external/curl/CVE-2018-14618.patch | 34 +++++++++++++++++++++++++++++++++ external/curl/CVE-2018-16890.patch | 30 +++++++++++++++++++++++++++++ external/curl/CVE-2019-3822.patch | 35 ++++++++++++++++++++++++++++++++++ external/curl/UnpackedTarball_curl.mk | 3 ++ 4 files changed, 102 insertions(+)
New commits: commit 542c991e559ae0f6132b7fea10d995a6452215ba Author: Michael Stahl <michael.st...@cib.de> AuthorDate: Wed Feb 6 12:18:58 2019 +0100 Commit: Thorsten Behrens <thorsten.behr...@cib.de> CommitDate: Fri Feb 8 16:50:34 2019 +0100 curl: add patches for CVE-2018-16890 and CVE-2019-3822 The third one (CVE-2019-3823) isn't relevant because SMTP is disabled. Reviewed-on: https://gerrit.libreoffice.org/67445 Reviewed-by: Thorsten Behrens <thorsten.behr...@cib.de> Tested-by: Thorsten Behrens <thorsten.behr...@cib.de> (cherry picked from commit 9f755aed82154abe29c40899882b3a383aa6f475) Change-Id: I2383c1a7b0c67c586402d4098092cee565edcdda Reviewed-on: https://gerrit.libreoffice.org/67509 Reviewed-by: Thorsten Behrens <thorsten.behr...@cib.de> Tested-by: Thorsten Behrens <thorsten.behr...@cib.de>
diff --git a/external/curl/CVE-2018-16890.patch b/external/curl/CVE-2018-16890.patch
new file mode 100644
index 000000000000..3ba0b38b21a4
--- /dev/null
+++ b/external/curl/CVE-2018-16890.patch
@@ -0,0 +1,30 @@
+From b780b30d1377adb10bbe774835f49e9b237fb9bb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Wed, 2 Jan 2019 20:33:08 +0100
+Subject: [PATCH] NTLM: fix size check condition for type2 received data
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
+Reported-by: Wenxiang Qian
+CVE-2018-16890
+---
+ lib/vauth/ntlm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index c3d55ed251..0ad4d972e3 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
+ target_info_len = Curl_read16_le(&buffer[40]);
+ target_info_offset = Curl_read32_le(&buffer[44]);
+ if(target_info_len > 0) {
+- if(((target_info_offset + target_info_len) > size) ||
++ if((target_info_offset >= size) ||
++ ((target_info_offset + target_info_len) > size) ||
+ (target_info_offset < 48)) {
+ infof(data, "NTLM handshake failure (bad type-2 message). "
+- "Target Info Offset Len is set incorrect by the peer\n");
++ "Target Info Offset Len is set incorrect by the peer\n");
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
+
diff --git a/external/curl/CVE-2019-3822.patch b/external/curl/CVE-2019-3822.patch
new file mode 100644
index 000000000000..938926b1d331
--- /dev/null
+++ b/external/curl/CVE-2019-3822.patch
@@ -0,0 +1,35 @@
+From 50c9484278c63b958655a717844f0721263939cc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Thu, 3 Jan 2019 12:59:28 +0100
+Subject: [PATCH] ntlm: fix *_type3_message size check to avoid buffer overflow
+
+Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
+Reported-by: Wenxiang Qian
+CVE-2019-3822
+---
+ lib/vauth/ntlm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index 0ad4d972e3..6a8fc5ab3d 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -779,11 +779,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
+ });
+
+ #ifdef USE_NTRESPONSES
+- if(size < (NTLM_BUFSIZE - ntresplen)) {
+- DEBUGASSERT(size == (size_t)ntrespoff);
+- memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+- size += ntresplen;
++ /* ntresplen + size should not be risking an integer overflow here */
++ if(ntresplen + size > sizeof(ntlmbuf)) {
++ failf(data, "incoming NTLM message too big");
++ return CURLE_OUT_OF_MEMORY;
+ }
++ DEBUGASSERT(size == (size_t)ntrespoff);
++ memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
++ size += ntresplen;
+
+ DEBUG_OUT({
+ fprintf(stderr, "\n ntresp=");
diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk
index 6ecef5bb4db7..66a70ecce8c6 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -22,6 +22,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
 external/curl/curl-msvc-disable-protocols.patch.1 \
 external/curl/curl-7.26.0_win-proxy.patch \
 external/curl/CVE-2018-14618.patch \
+ external/curl/CVE-2018-16890.patch \
+ external/curl/CVE-2019-3822.patch \
 ))
 
 ifeq ($(OS),ANDROID)
commit 8f6b5ab3ce67c3d4f463133fb9e67be3c2a0e1c8 Author: Thorsten Behrens <thorsten.behr...@cib.de> AuthorDate: Sat Sep 22 19:14:00 2018 +0200 Commit: Thorsten Behrens <thorsten.behr...@cib.de> CommitDate: Fri Feb 8 16:50:22 2019 +0100 curl: fix CVE-2018-14618 * don't upgrade to new release, just use the patch from git Change-Id: I1f2af0cb388c6a94a817b765d0a1eff9990f1661
diff --git a/external/curl/CVE-2018-14618.patch b/external/curl/CVE-2018-14618.patch
new file mode 100644
index 000000000000..5d99c9fb3118
--- /dev/null
+++ b/external/curl/CVE-2018-14618.patch
@@ -0,0 +1,34 @@
+From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Mon, 13 Aug 2018 10:35:52 +0200
+Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password
+
+... since it would cause an integer overflow if longer than (max size_t
+/ 2).
+
+This is CVE-2018-14618
+
+Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
+Closes #2756
+Reported-by: Zhaoyang Wu
+---
+ lib/curl_ntlm_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index e27cab353c..922e85a926 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data,
+ unsigned char *ntbuffer /* 21 bytes */)
+ {
+ size_t len = strlen(password);
+- unsigned char *pw = len ? malloc(len * 2) : strdup("");
++ unsigned char *pw;
+ CURLcode result;
++ if(len > SIZE_T_MAX/2) /* avoid integer overflow */
++ return CURLE_OUT_OF_MEMORY;
++ pw = len ? malloc(len * 2) : strdup("");
+ if(!pw)
+ return CURLE_OUT_OF_MEMORY;
+
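Review bot: The ordering constraint between the two entries added in the `@@ -22,6 +22,8 @@` hunk of UnpackedTarball_curl.mk is undocumented: CVE-2019-3822.patch carries `index 0ad4d972e3..6a8fc5ab3d` for lib/vauth/ntlm.c, i.e. its pre-image is the post-image of CVE-2018-16890.patch (`index c3d55ed251..0ad4d972e3`), so the list only applies cleanly in this order. The decision to skip CVE-2019-3823 because SMTP is disabled likewise lives only in the commit message, where a later change to the protocol configuration would not see it. Suggest two comment lines above the `$(eval $(call gb_UnpackedTarball_add_patches,curl,\` block, which starts outside the hunk (a `#` line inside the backslash-continued list would presumably comment out the rest of the logical line): `# CVE-2019-3822.patch applies on top of CVE-2018-16890.patch (same region of lib/vauth/ntlm.c); keep this order.` and `# CVE-2019-3823 (SMTP) intentionally not applied: SMTP is disabled in this build.`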
diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk
index a578a103c350..6ecef5bb4db7 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -21,6 +21,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
 external/curl/curl-msvc.patch.1 \
 external/curl/curl-msvc-disable-protocols.patch.1 \
 external/curl/curl-7.26.0_win-proxy.patch \
+ external/curl/CVE-2018-14618.patch \
 ))
 
 ifeq ($(OS),ANDROID)
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits