diff options
author | Michael Stahl <mstahl@redhat.com> | 2017-11-29 12:28:03 +0100 |
---|---|---|
committer | Thorsten Behrens <Thorsten.Behrens@CIB.de> | 2018-06-01 15:08:40 +0200 |
commit | 7e3c4a7ea9f3739178019d4a8ceb6159c9476fdd (patch) | |
tree | 1649ceb8bef0d6b0ebdae5d9867d60de4ed5b5dd | |
parent | tdf#117847 Impress: Deselected alignment remained checked (diff) | |
download | core-7e3c4a7ea9f3739178019d4a8ceb6159c9476fdd.tar.gz core-7e3c4a7ea9f3739178019d4a8ceb6159c9476fdd.zip |
curl: fix CVE-2017-8816
* don't upgrade to new release, no idea how the new windows
build system likes targeting Win XP which is still supported in 5.4
* CVE-2017-8817 doesn't affect LO as CURLOPT_WILDCARDMATCH isn't used
* CVE-2017-8818 doesn't affect the old 7.52 version
Change-Id: I49ddb771ccdb93d5fe8f4b3544f74ab9b171c156
Reviewed-on: https://gerrit.libreoffice.org/45487
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit aa0f44de5b260b2b2a39bdd2de9445d72ab14265)
-rw-r--r-- | external/curl/CVE-2017-8816.patch | 67 | ||||
-rw-r--r-- | external/curl/UnpackedTarball_curl.mk | 1 |
2 files changed, 68 insertions, 0 deletions
diff --git a/external/curl/CVE-2017-8816.patch b/external/curl/CVE-2017-8816.patch new file mode 100644 index 000000000000..dd4fa677e03f --- /dev/null +++ b/external/curl/CVE-2017-8816.patch @@ -0,0 +1,67 @@ +From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 6 Nov 2017 23:51:52 +0100 +Subject: [PATCH] ntlm: avoid integer overflow for malloc size + +Reported-by: Alex Nichols +Assisted-by: Kamil Dudka and Max Dymond + +CVE-2017-8816 + +Bug: https://curl.haxx.se/docs/adv_2017-11e7.html +--- + lib/curl_ntlm_core.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c +index 1309bf0d9..e8962769c 100644 +--- a/lib/curl_ntlm_core.c ++++ b/lib/curl_ntlm_core.c +@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, + Curl_HMAC_final(ctxt, output); + + return CURLE_OK; + } + ++#ifndef SIZE_T_MAX ++/* some limits.h headers have this defined, some don't */ ++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) ++#define SIZE_T_MAX 18446744073709551615U ++#else ++#define SIZE_T_MAX 4294967295U ++#endif ++#endif ++ + /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode + * (uppercase UserName + Domain) as the data + */ + CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen, + const char *domain, size_t domlen, + unsigned char *ntlmhash, + unsigned char *ntlmv2hash) + { + /* Unicode representation */ +- size_t identity_len = (userlen + domlen) * 2; +- unsigned char *identity = malloc(identity_len); ++ size_t identity_len; ++ unsigned char *identity; + CURLcode result = CURLE_OK; + ++ /* we do the length checks below separately to avoid integer overflow risk ++ on extreme data lengths */ ++ if((userlen > SIZE_T_MAX/2) || ++ (domlen > SIZE_T_MAX/2) || ++ ((userlen + domlen) > SIZE_T_MAX/2)) ++ return CURLE_OUT_OF_MEMORY; ++ ++ identity_len = (userlen + domlen) * 2; ++ identity = malloc(identity_len); ++ + if(!identity) + return CURLE_OUT_OF_MEMORY; + + ascii_uppercase_to_unicode_le(identity, user, userlen); + ascii_to_unicode_le(identity + (userlen << 1), domain, domlen); +-- +2.15.0 + diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk index 6a5720d78459..4cabf2f1b80b 100644 --- a/external/curl/UnpackedTarball_curl.mk +++ b/external/curl/UnpackedTarball_curl.mk @@ -23,6 +23,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\ external/curl/curl-7.26.0_mingw.patch \ external/curl/curl-7.26.0_win-proxy.patch \ external/curl/curl-xp.patch.1 \ + external/curl/CVE-2017-8816.patch \ )) ifeq ($(SYSTEM_NSS),) |