~ubuntu-branches/ubuntu/trusty/curl/trusty-updates

Viewing changes to debian/patches/CVE-2014-3707.patch

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2014-11-06 10:53:58 UTC
Revision ID: package-import@ubuntu.com-20141106105358-e90s20tv3eobuukd

Tags: 7.35.0-1ubuntu2.2

* SECURITY UPDATE: sensitive data disclosure via duphandle read out of
  bounds
  - debian/patches/CVE-2014-3707.patch: properly copy memory aread in
    lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
    src/Makefile.inc, src/tool_setup.h, src/tool_strdup.{c,h}.
  - CVE-2014-3707

files added:
.pc/CVE-2014-3707.patch

.pc/CVE-2014-3707.patch/lib

.pc/CVE-2014-3707.patch/lib/formdata.c

.pc/CVE-2014-3707.patch/lib/strdup.c

.pc/CVE-2014-3707.patch/lib/strdup.h

.pc/CVE-2014-3707.patch/lib/url.c

.pc/CVE-2014-3707.patch/lib/urldata.h

.pc/CVE-2014-3707.patch/src

.pc/CVE-2014-3707.patch/src/Makefile.inc

.pc/CVE-2014-3707.patch/src/tool_setup.h

.pc/CVE-2014-3707.patch/src/tool_strdup.c

.pc/CVE-2014-3707.patch/src/tool_strdup.h

debian/patches/CVE-2014-3707.patch

src/tool_strdup.c

src/tool_strdup.h

files modified:
.pc/applied-patches

debian/changelog

debian/patches/series

lib/formdata.c

lib/strdup.c

lib/strdup.h

lib/url.c

lib/urldata.h

src/Makefile.inc

src/tool_setup.h

Show diffs side-by-side

added added

removed removed

debian/patches/CVE-2014-3707.patch

Description: fix sensitive data disclosure via duphandle read out of bounds

Origin: backport, https://github.com/bagder/curl/commit/b3875606925536f82fc61f3114ac42f29eaf6945

Origin: backport, https://github.com/bagder/curl/commit/e8cea8d70fed7ad5e14d8b3e871ebf0ea0bf53b0

Origin: backport, https://github.com/bagder/curl/commit/92e7e346f35b89d89c079403e5aeb16bee0e8836

Origin: backport, https://github.com/bagder/curl/commit/8a2dda312cc916e3ec3d0bc99850d9abe5ae6b92

Index: curl-7.35.0/lib/formdata.c

===================================================================

--- curl-7.35.0.orig/lib/formdata.c 2014-11-06 10:53:04.237756718 -0500

+++ curl-7.35.0/lib/formdata.c 2014-11-06 10:53:04.229756651 -0500

@@ -36,6 +36,7 @@

#include "strequal.h"

#include "curl_memory.h"

#include "sendf.h"

+#include "strdup.h"

#define _MPRINTF_REPLACE /* use our functions only */

#include <curl/mprintf.h>

@@ -214,46 +215,6 @@

/***************************************************************************

- * memdup()

- *

- * Copies the 'source' data to a newly allocated buffer buffer (that is

- * returned). Uses buffer_length if not null, else uses strlen to determine

- * the length of the buffer to be copied

- *

- * Returns the new pointer or NULL on failure.

- *

- ***************************************************************************/

-static char *memdup(const char *src, size_t buffer_length)

- size_t length;

- bool add = FALSE;

- char *buffer;

- if(buffer_length)

- length = buffer_length;

- else if(src) {

- length = strlen(src);

- add = TRUE;

- }

- else

- /* no length and a NULL src pointer! */

- return strdup("");

- buffer = malloc(length+add);

- if(!buffer)

- return NULL; /* fail */

- memcpy(buffer, src, length);

- /* if length unknown do null termination */

- if(add)

- buffer[length] = '\0';

- return buffer;

-/***************************************************************************

- *

* FormAdd()

* Stores a formpost parameter and builds the appropriate linked list.

@@ -682,9 +643,12 @@

(form == first_form) ) {

/* Note that there's small risk that form->name is NULL here if the

app passed in a bad combo, so we better check for that first. */

- if(form->name)

+ if(form->name) {

/* copy name (without strdup; possibly contains null characters) */

- form->name = memdup(form->name, form->namelength);

+ form->name = Curl_memdup(form->name, form->namelength?

+ form->namelength:

+ strlen(form->name)+1);

+ }

if(!form->name) {

return_value = CURL_FORMADD_MEMORY;

break;

@@ -695,7 +659,9 @@

HTTPPOST_PTRCONTENTS | HTTPPOST_PTRBUFFER |

HTTPPOST_CALLBACK)) ) {

/* copy value (without strdup; possibly contains null characters) */

- form->value = memdup(form->value, form->contentslength);

+ form->value = Curl_memdup(form->value, form->contentslength?

+ form->contentslength:

+ strlen(form->value)+1);

if(!form->value) {

return_value = CURL_FORMADD_MEMORY;

break;

Index: curl-7.35.0/lib/strdup.c

===================================================================

--- curl-7.35.0.orig/lib/strdup.c 2014-11-06 10:53:04.237756718 -0500

+++ curl-7.35.0/lib/strdup.c 2014-11-06 10:53:04.229756651 -0500

@@ -19,12 +19,12 @@

* KIND, either express or implied.

***************************************************************************/

100

-/*

101

- * This file is 'mem-include-scan' clean. See test 1132.

102

- */

103

#include "curl_setup.h"

104

105

#include "strdup.h"

106

+#include "curl_memory.h"

107

108

+/* The last #include file should be: */

109

+#include "memdebug.h"

110

111

#ifndef HAVE_STRDUP

112

char *curlx_strdup(const char *str)

113

@@ -50,3 +50,24 @@

114

115

}

116

#endif

117

118

+/***************************************************************************

119

+ *

120

+ * Curl_memdup(source, length)

121

+ *

122

+ * Copies the 'source' data to a newly allocated buffer (that is

123

+ * returned). Copies 'length' bytes.

124

+ *

125

+ * Returns the new pointer or NULL on failure.

126

+ *

127

+ ***************************************************************************/

128

+char *Curl_memdup(const char *src, size_t length)

129

130

+ char *buffer = malloc(length);

131

+ if(!buffer)

132

+ return NULL; /* fail */

133

134

+ memcpy(buffer, src, length);

135

136

+ return buffer;

137

138

Index: curl-7.35.0/lib/strdup.h

139

===================================================================

140

--- curl-7.35.0.orig/lib/strdup.h 2014-11-06 10:53:04.237756718 -0500

141

+++ curl-7.35.0/lib/strdup.h 2014-11-06 10:53:04.229756651 -0500

142

@@ -26,5 +26,6 @@

143

#ifndef HAVE_STRDUP

144

extern char *curlx_strdup(const char *str);

145

#endif

146

+char *Curl_memdup(const char *src, size_t buffer_length);

147

148

#endif /* HEADER_CURL_STRDUP_H */

149

Index: curl-7.35.0/lib/url.c

150

===================================================================

151

--- curl-7.35.0.orig/lib/url.c 2014-11-06 10:53:04.237756718 -0500

152

+++ curl-7.35.0/lib/url.c 2014-11-06 10:53:04.233756684 -0500

153

@@ -125,6 +125,7 @@

154

#include "multihandle.h"

155

#include "pipeline.h"

156

#include "dotdot.h"

157

+#include "strdup.h"

158

159

#define _MPRINTF_REPLACE /* use our functions only */

160

#include <curl/mprintf.h>

161

@@ -270,8 +271,9 @@

162

{

163

/* Free all dynamic strings stored in the data->set substructure. */

164

enum dupstring i;

165

- for(i=(enum dupstring)0; i < STRING_LAST; i++)

166

+ for(i=(enum dupstring)0; i < STRING_LAST; i++) {

167

Curl_safefree(data->set.str[i]);

168

+ }

169

170

if(data->change.referer_alloc) {

171

Curl_safefree(data->change.referer);

172

@@ -351,14 +353,25 @@

173

memset(dst->set.str, 0, STRING_LAST * sizeof(char *));

174

175

/* duplicate all strings */

176

- for(i=(enum dupstring)0; i< STRING_LAST; i++) {

177

+ for(i=(enum dupstring)0; i< STRING_LASTZEROTERMINATED; i++) {

178

r = setstropt(&dst->set.str[i], src->set.str[i]);

179

if(r != CURLE_OK)

180

- break;

181

+ return r;

182

}

183

184

- /* If a failure occurred, freeing has to be performed externally. */

185

- return r;

186

+ /* duplicate memory areas pointed to */

187

+ i = STRING_COPYPOSTFIELDS;

188

+ if(src->set.postfieldsize && src->set.str[i]) {

189

+ /* postfieldsize is curl_off_t, Curl_memdup() takes a size_t ... */

190

+ dst->set.str[i] = Curl_memdup(src->set.str[i],

191

+ curlx_sotouz(src->set.postfieldsize));

192

+ if(!dst->set.str[i])

193

+ return CURLE_OUT_OF_MEMORY;

194

+ /* point to the new copy */

195

+ dst->set.postfields = dst->set.str[i];

196

+ }

197

198

+ return CURLE_OK;

199

}

200

201

202

Index: curl-7.35.0/lib/urldata.h

203

===================================================================

204

--- curl-7.35.0.orig/lib/urldata.h 2014-11-06 10:53:04.237756718 -0500

205

+++ curl-7.35.0/lib/urldata.h 2014-11-06 10:53:04.233756684 -0500

206

@@ -1334,7 +1334,6 @@

207

STRING_KRB_LEVEL, /* krb security level */

208

STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find

209

$HOME/.netrc */

210

- STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */

211

STRING_PROXY, /* proxy to use */

212

STRING_SET_RANGE, /* range, if used */

213

STRING_SET_REFERER, /* custom string for the HTTP referer field */

214

@@ -1376,7 +1375,15 @@

215

216

STRING_BEARER, /* <bearer>, if used */

217

218

- /* -- end of strings -- */

219

+ /* -- end of zero-terminated strings -- */

220

221

+ STRING_LASTZEROTERMINATED,

222

223

+ /* -- below this are pointers to binary data that cannot be strdup'ed.

224

+ Each such pointer must be added manually to Curl_dupset() --- */

225

226

+ STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */

227

228

STRING_LAST /* not used, just an end-of-list marker */

229

};

230

231

Index: curl-7.35.0/src/Makefile.inc

232

===================================================================

233

--- curl-7.35.0.orig/src/Makefile.inc 2014-11-06 10:53:04.237756718 -0500

234

+++ curl-7.35.0/src/Makefile.inc 2014-11-06 10:53:04.233756684 -0500

235

@@ -11,7 +11,6 @@

236

# the official API, but we re-use the code here to avoid duplication.

237

CURLX_ONES = \

238

../lib/strtoofft.c \

239

- ../lib/strdup.c \

240

../lib/rawstr.c \

241

../lib/nonblock.c

242

243

@@ -46,6 +45,7 @@

244

tool_panykey.c \

245

tool_paramhlp.c \

246

tool_parsecfg.c \

247

+ tool_strdup.c \

248

tool_setopt.c \

249

tool_sleep.c \

250

tool_urlglob.c \

251

@@ -90,6 +90,7 @@

252

tool_setopt.h \

253

tool_setup.h \

254

tool_sleep.h \

255

+ tool_strdup.h \

256

tool_urlglob.h \

257

tool_util.h \

258

tool_version.h \

259

Index: curl-7.35.0/src/tool_setup.h

260

===================================================================

261

--- curl-7.35.0.orig/src/tool_setup.h 2014-11-06 10:53:04.237756718 -0500

262

+++ curl-7.35.0/src/tool_setup.h 2014-11-06 10:53:04.233756684 -0500

263

@@ -67,8 +67,7 @@

264

#endif

265

266

#ifndef HAVE_STRDUP

267

-# include "strdup.h"

