From a8283e1a8bc777cc05c9860b30f2314385a76638 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 20 2020 10:23:52 +0000 Subject: import curl-7.29.0-58.el7 --- diff --git a/SOURCES/0071-curl-7.29.0-CVE-2019-5482.patch b/SOURCES/0071-curl-7.29.0-CVE-2019-5482.patch new file mode 100644 index 0000000..ad6f9dc --- /dev/null +++ b/SOURCES/0071-curl-7.29.0-CVE-2019-5482.patch @@ -0,0 +1,176 @@ +From fe9b4ce23f82a3b2564123bbc3c674cc07a04f2b Mon Sep 17 00:00:00 2001 +From: Thomas Vegas <> +Date: Sat, 31 Aug 2019 16:59:56 +0200 +Subject: [PATCH 1/2] tftp: return error when packet is too small for options + +Upstream-commit: 82f3ba3806a34fe94dcf9e5c9b88deda6679ca1b +Signed-off-by: Kamil Dudka +--- + lib/tftp.c | 76 +++++++++++++++++++++++++++++++++--------------------- + 1 file changed, 46 insertions(+), 30 deletions(-) + +diff --git a/lib/tftp.c b/lib/tftp.c +index 022648a..8ab9d71 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -405,13 +405,14 @@ static CURLcode tftp_parse_option_ack(tftp_state_data_t *state, + return CURLE_OK; + } + +-static size_t tftp_option_add(tftp_state_data_t *state, size_t csize, +- char *buf, const char *option) ++static CURLcode tftp_option_add(tftp_state_data_t *state, size_t *csize, ++ char *buf, const char *option) + { +- if(( strlen(option) + csize + 1 ) > (size_t)state->blksize) +- return 0; ++ if(( strlen(option) + *csize + 1) > (size_t)state->blksize) ++ return CURLE_TFTP_ILLEGAL; + strcpy(buf, option); +- return( strlen(option) + 1 ); ++ *csize += strlen(option) + 1; ++ return CURLE_OK; + } + + static CURLcode tftp_connect_for_tx(tftp_state_data_t *state, +@@ -498,31 +499,46 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event) + sbytes = 4 + strlen(filename) + strlen(mode); + + /* add tsize option */ +- if(data->set.upload && (data->set.infilesize != -1)) +- snprintf( buf, sizeof(buf), "%" FORMAT_OFF_T, data->set.infilesize ); +- else +- strcpy(buf, "0"); /* the destination is large enough */ +- +- sbytes += tftp_option_add(state, sbytes, +- (char *)state->spacket.data+sbytes, +- TFTP_OPTION_TSIZE); +- sbytes += tftp_option_add(state, sbytes, +- (char *)state->spacket.data+sbytes, buf); +- /* add blksize option */ +- snprintf( buf, sizeof(buf), "%d", state->requested_blksize ); +- sbytes += tftp_option_add(state, sbytes, +- (char *)state->spacket.data+sbytes, +- TFTP_OPTION_BLKSIZE); +- sbytes += tftp_option_add(state, sbytes, +- (char *)state->spacket.data+sbytes, buf ); +- +- /* add timeout option */ +- snprintf( buf, sizeof(buf), "%d", state->retry_time); +- sbytes += tftp_option_add(state, sbytes, +- (char *)state->spacket.data+sbytes, +- TFTP_OPTION_INTERVAL); +- sbytes += tftp_option_add(state, sbytes, +- (char *)state->spacket.data+sbytes, buf ); ++ { ++ CURLcode result; ++ if(data->set.upload && (data->set.infilesize != -1)) ++ snprintf( buf, sizeof(buf), "%" FORMAT_OFF_T, data->set.infilesize ); ++ else ++ strcpy(buf, "0"); /* the destination is large enough */ ++ ++ result = tftp_option_add(state, &sbytes, ++ (char *)state->spacket.data + sbytes, ++ TFTP_OPTION_TSIZE); ++ if(result == CURLE_OK) ++ result = tftp_option_add(state, &sbytes, ++ (char *)state->spacket.data + sbytes, buf); ++ ++ /* add blksize option */ ++ snprintf(buf, sizeof(buf), "%d", state->requested_blksize); ++ if(result == CURLE_OK) ++ result = tftp_option_add(state, &sbytes, ++ (char *)state->spacket.data + sbytes, ++ TFTP_OPTION_BLKSIZE); ++ if(result == CURLE_OK) ++ result = tftp_option_add(state, &sbytes, ++ (char *)state->spacket.data + sbytes, buf); ++ ++ /* add timeout option */ ++ snprintf(buf, sizeof(buf), "%d", state->retry_time); ++ if(result == CURLE_OK) ++ result = tftp_option_add(state, &sbytes, ++ (char *)state->spacket.data + sbytes, ++ TFTP_OPTION_INTERVAL); ++ if(result == CURLE_OK) ++ result = tftp_option_add(state, &sbytes, ++ (char *)state->spacket.data + sbytes, buf); ++ ++ if(result != CURLE_OK) { ++ failf(data, "TFTP buffer too small for options"); ++ free(filename); ++ return CURLE_TFTP_ILLEGAL; ++ } ++ } + + /* the typecase for the 3rd argument is mostly for systems that do + not have a size_t argument, like older unixes that want an 'int' */ +-- +2.20.1 + + +From ea5ca5f9ee1a4588061fc8b5a10c5b65fb68a0cd Mon Sep 17 00:00:00 2001 +From: Thomas Vegas <> +Date: Sat, 31 Aug 2019 17:30:51 +0200 +Subject: [PATCH 2/2] tftp: Alloc maximum blksize, and use default unless OACK + is received + +Fixes potential buffer overflow from 'recvfrom()', should the server +return an OACK without blksize. + +Bug: https://curl.haxx.se/docs/CVE-2019-5482.html +CVE-2019-5482 + +Upstream-commit: facb0e4662415b5f28163e853dc6742ac5fafb3d +Signed-off-by: Kamil Dudka +--- + lib/tftp.