[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#768321: marked as done (unblock: curl/7.38.0-3)

Your message dated Fri, 07 Nov 2014 12:51:54 +0000
with message-id <f34412642cc281f4b6cce447ce8c80ad@hogwarts.powdarrmonkey.net>
and subject line Re: Bug#768321: unblock: curl/7.38.0-3
has caused the Debian Bug report #768321,
regarding unblock: curl/7.38.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
768321: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768321
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello,

I'd like to upload curl 7.38.0-3 which contains a patch for CVE-2014-3707. This
will also contain an additional change that enables all hardening build flags,
which, AFAICT, isn't included in the approved changes categories, but given the
6 curl CVEs in the last 12 months, I think it'd be a good idea to have in
jessie.

Here's the changelog:

 curl (7.38.0-3) unstable; urgency=high
 .
   * Enable all hardening options (Closes: #763372)
   * Fix duphandle read out of bounds as per CVE-2014-3707
     http://curl.haxx.se/docs/adv_20141105.html
   * Set urgency=high accordingly

and the debdiff is attached.

Can I go on and upload the package?

Thanks

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru curl-7.38.0/debian/changelog curl-7.38.0/debian/changelog
--- curl-7.38.0/debian/changelog	2014-09-23 16:42:12.000000000 +0200
+++ curl-7.38.0/debian/changelog	2014-11-06 11:40:27.000000000 +0100
@@ -1,3 +1,12 @@
+curl (7.38.0-3) unstable; urgency=high
+
+  * Enable all hardening options (Closes: #763372)
+  * Fix duphandle read out of bounds as per CVE-2014-3707
+    http://curl.haxx.se/docs/adv_20141105.html
+  * Set urgency=high accordingly
+
+ -- Alessandro Ghedini <ghedo@debian.org>  Thu, 06 Nov 2014 11:40:24 +0100
+
 curl (7.38.0-2) unstable; urgency=medium
 
