http: restore buffer pointer when bad response-line is parsed ... leaving the k->str could lead to buffer over-reads later on.
CVE: CVE-2018-1000301 Assisted-by: Max Dymond Detected by OSS-Fuzz. Bug: https://curl.haxx.se/docs/adv_2018-b138.html Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 Affects curl >= 7.20.0 && curl <= 7.59.0 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjana...@mvista.com> --- .../curl/curl/CVE-2018-1000301.patch | 54 ++++++++++++++++++++++ meta/recipes-support/curl/curl_7.58.0.bb | 1 + 2 files changed, 55 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2018-1000301.patch diff --git a/meta/recipes-support/curl/curl/CVE-2018-1000301.patch b/meta/recipes-support/curl/curl/CVE-2018-1000301.patch new file mode 100644 index 0000000..f42178e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2018-1000301.patch @@ -0,0 +1,54 @@ +From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <dan...@haxx.se> +Date: Sat, 24 Mar 2018 23:47:41 +0100 +Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed + +... leaving the k->str could lead to buffer over-reads later on. + +CVE: CVE-2018-1000301 +Assisted-by: Max Dymond + +Detected by OSS-Fuzz. +Bug: https://curl.haxx.se/docs/adv_2018-b138.html +Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 + +Upstream-Status: Backport [https://github.com/curl/curl-www/commit/3ee30b2b5e3836345ac510bc1674aa3a4272936e] +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjana...@mvista.com> +--- + lib/http.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/http.c b/lib/http.c +index 1a313b4fb..e080ae513 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -3012,10 +3012,12 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + ssize_t *nread, + bool *stop_reading) + { + CURLcode result; + struct SingleRequest *k = &data->req; ++ ssize_t onread = *nread; ++ char *ostr = k->str; + + /* header line within buffer loop */ + do { + size_t rest_length; + size_t full_length; +@@ -3076,11 +3078,13 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + /* since there's more, this is a partial bad header */ + k->badheader = HEADER_PARTHEADER; + else { + /* this was all we read so it's all a bad header */ + k->badheader = HEADER_ALLBAD; +- *nread = (ssize_t)rest_length; ++ *nread = onread; ++ k->str = ostr; ++ return CURLE_OK; + } + break; + } + } + +-- +2.17.0 diff --git a/meta/recipes-support/curl/curl_7.58.0.bb b/meta/recipes-support/curl/curl_7.58.0.bb index fdfbb3d..4376bb3 100644 --- a/meta/recipes-support/curl/curl_7.58.0.bb +++ b/meta/recipes-support/curl/curl_7.58.0.bb @@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=8;md5=3a34942f4ae3fbf1a303160714e66 SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://0001-replace-krb5-config-with-pkg-config.patch \ file://CVE-2018-1000300.patch \ + file://CVE-2018-1000301.patch \ " -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core