[curl/f20] Resolves: CVE-2014-3707 - fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle()
Kamil Dudka
kdudka at fedoraproject.org
Wed Nov 5 11:58:00 UTC 2014
commit cbe7f5bb1f1220374353c1ff6987495f2e6e2186
Author: Kamil Dudka <kdudka at redhat.com>
Date: Wed Nov 5 12:32:57 2014 +0100
Resolves: CVE-2014-3707 - fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle()
0016-curl-7.32.0-b3875606.patch | 280 +++++++++++++++++++++++++++++++++++++++
curl.spec | 9 +-
2 files changed, 288 insertions(+), 1 deletions(-)
---
diff --git a/0016-curl-7.32.0-b3875606.patch b/0016-curl-7.32.0-b3875606.patch
new file mode 100644
index 0000000..b0bd143
--- /dev/null
+++ b/0016-curl-7.32.0-b3875606.patch
@@ -0,0 +1,280 @@
+From 45a125c1d6aaa2352c5ec04eecba322930e6d169 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Fri, 17 Oct 2014 12:59:32 +0200
+Subject: [PATCH] curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of
+ bounds
+
+When duplicating a handle, the data to post was duplicated using
+strdup() when it could be binary and contain zeroes and it was not even
+zero terminated! This caused read out of bounds crashes/segfaults.
+
+Bug: http://curl.haxx.se/docs/adv_20141105.html
+CVE: CVE-2014-3707
+Reported-By: Symeon Paraschoudis
+Upstream-commit: b3875606925536f82fc61f3114ac42f29eaf6945
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/formdata.c | 50 ++++++++------------------------------------------
+ lib/strdup.c | 29 ++++++++++++++++++++++++++---
+ lib/strdup.h | 1 +
+ lib/url.c | 19 +++++++++++++++----
+ lib/urldata.h | 11 +++++++++--
+ src/Makefile.in | 5 ++---
+ src/Makefile.inc | 1 -
+ 7 files changed, 61 insertions(+), 55 deletions(-)
+
+diff --git a/lib/formdata.c b/lib/formdata.c
+index 3260928..050f538 100644
+--- a/lib/formdata.c
++++ b/lib/formdata.c
+@@ -36,6 +36,7 @@
+ #include "strequal.h"
+ #include "curl_memory.h"
+ #include "sendf.h"
++#include "strdup.h"
+
+ #define _MPRINTF_REPLACE /* use our functions only */
+ #include <curl/mprintf.h>
+@@ -214,46 +215,6 @@ static const char *ContentTypeForFilename(const char *filename,
+
+ /***************************************************************************
+ *
+- * memdup()
+- *
+- * Copies the 'source' data to a newly allocated buffer buffer (that is
+- * returned). Uses buffer_length if not null, else uses strlen to determine
+- * the length of the buffer to be copied
+- *
+- * Returns the new pointer or NULL on failure.
+- *
+- ***************************************************************************/
+-static char *memdup(const char *src, size_t buffer_length)
+-{
+- size_t length;
+- bool add = FALSE;
+- char *buffer;
+-
+- if(buffer_length)
+- length = buffer_length;
+- else if(src) {
+- length = strlen(src);
+- add = TRUE;
+- }
+- else
+- /* no length and a NULL src pointer! */
+- return strdup("");
+-
+- buffer = malloc(length+add);
+- if(!buffer)
+- return NULL; /* fail */
+-
+- memcpy(buffer, src, length);
+-
+- /* if length unknown do null termination */
+- if(add)
+- buffer[length] = '\0';
+-
+- return buffer;
+-}
+-
+-/***************************************************************************
+- *
+ * FormAdd()
+ *
+ * Stores a formpost parameter and builds the appropriate linked list.
+@@ -684,7 +645,10 @@ CURLFORMcode FormAdd(struct curl_httppost **httppost,
+ app passed in a bad combo, so we better check for that first. */
+ if(form->name)
+ /* copy name (without strdup; possibly contains null characters) */
+- form->name = memdup(form->name, form->namelength);
++ form->name = Curl_memdup(form->name, form->namelength?
