rpms / curl

Clone
Source Code
GIT

Blame SOURCES/0040-curl-7.61.1-CVE-2022-32208.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c8-beta
  2.   SOURCES
  3.   0040-curl-7.61.1-CVE-2022-32208.patch
Blob History Raw
0fa833 
From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
0fa833 
From: Daniel Stenberg <daniel@haxx.se>
0fa833 
Date: Thu, 9 Jun 2022 09:27:24 +0200
0fa833 
Subject: [PATCH] krb5: return error properly on decode errors
0fa833
0fa833 
Bug: https://curl.se/docs/CVE-2022-32208.html
0fa833 
CVE-2022-32208
0fa833 
Reported-by: Harry Sintonen
0fa833 
Closes #9051
0fa833
0fa833 
Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
0fa833 
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
0fa833 
---
0fa833 
 lib/krb5.c     |  5 +----
0fa833 
 lib/security.c | 19 +++++++++++++++----
0fa833 
 2 files changed, 16 insertions(+), 8 deletions(-)
0fa833
0fa833 
diff --git a/lib/krb5.c b/lib/krb5.c
0fa833 
index 787137c..6f9e1f7 100644
0fa833 
--- a/lib/krb5.c
0fa833 
+++ b/lib/krb5.c
0fa833 
@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len,
0fa833 
   enc.value = buf;
0fa833 
   enc.length = len;
0fa833 
   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
0fa833 
-  if(maj != GSS_S_COMPLETE) {
0fa833 
-    if(len >= 4)
0fa833 
-      strcpy(buf, "599 ");
0fa833 
+  if(maj != GSS_S_COMPLETE)
0fa833 
     return -1;
0fa833 
-  }
0fa833
0fa833 
   memcpy(buf, dec.value, dec.length);
0fa833 
   len = curlx_uztosi(dec.length);
0fa833 
diff --git a/lib/security.c b/lib/security.c
0fa833 
index 52cce97..c95f290 100644
0fa833 
--- a/lib/security.c
0fa833 
+++ b/lib/security.c
0fa833 
@@ -64,6 +64,10 @@
0fa833 
 /* The last #include file should be: */
0fa833 
 #include "memdebug.h"
0fa833
0fa833 
+/* Max string input length is a precaution against abuse and to detect junk
0fa833 
+   input easier and better. */
0fa833 
+#define CURL_MAX_INPUT_LENGTH 8000000
0fa833 
+
0fa833 
 static const struct {
0fa833 
   enum protection_level level;
0fa833 
   const char *name;
0fa833 
@@ -192,6 +196,7 @@ static CURLcode read_data(struct connectdata *conn,
0fa833 
 {
0fa833 
   int len;
0fa833 
   CURLcode result;
0fa833 
+  int nread;
0fa833
0fa833 
   result = socket_read(fd, &len, sizeof(len));
0fa833 
   if(result)
0fa833 
@@ -200,7 +205,10 @@ static CURLcode read_data(struct connectdata *conn,
0fa833 
   if(len) {
0fa833 
     /* only realloc if there was a length */
0fa833 
     len = ntohl(len);
0fa833 
-    buf->data = Curl_saferealloc(buf->data, len);
0fa833 
+    if(len > CURL_MAX_INPUT_LENGTH)
0fa833 
+      len = 0;
0fa833 
+    else
0fa833 
+      buf->data = Curl_saferealloc(buf->data, len);
0fa833 
   }
0fa833 
   if(!len || !buf->data)
0fa833 
     return CURLE_OUT_OF_MEMORY;
0fa833 
@@ -208,8 +216,11 @@ static CURLcode read_data(struct connectdata *conn,
0fa833 
   result = socket_read(fd, buf->data, len);
0fa833 
   if(result)
0fa833 
     return result;
0fa833 
-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
0fa833 
-                                 conn->data_prot, conn);
0fa833 
+  nread = conn->mech->decode(conn->app_data, buf->data, len,
0fa833 
+                             conn->data_prot, conn);
0fa833 
+  if(nread < 0)
0fa833 
+    return CURLE_RECV_ERROR;
0fa833 
+  buf->size = (size_t)nread;
0fa833 
   buf->index = 0;
0fa833 
   return CURLE_OK;
0fa833 
 }
0fa833 
--
0fa833 
2.35.3
0fa833

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation