diff options
Diffstat (limited to 'curl-7.15.5-CVE-2013-2174.patch')
-rw-r--r-- | curl-7.15.5-CVE-2013-2174.patch | 268 |
1 files changed, 268 insertions, 0 deletions
diff --git a/curl-7.15.5-CVE-2013-2174.patch b/curl-7.15.5-CVE-2013-2174.patch new file mode 100644 index 0000000..553b7d0 --- /dev/null +++ b/curl-7.15.5-CVE-2013-2174.patch @@ -0,0 +1,268 @@ +From ab181f4e1116322b13db55969fc5162e6a7c0114 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Sat, 4 Aug 2007 20:47:59 +0000 +Subject: [PATCH 1/4] Patrick Monnerat fixed curl_easy_escape() and curlx_strtoll() to work on non-ASCII systems. + +[upstream commit 1926f4573d43f35f33b524d120e847ea819cc7c7] + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + lib/escape.c | 29 ++++++++++++++++++++++------- + 1 files changed, 22 insertions(+), 7 deletions(-) + +diff --git a/lib/escape.c b/lib/escape.c +index 18ae2e1..e0e696a 100644 +--- a/lib/escape.c ++++ b/lib/escape.c +@@ -75,9 +75,27 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) + length = alloc-1; + while(length--) { + in = *string; +- if(!(in >= 'a' && in <= 'z') && +- !(in >= 'A' && in <= 'Z') && +- !(in >= '0' && in <= '9')) { ++ ++ /* Portable character check (remember EBCDIC). Do not use isalnum() because ++ its behavior is altered by the current locale. */ ++ ++ switch (in) { ++ case '0': case '1': case '2': case '3': case '4': ++ case '5': case '6': case '7': case '8': case '9': ++ case 'a': case 'b': case 'c': case 'd': case 'e': ++ case 'f': case 'g': case 'h': case 'i': case 'j': ++ case 'k': case 'l': case 'm': case 'n': case 'o': ++ case 'p': case 'q': case 'r': case 's': case 't': ++ case 'u': case 'v': case 'w': case 'x': case 'y': case 'z': ++ case 'A': case 'B': case 'C': case 'D': case 'E': ++ case 'F': case 'G': case 'H': case 'I': case 'J': ++ case 'K': case 'L': case 'M': case 'N': case 'O': ++ case 'P': case 'Q': case 'R': case 'S': case 'T': ++ case 'U': case 'V': case 'W': case 'X': case 'Y': case 'Z': ++ /* just copy this */ ++ ns[strindex++]=in; ++ break; ++ default: + /* encode it */ + newlen += 2; /* the size grows with two, since this'll become a %XX */ + if(newlen > alloc) { +@@ -105,10 +123,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) + snprintf(&ns[strindex], 4, "%%%02X", in); + + strindex+=3; +- } +- else { +- /* just copy this */ +- ns[strindex++]=in; ++ break; + } + string++; + } +-- +1.7.1 + + +From e2a98feff68c5ccc7c5de901f460860fc1b7ca95 Mon Sep 17 00:00:00 2001 +From: Dan Fandrich <dan@coneharvesters.com> +Date: Tue, 9 Sep 2008 21:15:50 +0000 +Subject: [PATCH 2/4] Factored out Curl_isalnum + +[upstream commit c98ab69cc7aae688db604bbaad5bcc8d3fe25cba] + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + lib/escape.c | 47 +++++++++++++++++++++++++++-------------------- + 1 files changed, 27 insertions(+), 20 deletions(-) + +diff --git a/lib/escape.c b/lib/escape.c +index e0e696a..868d56a 100644 +--- a/lib/escape.c ++++ b/lib/escape.c +@@ -42,6 +42,30 @@ + /* The last #include file should be: */ + #include "memdebug.h" + ++/* Portable character check (remember EBCDIC). Do not use isalnum() because ++its behavior is altered by the current locale. */ ++static bool Curl_isalnum(unsigned char in) ++{ ++ switch (in) { ++ case '0': case '1': case '2': case '3': case '4': ++ case '5': case '6': case '7': case '8': case '9': ++ case 'a': case 'b': case 'c': case 'd': case 'e': ++ case 'f': case 'g': case 'h': case 'i': case 'j': ++ case 'k': case 'l': case 'm': case 'n': case 'o': ++ case 'p': case 'q': case 'r': case 's': case 't': ++ case 'u': case 'v': case 'w': case 'x': case 'y': case 'z': ++ case 'A': case 'B': case 'C': case 'D': case 'E': ++ case 'F': case 'G': case 'H': case 'I': case 'J': ++ case 'K': case 'L': case 'M': case 'N': case 'O': ++ case 'P': case 'Q': case 'R': case 'S': case 'T': ++ case 'U': case 'V': case 'W': case 'X': case 'Y': case 'Z': ++ return TRUE; ++ default: ++ break; ++ } ++ return FALSE; ++} ++ + /* for ABI-compatibility with previous versions */ + char *curl_escape(const char *string, int inlength) + { +@@ -76,26 +100,10 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) + while(length--) { + in = *string; + +- /* Portable character check (remember EBCDIC). Do not use isalnum() because +- its behavior is altered by the current locale. */ +- +- switch (in) { +- case '0': case '1': case '2': case '3': case '4': +- case '5': case '6': case '7': case '8': case '9': +- case 'a': case 'b': case 'c': case 'd': case 'e': +- case 'f': case 'g': case 'h': case 'i': case 'j': +- case 'k': case 'l': case 'm': case 'n': case 'o': +- case 'p': case 'q': case 'r': case 's': case 't': +- case 'u': case 'v': case 'w': case 'x': case 'y': case 'z': +- case 'A': case 'B': case 'C': case 'D': case 'E': +- case 'F': case 'G': case 'H': case 'I': case 'J': +- case 'K': case 'L': case 'M': case 'N': case 'O': +- case 'P': case 'Q': case 'R': case 'S': case 'T': +- case 'U': case 'V': case 'W': case 'X': case 'Y': case 'Z': ++ if (Curl_isalnum(in)) { + /* just copy this */ + ns[strindex++]=in; +- break; +- default: ++ } else { + /* encode it */ + newlen += 2; /* the size grows with two, since this'll become a %XX */ + if(newlen > alloc) { +@@ -123,7 +131,6 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) + snprintf(&ns[strindex], 4, "%%%02X", in); + + strindex+=3; +- break; + } + string++; + } +@@ -191,7 +198,7 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, + } + + /* For operating systems/environments that use different malloc/free +- ssystems for the app and for this library, we provide a free that uses ++ systems for the app and for this library, we provide a free that uses + the library's memory system */ + void curl_free(void *p) + { +-- +1.7.1 + + +From 97aff30c56bde0d8a07ed3eadad5fa6b6bfd07eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 28 Sep 2010 23:46:14 +0200 +Subject: [PATCH 3/4] curl_easy_escape: don't escape "unreserved" characters + +According to RFC3986 section 2.3 the letters -, ., _ and ~ should not be +percent-encoded. + +Reported by: Miguel Diaz +Bug: http://curl.haxx.se/mail/lib-2010-09/0227.html + +[upstream commit 5df13c31735fa089d5344fde13b66ace1ea473d1] + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + lib/escape.c | 9 ++++++--- + tests/data/test58 | 2 +- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/escape.c b/lib/escape.c +index 868d56a..e759607 100644 +--- a/lib/escape.c ++++ b/lib/escape.c +@@ -43,8 +43,10 @@ + #include "memdebug.h" + + /* Portable character check (remember EBCDIC). Do not use isalnum() because +-its behavior is altered by the current locale. */ +-static bool Curl_isalnum(unsigned char in) ++ its behavior is altered by the current locale. ++ See http://tools.ietf.org/html/rfc3986#section-2.3 ++*/ ++static bool Curl_isunreserved(unsigned char in) + { + switch (in) { + case '0': case '1': case '2': case '3': case '4': +@@ -59,6 +61,7 @@ static bool Curl_isalnum(unsigned char in) + case 'K': case 'L': case 'M': case 'N': case 'O': + case 'P': case 'Q': case 'R': case 'S': case 'T': + case 'U': case 'V': case 'W': case 'X': case 'Y': case 'Z': ++ case '-': case '.': case '_': case '~': + return TRUE; + default: + break; +@@ -100,7 +103,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) + while(length--) { + in = *string; + +- if (Curl_isalnum(in)) { ++ if (Curl_isunreserved(in)) { + /* just copy this */ + ns[strindex++]=in; + } else { +diff --git a/tests/data/test58 b/tests/data/test58 +index 32d7731..7b85b0b 100644 +--- a/tests/data/test58 ++++ b/tests/data/test58 +@@ -38,7 +38,7 @@ a few bytes + ^User-Agent:.* + </strip> + <protocol> +-PUT /we/want/58te%5B%5Dst%2Etxt HTTP/1.1
++PUT /we/want/58te%5B%5Dst.txt HTTP/1.1
+ Host: 127.0.0.1:%HTTPPORT
+ Accept: */*
+ Content-Length: 12
+-- +1.7.1 + + +From a2ea27383a6028604540ce6f2e2f6bbc34bd7d5e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Sun, 19 May 2013 23:24:29 +0200 +Subject: [PATCH 4/4] Curl_urldecode: no peaking beyond end of input buffer + +Security problem: CVE-2013-2174 + +If a program would give a string like "%" to curl_easy_unescape(), it +would still consider the % as start of an encoded character. The +function then not only read beyond the buffer but it would also deduct +the *unsigned* counter variable for how many more bytes there's left to +read in the buffer by two, making the counter wrap. Continuing this, the +function would go on reading beyond the buffer and soon writing beyond +the allocated target buffer... + +Reported-by: Timo Sirainen + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + lib/escape.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/lib/escape.c b/lib/escape.c +index e759607..c891a22 100644 +--- a/lib/escape.c ++++ b/lib/escape.c +@@ -163,7 +163,7 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, + + while(--alloc > 0) { + in = *string; +- if(('%' == in) && ishex(string[1]) && ishex(string[2])) { ++ if(('%' == in) && (alloc > 2) && ishex(string[1]) && ishex(string[2])) { + /* this is two hexadecimal digits following a '%' */ + char hexstr[3]; + char *ptr; +-- +1.7.1 + |