external/curl/CVE-2017-8816.patch | 67 ++++++ external/curl/CVE-2018-1000005.patch | 36 +++ external/curl/CVE-2018-1000007.patch | 110 ++++++++++ external/curl/UnpackedTarball_curl.mk | 3 external/liborcus/0001-protect-the-self-closing-xml-element-code-against-se.patch | 30 ++ external/liborcus/UnpackedTarball_liborcus.mk | 1 6 files changed, 247 insertions(+)
New commits: commit e9a124917f19f1928c11dc9a3dbaa78b681d1776 Author: Kohei Yoshida <kohei.yosh...@gmail.com> Date: Wed Feb 21 20:08:23 2018 -0500 Patch liborcus to avoid incorrect parsing of XML. Found by Antti Levomäki and Christian Jalio from Forcepoint. This one is not a backport from the master branch. On the master branch the same fix will come from updating liborcus from 0.13.3 to 0.13.4. (cherry picked from commit 160350de5f07024b22fb5a9b596918ccc7f22c75) Conflicts: external/liborcus/UnpackedTarball_liborcus.mk Reviewed-on: https://gerrit.libreoffice.org/50147 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Markus Mohrhard <markus.mohrh...@googlemail.com> (cherry picked from commit f25bc1254782589af5d24471599260b65558154a) Conflicts: external/liborcus/UnpackedTarball_liborcus.mk Change-Id: I701c5a65ff67d77767913f8d056682b9db549f84 diff --git a/external/liborcus/0001-protect-the-self-closing-xml-element-code-against-se.patch b/external/liborcus/0001-protect-the-self-closing-xml-element-code-against-se.patch new file mode 100644 index 000000000000..990665f9c383 --- /dev/null +++ b/external/liborcus/0001-protect-the-self-closing-xml-element-code-against-se.patch @@ -0,0 +1,30 @@ +From 12e5d89cbd7101c61fbdf063322203a1590a0ef5 Mon Sep 17 00:00:00 2001 +From: Markus Mohrhard <markus.mohrh...@googlemail.com> +Date: Wed, 21 Feb 2018 00:29:03 +0100 +Subject: [PATCH] protect the self-closing xml element code against + self-closing root elements +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Found by Antti Levomäki and Christian Jalio from Forcepoint. +--- + include/orcus/sax_parser.hpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/orcus/sax_parser.hpp b/include/orcus/sax_parser.hpp +index ba5ebcd..67d5943 100644 +--- a/include/orcus/sax_parser.hpp ++++ b/include/orcus/sax_parser.hpp +@@ -171,6 +171,8 @@ void sax_parser<_Handler,_Config>::element_open(std::ptrdiff_t begin_pos) + m_handler.start_element(elem); + reset_buffer_pos(); + m_handler.end_element(elem); ++ if (!m_nest_level) ++ m_root_elem_open = false; + #if ORCUS_DEBUG_SAX_PARSER + cout << "element_open: ns='" << elem.ns << "', name='" << elem.name << "' (self-closing)" << endl; + #endif +-- +2.7.4 + diff --git a/external/liborcus/UnpackedTarball_liborcus.mk b/external/liborcus/UnpackedTarball_liborcus.mk index 08f3423f2424..51f6e55e1de1 100644 --- a/external/liborcus/UnpackedTarball_liborcus.mk +++ b/external/liborcus/UnpackedTarball_liborcus.mk @@ -16,6 +16,7 @@ $(eval $(call gb_UnpackedTarball_set_patchlevel,liborcus,1)) $(eval $(call gb_UnpackedTarball_add_patches,liborcus,\ external/liborcus/0001-workaround-a-linking-problem-on-windows.patch \ external/liborcus/rpath.patch.0 \ + external/liborcus/0001-protect-the-self-closing-xml-element-code-against-se.patch \ )) ifeq ($(OS),WNT) commit c6ebd39f5e8fa6aa56016cac819bc76ecd400ee0 Author: Michael Stahl <mst...@redhat.com> Date: Wed Jan 24 22:24:03 2018 +0100 curl: fix CVE-2018-1000005/1000007 * don't upgrade to new release, no idea how the new windows build system likes targeting Win XP which is still supported in 5.4 Change-Id: I4fbd7f1c5f1f0563895f6f8ede10063621d10a4b Reviewed-on: https://gerrit.libreoffice.org/48542 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Eike Rathke <er...@redhat.com> (cherry picked from commit ed497921314ebd41fce3483c92ca433b502628ca) diff --git a/external/curl/CVE-2018-1000005.patch b/external/curl/CVE-2018-1000005.patch new file mode 100644 index 000000000000..7b5578b1aacc --- /dev/null +++ b/external/curl/CVE-2018-1000005.patch @@ -0,0 +1,36 @@ +From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001 +From: Zhouyihai Ding <ddyi...