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/lib/tftp.c b/lib/tftp.c +index 8ab9d71..af3b288 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -961,6 +961,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) + CURLcode code; + tftp_state_data_t *state; + int blksize, rc; ++ int need_blksize; + + blksize = TFTP_BLKSIZE_DEFAULT; + +@@ -979,15 +980,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) + return CURLE_TFTP_ILLEGAL; + } + ++ need_blksize = blksize; ++ /* default size is the fallback when no OACK is received */ ++ if(need_blksize < TFTP_BLKSIZE_DEFAULT) ++ need_blksize = TFTP_BLKSIZE_DEFAULT; ++ + if(!state->rpacket.data) { +- state->rpacket.data = calloc(1, blksize + 2 + 2); ++ state->rpacket.data = calloc(1, need_blksize + 2 + 2); + + if(!state->rpacket.data) + return CURLE_OUT_OF_MEMORY; + } + + if(!state->spacket.data) { +- state->spacket.data = calloc(1, blksize + 2 + 2); ++ state->spacket.data = calloc(1, need_blksize + 2 + 2); + + if(!state->spacket.data) + return CURLE_OUT_OF_MEMORY; +@@ -1001,7 +1007,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) + state->sockfd = state->conn->sock[FIRSTSOCKET]; + state->state = TFTP_STATE_START; + state->error = TFTP_ERR_NONE; +- state->blksize = blksize; ++ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */ + state->requested_blksize = blksize; + + ((struct sockaddr *)&state->local_addr)->sa_family = +-- +2.20.1 + diff --git a/SOURCES/0073-curl-7.29.0-post-cdev.patch b/SOURCES/0073-curl-7.29.0-post-cdev.patch new file mode 100644 index 0000000..18c82d6 --- /dev/null +++ b/SOURCES/0073-curl-7.29.0-post-cdev.patch @@ -0,0 +1,39 @@ +From f4ae40a0e8a35d18a7b8560980b9408d7b06ba8c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 4 Mar 2013 15:20:22 +0100 +Subject: [PATCH] AddFormData: prevent only directories from being posted +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit f4cc54cb4746ae5a6d (shipped as part of the 7.29.0 release) was a +bug fix that introduced a regression in that while trying to avoid +allowing directory names, it also forbade "special" files like character +devices and more. like "/dev/null" as was used by Oliver who reported +this regression. + +Reported by: Oliver Gondža +Bug: http://curl.haxx.se/mail/archive-2013-02/0040.html + +Upstream-commit: 26eaa8383001219e7cd14a153dff95ea9274be6e +Signed-off-by: Kamil Dudka +--- + lib/formdata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/formdata.c b/lib/formdata.c +index 0da6de3..28f9a32 100644 +--- a/lib/formdata.c ++++ b/lib/formdata.c +@@ -796,7 +796,7 @@ static CURLcode AddFormData(struct FormData **formp, + file */ + if(!strequal("-", newform->line)) { + struct_stat file; +- if(!stat(newform->line, &file) && S_ISREG(file.st_mode)) ++ if(!stat(newform->line, &file) && !S_ISDIR(file.st_mode)) + *size += file.st_size; + else + return CURLE_BAD_FUNCTION_ARGUMENT; +-- +2.20.1 + diff --git a/SPECS/curl.spec b/SPECS/curl.spec index 46496d1..d08d6ca 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.29.0 -Release: 56%{?dist} +Release: 58%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma @@ -217,9 +217,15 @@ Patch69: 0069-curl-7.29.0-file-limit-rate.patch # fix TFTP receive buffer overflow (CVE-2019-5436) Patch70: 0070-curl-7.29.0-CVE-2019-5436.patch +# fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482) +Patch71: 0071-curl-7.29.0-CVE-2019-5482.patch + # fix auth failure with duplicated WWW-Authenticate header (#1754736) Patch72: 0072-curl-7.29.0-dup-auth-header.patch +# allow curl to POST from a char device (#1769307) +Patch73: 0073-curl-7.29.0-post-cdev.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.29.0-multilib.patch @@ -420,7 +426,9 @@ documentation of the library, too. %patch68 -p1 %patch69 -p1 %patch70 -p1 +%patch71 -p1 %patch72 -p1 +%patch73 -p1 # regenerate Makefile.in files aclocal -I m4 @@ -536,6 +544,12 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Mon Mar 23 2020 Kamil Dudka - 7.29.0-58 +- fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482) + +* Wed Nov 27 2019 Kamil Dudka - 7.29.0-57 +- allow curl to POST from a char device (#1769307) + * Tue Oct 01 2019 Kamil Dudka - 7.29.0-56 - fix auth failure with duplicated WWW-Authenticate header (#1754736)