author | Rich Burridge <rich.burridge@oracle.com> |
Tue, 27 Aug 2013 05:46:53 -0700 | |
branch | s11-update |
changeset 2753 | 14e5111571b5 |
permissions | -rw-r--r-- |
17335413 Problem with library/curl
CVE-2013-2174: Heap-based buffer overflow in the curl_easy_unescape function |
in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote |
attackers to cause a denial of service (application crash) or possibly |
execute arbitrary code via a crafted string ending in a "%" (percent) |
character. |
|
CVE webpage for this problem: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174 |
|
Relevant upstream patch at: |
https://github.com/bagder/curl/commit/192c4f788d48f82c03e9cef40013f34370e90737 |
|
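--- a/lib/escape.c
+++ b/lib/escape.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2010, Daniel Stenberg, <[email protected]>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <[email protected]>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -165,7 +165,8 @@
 
 while(--alloc > 0) {
 in = *string;
- if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
+ if(('%' == in) && (alloc > 2) &&
+ ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
 /* this is two hexadecimal digits following a '%' */
 char hexstr[3];
 char *ptr;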
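Review bot: The new `(alloc > 2)` guard in the `if` of the second hunk carries the whole fix, yet nothing says why it is there or that it must be evaluated before the `string[1]` / `string[2]` reads. I would add above the condition `/* need '%' plus two more bytes inside the remaining length before peeking at string[1] and string[2] */`, so a later cleanup does not reorder or drop it. The guard is only correct if `alloc` holds the number of input bytes still left at this point; it is initialised outside the hunk, and the loop body also continues past it, so this should be confirmed against the full function. The patch as shown touches only lib/escape.c, so a regression case for an explicit-length input whose last byte is '%' would be worth carrying alongside it.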