~alpine/aports

[alpine-aports] [PATCH edge] main/curl: security fixes #7133

Sergei Lukin <sergej.lukin@gmail.com>
Details
Message ID
<20170414084940.15232-1-sergej.lukin@gmail.com>
Sender timestamp
1492159780
DKIM signature
missing
Download raw message
7 years ago
Patch: +206 -3 
CVE-2017-7407: write-out out of buffer read
---
 main/curl/APKBUILD            |  12 ++-
 main/curl/CVE-2017-7407.patch | 197 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 206 insertions(+), 3 deletions(-)
 create mode 100644 main/curl/CVE-2017-7407.patch

diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 2135768bc3..fc506bea71 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -1,19 +1,24 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.53.1
pkgrel=1
pkgrel=2
pkgdesc="An URL retrival utility and library"
url="http://curl.haxx.se"
arch="all"
license="MIT"
depends="ca-certificates"
makedepends="zlib-dev libressl-dev libssh2-dev groff perl"
source="http://curl.haxx.se/download/$pkgname-$pkgver.tar.bz2"
source="http://curl.haxx.se/download/$pkgname-$pkgver.tar.bz2
	CVE-2017-7407.patch
	"
subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl"

# secfixes:
#   7.53.1-r2:
#       CVE-2017-7407
#   7.53.0:
#     - CVE-2017-2629
#   7.52.1:
@@ -76,4 +81,5 @@ libcurl() {
	mv "$pkgdir"/usr/lib "$subpkgdir"/usr
}

sha512sums="c668494d0e795f34b00505ca68ab41fbb475a1bccbcac1d0bbacbbbafa40a994472e100be18a0c10f8fa21b5b9bd3f4e66c1e68ff5423b13b82d829cbaefcd52  curl-7.53.1.tar.bz2"
sha512sums="c668494d0e795f34b00505ca68ab41fbb475a1bccbcac1d0bbacbbbafa40a994472e100be18a0c10f8fa21b5b9bd3f4e66c1e68ff5423b13b82d829cbaefcd52  curl-7.53.1.tar.bz2
05ab29bef14abef013f2df9dee9ad5a449a0b24838f1376d4f53db9bb428c3769e264302ac9098563e9a2cc57b56c6fba9805581cae7f4a115d8be9f623714e3  CVE-2017-7407.patch"
diff --git a/main/curl/CVE-2017-7407.patch b/main/curl/CVE-2017-7407.patch
new file mode 100644
index 0000000000..d3cdf0aa5a
--- /dev/null
+++ b/main/curl/CVE-2017-7407.patch
@@ -0,0 +1,197 @@
From 6019f1795b4e3b72507b84b0e02dc8c32024f562 Mon Sep 17 00:00:00 2001
From: Dan Fandrich <dan@coneharvesters.com>
Date: Sat, 11 Mar 2017 10:59:34 +0100
Subject: [PATCH] CVE-2017-7407: fixed

Bug: https://curl.haxx.se/docs/adv_20170403.html

Reported-by: Brian Carpenter
---
 src/tool_writeout.c     |  6 +++---
 tests/data/Makefile.inc |  2 +-
 tests/data/test1440     | 31 +++++++++++++++++++++++++++++++
 tests/data/test1441     | 31 +++++++++++++++++++++++++++++++
 tests/data/test1442     | 35 +++++++++++++++++++++++++++++++++++
 5 files changed, 101 insertions(+), 4 deletions(-)
 create mode 100644 tests/data/test1440
 create mode 100644 tests/data/test1441
 create mode 100644 tests/data/test1442

diff --git a/src/tool_writeout.c b/src/tool_writeout.c
index 2fb77742a..5d92bd278 100644
--- a/src/tool_writeout.c
+++ b/src/tool_writeout.c
@@ -3,11 +3,11 @@
  *  Project                     ___| | | |  _ \| |
  *                             / __| | | | |_) | |
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
  * are also available at https://curl.haxx.se/docs/copyright.html.
  *
@@ -111,11 +111,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
   char *stringp = NULL;
   long longinfo;
   double doubleinfo;
 
   while(ptr && *ptr) {
-    if('%' == *ptr) {
+    if('%' == *ptr && ptr[1]) {
       if('%' == ptr[1]) {
         /* an escaped %-letter */
         fputc('%', stream);
         ptr += 2;
       }
@@ -339,11 +339,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
           fputc(ptr[1], stream);
           ptr += 2;
         }
       }
     }
-    else if('\\' == *ptr) {
+    else if('\\' == *ptr && ptr[1]) {
       switch(ptr[1]) {
       case 'r':
         fputc('\r', stream);
         break;
       case 'n':
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 8251ab9a4..267ff6aef 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -149,11 +149,11 @@ test1396 test1397 test1398 \
 test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \
 test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
 test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
 test1424 \
 test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
-test1436 test1437 test1438 test1439 \
+test1436 test1437 test1438 test1439 test1440 test1441 test1442 \
 \
 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
 test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
 test1516 test1517 \
 \
diff --git a/tests/data/test1440 b/tests/data/test1440
new file mode 100644
index 000000000..7ed0c4d5f
--- /dev/null
+++ b/tests/data/test1440
@@ -0,0 +1,31 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing %{
+</name>
+<command>
+file://localhost/%PWD/log/ --write-out '%{'
+</command>
+</client>
+
+# Verify data
+<verify>
+<stdout nonewline="yes">
+%{
+</stdout>
+</verify>
+</testcase>
diff --git a/tests/data/test1441 b/tests/data/test1441
new file mode 100644
index 000000000..6e253a690
--- /dev/null
+++ b/tests/data/test1441
@@ -0,0 +1,31 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing %
+</name>
+<command>
+file://localhost/%PWD/log/ --write-out '%'
+</command>
+</client>
+
+# Verify data
+<verify>
+<stdout nonewline="yes">
+%
+</stdout>
+</verify>
+</testcase>
diff --git a/tests/data/test1442 b/tests/data/test1442
new file mode 100644
index 000000000..255a4c9ff
--- /dev/null
+++ b/tests/data/test1442
@@ -0,0 +1,35 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+FILE
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing \
+</name>
+<command>
+file://localhost/%PWD/log/non-existent-file.txt --write-out '\'
+</command>
+</client>
+
+# Verify data
+<verify>
+<errorcode>
+37
+</errorcode>
+<stdout nonewline="yes">
+\
+</stdout>
+</verify>
+</testcase>
-- 
2.11.0

-- 
2.12.2



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Reply to thread Export thread (mbox)