From: Hauke Mehrtens Date: Fri, 10 Aug 2018 19:39:06 +0000 (+0200) Subject: curl: fix some security problems X-Git-Tag: v17.01.6~33 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=9bc43f3e65bc8e0bb3d0c5ea8ff906111197afb9;p=oweals%2Fopenwrt.git curl: fix some security problems This fixes the following security problems: * CVE-2017-1000254: FTP PWD response parser out of bounds read * CVE-2017-1000257: IMAP FETCH response out of bounds read * CVE-2018-1000005: HTTP/2 trailer out-of-bounds read * CVE-2018-1000007: HTTP authentication leak in redirects * CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write * CVE-2018-1000121: LDAP NULL pointer dereference * CVE-2018-1000122: RTSP RTP buffer over-read * CVE-2018-1000301: RTSP bad headers buffer over-read Signed-off-by: Hauke Mehrtens --- diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile index a0abf2a85d..fed5bac099 100644 --- a/package/network/utils/curl/Makefile +++ b/package/network/utils/curl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=curl PKG_VERSION:=7.52.1 -PKG_RELEASE:=9 +PKG_RELEASE:=10 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://curl.haxx.se/download/ \ diff --git a/package/network/utils/curl/patches/105-CVE-2017-1000254.patch b/package/network/utils/curl/patches/105-CVE-2017-1000254.patch new file mode 100644 index 0000000000..56b0235583 --- /dev/null +++ b/package/network/utils/curl/patches/105-CVE-2017-1000254.patch @@ -0,0 +1,49 @@ +From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Sep 2017 00:35:22 +0200 +Subject: [PATCH] FTP: zero terminate the entry path even on bad input + +... a single double quote could leave the entry path buffer without a zero +terminating byte. CVE-2017-1000254 + +Test 1152 added to verify. + +Reported-by: Max Dymond +Bug: https://curl.haxx.se/docs/adv_20171004.html +--- + lib/ftp.c | 7 ++++-- + tests/data/Makefile.inc | 1 + + tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 67 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1152 + +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -2825,6 +2825,7 @@ static CURLcode ftp_statemach_act(struct + char *ptr=&data->state.buffer[4]; /* start on the first letter */ + char *dir; + char *store; ++ bool entry_extracted = FALSE; + + dir = malloc(nread + 1); + if(!dir) +@@ -2856,7 +2857,7 @@ static CURLcode ftp_statemach_act(struct + } + else { + /* end of path */ +- *store = '\0'; /* zero terminate */ ++ entry_extracted = TRUE; + break; /* get out of this loop */ + } + } +@@ -2865,7 +2866,9 @@ static CURLcode ftp_statemach_act(struct + store++; + ptr++; + } +- ++ *store = '\0'; /* zero terminate */ ++ } ++ if(entry_extracted) { + /* If the path name does not look like an absolute path (i.e.: it + does not start with a '/'), we probably need some server-dependent + adjustments. For example, this is the case when connecting to diff --git a/package/network/utils/curl/patches/105-CVE-2017-8816.patch b/package/network/utils/curl/patches/105-CVE-2017-8816.patch deleted file mode 100644 index 4d2b3162a8..0000000000 --- a/package/network/utils/curl/patches/105-CVE-2017-8816.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 6 Nov 2017 23:51:52 +0100 -Subject: [PATCH] ntlm: avoid integer overflow for malloc size - -Reported-by: Alex Nichols -Assisted-by: Kamil Dudka and Max Dymond - -CVE-2017-8816 - -Bug: https://curl.haxx.se/docs/adv_2017-11e7.html ---- - lib/curl_ntlm_core.c | 23 +++++++++++++++++++++-- - 1 file changed, 21 insertions(+), 2 deletions(-) - -diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c -index 1309bf0d9..e8962769c 100644 ---- a/lib/curl_ntlm_core.c -+++ b/lib/curl_ntlm_core.c -@@ -616,23 +616,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, - Curl_HMAC_final(ctxt, output); - - return