author | Rich Burridge <rich.burridge@oracle.com> |
Wed, 21 Aug 2013 02:37:44 -0700 | |
changeset 1449 | d430caca2495 |
permissions | -rw-r--r-- |
17335413 problem in LIBRARY/CURL
CVE-2013-2174: Heap-based buffer overflow in the curl_easy_unescape function |
in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote |
attackers to cause a denial of service (application crash) or possibly |
execute arbitrary code via a crafted string ending in a "%" (percent) |
character. |
CVE webpage for this problem: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174 |
Relevant upstream patch at: |
https://github.com/bagder/curl/commit/192c4f788d48f82c03e9cef40013f34370e90737 |
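--- a/lib/escape.c
+++ b/lib/escape.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <[email protected]>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <[email protected]>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -159,7 +159,8 @@
 
 while(--alloc > 0) {
 in = *string;
- if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
+ if(('%' == in) && (alloc > 2) &&
+ ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
 /* this is two hexadecimal digits following a '%' */
 char hexstr[3];
 char *ptr;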
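Review bot: The added `(alloc > 2)` test in the `if` inside the `while(--alloc > 0)` loop carries no comment, so the reason it has to come before the `ISXDIGIT(string[1])` and `ISXDIGIT(string[2])` reads is left for the reader to reconstruct. I would put `/* only look at string[1] and string[2] when at least "%XX" is left of the input */` directly above the condition. The guard is only correct if `alloc` holds the number of input bytes not yet consumed at this point; that is initialised outside this hunk (the function starts and ends outside it), so it should be confirmed against the full file. The patch also adds no regression test; a case that passes an explicit length for a buffer whose last byte is `%` would keep the check from being dropped in a later refactor.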