author | jenny.yung@oracle.com <jenny.yung@oracle.com> |
Tue, 16 Jun 2015 10:14:56 -0700 | |
branch | s11-update |
changeset 4489 | 2713cbca9e1e |
parent 2850 | ad06f0bc7b53 |
permissions | -rw-r--r-- |
2850
ad06f0bc7b53
17562742 problem in UTILITY/CVS
Rich Burridge <rich.burridge@oracle.com>
1 |
CVE-2012-0804 - Fix proxy response parser |
2 |
|
3 |
If proxy sends overlong HTTP version string, the string will be copied |
4 |
to unallocated space (write_buf) causing heap overflow. |
5 |
|
6 |
This patch fixes it by ignoring the HTTP version string and checking |
7 |
the response line has been parsed correctly. |
8 |
|
9 |
See <https://bugzilla.redhat.com/show_bug.cgi?id=773699> for more |
10 |
details. |
11 |
|
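--- cvs-1.12.13/src/client.c.orig 2013-12-09 13:26:55.209065160 -0800
+++ cvs-1.12.13/src/client.c 2013-12-09 13:32:25.632884394 -0800
@@ -3558,9 +3558,9 @@
  * code.
  */
  read_line_via (from_server, to_server, &read_buf);
- sscanf (read_buf, "%s %d", write_buf, &codenum);
+ count = sscanf (read_buf, "%*s %d", &codenum);
 
- if ((codenum / 100) != 2)
+ if (count != 1 || (codenum / 100) != 2)
  error (1, 0, "proxy server %s:%d does not support http tunnelling",
  root->proxy_hostname, proxy_port_number);
  free (read_buf);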
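Review bot: The `%d` in the new `sscanf (read_buf, "%*s %d", &codenum)` still converts a proxy-supplied digit run of any length, and a value that does not fit in `int` is undefined behaviour for the scanf family, so the status code remains unbounded input even though the `write_buf` overflow is gone. Bounding the field, e.g. `count = sscanf (read_buf, "%*s %3d", &codenum);`, keeps the parse to the three digits an HTTP status code has. `strtol` with an `errno`/range check would be the stricter alternative if longer digit runs should be rejected rather than truncated. `count` is assigned here but not declared in the hunk, and the enclosing function begins and ends outside it, so its declaration as `int` should be confirmed there.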