Package init
This commit is contained in:
dogsheng
parent
46341a033c
commit
986b5720fa
40
CVE-2019-5481.patch
Normal file
40
CVE-2019-5481.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From 9069838b30fb3b48af0123e39f664cea683254a5 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Tue, 3 Sep 2019 22:59:32 +0200
|
||||
Subject: [PATCH] security:read_data fix bad realloc()
|
||||
|
||||
... that could end up a double-free
|
||||
|
||||
CVE-2019-5481
|
||||
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
|
||||
---
|
||||
lib/security.c | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/lib/security.c b/lib/security.c
|
||||
index 550ea2da8d..c5e4e135df 100644
|
||||
--- a/lib/security.c
|
||||
+++ b/lib/security.c
|
||||
@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
|
||||
struct krb5buffer *buf)
|
||||
{
|
||||
int len;
|
||||
- void *tmp = NULL;
|
||||
CURLcode result;
|
||||
|
||||
result = socket_read(fd, &len, sizeof(len));
|
||||
@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
|
||||
if(len) {
|
||||
/* only realloc if there was a length */
|
||||
len = ntohl(len);
|
||||
- tmp = Curl_saferealloc(buf->data, len);
|
||||
+ buf->data = Curl_saferealloc(buf->data, len);
|
||||
}
|
||||
- if(tmp == NULL)
|
||||
+ if(!len || !buf->data)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
- buf->data = tmp;
|
||||
result = socket_read(fd, buf->data, len);
|
||||
if(result)
|
||||
return result;
|
||||
59
CVE-2019-5482.patch
Normal file
59
CVE-2019-5482.patch
Normal file
@ -0,0 +1,59 @@
|
||||
From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Vegas <>
|
||||
Date: Sat, 31 Aug 2019 17:30:51 +0200
|
||||
Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
|
||||
received
|
||||
|
||||
Fixes potential buffer overflow from 'recvfrom()', should the server
|
||||
return an OACK without blksize.
|
||||
|
||||
Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
|
||||
CVE-2019-5482
|
||||
---
|
||||
lib/tftp.c | 12 +++++++++---
|
||||
1 file changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/tftp.c b/lib/tftp.c
|
||||
index a7176cec80..346f293dc5 100644
|
||||
--- a/lib/tftp.c
|
||||
+++ b/lib/tftp.c
|
||||
@@ -985,6 +985,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
|
||||
{
|
||||
tftp_state_data_t *state;
|
||||
int blksize;
|
||||
+ int need_blksize;
|
||||
|
||||
blksize = TFTP_BLKSIZE_DEFAULT;
|
||||
|
||||
@@ -999,15 +1000,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
|
||||
return CURLE_TFTP_ILLEGAL;
|
||||
}
|
||||
|
||||
+ need_blksize = blksize;
|
||||
+ /* default size is the fallback when no OACK is received */
|
||||
+ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
|
||||
+ need_blksize = TFTP_BLKSIZE_DEFAULT;
|
||||
+
|
||||
if(!state->rpacket.data) {
|
||||
- state->rpacket.data = calloc(1, blksize + 2 + 2);
|
||||
+ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
|
||||
|
||||
if(!state->rpacket.data)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
}
|
||||
|
||||
if(!state->spacket.data) {
|
||||
- state->spacket.data = calloc(1, blksize + 2 + 2);
|
||||
+ state->spacket.data = calloc(1, need_blksize + 2 + 2);
|
||||
|
||||
if(!state->spacket.data)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
@@ -1021,7 +1027,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
|
||||
state->sockfd = state->conn->sock[FIRSTSOCKET];
|
||||
state->state = TFTP_STATE_START;
|
||||
state->error = TFTP_ERR_NONE;
|
||||
- state->blksize = blksize;
|
||||
+ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
|
||||
state->requested_blksize = blksize;
|
||||
|
||||
((struct sockaddr *)&state->local_addr)->sa_family =
|
||||
10
curl.spec
10
curl.spec
@ -7,7 +7,7 @@
|
||||
#Basic Information
|
||||
Name: curl
|
||||
Version: 7.61.1
|
||||
Release: 3
|
||||
Release: 4
|
||||
Summary: curl is used in command lines or scripts to transfer data
|
||||
License: MIT
|
||||
URL: https://curl.haxx.se/
|
||||
@ -70,6 +70,8 @@ Patch6047: zsh.pl-escape-character.patch
|
||||
Patch6048: examples-postinmemory-Potential-leak-of-memory-point.patch
|
||||
Patch6049: mbedtls-release-sessionid-resources-on-error.patch
|
||||
Patch6050: CVE-2019-5436.patch
|
||||
Patch6051: CVE-2019-5481.patch
|
||||
Patch6052: CVE-2019-5482.patch
|
||||
Patch9000: 0001-fix-double-free-when-multi-perform.patch
|
||||
|
||||
Provides: curl-full = %{version}-%{release} libcurl-full = %{version}-%{release}
|
||||
@ -244,5 +246,11 @@ LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" %make_install -C sc
|
||||
%doc docs/TheArtOfHttpScripting docs/TODO
|
||||
|
||||
%changelog
|
||||
* Sat Dec 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 7.61.1-4
|
||||
- Type:cves
|
||||
- ID:CVE-2019-5481 CVE-2019-5482
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2019-5481 CVE-2019-5482
|
||||
|
||||
* Wed Sep 18 2019 guanyanjie <guanyanjie@huawei.com> - 7.61.1-3
|
||||
- Init for openEuler
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user