17335413 Problem with library/curl s11-update
author Rich Burridge <rich.burridge@oracle.com>
Tue, 27 Aug 2013 05:46:53 -0700
branch s11-update
changeset 2753 14e5111571b5
parent 2752 f28f87b37d67
child 2754 da1498ba96f6
17335413 Problem with library/curl
components/curl/patches/009-CVE-2013-2174.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/009-CVE-2013-2174.patch	Tue Aug 27 05:46:53 2013 -0700
@@ -0,0 +1,33 @@
+CVE-2013-2174: Heap-based buffer overflow in the curl_easy_unescape function
+in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote
+attackers to cause a denial of service (application crash) or possibly
+execute arbitrary code via a crafted string ending in a "%" (percent)
+character.
+
+CVE webpage for this problem:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174
+
+Relevant upstream patch at:
+https://github.com/bagder/curl/commit/192c4f788d48f82c03e9cef40013f34370e90737
+
+--- lib/escape.c.orig	2013-08-27 05:41:07.197713748 -0700
++++ lib/escape.c	2013-08-27 05:42:54.003927843 -0700
[email protected]@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2010, Daniel Stenberg, <[email protected]>, et al.
++ * Copyright (C) 1998 - 2013, Daniel Stenberg, <[email protected]>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
[email protected]@ -165,7 +165,8 @@
+ 
+   while(--alloc > 0) {
+     in = *string;
+-    if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
++    if(('%' == in) && (alloc > 2) &&
++       ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
+       /* this is two hexadecimal digits following a '%' */
+       char hexstr[3];
+       char *ptr;
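Review bot: The second lib/escape.c hunk adds `(alloc > 2)` with no explanation beside it, and the comment just below still reads only "this is two hexadecimal digits following a '%'". Since that one test is the whole fix, add a short comment saying it ensures at least two more input bytes remain before `string[1]` and `string[2]` are read. It is correctly placed ahead of the two `ISXDIGIT` calls, so short-circuit evaluation skips those reads when it fails. The threshold depends on what `alloc` counts after the pre-decrement in `while(--alloc > 0)`. Its initialisation is not among the visible lines, so please confirm that it equals the remaining bytes including the current one. The first lib/escape.c hunk changes only the copyright year; it can be dropped so that the local patch carries just the bounds check and is less likely to fail to apply. The patch header describes the trigger as a string ending in "%", but nothing here adds a regression test for that input.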