CURLE_OK; - } - -+#ifndef SIZE_T_MAX -+/* some limits.h headers have this defined, some don't */ -+#if defined(_LP64) || defined(_I32LPx) -+#define SIZE_T_MAX 18446744073709551615U -+#else -+#define SIZE_T_MAX 4294967295U -+#endif -+#endif -+ - /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode - * (uppercase UserName + Domain) as the data - */ - CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen, - const char *domain, size_t domlen, - unsigned char *ntlmhash, - unsigned char *ntlmv2hash) - { - /* Unicode representation */ -- size_t identity_len = (userlen + domlen) * 2; -- unsigned char *identity = malloc(identity_len); -+ size_t identity_len; -+ unsigned char *identity; - CURLcode result = CURLE_OK; - -+ /* we do the length checks below separately to avoid integer overflow risk -+ on extreme data lengths */ -+ if((userlen > SIZE_T_MAX/2) || -+ (domlen > SIZE_T_MAX/2) || -+ ((userlen + domlen) > SIZE_T_MAX/2)) -+ return CURLE_OUT_OF_MEMORY; -+ -+ identity_len = (userlen + domlen) * 2; -+ identity = malloc(identity_len); -+ - if(!identity) - return CURLE_OUT_OF_MEMORY; - - ascii_uppercase_to_unicode_le(identity, user, userlen); - ascii_to_unicode_le(identity + (userlen << 1), domain, domlen); --- -2.15.0 - diff --git a/package/network/utils/curl/patches/106-CVE-2017-8817.patch b/package/network/utils/curl/patches/106-CVE-2017-8817.patch deleted file mode 100644 index 9e904f0b40..0000000000 --- a/package/network/utils/curl/patches/106-CVE-2017-8817.patch +++ /dev/null @@ -1,141 +0,0 @@ -From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 10 Nov 2017 08:52:45 +0100 -Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset - -The code would previous read beyond the end of the pattern string if the -match pattern ends with an open bracket when the default pattern -matching function is used. - -Detected by OSS-Fuzz: -https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161 - -CVE-2017-8817 - -Bug: https://curl.haxx.se/docs/adv_2017-ae72.html ---- - lib/curl_fnmatch.c | 9 +++------ - tests/data/Makefile.inc | 2 +- - tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 56 insertions(+), 7 deletions(-) - create mode 100644 tests/data/test1163 - -diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c -index da83393b4..8a1e106c4 100644 ---- a/lib/curl_fnmatch.c -+++ b/lib/curl_fnmatch.c -@@ -131,10 +131,13 @@ static int setcharset(unsigned char **p, unsigned char *charset) - unsigned char lastchar = 0; - bool something_found = FALSE; - unsigned char c; - for(;;) { - c = **p; -+ if(!c) -+ return SETCHARSET_FAIL; -+ - switch(state) { - case CURLFNM_SCHS_DEFAULT: - if(ISALNUM(c)) { /* ASCII value */ - rangestart = c; - charset[c] = 1; -@@ -195,13 +198,10 @@ static int setcharset(unsigned char **p, unsigned char *charset) - (*p)++; - } - else - return SETCHARSET_FAIL; - } -- else if(c == '\0') { -- return SETCHARSET_FAIL; -- } - else { - charset[c] = 1; - (*p)++; - something_found = TRUE; - } -@@ -276,13 +276,10 @@ static int setcharset(unsigned char **p, unsigned char *charset) - (*p)++; - } - else if(c == ']') { - return SETCHARSET_OK; - } -- else if(c == '\0') { -- return SETCHARSET_FAIL; -- } - else if(ISPRINT(c)) { - charset[c] = 1; - (*p)++; - state = CURLFNM_SCHS_DEFAULT; - } -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index dc1cc03bc..6eb37d81d 100644 ---- a/tests/data/Makefile.inc.1 2017-11-29 20:00:26.126452486 +0000 -+++ b/tests/data/Makefile.inc 2017-11-29 20:01:13.057783732 +0000 -@@ -121,6 +121,7 @@ - test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \ - test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \ - test1144 \ -+test1163 \ - test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ - test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \ - test1216 test1217 test1218 test1219 \ -diff --git a/tests/data/test1163 b/tests/data/test1163 -new file mode 100644 -index 000000000..a109b511b ---- /dev/null -+++ b/tests/data/test1163 -@@ -0,0 +1,52 @@ -+ -+ -+ -+FTP -+RETR -+LIST -+wildcardmatch -+ftplistparser -+flaky -+ -+ -+ -+# -+# Server-side -+ -+ -+ -+ -+ -+# Client-side -+ -+ -+ftp -+ -+ -+lib576 -+ -+ -+FTP wildcard with pattern ending with an open-bracket -+ -+ -+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[][" -+ -+ -+ -+ -+USER anonymous -+PASS ftp@example.com -+PWD -+CWD fully_simulated -+CWD DOS -+EPSV -+TYPE A -+LIST -+QUIT -+ -+# 78 == CURLE_REMOTE_FILE_NOT_FOUND -+ -+78 -+ -+ -+ --- -2.15.0 - diff --git a/package/network/utils/curl/patches/107-CVE-2017-1000257.patch b/package/network/utils/curl/patches/107-CVE-2017-1000257.patch new file mode 100644 index 0000000000..7baaa75df1 --- /dev/null +++ b/package/network/utils/curl/patches/107-CVE-2017-1000257.patch @@ -0,0 +1,28 @@ +From 13c9a9ded3ae744a1e11cbc14e9146d9fa427040 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 7 Oct 2017 00:11:31 +0200 +Subject: [PATCH] imap: if a FETCH response has no size, don't call write + callback + +CVE-2017-1000257 + +Reported-by: Brian Carpenter and 0xd34db347 +Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586 +--- + lib/imap.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1140,6 +1140,11 @@ static CURLcode imap_state_fetch_resp(st + /* The conversion from curl_off_t to size_t is always fine here */ + chunk = (size_t)size; + ++ if(!chunk) { ++ /* no size, we're done with the data */ ++ state(conn, IMAP_STOP); ++ return CURLE_OK; ++ } + result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk); + if(result) + return result; diff --git a/package/network/utils/curl/patches/107-CVE-2017-8816.patch b/package/network/utils/curl/patches/107-CVE-2017-8816.patch new file mode 100644 index 0000000000..27775b0d81 --- /dev/null +++ b/package/network/utils/curl/patches/107-CVE-2017-8816.patch @@ -0,0 +1,56 @@ +From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 6 Nov 2017 23:51:52 +0100 +Subject: [PATCH] ntlm: avoid integer overflow for malloc size + +Reported-by: Alex Nichols +Assisted-by: Kamil Dudka and Max Dymond + +CVE-2017-8816 + +Bug: https://curl.haxx.se/docs/adv_2017-11e7.html +--- + lib/curl_ntlm_core.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/lib/curl_ntlm_core.c ++++ b/lib/curl_ntlm_core.c +@@ -618,6 +618,15 @@ CURLcode Curl_hmac_md5(const unsigned ch + return CURLE_OK; + } + ++#ifndef SIZE_T_MAX ++/* some limits.h headers have this defined, some don't */ ++#if defined(_LP64) || defined(_I32LPx) ++#define SIZE_T_MAX 18446744073709551615U ++#else ++#define SIZE_T_MAX 4294967295U ++#endif ++#endif ++ + /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode + * (uppercase UserName + Domain) as the data + */ +@@ -627,10 +636,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(c + unsigned char *ntlmv2hash) + { + /* Unicode representation */ +- size_t identity_len = (userlen + domlen) * 2; +- unsigned char *identity = malloc(identity_len); ++ size_t identity_len; ++ unsigned char *identity; + CURLcode result = CURLE_OK; + ++ /* we do the length checks below separately to avoid integer overflow risk ++ on extreme data lengths */ ++ if((userlen > SIZE_T_MAX/2) || ++ (domlen > SIZE_T_MAX/2) || ++ ((userlen + domlen) > SIZE_T_MAX/2)) ++ return CURLE_OUT_OF_MEMORY; ++ ++ identity_len = (userlen + domlen) * 2; ++ identity = malloc(identity_len); ++ + if(!identity) + return CURLE_OUT_OF_MEMORY; + diff --git a/package/network/utils/curl/patches/108-CVE-2017-8817.patch b/package/network/utils/curl/patches/108-CVE-2017-8817.patch new file mode 100644 