Blame SOURCES/0006-curl-7.76.1-CVE-2021-22925.patch

b97401
From 3dbac7fb8b39a4f9aa871401d9d2790f0583ba01 Mon Sep 17 00:00:00 2001
b97401
From: Daniel Stenberg <daniel@haxx.se>
b97401
Date: Sat, 12 Jun 2021 18:25:15 +0200
b97401
Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
b97401
b97401
CVE-2021-22925
b97401
b97401
Reported-by: Red Hat Product Security
b97401
Bug: https://curl.se/docs/CVE-2021-22925.html
b97401
b97401
Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a
b97401
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
b97401
---
b97401
 lib/telnet.c | 17 +++++++++++------
b97401
 1 file changed, 11 insertions(+), 6 deletions(-)
b97401
b97401
diff --git a/lib/telnet.c b/lib/telnet.c
b97401
index fdd137f..567c22c 100644
b97401
--- a/lib/telnet.c
b97401
+++ b/lib/telnet.c
b97401
@@ -922,12 +922,17 @@ static void suboption(struct Curl_easy *data)
b97401
         size_t tmplen = (strlen(v->data) + 1);
b97401
         /* Add the variable only if it fits */
b97401
         if(len + tmplen < (int)sizeof(temp)-6) {
b97401
-          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
b97401
-            msnprintf((char *)&temp[len], sizeof(temp) - len,
b97401
-                      "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
b97401
-                      CURL_NEW_ENV_VALUE, varval);
b97401
-            len += tmplen;
b97401
-          }
b97401
+          int rv;
b97401
+          char sep[2] = "";
b97401
+          varval[0] = 0;
b97401
+          rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
b97401
+          if(rv == 1)
b97401
+            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
b97401
+                             "%c%s", CURL_NEW_ENV_VAR, varname);
b97401
+          else if(rv >= 2)
b97401
+            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
b97401
+                             "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
b97401
+                             CURL_NEW_ENV_VALUE, varval);
b97401
         }
b97401
       }
b97401
       msnprintf((char *)&temp[len], sizeof(temp) - len,
b97401
-- 
b97401
2.31.1
b97401