   * Check for libtoolize instead of libtool during build.
diff -Nru curl-7.38.0/debian/patches/11_CVE-2014-3707.patch curl-7.38.0/debian/patches/11_CVE-2014-3707.patch
--- curl-7.38.0/debian/patches/11_CVE-2014-3707.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.38.0/debian/patches/11_CVE-2014-3707.patch	2014-11-06 11:40:27.000000000 +0100
@@ -0,0 +1,400 @@
+From 3696fc1ba79d9b34660c44150be5e93ecf87dd9e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 17 Oct 2014 12:59:32 +0200
+Subject: [PATCH] curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of
+ bounds
+
+When duplicating a handle, the data to post was duplicated using
+strdup() when it could be binary and contain zeroes and it was not even
+zero terminated! This caused read out of bounds crashes/segfaults.
+
+Since the lib/strdup.c file no longer is easily shared with the curl
+tool with this change, it now uses its own version instead.
+
+Bug: http://curl.haxx.se/docs/adv_20141105.html
+CVE: CVE-2014-3707
+Reported-By: Symeon Paraschoudis
+---
+ lib/formdata.c    | 52 +++++++++-------------------------------------------
+ lib/strdup.c      | 32 +++++++++++++++++++++++++++-----
+ lib/strdup.h      |  3 ++-
+ lib/url.c         | 22 +++++++++++++++++-----
+ lib/urldata.h     | 11 +++++++++--
+ src/Makefile.inc  |  4 ++--
+ src/tool_setup.h  |  5 ++---
+ src/tool_strdup.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
+ src/tool_strdup.h | 30 ++++++++++++++++++++++++++++++
+ 9 files changed, 145 insertions(+), 61 deletions(-)
+ create mode 100644 src/tool_strdup.c
+ create mode 100644 src/tool_strdup.h
+
+--- a/lib/formdata.c
++++ b/lib/formdata.c
+@@ -36,6 +36,7 @@
+ #include "strequal.h"
+ #include "curl_memory.h"
+ #include "sendf.h"
++#include "strdup.h"
+ 
+ #define _MPRINTF_REPLACE /* use our functions only */
+ #include <curl/mprintf.h>
+@@ -214,46 +215,6 @@
+ 
+ /***************************************************************************
+  *
+- * memdup()
+- *
+- * Copies the 'source' data to a newly allocated buffer buffer (that is
+- * returned). Uses buffer_length if not null, else uses strlen to determine
+- * the length of the buffer to be copied
+- *
+- * Returns the new pointer or NULL on failure.
+- *
+- ***************************************************************************/
+-static char *memdup(const char *src, size_t buffer_length)
+-{
+-  size_t length;
+-  bool add = FALSE;
+-  char *buffer;
+-
+-  if(buffer_length)
+-    length = buffer_length;
+-  else if(src) {
+-    length = strlen(src);
+-    add = TRUE;
+-  }
+-  else
+-    /* no length and a NULL src pointer! */
+-    return strdup("");
+-
+-  buffer = malloc(length+add);
+-  if(!buffer)
+-    return NULL; /* fail */
+-
+-  memcpy(buffer, src, length);
+-
+-  /* if length unknown do null termination */
+-  if(add)
+-    buffer[length] = '\0';
+-
+-  return buffer;
+-}
+-
+-/***************************************************************************
+- *
+  * FormAdd()
+  *
+  * Stores a formpost parameter and builds the appropriate linked list.
+@@ -682,9 +643,12 @@
+            (form == first_form) ) {
+           /* Note that there's small risk that form->name is NULL here if the
+              app passed in a bad combo, so we better check for that first. */
+-          if(form->name)
++          if(form->name) {
+             /* copy name (without strdup; possibly contains null characters) */
+-            form->name = memdup(form->name, form->namelength);
++            form->name = Curl_memdup(form->name, form->namelength?
++                                     form->namelength:
++                                     strlen(form->name)+1);
++          }
+           if(!form->name) {
+             return_value = CURL_FORMADD_MEMORY;
+             break;
+@@ -695,7 +659,9 @@
+                             HTTPPOST_PTRCONTENTS | HTTPPOST_PTRBUFFER |
+                             HTTPPOST_CALLBACK)) ) {
+           /* copy value (without strdup; possibly contains null characters) */
+-          form->value = memdup(form->value, form->contentslength);
++          form->value = Curl_memdup(form->value, form->contentslength?
++                                    form->contentslength:
++                                    strlen(form->value)+1);
+           if(!form->value) {
+             return_value = CURL_FORMADD_MEMORY;
+             break;
+--- a/lib/strdup.c
++++ b/lib/strdup.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -19,12 +19,12 @@
+  * KIND, either express or implied.
+  *
+  ***************************************************************************/
+-/*
+- * This file is 'mem-include-scan' clean. See test 1132.
+- */
+ #include "curl_setup.h"
+-
+ #include "strdup.h"
++#include "curl_memory.h"
++
++/* The last #include file should be: */
++#include "memdebug.h"
+ 
+ #ifndef HAVE_STRDUP
+ char *curlx_strdup(const char *str)
+@@ -50,3 +50,25 @@
+ 
+ }
+ #endif
++
++/***************************************************************************
++ *
++ * Curl_memdup(source, length)
++ *
++ * Copies the 'source' data to a newly allocated buffer (that is
++ * returned). Copies 'length' bytes.
++ *
++ * Returns the new pointer or NULL on failure.
++ *
++ ***************************************************************************/
++char *Curl_memdup(const char *src, size_t length)
++{
++  char *buffer = malloc(length);
++  if(!buffer)
++    return NULL; /* fail */
++
++  memcpy(buffer, src, length);
++
++  /* if length unknown do null termination */
++  return buffer;
++}
+--- a/lib/strdup.h
++++ b/lib/strdup.h
+@@ -7,7 +7,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -26,5 +26,6 @@
+ #ifndef HAVE_STRDUP
+ extern char *curlx_strdup(const char *str);
+ #endif
++char *Curl_memdup(const char *src, size_t buffer_length);
+ 
+ #endif /* HEADER_CURL_STRDUP_H */
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -125,6 +125,7 @@
+ #include "multihandle.h"
+ #include "pipeline.h"
+ #include "dotdot.h"
++#include "strdup.h"
+ 
+ #define _MPRINTF_REPLACE /* use our functions only */
+ #include <curl/mprintf.h>
+@@ -270,8 +271,9 @@
+ {
+   /* Free all dynamic strings stored in the data->set substructure. */
+   enum dupstring i;
+-  for(i=(enum dupstring)0; i < STRING_LAST; i++)
++  for(i=(enum dupstring)0; i < STRING_LAST; i++) {
+     Curl_safefree(data->set.str[i]);
++  }
+ 
+   if(data->change.referer_alloc) {
+     Curl_safefree(data->change.referer);
+@@ -356,14 +358,24 @@
+   memset(dst->set.str, 0, STRING_LAST * sizeof(char *));
+ 
+   /* duplicate all strings */
+-  for(i=(enum dupstring)0; i< STRING_LAST; i++) {
++  for(i=(enum dupstring)0; i< STRING_LASTZEROTERMINATED; i++) {
+     r = setstropt(&dst->set.str[i], src->set.str[i]);
+     if(r != CURLE_OK)
+-      break;
++      return r;
+   }
+ 
+-  /* If a failure occurred, freeing has to be performed externally. */
+-  return r;
++  /* duplicate memory areas pointed to */
++  i = STRING_COPYPOSTFIELDS;
++  if(src->set.postfieldsize && src->set.str[i]) {
++    /* postfieldsize is curl_off_t, Curl_memdup() takes a size_t ... */
++    dst->set.str[i] = Curl_memdup(src->set.str[i], src->set.postfieldsize);
++    if(!dst->set.str[i])
++      return CURLE_OUT_OF_MEMORY;
++    /* point to the new copy */
++    dst->set.postfields = dst->set.str[i];
++  }
++
++  return CURLE_OK;
+ }
+ 
+ /*
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1378,7 +1378,6 @@
+   STRING_KRB_LEVEL,       /* krb security level */
+   STRING_NETRC_FILE,      /* if not NULL, use this instead of trying to find
+                              $HOME/.netrc */
+-  STRING_COPYPOSTFIELDS,  /* if POST, set the fields' values here */
+   STRING_PROXY,           /* proxy to use */
+   STRING_SET_RANGE,       /* range, if used */
+   STRING_SET_REFERER,     /* custom string for the HTTP referer field */
+@@ -1420,7 +1419,15 @@
+ 
+   STRING_BEARER,          /* <bearer>, if used */
+ 
+-  /* -- end of strings -- */
++  /* -- end of zero-terminated strings -- */
++
++  STRING_LASTZEROTERMINATED,
++
++  /* -- below this are pointers to binary data that cannot be strdup'ed.
++     Each such pointer must be added manually to Curl_dupset() --- */
++
++  STRING_COPYPOSTFIELDS,  /* if POST, set the fields' values here */
++
+   STRING_LAST /* not used, just an end-of-list marker */
+ };
+ 
+--- a/src/Makefile.inc
++++ b/src/Makefile.inc
+@@ -11,7 +11,6 @@
+ # the official API, but we re-use the code here to avoid duplication.
+ CURLX_CFILES = \
+ 	../lib/strtoofft.c \
+-	../lib/strdup.c \
+ 	../lib/rawstr.c \
+ 	../lib/nonblock.c \
+ 	../lib/warnless.c
+@@ -19,7 +18,6 @@
+ CURLX_HFILES = \
+ 	../lib/curl_setup.h \
+ 	../lib/strtoofft.h \
+-	../lib/strdup.h \
+ 	../lib/rawstr.h \
+ 	../lib/nonblock.h \
+ 	../lib/warnless.h
+@@ -55,6 +53,7 @@
+ 	tool_panykey.c \
+ 	tool_paramhlp.c \
+ 	tool_parsecfg.c \
++	tool_strdup.c \
+ 	tool_setopt.c \
+ 	tool_sleep.c \
+ 	tool_urlglob.c \
+@@ -99,6 +98,7 @@
+ 	tool_setopt.h \
+ 	tool_setup.h \
+ 	tool_sleep.h \
++	tool_strdup.h \
+ 	tool_urlglob.h \
+ 	tool_util.h \
+ 	tool_version.h \
+--- a/src/tool_setup.h
++++ b/src/tool_setup.h
+@@ -7,7 +7,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -67,8 +67,7 @@
+ #endif
+ 
+ #ifndef HAVE_STRDUP
+-#  include "strdup.h"
+-#  define strdup(ptr) curlx_strdup(ptr)
++#  include "tool_strdup.h"
+ #endif
+ 
+ #endif /* HEADER_CURL_TOOL_SETUP_H */
+--- /dev/null
++++ b/src/tool_strdup.c
+@@ -0,0 +1,47 @@
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at http://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++#include "strdup.h"
++
++#ifndef HAVE_STRDUP
++char *strdup(const char *str)
++{
++  size_t len;
++  char *newstr;
++
++  if(!str)
++    return (char *)NULL;
++
++  len = strlen(str);
++
++  if(len >= ((size_t)-1) / sizeof(char))
++    return (char *)NULL;
++
++  newstr = malloc((len+1)*sizeof(char));
++  if(!newstr)
++    return (char *)NULL;
++
++  memcpy(newstr,str,(len+1)*sizeof(char));
++
++  return newstr;
++
++}
++#endif
+--- /dev/null
++++ b/src/tool_strdup.h
+@@ -0,0 +1,30 @@
++#ifndef HEADER_TOOL_STRDUP_H
++#define HEADER_TOOL_STRDUP_H
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at http://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++#include "tool_setup.h"
++
++#ifndef HAVE_STRDUP
++extern char *strdup(const char *str);
++#endif
++
++#endif /* HEADER_TOOL_STRDUP_H */
diff -Nru curl-7.38.0/debian/patches/series curl-7.38.0/debian/patches/series
--- curl-7.38.0/debian/patches/series	2014-09-23 16:42:12.000000000 +0200
+++ curl-7.38.0/debian/patches/series	2014-11-06 11:40:27.000000000 +0100
@@ -7,6 +7,7 @@
 08_fix-spelling.patch
 09_libtoolize_check.patch
 10_fix-resolver.patch
+11_CVE-2014-3707.patch
 
 # do not add patches below
 90_gnutls.patch
diff -Nru curl-7.38.0/debian/rules curl-7.38.0/debian/rules
--- curl-7.38.0/debian/rules	2014-09-23 16:42:12.000000000 +0200
+++ curl-7.38.0/debian/rules	2014-11-06 11:40:27.000000000 +0100
@@ -6,6 +6,9 @@
 # this will catch miss-linking. (e.g. undefined symbols)
 #export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs
 
+# enable all hardening options (see #763372)
+export DEB_BUILD_MAINT_OPTIONS:=hardening=+all
+
 CONFIGURE_ARGS = -- --disable-dependency-tracking		\
 	--disable-symbol-hiding --enable-versioned-symbols	\
 	--enable-threaded-resolver --with-lber-lib=lber --with-gssapi=/usr

--- End Message ---
--- Begin Message --- 
On 2014-11-07 10:12, Alessandro Ghedini wrote:

On Thu, Nov 06, 2014 at 05:04:38PM +0100, Niels Thykier wrote:

We are willing to accept the proposed debdiff.  One remark, the
hardening change is accepted as an exception; normally I would have
rejected that (but cURL ought to have it - thus, the exception).

Please let us know when it is accepted in unstable.


Uploaded and accepted.


Unblocked, thanks.

--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits

--- End Message ---
Reply to: