openwrt/package/network/utils/curl/patches/111-CVE-2018-1000120.patch

From a6ae0fbe9c50733e0f645f5bd16e1db38c592c3d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 31 Jan 2018 08:40:11 +0100
Subject: [PATCH] FTP: reject path components with control codes

Refuse to operate when given path components featuring byte values lower
than 32.

Previously, inserting a %00 sequence early in the directory part when
using the 'singlecwd' ftp method could make curl write a zero byte
outside of the allocated buffer.

Test case 340 verifies.

CVE-2018-1000120
Reported-by: Duy Phan Thanh
Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
---
 lib/ftp.c               |  8 ++++----
 tests/data/Makefile.inc |  3 +++
 tests/data/test340      | 40 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 4 deletions(-)
 create mode 100644 tests/data/test340

--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -3235,7 +3235,7 @@ static CURLcode ftp_done(struct connectd
 
   if(!result)
     /* get the "raw" path */
-    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
+    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
   if(result) {
     /* We can limp along anyway (and should try to since we may already be in
      * the error path) */
@@ -4241,7 +4241,7 @@ CURLcode ftp_parse_url_path(struct conne
       result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
                               slash_pos ? dirlen : 1,
                               &ftpc->dirs[0], NULL,
-                              FALSE);
+                              TRUE);
       if(result) {
         freedirs(ftpc);
         return result;
@@ -4349,7 +4349,7 @@ CURLcode ftp_parse_url_path(struct conne
     size_t dlen;
     char *path;
     CURLcode result =
-      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
+      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
     if(result) {
       freedirs(ftpc);
       return result;
curl: fix some security problems This fixes the following security problems: * CVE-2017-1000254: FTP PWD response parser out of bounds read * CVE-2017-1000257: IMAP FETCH response out of bounds read * CVE-2018-1000005: HTTP/2 trailer out-of-bounds read * CVE-2018-1000007: HTTP authentication leak in redirects * CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write * CVE-2018-1000121: LDAP NULL pointer dereference * CVE-2018-1000122: RTSP RTP buffer over-read * CVE-2018-1000301: RTSP bad headers buffer over-read Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 2018-08-10 21:39:06 +02:00			`From a6ae0fbe9c50733e0f645f5bd16e1db38c592c3d Mon Sep 17 00:00:00 2001`
			`From: Daniel Stenberg <daniel@haxx.se>`
			`Date: Wed, 31 Jan 2018 08:40:11 +0100`
			`Subject: [PATCH] FTP: reject path components with control codes`

			`Refuse to operate when given path components featuring byte values lower`
			`than 32.`

			`Previously, inserting a %00 sequence early in the directory part when`
			`using the 'singlecwd' ftp method could make curl write a zero byte`
			`outside of the allocated buffer.`

			`Test case 340 verifies.`

			`CVE-2018-1000120`
			`Reported-by: Duy Phan Thanh`
			`Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html`
			`---`
			`lib/ftp.c \| 8 ++++----`
			`tests/data/Makefile.inc \| 3 +++`
			`tests/data/test340 \| 40 ++++++++++++++++++++++++++++++++++++++++`
			`3 files changed, 47 insertions(+), 4 deletions(-)`
			`create mode 100644 tests/data/test340`

			`--- a/lib/ftp.c`
			`+++ b/lib/ftp.c`
			`@@ -3235,7 +3235,7 @@ static CURLcode ftp_done(struct connectd`

			`if(!result)`
			`/* get the "raw" path */`
			`- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);`
			`+ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);`
			`if(result) {`
			`/* We can limp along anyway (and should try to since we may already be in`
			`* the error path) */`
			`@@ -4241,7 +4241,7 @@ CURLcode ftp_parse_url_path(struct conne`
			`result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",`
			`slash_pos ? dirlen : 1,`
			`&ftpc->dirs[0], NULL,`
			`- FALSE);`
			`+ TRUE);`
			`if(result) {`
			`freedirs(ftpc);`
			`return result;`
			`@@ -4349,7 +4349,7 @@ CURLcode ftp_parse_url_path(struct conne`
			`size_t dlen;`
			`char *path;`
			`CURLcode result =`
			`- Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);`
			`+ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);`
			`if(result) {`
			`freedirs(ftpc);`
			`return result;`