components/curl/patches/019-CVE-2016-8621.patch
author Yiteng Zhang <yiteng.zhang@oracle.com>
Tue, 07 Feb 2017 17:11:12 -0800
branchs11u3-sru
changeset 7654 61774c5d9189
permissions -rw-r--r--
25241371 problem in LIBRARY/CURL 25241378 problem in LIBRARY/CURL 25241832 problem in LIBRARY/CURL 25241839 problem in LIBRARY/CURL 25241853 problem in LIBRARY/CURL 25241867 problem in LIBRARY/CURL 25241881 problem in LIBRARY/CURL 25241889 problem in LIBRARY/CURL 25241894 problem in LIBRARY/CURL 25241900 problem in LIBRARY/CURL 25306385 problem in LIBRARY/CURL

From 8a6d9ded5f02f0294ae63a007e26087316c1998e Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Tue, 4 Oct 2016 16:59:38 +0200
Subject: [PATCH] parsedate: handle cut off numbers better
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

... and don't read outside of the given buffer!

CVE-2016-8621

bug: https://curl.haxx.se/docs/adv_20161102G.html
Reported-by: Luật Nguyễn
---
 lib/parsedate.c        | 12 +++++++-----
 tests/data/test517     |  6 ++++++
 tests/libtest/lib517.c |  8 +++++++-
 3 files changed, 20 insertions(+), 6 deletions(-)

--- lib/parsedate.c
+++ lib/parsedate.c
@@ -3,11 +3,11 @@
  *  Project                     ___| | | |  _ \| |
  *                             / __| | | | |_) | |
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <[email protected]>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <[email protected]>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
  * are also available at https://curl.haxx.se/docs/copyright.html.
  *
@@ -384,19 +384,21 @@ static int parsedate(const char *date, time_t *output)
     }
     else if(ISDIGIT(*date)) {
       /* a digit */
       int val;
       char *end;
+      int len=0;
       if((secnum == -1) &&
-         (3 == sscanf(date, "%02d:%02d:%02d", &hournum, &minnum, &secnum))) {
+         (3 == sscanf(date, "%02d:%02d:%02d%n",
+                      &hournum, &minnum, &secnum, &len))) {
         /* time stamp! */
-        date += 8;
+        date += len;
       }
       else if((secnum == -1) &&
-              (2 == sscanf(date, "%02d:%02d", &hournum, &minnum))) {
+              (2 == sscanf(date, "%02d:%02d%n", &hournum, &minnum, &len))) {
         /* time stamp without seconds */
-        date += 5;
+        date += len;
         secnum = 0;
       }
       else {
         long lval;
         int error;
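Review bot: The `%02d` conversions in both `sscanf` calls still skip leading whitespace and accept a sign, so only the first character of the field is known to be a digit (from the `ISDIGIT(*date)` guard). A time such as `12:-3` or `12: 3` would be converted, and `date += len` would then step over it. The range check on the parsed values is not visible in this hunk; if it tests upper bounds only, add the lower bounds as well, e.g. `(hournum < 0) || (minnum < 0) || (secnum < 0)`. A comment above the first call would also record why `%n` is used, e.g. `/* %n gives the number of bytes consumed, so date never advances past the terminator on a cut-off field */`. The body of parsedate starts and ends outside this hunk.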
--- tests/data/test517
+++ tests/data/test517
@@ -114,10 +114,16 @@ nothing
 79: 20110632 12:34:56 => -1
 80: 20110623 56:34:56 => -1
 81: 20111323 12:34:56 => -1
 82: 20110623 12:34:79 => -1
 83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000
+84: 20110623 12:3 => 1308830580
+85: 20110623 1:3 => 1308790980
+86: 20110623 1:30 => 1308792600
+87: 20110623 12:12:3 => 1308831123
+88: 20110623 01:12:3 => 1308791523
+89: 20110623 01:99:30 => -1
 </stdout>
 
 # This test case previously tested an overflow case ("2094 Nov 6 =>
 # 2147483647") for 32bit time_t, but since some systems have 64bit time_t and
 # handles this (returning 3939840000), and some 64bit-time_t systems don't
--- tests/libtest/lib517.c
+++ tests/libtest/lib517.c
@@ -3,11 +3,11 @@
  *  Project                     ___| | | |  _ \| |
  *                             / __| | | | |_) | |
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <[email protected]>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <[email protected]>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
  * are also available at https://curl.haxx.se/docs/copyright.html.
  *
@@ -114,10 +114,16 @@ static const char * const dates[]={
   "20110632 12:34:56",
   "20110623 56:34:56",
   "20111323 12:34:56",
   "20110623 12:34:79",
   "Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */
+  "20110623 12:3",
+  "20110623 1:3",
+  "20110623 1:30",
+  "20110623 12:12:3",
+  "20110623 01:12:3",
+  "20110623 01:99:30",
   NULL
 };
 
 int test(char *URL)
 {
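Review bot: The six new inputs are string literals in the static `dates[]` table, so a read past a terminator would most likely land in a neighbouring literal and still produce a plausible value. Comparing the expected output alone may therefore not catch a regression of the over-read. Consider running this test under a memory-error detector and, in `test()`, passing each entry through an exact-size heap copy so that an out-of-bounds read becomes detectable. A comment above the new entries would help too, e.g. `/* cut-off time fields: must not be read past the terminator (CVE-2016-8621) */`. The body of `test()` lies outside this hunk, so how the strings reach the parser is not visible here.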
-- 
2.9.3