index 0000000000..4b7e79cc29 --- /dev/null +++ b/package/network/utils/curl/patches/108-CVE-2017-8817.patch @@ -0,0 +1,119 @@ +From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Nov 2017 08:52:45 +0100 +Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset + +The code would previous read beyond the end of the pattern string if the +match pattern ends with an open bracket when the default pattern +matching function is used. + +Detected by OSS-Fuzz: +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161 + +CVE-2017-8817 + +Bug: https://curl.haxx.se/docs/adv_2017-ae72.html +--- + lib/curl_fnmatch.c | 9 +++------ + tests/data/Makefile.inc | 2 +- + tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 56 insertions(+), 7 deletions(-) + create mode 100644 tests/data/test1163 + +--- a/lib/curl_fnmatch.c ++++ b/lib/curl_fnmatch.c +@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, + unsigned char c; + for(;;) { + c = **p; ++ if(!c) ++ return SETCHARSET_FAIL; ++ + switch(state) { + case CURLFNM_SCHS_DEFAULT: + if(ISALNUM(c)) { /* ASCII value */ +@@ -197,9 +200,6 @@ static int setcharset(unsigned char **p, + else + return SETCHARSET_FAIL; + } +- else if(c == '\0') { +- return SETCHARSET_FAIL; +- } + else { + charset[c] = 1; + (*p)++; +@@ -278,9 +278,6 @@ static int setcharset(unsigned char **p, + else if(c == ']') { + return SETCHARSET_OK; + } +- else if(c == '\0') { +- return SETCHARSET_FAIL; +- } + else if(ISPRINT(c)) { + charset[c] = 1; + (*p)++; +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -121,6 +121,7 @@ test1120 test1121 test1122 test1123 test + test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \ + test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \ + test1144 \ ++test1163 \ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ + test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \ + test1216 test1217 test1218 test1219 \ +--- /dev/null ++++ b/tests/data/test1163 +@@ -0,0 +1,52 @@ ++ ++ ++ ++FTP ++RETR ++LIST ++wildcardmatch ++ftplistparser ++flaky ++ ++ ++ ++# ++# Server-side ++ ++ ++ ++ ++ ++# Client-side ++ ++ ++ftp ++ ++ ++lib576 ++ ++ ++FTP wildcard with pattern ending with an open-bracket ++ ++ ++"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[][" ++ ++ ++ ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++CWD fully_simulated ++CWD DOS ++EPSV ++TYPE A ++LIST ++QUIT ++ ++# 78 == CURLE_REMOTE_FILE_NOT_FOUND ++ ++78 ++ ++ ++ diff --git a/package/network/utils/curl/patches/109-CVE-2018-1000005.patch b/package/network/utils/curl/patches/109-CVE-2018-1000005.patch new file mode 100644 index 0000000000..76d0ea771f --- /dev/null +++ b/package/network/utils/curl/patches/109-CVE-2018-1000005.patch @@ -0,0 +1,34 @@ +From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001 +From: Zhouyihai Ding +Date: Wed, 10 Jan 2018 10:12:18 -0800 +Subject: [PATCH] http2: fix incorrect trailer buffer size + +Prior to this change the stored byte count of each trailer was +miscalculated and 1 less than required. It appears any trailer +after the first that was passed to Curl_client_write would be truncated +or corrupted as well as the size. Potentially the size of some +subsequent trailer could be erroneously extracted from the contents of +that trailer, and since that size is used by client write an +out-of-bounds read could occur and cause a crash or be otherwise +processed by client write. + +The bug appears to have been born in 0761a51 (precedes 7.49.0). + +Closes https://github.com/curl/curl/pull/2231 +--- + lib/http2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -864,8 +864,8 @@ static int on_header(nghttp2_session *se + + if(stream->bodystarted) { + /* This is trailer fields. */ +- /* 3 is for ":" and "\r\n". */ +- uint32_t n = (uint32_t)(namelen + valuelen + 3); ++ /* 4 is for ": " and "\r\n". */ ++ uint32_t n = (uint32_t)(namelen + valuelen + 4); + + DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen, + value)); diff --git a/package/network/utils/curl/patches/110-CVE-2018-1000007.patch b/package/network/utils/curl/patches/110-CVE-2018-1000007.patch new file mode 100644 index 0000000000..5387a5966b --- /dev/null +++ b/package/network/utils/curl/patches/110-CVE-2018-1000007.patch @@ -0,0 +1,102 @@ +From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 19 Jan 2018 13:19:25 +0100 +Subject: [PATCH] http: prevent custom Authorization headers in redirects + +... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how +curl already handles Authorization headers created internally. + +Note: this changes behavior slightly, for the sake of reducing mistakes. + +Added test 317 and 318 to verify. + +Reported-by: Craig de Stigter +Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html +--- + docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 +++- + lib/http.c | 10 ++- + lib/setopt.c | 2 +- + lib/urldata.h | 2 +- + tests/data/Makefile.inc | 2 +- + tests/data/test317 | 94 +++++++++++++++++++++++++ + tests/data/test318 | 95 ++++++++++++++++++++++++++ + 7 files changed, 212 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test317 + create mode 100644 tests/data/test318 + +--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 ++++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 +@@ -5,7 +5,7 @@ + .\" * | (__| |_| | _ <| |___ + .\" * \___|\___/|_| \_\_____| + .\" * +-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. ++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. + .\" * + .\" * This software is licensed as described in the file COPYING, which + .\" * you should have received as part of this distribution. The terms +@@ -77,6 +77,16 @@ the headers. They may be private or othe + + Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you + intend them to get sent. ++ ++Custom headers are sent in all requests done by the easy handles, which ++implies that if you tell libcurl to follow redirects ++(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent ++in the subsequent request. Redirects can of course go to other hosts and thus ++those servers will get all the contents of your custom headers too. ++ ++Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers ++from being sent to other hosts than the first used one, unless specifically ++permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option. + .SH DEFAULT + NULL + .SH PROTOCOLS +--- a/lib/http.c ++++ b/lib/http.c +@@ -725,7 +725,7 @@ Curl_http_output_auth(struct connectdata + if(!data->state.this_is_a_follow || + conn->bits.netrc || + !data->state.first_host || +- data->set.http_disable_hostname_check_before_authentication || ++ data->set.allow_auth_to_other_hosts || + strcasecompare(data->state.first_host, conn->host.name)) { + result = output_auth_headers(conn, authhost, request, path, FALSE); + } +@@ -1624,6 +1624,14 @@ CURLcode Curl_add_custom_headers(struct + checkprefix("Transfer-Encoding:", headers->data)) + /* HTTP/2 doesn't support chunked requests */ + ; ++ else if(checkprefix("Authorization:", headers->data) && ++ /* be careful of sending this potentially sensitive header to ++ other hosts */ ++ (data->state.this_is_a_follow && ++ data->state.first_host && ++ !data->set.allow_auth_to_other_hosts && ++ !strcasecompare(data->state.first_host, conn->host.name))) ++ ; + else { + CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n", + headers->data); +--- a/lib/url.c ++++ b/lib/url.c +@@ -972,7 +972,7 @@ CURLcode Curl_setopt(struct Curl_easy *d + * Send authentication (user+password) when following locations, even when + * hostname changed. + */ +- data->set.http_disable_hostname_check_before_authentication = ++ data->set.allow_auth_to_other_hosts = + (0 != va_arg(param, long)) ? TRUE : FALSE; + break; + +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1675,7 +1675,7 @@ struct UserDefined { + bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */ + bool http_follow_location; /* follow HTTP redirects */ + bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */ +- bool http_disable_hostname_check_before_authentication; ++ bool allow_auth_to_other_hosts; + bool include_header; /* include received protocol headers in data output */ + bool http_set_referer; /* is a custom referer used */ + bool http_auto_referer; /* set "correct" referer when following location: */ diff --git a/package/network/utils/curl/patches/111-CVE-2018-1000120.patch b/package/network/utils/curl/patches/111-CVE-2018-1000120.patch new file mode 100644 index 0000000000..86b82b45f1 --- /dev/null +++ b/package/network/utils/curl/patches/111-CVE-2018-1000120.patch @@ -0,0 +1,53 @@ +From a6ae0fbe9c50733e0f645f5bd16e1db38c592c3d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 31 Jan 2018 08:40:11 +0100 +Subject: [PATCH] FTP: reject path components with control codes + +Refuse to operate when given path components featuring byte values lower +than 32. + +Previously, inserting a %00 sequence early in the directory part when +using the 'singlecwd' ftp method could make curl write a zero byte +outside of the allocated buffer. + +Test case 340 verifies. + +CVE-2018-1000120 +Reported-by: Duy Phan Thanh +Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html +--- + lib/ftp.c | 8 ++++---- + tests/data/Makefile.inc | 3 +++ + tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 47 insertions(+), 4 deletions(-) + create mode 100644 tests/data/test340 + +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -3235,7 +3235,7 @@ static CURLcode ftp_done(struct connectd + + if(!result) + /* get the "raw" path */ +- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); ++ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE); + if(result) { + /* We can limp along anyway (and should try to since we may already be in + * the error path) */ +@@ -4241,7 +4241,7 @@ CURLcode ftp_parse_url_path(struct conne + result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/", + slash_pos ? dirlen : 1, + &ftpc->dirs[0], NULL, +- FALSE); ++ TRUE); + if(result) { + freedirs(ftpc); + return result; +@@ -4349,7 +4349,7 @@ CURLcode ftp_parse_url_path(struct conne + size_t dlen; + char *path; + CURLcode result = +- Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE); ++ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE); + if(result) { + freedirs(ftpc); + return result; diff --git a/package/network/utils/curl/patches/112-CVE-2018-1000121.patch b/package/network/utils/curl/patches/112-CVE-2018-1000121.patch new file mode 100644 index 0000000000..8fdb3377d3 --- /dev/null +++ b/package/network/utils/curl/patches/112-CVE-2018-1000121.patch @@ -0,0 +1,37 @@ +From 8f341a5d6f15381492ca2013325d485b6d8d1c13 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 6 Mar 2018 23:02:16 +0100 +Subject: [PATCH] openldap: check ldap_get_attribute_ber() results for NULL + before using + +CVE-2018-1000121 +Reported-by: Dario Weisser +Bug: https://curl.haxx.se/docs/adv_2018-97a2.html +--- + lib/openldap.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -443,7 +443,7 @@ static ssize_t ldap_recv(struct connectd + + for(ent = ldap_first_message(li->ld, msg); ent; + ent = ldap_next_message(li->ld, ent)) { +- struct berval bv, *bvals, **bvp = &bvals; ++ struct berval bv, *bvals; + int binary = 0, msgtype; + CURLcode writeerr; + +@@ -505,9 +505,9 @@ static ssize_t ldap_recv(struct connectd + } + data->req.bytecount += bv.bv_len + 5; + +- for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp); +- rc == LDAP_SUCCESS; +- rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp)) { ++ for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals); ++ (rc == LDAP_SUCCESS) && bvals; ++ rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals)) { + int i; + + if(bv.bv_val == NULL) break; diff --git a/package/network/utils/curl/patches/113-CVE-2018-1000122.patch b/package/network/utils/curl/patches/113-CVE-2018-1000122.patch new file mode 100644 index 0000000000..68a81aef8a --- /dev/null +++ b/package/network/utils/curl/patches/113-CVE-2018-1000122.patch @@ -0,0 +1,33 @@ +From d70b74d6f893947aa22d3f14df10f92a8c349388 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 8 Mar 2018 10:33:16 +0100 +Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end + +CVE-2018-1000122 +Bug: https://curl.haxx.se/docs/adv_2018-b047.html + +Detected by OSS-fuzz +--- + lib/transfer.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -791,10 +791,15 @@ static CURLcode readwrite_data(struct Cu + + } /* if(!header and data to read) */ + +- if(conn->handler->readwrite && +- (excess > 0 && !conn->bits.stream_was_rewound)) { ++ if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) { + /* Parse the excess data */ + k->str += nread; ++ ++ if(&k->str[excess] > &k->buf[data->set.buffer_size]) { ++ /* the excess amount was too excessive(!), make sure ++ it doesn't read out of buffer */ ++ excess = &k->buf[data->set.buffer_size] - k->str; ++ } + nread = (ssize_t)excess; + + result = conn->handler->readwrite(data, conn, &nread, &readmore); diff --git a/package/network/utils/curl/patches/114-CVE-2018-1000301.patch b/package/network/utils/curl/patches/114-CVE-2018-1000301.patch new file mode 100644 index 0000000000..993c985060 --- /dev/null +++ b/package/network/utils/curl/patches/114-CVE-2018-1000301.patch @@ -0,0 +1,39 @@ +From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 24 Mar 2018 23:47:41 +0100 +Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed + +... leaving the k->str could lead to buffer over-reads later on. + +CVE: CVE-2018-1000301 +Assisted-by: Max Dymond + +Detected by OSS-Fuzz. +Bug: https://curl.haxx.se/docs/adv_2018-b138.html +Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 +--- + lib/http.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/lib/http.c ++++ b/lib/http.c +@@ -2924,6 +2924,8 @@ CURLcode Curl_http_readwrite_headers(str + { + CURLcode result; + struct SingleRequest *k = &data->req; ++ ssize_t onread = *nread; ++ char *ostr = k->str; + + /* header line within buffer loop */ + do { +@@ -2988,7 +2990,9 @@ CURLcode Curl_http_readwrite_headers(str + else { + /* this was all we read so it's all a bad header */ + k->badheader = HEADER_ALLBAD; +- *nread = (ssize_t)rest_length; ++ *nread = onread; ++ k->str = ostr; ++ return CURLE_OK; + } + break; + } diff --git a/package/network/utils/curl/patches/320-mbedtls-nonblocking-handshake.patch b/package/network/utils/curl/patches/320-mbedtls-nonblocking-handshake.patch index 33ab296e56..0beac59e48 100644 --- a/package/network/utils/curl/patches/320-mbedtls-nonblocking-handshake.patch +++ b/package/network/utils/curl/patches/320-mbedtls-nonblocking-handshake.patch @@ -9,11 +9,9 @@ vtls must set wait for read/write flags for the socket. lib/vtls/vtls.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index fad9335bbf..871622fef1 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c -@@ -485,8 +485,9 @@ void Curl_ssl_close_all(struct Curl_easy *data) +@@ -488,8 +488,9 @@ void Curl_ssl_close_all(struct Curl_easy } #if defined(USE_OPENSSL) || defined(USE_GNUTLS) || defined(USE_SCHANNEL) || \