curl: apply CVE 2017-8816 and 2017-8817 security patches

This commit adds the upstream patches for CVE 2017-8816 and 2017-8817 to the 17.01 Curl package. Compile-tested on ar71xx, ramips and x86. Signed-off-by: Stijn Segers <foss@volatilesystems.org>
2025-01-03 12:34:19 +00:00 · 2017-12-03 12:09:20 +01:00 · 2017-12-03 12:09:20 +01:00 · 060b7f1fbb
commit 060b7f1fbb
parent 4b5861c47d
3 changed files with 209 additions and 1 deletions
--- a/package/network/utils/curl/Makefile
+++ b/package/network/utils/curl/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=curl
 PKG_VERSION:=7.52.1
-PKG_RELEASE:=5
+PKG_RELEASE:=6

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://curl.haxx.se/download/ \
--- a/package/network/utils/curl/patches/105-CVE-2017-8816.patch
+++ b/package/network/utils/curl/patches/105-CVE-2017-8816.patch
@ -0,0 +1,67 @@
+From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Nov 2017 23:51:52 +0100
+Subject: [PATCH] ntlm: avoid integer overflow for malloc size
+
+Reported-by: Alex Nichols
+Assisted-by: Kamil Dudka and Max Dymond
+
+CVE-2017-8816
+
+Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+---
+ lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index 1309bf0d9..e8962769c 100644
+--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
+@@ -616,23 +616,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
+   Curl_HMAC_final(ctxt, output);
+ 
+   return CURLE_OK;
+ }
+ 
+#ifndef SIZE_T_MAX
+/* some limits.h headers have this defined, some don't */
+#if defined(_LP64) || defined(_I32LPx)
+#define SIZE_T_MAX 18446744073709551615U
+#else
+#define SIZE_T_MAX 4294967295U
+#endif
+#endif
+
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+  * (uppercase UserName + Domain) as the data
+  */
+ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
+                                        const char *domain, size_t domlen,
+                                        unsigned char *ntlmhash,
+                                        unsigned char *ntlmv2hash)
+ {
+   /* Unicode representation */
+-  size_t identity_len = (userlen + domlen) * 2;
+-  unsigned char *identity = malloc(identity_len);
+  size_t identity_len;
+  unsigned char *identity;
+   CURLcode result = CURLE_OK;
+ 
+  /* we do the length checks below separately to avoid integer overflow risk
+     on extreme data lengths */
+  if((userlen > SIZE_T_MAX/2) ||
+     (domlen > SIZE_T_MAX/2) ||
+     ((userlen + domlen) > SIZE_T_MAX/2))
+    return CURLE_OUT_OF_MEMORY;
+
+  identity_len = (userlen + domlen) * 2;
+  identity = malloc(identity_len);
+
+   if(!identity)
+     return CURLE_OUT_OF_MEMORY;
+ 
+   ascii_uppercase_to_unicode_le(identity, user, userlen);
+   ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
+-- 
+2.15.0
+
--- a/package/network/utils/curl/patches/106-CVE-2017-8817.patch
+++ b/package/network/utils/curl/patches/106-CVE-2017-8817.patch
@ -0,0 +1,141 @@
+From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Nov 2017 08:52:45 +0100
+Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
+
+The code would previous read beyond the end of the pattern string if the
+match pattern ends with an open bracket when the default pattern
+matching function is used.
+
+Detected by OSS-Fuzz:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
+
+CVE-2017-8817
+
+Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
+---
+ lib/curl_fnmatch.c      |  9 +++------
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1163     | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 7 deletions(-)
+ create mode 100644 tests/data/test1163
+
+diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
+index da83393b4..8a1e106c4 100644
+--- a/lib/curl_fnmatch.c
+++ b/lib/curl_fnmatch.c
+@@ -131,10 +131,13 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+   unsigned char lastchar   = 0;
+   bool something_found = FALSE;
+   unsigned char c;
+   for(;;) {
+     c = **p;
+    if(!c)
+      return SETCHARSET_FAIL;
+
+     switch(state) {
+     case CURLFNM_SCHS_DEFAULT:
+       if(ISALNUM(c)) { /* ASCII value */
+         rangestart = c;
+         charset[c] = 1;
+@@ -195,13 +198,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+           (*p)++;
+         }
+         else
+           return SETCHARSET_FAIL;
+       }
+-      else if(c == '\0') {
+-        return SETCHARSET_FAIL;
+-      }
+       else {
+         charset[c] = 1;
+         (*p)++;
+         something_found = TRUE;
+       }
+@@ -276,13 +276,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+         (*p)++;
+       }
+       else if(c == ']') {
+         return SETCHARSET_OK;
+       }
+-      else if(c == '\0') {
+-        return SETCHARSET_FAIL;
+-      }
+       else if(ISPRINT(c)) {
+         charset[c] = 1;
+         (*p)++;
+         state = CURLFNM_SCHS_DEFAULT;
+       }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index dc1cc03bc..6eb37d81d 100644
+--- a/tests/data/Makefile.inc.1	2017-11-29 20:00:26.126452486 +0000
+++ b/tests/data/Makefile.inc	2017-11-29 20:01:13.057783732 +0000
+@@ -121,6 +121,7 @@
+ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 \
+test1163 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1163 b/tests/data/test1163
+new file mode 100644
+index 000000000..a109b511b
+--- /dev/null
+++ b/tests/data/test1163
+@@ -0,0 +1,52 @@
+<testcase>
+<info>
+<keywords>
+FTP
+RETR
+LIST
+wildcardmatch
+ftplistparser
+flaky
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+<tool>
+lib576
+</tool>
+<name>
+FTP wildcard with pattern ending with an open-bracket
+</name>
+<command>
+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
+</command>
+</client>
+<verify>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+CWD fully_simulated
+CWD DOS
+EPSV
+TYPE A
+LIST
+QUIT
+</protocol>
+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
+<errorcode>
+78
+</errorcode>
+</verify>
+</testcase>
+-- 
+2.15.0
+