++ form->namelength:
++ strlen(form->name)+1);
++
+ if(!form->name) {
+ return_value = CURL_FORMADD_MEMORY;
+ break;
+@@ -695,7 +659,9 @@ CURLFORMcode FormAdd(struct curl_httppost **httppost,
+ HTTPPOST_PTRCONTENTS | HTTPPOST_PTRBUFFER |
+ HTTPPOST_CALLBACK)) ) {
+ /* copy value (without strdup; possibly contains null characters) */
+- form->value = memdup(form->value, form->contentslength);
++ form->value = Curl_memdup(form->value, form->contentslength?
++ form->contentslength:
++ strlen(form->value)+1);
+ if(!form->value) {
+ return_value = CURL_FORMADD_MEMORY;
+ break;
+diff --git a/lib/strdup.c b/lib/strdup.c
+index 3b776b1..14f370f 100644
+--- a/lib/strdup.c
++++ b/lib/strdup.c
+@@ -19,12 +19,13 @@
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+-/*
+- * This file is 'mem-include-scan' clean. See test 1132.
+- */
+ #include "curl_setup.h"
+
+ #include "strdup.h"
++#include "curl_memory.h"
++
++/* The last #include file should be: */
++#include "memdebug.h"
+
+ #ifndef HAVE_STRDUP
+ char *curlx_strdup(const char *str)
+@@ -50,3 +51,25 @@ char *curlx_strdup(const char *str)
+
+ }
+ #endif
++
++/***************************************************************************
++ *
++ * Curl_memdup(source, length)
++ *
++ * Copies the 'source' data to a newly allocated buffer (that is
++ * returned). Copies 'length' bytes.
++ *
++ * Returns the new pointer or NULL on failure.
++ *
++ ***************************************************************************/
++char *Curl_memdup(const char *src, size_t length)
++{
++ char *buffer = malloc(length);
++ if(!buffer)
++ return NULL; /* fail */
++
++ memcpy(buffer, src, length);
++
++ /* if length unknown do null termination */
++ return buffer;
++}
+diff --git a/lib/strdup.h b/lib/strdup.h
+index 49af911..36cc430 100644
+--- a/lib/strdup.h
++++ b/lib/strdup.h
+@@ -26,5 +26,6 @@
+ #ifndef HAVE_STRDUP
+ extern char *curlx_strdup(const char *str);
+ #endif
++char *Curl_memdup(const char *src, size_t buffer_length);
+
+ #endif /* HEADER_CURL_STRDUP_H */
+diff --git a/lib/url.c b/lib/url.c
+index b0aade1..0aa5a33 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -125,6 +125,7 @@ int curl_win32_idn_to_ascii(const char *in, char **out);
+ #include "multihandle.h"
+ #include "pipeline.h"
+ #include "dotdot.h"
++#include "strdup.h"
+
+ #define _MPRINTF_REPLACE /* use our functions only */
+ #include <curl/mprintf.h>
+@@ -358,14 +359,24 @@ CURLcode Curl_dupset(struct SessionHandle *dst, struct SessionHandle *src)
+ memset(dst->set.str, 0, STRING_LAST * sizeof(char *));
+
+ /* duplicate all strings */
+- for(i=(enum dupstring)0; i< STRING_LAST; i++) {
++ for(i=(enum dupstring)0; i< STRING_LASTZEROTERMINATED; i++) {
+ r = setstropt(&dst->set.str[i], src->set.str[i]);
+ if(r != CURLE_OK)
+- break;
++ return r;
+ }
+
+- /* If a failure occurred, freeing has to be performed externally. */
+- return r;
++ /* duplicate memory areas pointed to */
++ i = STRING_COPYPOSTFIELDS;
++ if(src->set.postfieldsize && src->set.str[i]) {
++ /* postfieldsize is curl_off_t, Curl_memdup() takes a size_t ... */
++ dst->set.str[i] = Curl_memdup(src->set.str[i], src->set.postfieldsize);
++ if(!dst->set.str[i])
++ return CURLE_OUT_OF_MEMORY;
++ /* point to the new copy */
++ dst->set.postfields = dst->set.str[i];
++ }
++
++ return CURLE_OK;
+ }
+
+ /*
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 640cbb1..d03440b 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1350,7 +1350,6 @@ enum dupstring {
+ STRING_KRB_LEVEL, /* krb security level */
+ STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find
+ $HOME/.netrc */
+- STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */
+ STRING_PROXY, /* proxy to use */
+ STRING_SET_RANGE, /* range, if used */
+ STRING_SET_REFERER, /* custom string for the HTTP referer field */
+@@ -1390,7 +1389,15 @@ enum dupstring {
+ STRING_TLSAUTH_PASSWORD, /* TLS auth <password> */
+ #endif
+
+- /* -- end of strings -- */
++ /* -- end of zero-terminated strings -- */
++
++ STRING_LASTZEROTERMINATED,
++
++ /* -- below this are pointers to binary data that cannot be strdup'ed.
