upstream/oracle/userland-gate: components/cvs/patches/CVE-2012-0804.patch@2713cbca9e1e (annotated)

2850 ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	1	CVE-2012-0804 - Fix proxy response parser
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	2
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	3	If proxy sends overlong HTTP vesion string, the string will be copied
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	4	to unallocatd space (write_buf) causing heap overflow.
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	5
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	6	This patch fixes it by ignoring the HTTP version string and checking
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	7	the response line has been parsed correctly.
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	8
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	9	See <https://bugzilla.redhat.com/show_bug.cgi?id=773699> for more
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	10	details.
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	11
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	12	--- cvs-1.12.13/src/client.c.orig 2013-12-09 13:26:55.209065160 -0800
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	13	+++ cvs-1.12.13/src/client.c 2013-12-09 13:32:25.632884394 -0800
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	14	@@ -3558,9 +3558,9 @@
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	15	* code.
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	16	*/
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	17	read_line_via (from_server, to_server, &read_buf);
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	18	- sscanf (read_buf, "%s %d", write_buf, &codenum);
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	19	+ count = sscanf (read_buf, "%*s %d", &codenum);
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	20
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	21	- if ((codenum / 100) != 2)
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	22	+ if (count != 1 \|\| (codenum / 100) != 2)
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	23	error (1, 0, "proxy server %s:%d does not support http tunnelling",
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	24	root->proxy_hostname, proxy_port_number);
ad06f0bc7b53 17562742 problem in UTILITY/CVS Rich Burridge <rich.burridge@oracle.com> parents: diff changeset	25	free (read_buf);

author	jenny.yung@oracle.com <jenny.yung@oracle.com>
	Tue, 16 Jun 2015 10:14:56 -0700
branch	s11-update
changeset 4489	2713cbca9e1e
parent 2850	ad06f0bc7b53
permissions	-rw-r--r--