aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeonardo Arena <rnalrd@alpinelinux.org>2019-09-17 07:55:20 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-09-17 07:56:17 +0000
commitc64caaa6d0cf04cf1a2a90b1b751edef900fd849 (patch)
treeed5ef97e80d4f253b930cab2e60a6a351022e849
parentb8ed9736efcaee1cfb71d1c71773d8e62ee169d8 (diff)
downloadaports-c64caaa6d0cf04cf1a2a90b1b751edef900fd849.tar.gz
aports-c64caaa6d0cf04cf1a2a90b1b751edef900fd849.tar.bz2
aports-c64caaa6d0cf04cf1a2a90b1b751edef900fd849.tar.xz
main/curl: security fixes (CVE-2019-5481, CVE-2019-5482)
ref #10793
-rw-r--r--main/curl/APKBUILD12
-rw-r--r--main/curl/CVE-2019-5481.patch40
-rw-r--r--main/curl/CVE-2019-5482.patch50
3 files changed, 100 insertions, 2 deletions
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 9c805f3588..dc80fab933 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.61.1
-pkgrel=2
+pkgrel=3
pkgdesc="URL retrival utility and library"
url="https://curl.haxx.se"
arch="all"
@@ -23,10 +23,16 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz
CVE-2018-16890.patch
CVE-2019-3822.patch
CVE-2019-3823.patch
+ CVE-2019-5481.patch
+ CVE-2019-5482.patch
"
+
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 7.61.1-r3:
+# - CVE-2019-5481
+# - CVE-2019-5482
# 7.61.1-r2:
# - CVE-2018-16890
# - CVE-2019-3822
@@ -131,4 +137,6 @@ c1a684f17267b08f77625064ac62e4f06989c552d6d501565f8bebf31d3a96a613f0683376ec7cc1
dcaca036eafaaae66eba99808d00ff6bed3c9e59c2c1239ca1ddcf54c9e1c53edabd543dc6925ded3cdf9efd39c0968353527ae5ed0b986cefba333fbc7fd1af CVE-2018-16842.patch
573b896bd78e404002398bdf38d952ec6247af551ef7d6e34d52acbf004f8f4de60299e3a8f83be75e22dfb8731e466aea0253efec7116282afab32dbb1f66e8 CVE-2018-16890.patch
959a55237752b254bc5f58308607f3cf0475e207a7400ff6be7942c48131787f1dec4c05be5b76865ae0adf81ebae77774085ad0c19dd342fb0307cfcfe24b6c CVE-2019-3822.patch
-73f0d06f9bbd6f0688e67310120d1e806752626c103b0a52bc4b4a1a77bbe248885778f39386fbfc38cb534cd12d18f205c091769558e6a04b50010cb9ba6a69 CVE-2019-3823.patch"
+73f0d06f9bbd6f0688e67310120d1e806752626c103b0a52bc4b4a1a77bbe248885778f39386fbfc38cb534cd12d18f205c091769558e6a04b50010cb9ba6a69 CVE-2019-3823.patch
+37161e4d94cdb1add2216b031f70d7ae84451229dffe48ca9856bb311e88678f0e11baab6bb4da0386ed31e8467aa51fabaf6122f876ef9bc0003638d07f22cf CVE-2019-5481.patch
+6a048e3794415792a4554651bc55b71c22735f58293db584e9c822af9faad22f27c730b5d649d4bf1fb8d2c251f8d6e2f67249929bb7b3a76495c1f36a898ce7 CVE-2019-5482.patch"
diff --git a/main/curl/CVE-2019-5481.patch b/main/curl/CVE-2019-5481.patch
new file mode 100644
index 0000000000..2aa4952cee
--- /dev/null
+++ b/main/curl/CVE-2019-5481.patch
@@ -0,0 +1,40 @@
+From 9069838b30fb3b48af0123e39f664cea683254a5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 3 Sep 2019 22:59:32 +0200
+Subject: [PATCH] security:read_data fix bad realloc()
+
+... that could end up a double-free
+
+CVE-2019-5481
+Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
+---
+ lib/security.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index 550ea2da8d..c5e4e135df 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
+ struct krb5buffer *buf)
+ {
+ int len;
+- void *tmp = NULL;
+ CURLcode result;
+
+ result = socket_read(fd, &len, sizeof(len));
+@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- tmp = Curl_saferealloc(buf->data, len);
++ buf->data = Curl_saferealloc(buf->data, len);
+ }
+- if(tmp == NULL)
++ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+
+- buf->data = tmp;
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
diff --git a/main/curl/CVE-2019-5482.patch b/main/curl/CVE-2019-5482.patch
new file mode 100644
index 0000000000..2cd32ef179
--- /dev/null
+++ b/main/curl/CVE-2019-5482.patch
@@ -0,0 +1,50 @@
+From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
+ received
+
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+CVE-2019-5482
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index a7176cec80..346f293dc5 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -985,6 +985,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ {
+ tftp_state_data_t *state;
+ int blksize;
++ int need_blksize;
+
+ blksize = TFTP_BLKSIZE_DEFAULT;
+
+@@ -999,15 +1000,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ return CURLE_TFTP_ILLEGAL;
+ }
+
++ need_blksize = blksize;
++ /* default size is the fallback when no OACK is received */
++ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++ need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+ if(!state->rpacket.data) {
+- state->rpacket.data = calloc(1, blksize + 2 + 2);
++ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->rpacket.data)
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+ if(!state->spacket.data) {
+- state->spacket.data = calloc(1, blksize + 2 + 2);
++ state->spacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->spacket.data)
+ return CURLE_OUT_OF_MEMORY;