@ddyihai.svl.corp.google.com> +Date: Wed, 10 Jan 2018 10:12:18 -0800 +Subject: [PATCH] http2: fix incorrect trailer buffer size + +Prior to this change the stored byte count of each trailer was +miscalculated and 1 less than required. It appears any trailer +after the first that was passed to Curl_client_write would be truncated +or corrupted as well as the size. Potentially the size of some +subsequent trailer could be erroneously extracted from the contents of +that trailer, and since that size is used by client write an +out-of-bounds read could occur and cause a crash or be otherwise +processed by client write. + +The bug appears to have been born in 0761a51 (precedes 7.49.0). + +Closes https://github.com/curl/curl/pull/2231 +--- + lib/http2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index 8e2fc71996..699287940e 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, + + if(stream->bodystarted) { + /* This is trailer fields. */ +- /* 3 is for ":" and "\r\n". */ +- uint32_t n = (uint32_t)(namelen + valuelen + 3); ++ /* 4 is for ": " and "\r\n". */ ++ uint32_t n = (uint32_t)(namelen + valuelen + 4); + + DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen, + value)); diff --git a/external/curl/CVE-2018-1000007.patch b/external/curl/CVE-2018-1000007.patch new file mode 100644 index 000000000000..c474370c78ad --- /dev/null +++ b/external/curl/CVE-2018-1000007.patch @@ -0,0 +1,110 @@ +From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <dan...@haxx.se> +Date: Fri, 19 Jan 2018 13:19:25 +0100 +Subject: [PATCH] http: prevent custom Authorization headers in redirects + +... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how +curl already handles Authorization headers created internally. + +Note: this changes behavior slightly, for the sake of reducing mistakes. + +Added test 317 and 318 to verify. + +Reported-by: Craig de Stigter +Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html +--- + docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 ++++- + lib/http.c | 10 +++- + lib/setopt.c | 2 +- + lib/urldata.h | 2 +- + tests/data/Makefile.inc | 2 +- + tests/data/test317 | 94 +++++++++++++++++++++++++++++++++ + tests/data/test318 | 95 ++++++++++++++++++++++++++++++++++ + 7 files changed, 212 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test317 + create mode 100644 tests/data/test318 + +diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 +index c5ccb1a53d..c9f29e393e 100644 +--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 ++++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 +@@ -5,7 +5,7 @@ + .\" * | (__| |_| | _ <| |___ + .\" * \___|\___/|_| \_\_____| + .\" * +-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <dan...@haxx.se>, et al. ++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <dan...@haxx.se>, et al. + .\" * + .\" * This software is licensed as described in the file COPYING, which + .\" * you should have received as part of this distribution. The terms +@@ -77,6 +77,16 @@ the headers. They may be private or otherwise sensitive to leak. + + Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you + intend them to get sent. ++ ++Custom headers are sent in all requests done by the easy handles, which ++implies that if you tell libcurl to follow redirects ++(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent ++in the subsequent request. Redirects can of course go to other hosts and thus ++those servers will get all the contents of your custom headers too. ++ ++Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers ++from being sent to other hosts than the first used one, unless specifically ++permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option. + .SH DEFAULT + NULL + .SH PROTOCOLS +diff --git a/lib/http.c b/lib/http.c +index c1cdf2da02..a5007670d7 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -714,7 +714,7 @@ Curl_http_output_auth(struct connectdata *conn, + if(!data->state.this_is_a_follow || + conn->bits.netrc || + !data->state.first_host || +- data->set.http_disable_hostname_check_before_authentication || ++ data->set.allow_auth_to_other_hosts || + strcasecompare(data->state.first_host, conn->host.name)) { + result = output_auth_headers(conn, authhost, request, path, FALSE); + } +@@ -1636,6 +1636,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, + checkprefix("Transfer-Encoding:", headers->data)) + /* HTTP/2 doesn't support chunked requests */ + ; ++ else if(checkprefix("Authorization:", headers->data) && ++ /* be careful of sending this potentially sensitive header to ++ other hosts */ ++ (data->state.this_is_a_follow && ++ data->state.first_host && ++ !data->set.allow_auth_to_other_hosts && ++ !strcasecompare(data->state.first_host, conn->host.name))) ++ ; + else { + CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n", + headers->data); +diff --git a/lib/setopt.c b/lib/setopt.c +index 66f30ea653..a5ef75c722 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -976,7 +976,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + * Send authentication (user+password) when following locations, even when + * hostname changed. + */ +- data->set.http_disable_hostname_check_before_authentication = ++ data->set.allow_auth_to_other_hosts = + (0 != va_arg(param, long)) ? TRUE : FALSE; + break; + +diff --git a/lib/urldata.h b/lib/urldata.h +index 4dcd1a322c..5c04ad1720 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1599,7 +1599,7 @@ struct UserDefined { + bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */ + bool http_follow_location; /* follow HTTP redirects */ + bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */ +- bool http_disable_hostname_check_before_authentication; ++ bool allow_auth_to_other_hosts; + bool include_header; /* include received protocol headers in data output */ + bool http_set_referer; /* is a custom referer used */ + bool http_auto_referer; /* set "correct" referer when following location: */ diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk index 4cabf2f1b80b..f9f3a8bf6016 100644 --- a/external/curl/UnpackedTarball_curl.mk +++ b/external/curl/UnpackedTarball_curl.mk @@ -24,6 +24,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\ external/curl/curl-7.26.0_win-proxy.patch \ external/curl/curl-xp.patch.1 \ external/curl/CVE-2017-8816.patch \ + external/curl/CVE-2018-1000005.patch \ + external/curl/CVE-2018-1000007.patch \ )) ifeq ($(SYSTEM_NSS),) commit 7e3c4a7ea9f3739178019d4a8ceb6159c9476fdd Author: Michael Stahl <mst...@redhat.com> Date: Wed Nov 29 12:28:03 2017 +0100 curl: fix CVE-2017-8816 * don't upgrade to new release, no idea how the new windows build system likes targeting Win XP which is still supported in 5.4 * CVE-2017-8817 doesn't affect LO as CURLOPT_WILDCARDMATCH isn't used * CVE-2017-8818 doesn't affect the old 7.52 version Change-Id: I49ddb771ccdb93d5fe8f4b3544f74ab9b171c156 Reviewed-on: https://gerrit.libreoffice.org/45487 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit aa0f44de5b260b2b2a39bdd2de9445d72ab14265) diff --git a/external/curl/CVE-2017-8816.patch b/external/curl/CVE-2017-8816.patch new file mode 100644 index 000000000000..dd4fa677e03f --- /dev/null +++ b/external/curl/CVE-2017-8816.patch @@ -0,0 +1,67 @@ +From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <dan...@haxx.se> +Date: Mon, 6 Nov 2017 23:51:52 +0100 +Subject: [PATCH] ntlm: avoid integer overflow for malloc size + +Reported-by: Alex Nichols +Assisted-by: Kamil Dudka and Max Dymond + +CVE-2017-8816 + +Bug: https://curl.haxx.se/docs/adv_2017-11e7.html +--- + lib/curl_ntlm_core.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c +index 1309bf0d9..e8962769c 100644 +--- a/lib/curl_ntlm_core.c ++++ b/lib/curl_ntlm_core.c +@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, + Curl_HMAC_final(ctxt, output); + + return CURLE_OK; + } + ++#ifndef SIZE_T_MAX ++/* some limits.h headers have this defined, some don't */ ++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) ++#define SIZE_T_MAX 18446744073709551615U ++#else ++#define SIZE_T_MAX 4294967295U ++#endif ++#endif ++ + /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode + * (uppercase UserName + Domain) as the data + */ + CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen, + const char *domain, size_t domlen, + unsigned char *ntlmhash, + unsigned char *ntlmv2hash) + { + /* Unicode representation */ +- size_t identity_len = (userlen + domlen) * 2; +- unsigned char *identity = malloc(identity_len); ++ size_t identity_len; ++ unsigned char *identity; + CURLcode result = CURLE_OK; + ++ /* we do the length checks below separately to avoid integer overflow risk ++ on extreme data lengths */ ++ if((userlen > SIZE_T_MAX/2) || ++ (domlen > SIZE_T_MAX/2) || ++ ((userlen + domlen) > SIZE_T_MAX/2)) ++ return CURLE_OUT_OF_MEMORY; ++ ++ identity_len = (userlen + domlen) * 2; ++ identity = malloc(identity_len); ++ + if(!identity) + return CURLE_OUT_OF_MEMORY; + + ascii_uppercase_to_unicode_le(identity, user, userlen); + ascii_to_unicode_le(identity + (userlen << 1), domain, domlen); +-- +2.15.0 + diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk index 6a5720d78459..4cabf2f1b80b 100644 --- a/external/curl/UnpackedTarball_curl.mk +++ b/external/curl/UnpackedTarball_curl.mk @@ -23,6 +23,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\ external/curl/curl-7.26.0_mingw.patch \ external/curl/curl-7.26.0_win-proxy.patch \ external/curl/curl-xp.patch.1 \ + external/curl/CVE-2017-8816.patch \ )) ifeq ($(SYSTEM_NSS),) _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits