Bug#930555: unblock: curl/7.64.0-4
Hi,
On Sat, Jun 15, 2019 at 02:19:22PM +0200, Salvatore Bonaccorso wrote:
[...]
> Attached is as well the debdiff produced from the version in testing
> to the one in sid.
... or not. Now attached.
Regards,
Salvatore
diff -Nru curl-7.64.0/debian/changelog curl-7.64.0/debian/changelog
--- curl-7.64.0/debian/changelog 2019-05-04 13:51:06.000000000 +0200
+++ curl-7.64.0/debian/changelog 2019-06-14 20:23:32.000000000 +0200
@@ -1,3 +1,12 @@
+curl (7.64.0-4) unstable; urgency=medium
+
+ * Fix TFTP receive buffer overflow as per CVE-2019-5436 (Closes: #929351)
+ https://curl.haxx.se/docs/CVE-2019-5436.html
+ * Fix integer overflow in curl_url_set() as per CVE-2019-5435 (Closes: #929352)
+ https://curl.haxx.se/docs/CVE-2019-5435.html
+
+ -- Alessandro Ghedini <ghedo@debian.org> Fri, 14 Jun 2019 19:23:32 +0100
+
curl (7.64.0-3) unstable; urgency=medium
* Fix potential crash in HTTP/2 code and busy loop at the end of connections
diff -Nru curl-7.64.0/debian/patches/16_tftp-use-the-current-blksize-for-recvfrom.patch curl-7.64.0/debian/patches/16_tftp-use-the-current-blksize-for-recvfrom.patch
--- curl-7.64.0/debian/patches/16_tftp-use-the-current-blksize-for-recvfrom.patch 1970-01-01 01:00:00.000000000 +0100
+++ curl-7.64.0/debian/patches/16_tftp-use-the-current-blksize-for-recvfrom.patch 2019-06-14 20:23:32.000000000 +0200
@@ -0,0 +1,23 @@
+From 2576003415625d7b5f0e390902f8097830b82275 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 3 May 2019 22:20:37 +0200
+Subject: [PATCH] tftp: use the current blksize for recvfrom()
+
+bug: https://curl.haxx.se/docs/CVE-2019-5436.html
+Reported-by: l00p3r on hackerone
+CVE-2019-5436
+---
+ lib/tftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -1005,7 +1005,7 @@
+ state->sockfd = state->conn->sock[FIRSTSOCKET];
+ state->state = TFTP_STATE_START;
+ state->error = TFTP_ERR_NONE;
+- state->blksize = TFTP_BLKSIZE_DEFAULT;
++ state->blksize = blksize;
+ state->requested_blksize = blksize;
+
+ ((struct sockaddr *)&state->local_addr)->sa_family =
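Review bot: Assigning the requested size to `state->blksize` makes the recvfrom() bound agree with a buffer sized for that request, but it does not on its own cover the case where the server ignores the blksize option and sends TFTP_BLKSIZE_DEFAULT-sized blocks, which the option negotiation permits; if the receive buffer whose allocation lies outside this hunk is sized from `blksize` alone and a caller passed a value below 512, the later fallback to the default would again read more than was allocated. Confirm that allocation uses at least the default, e.g. `blksize < TFTP_BLKSIZE_DEFAULT ? TFTP_BLKSIZE_DEFAULT : blksize` (plus whatever headroom the code already adds), or that the OACK handling refuses to let the effective block size exceed the allocated size. The enclosing function starts and ends outside the hunk, so this is inferred from the assignment alone and should be checked against the allocation site.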
diff -Nru curl-7.64.0/debian/patches/17_CURL_MAX_INPUT_LENGTH-largest-acceptable-string-inpu.patch curl-7.64.0/debian/patches/17_CURL_MAX_INPUT_LENGTH-largest-acceptable-string-inpu.patch
--- curl-7.64.0/debian/patches/17_CURL_MAX_INPUT_LENGTH-largest-acceptable-string-inpu.patch 1970-01-01 01:00:00.000000000 +0100
+++ curl-7.64.0/debian/patches/17_CURL_MAX_INPUT_LENGTH-largest-acceptable-string-inpu.patch 2019-06-14 20:23:32.000000000 +0200
@@ -0,0 +1,245 @@
+From 5fc28510a4664f46459d9a40187d81cc08571e60 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Apr 2019 08:00:49 +0200
+Subject: [PATCH] CURL_MAX_INPUT_LENGTH: largest acceptable string input size
+
+This limits all accepted input strings passed to libcurl to be less than
+CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
+curl_easy_setopt() and curl_url_set().
+
+The 8000000 number is arbitrary picked and is meant to detect mistakes
+or abuse, not to limit actual practical use cases. By limiting the
+acceptable string lengths we also reduce the risk of integer overflows
+all over.
+
+NOTE: This does not apply to `CURLOPT_POSTFIELDS`.
+
+Test 1559 verifies.
+
+Closes #3805
+---
+ lib/setopt.c | 7 ++++
+ lib/urlapi.c | 8 ++++
+ lib/urldata.h | 4 ++
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test1559 | 44 +++++++++++++++++++++
+ tests/libtest/Makefile.inc | 6 ++-
+ tests/libtest/lib1559.c | 78 ++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 146 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test1559
+ create mode 100644 tests/libtest/lib1559.c
+
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -60,6 +60,13 @@
+ if(s) {
+ char *str = strdup(s);
+
++ if(str) {
++ size_t len = strlen(str);
++ if(len > CURL_MAX_INPUT_LENGTH) {
++ free(str);
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ }
++ }
+ if(!str)
+ return CURLE_OUT_OF_MEMORY;
+
+--- a/lib/urlapi.c
++++ b/lib/urlapi.c
+@@ -648,6 +648,10 @@
+ ************************************************************/
+ /* allocate scratch area */
+ urllen = strlen(url);
++ if(urllen > CURL_MAX_INPUT_LENGTH)
++ /* excessive input length */
++ return CURLUE_MALFORMED_INPUT;
++
+ path = u->scratch = malloc(urllen * 2 + 2);
+ if(!path)
+ return CURLUE_OUT_OF_MEMORY;
+@@ -1278,6 +1282,10 @@
+ const char *newp = part;
+ size_t nalloc = strlen(part);
+
++ if(nalloc > CURL_MAX_INPUT_LENGTH)
++ /* excessive input length */
++ return CURLUE_MALFORMED_INPUT;
++
+ if(urlencode) {
+ const char *i;
+ char *o;
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -79,6 +79,10 @@
+ */
+ #define RESP_TIMEOUT (120*1000)
+
++/* Max string intput length is a precaution against abuse and to detect junk
++ input easier and better. */
++#define CURL_MAX_INPUT_LENGTH 8000000
++
+ #include "cookie.h"
+ #include "psl.h"
+ #include "formdata.h"
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -176,7 +176,7 @@
+ test1533 test1534 test1535 test1536 test1537 test1538 \
+ test1540 \
+ test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \
+-test1558 test1560 test1561 test1562 \
++test1558 test1559 test1560 test1561 test1562 \
+ \
+ test1590 test1591 test1592 \
+ \
+--- /dev/null
++++ b/tests/data/test1559
+@@ -0,0 +1,44 @@
++<testcase>
++<info>
++<keywords>
++CURLOPT_URL
++</keywords>
++</info>
++
++<reply>
++</reply>
++
++<client>
++<server>
++none
++</server>
++
++# require HTTP so that CURLOPT_POSTFIELDS works as assumed
++<features>
++http
++</features>
++<tool>
++lib1559
++</tool>
++
++<name>
++Set excessive URL lengths
++</name>
++</client>
++
++#
++# Verify that the test runs to completion without crashing
++<verify>
++<errorcode>
++0
++</errorcode>
++<stdout>
++CURLOPT_URL 10000000 bytes URL == 43
++CURLOPT_POSTFIELDS 10000000 bytes data == 0
++CURLUPART_URL 10000000 bytes URL == 3
++CURLUPART_SCHEME 10000000 bytes scheme == 3
++CURLUPART_USER 10000000 bytes user == 3
++</stdout>
++</verify>
++
++</testcase>
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -30,8 +30,7 @@
+ lib1534 lib1535 lib1536 lib1537 lib1538 \
+ lib1540 \
+ lib1550 lib1551 lib1552 lib1553 lib1554 lib1555 lib1556 lib1557 \
+- lib1558 \
+- lib1560 \
++ lib1558 lib1559 lib1560 \
+ lib1591 lib1592 \
+ lib1900 \
+ lib2033
+@@ -520,6 +519,9 @@
+ lib1558_SOURCES = lib1558.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib1558_LDADD = $(TESTUTIL_LIBS)
+
++lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
++lib1559_LDADD = $(TESTUTIL_LIBS)
++
+ lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib1560_LDADD = $(TESTUTIL_LIBS)
+
+--- /dev/null
++++ b/tests/libtest/lib1559.c
+@@ -0,0 +1,78 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++#include "test.h"
++
++#include "testutil.h"
++#include "warnless.h"
++#include "memdebug.h"
++
++#define EXCESSIVE 10*1000*1000
++int test(char *URL)
++{
++ CURLcode res = 0;
++ CURL *curl = NULL;
++ char *longurl = malloc(EXCESSIVE);
++ CURLU *u;
++ (void)URL;
++
++ memset(longurl, 'a', EXCESSIVE);
++ longurl[EXCESSIVE-1] = 0;
++
++ global_init(CURL_GLOBAL_ALL);
++ easy_init(curl);
++
++ res = curl_easy_setopt(curl, CURLOPT_URL, longurl);
++ printf("CURLOPT_URL %d bytes URL == %d\n",
++ EXCESSIVE, (int)res);
++
++ res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, longurl);
++ printf("CURLOPT_POSTFIELDS %d bytes data == %d\n",
++ EXCESSIVE, (int)res);
++
++ u = curl_url();
++ if(u) {
++ CURLUcode uc = curl_url_set(u, CURLUPART_URL, longurl, 0);
++ printf("CURLUPART_URL %d bytes URL == %d\n",
++ EXCESSIVE, (int)uc);
++ uc = curl_url_set(u, CURLUPART_SCHEME, longurl, CURLU_NON_SUPPORT_SCHEME);
++ printf("CURLUPART_SCHEME %d bytes scheme == %d\n",
++ EXCESSIVE, (int)uc);
++ uc = curl_url_set(u, CURLUPART_USER, longurl, 0);
++ printf("CURLUPART_USER %d bytes user == %d\n",
++ EXCESSIVE, (int)uc);
++ curl_url_cleanup(u);
++ }
++
++ free(longurl);
++
++ curl_easy_cleanup(curl);
++ curl_global_cleanup();
++
++ return 0;
++
++test_cleanup:
++
++ curl_easy_cleanup(curl);
++ curl_global_cleanup();
++
++ return res; /* return the final return code */
++}
diff -Nru curl-7.64.0/debian/patches/series curl-7.64.0/debian/patches/series
--- curl-7.64.0/debian/patches/series 2019-05-04 13:51:06.000000000 +0200
+++ curl-7.64.0/debian/patches/series 2019-06-14 20:23:32.000000000 +0200
@@ -7,6 +7,8 @@
13_singlesocket-fix-the-sincebefore-placement.patch
14_connection_check-set-data-to-the-transfer-doing-the-.patch
15_connection_check-restore-original-conn-data-after-th.patch
+16_tftp-use-the-current-blksize-for-recvfrom.patch
+17_CURL_MAX_INPUT_LENGTH-largest-acceptable-string-inpu.patch
# do not add patches below
90_gnutls.patch