000000000..dd4fa677e03f
--- /dev/null
+++ b/external/curl/CVE-2017-8816.patch
@@ -0,0 +1,67 @@
+From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Mon, 6 Nov 2017 23:51:52 +0100
+Subject: [PATCH] ntlm: avoid integer overflow for malloc size
+
+Reported-by: Alex Nichols
+Assisted-by: Kamil Dudka and Max Dymond
+
+CVE-2017-8816
+
+Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+---
+ lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index 1309bf0d9..e8962769c 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key,
unsigned int keylen,
+ Curl_HMAC_final(ctxt, output);
+
+ return CURLE_OK;
+ }
+
++#ifndef SIZE_T_MAX
++/* some limits.h headers have this defined, some don't */
++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++#endif
++
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+ * (uppercase UserName + Domain) as the data
+ */
+ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
+ const char *domain, size_t domlen,
+ unsigned char *ntlmhash,
+ unsigned char *ntlmv2hash)
+ {
+ /* Unicode representation */
+- size_t identity_len = (userlen + domlen) * 2;
+- unsigned char *identity = malloc(identity_len);
++ size_t identity_len;
++ unsigned char *identity;
+ CURLcode result = CURLE_OK;
+
++ /* we do the length checks below separately to avoid integer overflow risk
++ on extreme data lengths */
++ if((userlen > SIZE_T_MAX/2) ||
++ (domlen > SIZE_T_MAX/2) ||
++ ((userlen + domlen) > SIZE_T_MAX/2))
++ return CURLE_OUT_OF_MEMORY;
++
++ identity_len = (userlen + domlen) * 2;
++ identity = malloc(identity_len);
++
+ if(!identity)
+ return CURLE_OUT_OF_MEMORY;
+
+ ascii_uppercase_to_unicode_le(identity, user, userlen);
+ ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
+--
+2.15.0
+
diff --git a/external/curl/UnpackedTarball_curl.mk
b/external/curl/UnpackedTarball_curl.mk
index 6a5720d78459..4cabf2f1b80b 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -23,6 +23,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
external/curl/curl-7.26.0_mingw.patch \
external/curl/curl-7.26.0_win-proxy.patch \
external/curl/curl-xp.patch.1 \
+ external/curl/CVE-2017-8816.patch \
))
ifeq ($(SYSTEM_NSS),)
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
