Commit b77fa222 authored by Leonardo Arena's avatar Leonardo Arena

main/curl: security fixes (CVE-2019-5481, CVE-2019-5482)

closes #10793
parent fd0aefe7
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org> # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl pkgname=curl
pkgver=7.61.1 pkgver=7.61.1
pkgrel=2 pkgrel=3
pkgdesc="URL retrival utility and library" pkgdesc="URL retrival utility and library"
url="https://curl.haxx.se" url="https://curl.haxx.se"
arch="all" arch="all"
...@@ -21,10 +21,16 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz ...@@ -21,10 +21,16 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz
CVE-2018-16890.patch CVE-2018-16890.patch
CVE-2019-3822.patch CVE-2019-3822.patch
CVE-2019-3823.patch CVE-2019-3823.patch
CVE-2019-5481.patch
CVE-2019-5482.patch
" "
builddir="$srcdir/$pkgname-$pkgver" builddir="$srcdir/$pkgname-$pkgver"
# secfixes: # secfixes:
# 7.61.1-r3:
# - CVE-2019-5481
# - CVE-2019-5482
# 7.61.1-r2: # 7.61.1-r2:
# - CVE-2018-16890 # - CVE-2018-16890
# - CVE-2019-3822 # - CVE-2019-3822
...@@ -127,4 +133,6 @@ c1a684f17267b08f77625064ac62e4f06989c552d6d501565f8bebf31d3a96a613f0683376ec7cc1 ...@@ -127,4 +133,6 @@ c1a684f17267b08f77625064ac62e4f06989c552d6d501565f8bebf31d3a96a613f0683376ec7cc1
dcaca036eafaaae66eba99808d00ff6bed3c9e59c2c1239ca1ddcf54c9e1c53edabd543dc6925ded3cdf9efd39c0968353527ae5ed0b986cefba333fbc7fd1af CVE-2018-16842.patch dcaca036eafaaae66eba99808d00ff6bed3c9e59c2c1239ca1ddcf54c9e1c53edabd543dc6925ded3cdf9efd39c0968353527ae5ed0b986cefba333fbc7fd1af CVE-2018-16842.patch
573b896bd78e404002398bdf38d952ec6247af551ef7d6e34d52acbf004f8f4de60299e3a8f83be75e22dfb8731e466aea0253efec7116282afab32dbb1f66e8 CVE-2018-16890.patch 573b896bd78e404002398bdf38d952ec6247af551ef7d6e34d52acbf004f8f4de60299e3a8f83be75e22dfb8731e466aea0253efec7116282afab32dbb1f66e8 CVE-2018-16890.patch
959a55237752b254bc5f58308607f3cf0475e207a7400ff6be7942c48131787f1dec4c05be5b76865ae0adf81ebae77774085ad0c19dd342fb0307cfcfe24b6c CVE-2019-3822.patch 959a55237752b254bc5f58308607f3cf0475e207a7400ff6be7942c48131787f1dec4c05be5b76865ae0adf81ebae77774085ad0c19dd342fb0307cfcfe24b6c CVE-2019-3822.patch
73f0d06f9bbd6f0688e67310120d1e806752626c103b0a52bc4b4a1a77bbe248885778f39386fbfc38cb534cd12d18f205c091769558e6a04b50010cb9ba6a69 CVE-2019-3823.patch" 73f0d06f9bbd6f0688e67310120d1e806752626c103b0a52bc4b4a1a77bbe248885778f39386fbfc38cb534cd12d18f205c091769558e6a04b50010cb9ba6a69 CVE-2019-3823.patch
37161e4d94cdb1add2216b031f70d7ae84451229dffe48ca9856bb311e88678f0e11baab6bb4da0386ed31e8467aa51fabaf6122f876ef9bc0003638d07f22cf CVE-2019-5481.patch
6a048e3794415792a4554651bc55b71c22735f58293db584e9c822af9faad22f27c730b5d649d4bf1fb8d2c251f8d6e2f67249929bb7b3a76495c1f36a898ce7 CVE-2019-5482.patch"
From 9069838b30fb3b48af0123e39f664cea683254a5 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 3 Sep 2019 22:59:32 +0200
Subject: [PATCH] security:read_data fix bad realloc()
... that could end up a double-free
CVE-2019-5481
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
---
lib/security.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/lib/security.c b/lib/security.c
index 550ea2da8d..c5e4e135df 100644
--- a/lib/security.c
+++ b/lib/security.c
@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
struct krb5buffer *buf)
{
int len;
- void *tmp = NULL;
CURLcode result;
result = socket_read(fd, &len, sizeof(len));
@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
if(len) {
/* only realloc if there was a length */
len = ntohl(len);
- tmp = Curl_saferealloc(buf->data, len);
+ buf->data = Curl_saferealloc(buf->data, len);
}
- if(tmp == NULL)
+ if(!len || !buf->data)
return CURLE_OUT_OF_MEMORY;
- buf->data = tmp;
result = socket_read(fd, buf->data, len);
if(result)
return result;
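Review bot: `len` is a signed `int` filled from the peer by the first `socket_read()`, and after `ntohl()` it goes straight into `Curl_saferealloc()` and the second `socket_read()` with no range check in this hunk. A negative value would presumably convert to a very large allocation size, so safety rests on the allocation failing rather than on an explicit bound. A guard before the realloc would make the limit visible, e.g. `if(len <= 0 || len > MAX_BLOCK_LEN) return CURLE_RECV_ERROR;`, where `MAX_BLOCK_LEN` is a placeholder for a cap the project would choose. Separately, `if(!len || !buf->data)` reports a zero-length block as `CURLE_OUT_OF_MEMORY`, which misleads anyone triaging the failure. read_data's body starts before and continues after the hunk.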
From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
From: Thomas Vegas <>
Date: Sat, 31 Aug 2019 17:30:51 +0200
Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
received
Fixes potential buffer overflow from 'recvfrom()', should the server
return an OACK without blksize.
Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
CVE-2019-5482
---
lib/tftp.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/lib/tftp.c b/lib/tftp.c
index a7176cec80..346f293dc5 100644
--- a/lib/tftp.c
+++ b/lib/tftp.c
@@ -985,6 +985,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
{
tftp_state_data_t *state;
int blksize;
+ int need_blksize;
blksize = TFTP_BLKSIZE_DEFAULT;
@@ -999,15 +1000,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
return CURLE_TFTP_ILLEGAL;
}
+ need_blksize = blksize;
+ /* default size is the fallback when no OACK is received */
+ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
+ need_blksize = TFTP_BLKSIZE_DEFAULT;
+
if(!state->rpacket.data) {
- state->rpacket.data = calloc(1, blksize + 2 + 2);
+ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
if(!state->rpacket.data)
return CURLE_OUT_OF_MEMORY;
}
if(!state->spacket.data) {
- state->spacket.data = calloc(1, blksize + 2 + 2);
+ state->spacket.data = calloc(1, need_blksize + 2 + 2);
if(!state->spacket.data)
return CURLE_OUT_OF_MEMORY;
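Review bot: Nothing in this hunk records why both packet buffers are sized from `need_blksize` rather than `blksize`, or what the `+ 2 + 2` stands for, although that sizing is the whole safety argument of the fix. A comment above the first `calloc` would help, e.g. `/* sized for max(requested, default) blksize plus the 4-byte header, because the default is used when no OACK arrives; receive lengths must never exceed this */`. The 4-byte header reading is inferred from the TFTP packet layout and should be confirmed. The patch's diffstat lists 9 insertions and 3 deletions but fewer are visible on this page, so the change that sets the block size used on the receive path cannot be checked here. tftp_connect's body starts before and continues after the hunk.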