++ Each such pointer must be added manually to Curl_dupset() --- */
++
++ STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */
++
+ STRING_LAST /* not used, just an end-of-list marker */
+ };
+
+diff --git a/src/Makefile.in b/src/Makefile.in
+index 86e3d3a..74e8b9e 100644
+--- a/src/Makefile.in
++++ b/src/Makefile.in
+@@ -164,7 +164,7 @@ am__objects_1 = libcurltool_la-tool_binmode.lo \
+ libcurltool_la-tool_util.lo libcurltool_la-tool_vms.lo \
+ libcurltool_la-tool_writeenv.lo \
+ libcurltool_la-tool_writeout.lo libcurltool_la-tool_xattr.lo
+-am__objects_2 = libcurltool_la-strtoofft.lo libcurltool_la-strdup.lo \
++am__objects_2 = libcurltool_la-strtoofft.lo \
+ libcurltool_la-rawstr.lo libcurltool_la-nonblock.lo
+ am__objects_3 =
+ am__objects_4 = $(am__objects_1) $(am__objects_2) $(am__objects_3)
+@@ -200,7 +200,7 @@ am__objects_5 = curl-tool_binmode.$(OBJEXT) curl-tool_bname.$(OBJEXT) \
+ curl-tool_urlglob.$(OBJEXT) curl-tool_util.$(OBJEXT) \
+ curl-tool_vms.$(OBJEXT) curl-tool_writeenv.$(OBJEXT) \
+ curl-tool_writeout.$(OBJEXT) curl-tool_xattr.$(OBJEXT)
+-am__objects_6 = curl-strtoofft.$(OBJEXT) curl-strdup.$(OBJEXT) \
++am__objects_6 = curl-strtoofft.$(OBJEXT) \
+ curl-rawstr.$(OBJEXT) curl-nonblock.$(OBJEXT)
+ am_curl_OBJECTS = $(am__objects_5) $(am__objects_6) $(am__objects_3)
+ curl_OBJECTS = $(am_curl_OBJECTS)
+@@ -503,7 +503,6 @@ AM_CPPFLAGS = -I$(top_builddir)/include/curl -I$(top_builddir)/include \
+ # the official API, but we re-use the code here to avoid duplication.
+ CURLX_ONES = \
+ ../lib/strtoofft.c \
+- ../lib/strdup.c \
+ ../lib/rawstr.c \
+ ../lib/nonblock.c
+
+diff --git a/src/Makefile.inc b/src/Makefile.inc
+index 3f9044d..ea81000 100644
+--- a/src/Makefile.inc
++++ b/src/Makefile.inc
+@@ -11,7 +11,6 @@
+ # the official API, but we re-use the code here to avoid duplication.
+ CURLX_ONES = \
+ ../lib/strtoofft.c \
+- ../lib/strdup.c \
+ ../lib/rawstr.c \
+ ../lib/nonblock.c
+
+--
+2.1.0
+
diff --git a/curl.spec b/curl.spec
index 20c7f87..d10789f 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.32.0
-Release: 14%{?dist}
+Release: 15%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -52,6 +52,9 @@ Patch14: 0014-curl-7.32.0-CVE-2014-3620.patch
# fix a connection failure when FTPS handle is reused
Patch15: 0015-curl-7.32.0-0aecdf68.patch
+# fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707)
+Patch16: 0016-curl-7.32.0-b3875606.patch
+
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@@ -179,6 +182,7 @@ documentation of the library, too.
%patch13 -p1
%patch14 -p1
%patch15 -p1
+%patch16 -p1
# Fedora patches
%patch101 -p1
@@ -300,6 +304,9 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
+* Wed Nov 05 2014 Kamil Dudka <kdudka at redhat.com> 7.32.0-15
+- fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707)
+
* Tue Oct 21 2014 Kamil Dudka <kdudka at redhat.com> 7.32.0-14
- fix a connection failure when FTPS handle is reused
More information about the scm-commits
mailing list