[curl/f19] fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174)

[Kamil Dudka]

commit e73e6809e408f5272f2deba5edce76ffef418dc8
Author: Kamil Dudka <kdudka at redhat.com>
Date:   Sat Jun 22 23:05:15 2013 +0200

    fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174)

 0008-curl-7.29.0-192c4f78.patch |   43 +++++++++++++++++++++++++++++++++++++++
 curl.spec                       |    9 +++++++-
 2 files changed, 51 insertions(+), 1 deletions(-)
---
diff --git a/0008-curl-7.29.0-192c4f78.patch b/0008-curl-7.29.0-192c4f78.patch
new file mode 100644
index 0000000..299f386
--- /dev/null
+++ b/0008-curl-7.29.0-192c4f78.patch
@@ -0,0 +1,43 @@
+From 25089c2c69028f0549facf93f7bdbf7344277f09 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Sun, 19 May 2013 23:24:29 +0200
+Subject: [PATCH] Curl_urldecode: no peeking beyond end of input buffer
+
+Security problem: CVE-2013-2174
+
+If a program would give a string like "%FF" to curl_easy_unescape() but
+ask for it to decode only the first byte, it would still parse and
+decode the full hex sequence. The function then not only read beyond the
+allowed buffer but it would also deduct the *unsigned* counter variable
+for how many more bytes there's left to read in the buffer by two,
+making the counter wrap. Continuing this, the function would go on
+reading beyond the buffer and soon writing beyond the allocated target
+buffer...
+
+Bug: http://curl.haxx.se/docs/adv_20130622.html
+Reported-by: Timo Sirainen
+
+[upstream commit 192c4f788d48f82c03e9cef40013f34370e90737]
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/escape.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/lib/escape.c b/lib/escape.c
+index 6a26cf8..a567edb 100644
+--- a/lib/escape.c
++++ b/lib/escape.c
+@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data,
+ 
+   while(--alloc > 0) {
+     in = *string;
+-    if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
++    if(('%' == in) && (alloc > 2) &&
++       ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
+       /* this is two hexadecimal digits following a '%' */
+       char hexstr[3];
+       char *ptr;
+-- 
+1.7.1
+
diff --git a/curl.spec b/curl.spec
index 5eb3eaf..70d8f5f 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.29.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -28,6 +28,9 @@ Patch6: 0006-curl-7.29.0-25e577b3.patch
 # prevent an artificial timeout event due to stale speed-check data (#906031)
 Patch7: 0007-curl-7.29.0-b37b5233.patch
 
+# fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174)
+Patch8: 0008-curl-7.29.0-192c4f78.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.29.0-multilib.patch
 
@@ -128,6 +131,7 @@ documentation of the library, too.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -245,6 +249,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Sat Jun 22 2013 Kamil Dudka <kdudka at redhat.com> 7.29.0-7
+- fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174)
+
 * Fri Apr 26 2013 Kamil Dudka <kdudka at redhat.com> 7.29.0-6
 - prevent an artificial timeout event due to stale speed-check data (#906031)
 - show proper host name on failed resolve (#957173)