268

-# define strdup(ptr) curlx_strdup(ptr)

269

+# include "tool_strdup.h"

270

#endif

271

272

#endif /* HEADER_CURL_TOOL_SETUP_H */

273

Index: curl-7.35.0/src/tool_strdup.c

274

===================================================================

275

--- /dev/null 1970-01-01 00:00:00.000000000 +0000

276

+++ curl-7.35.0/src/tool_strdup.c 2014-11-06 10:53:04.233756684 -0500

277

@@ -0,0 +1,47 @@

278

+/***************************************************************************

279

+ * _ _ ____ _

280

+ * Project ___| | | | _ \| |

281

+ * / __| | | | |_) | |

282

+ * | (__| |_| | _ <| |___

283

+ * \___|\___/|_| \_\_____|

284

+ *

285

286

+ *

287

+ * This software is licensed as described in the file COPYING, which

288

+ * you should have received as part of this distribution. The terms

289

+ * are also available at http://curl.haxx.se/docs/copyright.html.

290

+ *

291

+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell

292

+ * copies of the Software, and permit persons to whom the Software is

293

+ * furnished to do so, under the terms of the COPYING file.

294

+ *

295

+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY

296

+ * KIND, either express or implied.

297

+ *

298

+ ***************************************************************************/

299

+#include "tool_strdup.h"

300

301

+#ifndef HAVE_STRDUP

302

+char *strdup(const char *str)

303

304

+ size_t len;

305

+ char *newstr;

306

307

+ if(!str)

308

+ return (char *)NULL;

309

310

+ len = strlen(str);

311

312

+ if(len >= ((size_t)-1) / sizeof(char))

313

+ return (char *)NULL;

314

315

+ newstr = malloc((len+1)*sizeof(char));

316

+ if(!newstr)

317

+ return (char *)NULL;

318

319

+ memcpy(newstr,str,(len+1)*sizeof(char));

320

321

+ return newstr;

322

323

324

+#endif

325

Index: curl-7.35.0/src/tool_strdup.h

326

===================================================================

327

--- /dev/null 1970-01-01 00:00:00.000000000 +0000

328

+++ curl-7.35.0/src/tool_strdup.h 2014-11-06 10:53:04.233756684 -0500

329

@@ -0,0 +1,30 @@

330

+#ifndef HEADER_TOOL_STRDUP_H

331

+#define HEADER_TOOL_STRDUP_H

332

+/***************************************************************************

333

+ * _ _ ____ _

334

+ * Project ___| | | | _ \| |

335

+ * / __| | | | |_) | |

336

+ * | (__| |_| | _ <| |___

337

+ * \___|\___/|_| \_\_____|

338

+ *

339

340

+ *

341

+ * This software is licensed as described in the file COPYING, which

342

+ * you should have received as part of this distribution. The terms

343

+ * are also available at http://curl.haxx.se/docs/copyright.html.

344

+ *

345

+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell

346

+ * copies of the Software, and permit persons to whom the Software is

347

+ * furnished to do so, under the terms of the COPYING file.

348

+ *

349

+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY

350

+ * KIND, either express or implied.

351

+ *

352

+ ***************************************************************************/

353

+#include "tool_setup.h"

354

355

+#ifndef HAVE_STRDUP

356

+extern char *strdup(const char *str);

357

+#endif

358

359

+#endif /* HEADER_TOOL_STRDUP_H */

Older »