external/curl/CVE-2017-8816.patch | 67 ++++++++++++++++++++
external/curl/CVE-2018-1000005.patch | 36 +++++++++++
external/curl/CVE-2018-1000007.patch | 110 ++++++++++++++++++++++++++++++++++
external/curl/UnpackedTarball_curl.mk | 3
4 files changed, 216 insertions(+)
New commits:
commit db7d2a81bd0cb9b25dd239fa30a7005d0b69462f
Author: Michael Stahl <mst...@redhat.com>
Date: Wed Jan 24 22:24:03 2018 +0100
curl: fix CVE-2018-1000005/1000007
* don't upgrade to new release, no idea how the new windows
build system likes targeting Win XP which is still supported in 5.4
Change-Id: I4fbd7f1c5f1f0563895f6f8ede10063621d10a4b
Reviewed-on: https://gerrit.libreoffice.org/48542
Tested-by: Jenkins <c...@libreoffice.org>
Reviewed-by: Eike Rathke <er...@redhat.com>
(cherry picked from commit ed497921314ebd41fce3483c92ca433b502628ca)
diff --git a/external/curl/CVE-2018-1000005.patch
b/external/curl/CVE-2018-1000005.patch
new file mode 100644
index 000000000000..7b5578b1aacc
--- /dev/null
+++ b/external/curl/CVE-2018-1000005.patch
@@ -0,0 +1,36 @@
+From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
+From: Zhouyihai Ding <ddyi...@ddyihai.svl.corp.google.com>
+Date: Wed, 10 Jan 2018 10:12:18 -0800
+Subject: [PATCH] http2: fix incorrect trailer buffer size
+
+Prior to this change the stored byte count of each trailer was
+miscalculated and 1 less than required. It appears any trailer
+after the first that was passed to Curl_client_write would be truncated
+or corrupted as well as the size. Potentially the size of some
+subsequent trailer could be erroneously extracted from the contents of
+that trailer, and since that size is used by client write an
+out-of-bounds read could occur and cause a crash or be otherwise
+processed by client write.
+
+The bug appears to have been born in 0761a51 (precedes 7.49.0).
+
+Closes https://github.com/curl/curl/pull/2231
+---
+ lib/http2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index 8e2fc71996..699287940e 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const
nghttp2_frame *frame,
+
+ if(stream->bodystarted) {
+ /* This is trailer fields. */
+- /* 3 is for ":" and "\r\n". */
+- uint32_t n = (uint32_t)(namelen + valuelen + 3);
++ /* 4 is for ": " and "\r\n". */
++ uint32_t n = (uint32_t)(namelen + valuelen + 4);
+
+ DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
+ value));
diff --git a/external/curl/CVE-2018-1000007.patch
b/external/curl/CVE-2018-1000007.patch
new file mode 100644
index 000000000000..c474370c78ad
--- /dev/null
+++ b/external/curl/CVE-2018-1000007.patch
@@ -0,0 +1,110 @@
+From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Fri, 19 Jan 2018 13:19:25 +0100
+Subject: [PATCH] http: prevent custom Authorization headers in redirects
+
+... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
+curl already handles Authorization headers created internally.
+
+Note: this changes behavior slightly, for the sake of reducing mistakes.
+
+Added test 317 and 318 to verify.
+
+Reported-by: Craig de Stigter
+Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
+---
+ docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 ++++-
+ lib/http.c | 10 +++-
+ lib/setopt.c | 2 +-
+ lib/urldata.h | 2 +-
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test317 | 94 +++++++++++++++++++++++++++++++++
+ tests/data/test318 | 95 ++++++++++++++++++++++++++++++++++
+ 7 files changed, 212 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test317
+ create mode 100644 tests/data/test318
+
+diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
+index c5ccb1a53d..c9f29e393e 100644
+--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
++++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
+@@ -5,7 +5,7 @@
+ .\" * | (__| |_| | _ <| |___
+ .\" * \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <dan...@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <dan...@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -77,6 +77,16 @@ the headers. They may be private or otherwise sensitive to
leak.
+
+ Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you
+ intend them to get sent.
++
++Custom headers are sent in all requests done by the easy handles, which
++implies that if you tell libcurl to follow redirects
++(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent
++in the subsequent request. Redirects can of course go to other hosts and thus
++those servers will get all the contents of your custom headers too.
++
++Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
++from being sent to other hosts than the first used one, unless specifically
++permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option.
+ .SH DEFAULT
+ NULL
+ .SH PROTOCOLS
+diff --git a/lib/http.c b/lib/http.c
+index c1cdf2da02..a5007670d7 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -714,7 +714,7 @@ Curl_http_output_auth(struct connectdata *conn,
+ if(!data->state.this_is_a_follow ||
+ conn->bits.netrc ||
+ !data->state.first_host ||
+- data->set.http_disable_hostname_check_before_authentication ||
++ data->set.allow_auth_to_other_hosts ||
+ strcasecompare(data->state.first_host, conn->host.name)) {
+ result = output_auth_headers(conn, authhost, request, path, FALSE);
+ }
+@@ -1636,6 +1636,14 @@ CURLcode Curl_add_custom_headers(struct connectdata
*conn,
+ checkprefix("Transfer-Encoding:", headers->data))
+ /* HTTP/2 doesn't support chunked requests */
+ ;
++ else if(checkprefix("Authorization:", headers->data) &&
++ /* be careful of sending this potentially sensitive header
to
++ other hosts */
++ (data->state.this_is_a_follow &&
++ data->state.first_host &&
++ !data->set.allow_auth_to_other_hosts &&
++ !strcasecompare(data->state.first_host, conn->host.name)))
++ ;
+ else {
+ CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
+ headers->data);
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 66f30ea653..a5ef75c722 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -976,7 +976,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption
option,
+ * Send authentication (user+password) when following locations, even when
+ * hostname changed.
+ */
+- data->set.http_disable_hostname_check_before_authentication =
++ data->set.allow_auth_to_other_hosts =
+ (0 != va_arg(param, long)) ? TRUE : FALSE;
+ break;
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 4dcd1a322c..5c04ad1720 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1599,7 +1599,7 @@ struct UserDefined {
+ bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
+ bool http_follow_location; /* follow HTTP redirects */
+ bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
+- bool http_disable_hostname_check_before_authentication;
++ bool allow_auth_to_other_hosts;
+ bool include_header; /* include received protocol headers in data output
*/
+ bool http_set_referer; /* is a custom referer used */
+ bool http_auto_referer; /* set "correct" referer when following location: */
diff --git a/external/curl/UnpackedTarball_curl.mk
b/external/curl/UnpackedTarball_curl.mk
index 1359340e7881..19d4ccd4bf2e 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -25,6 +25,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
external/curl/curl-7.26.0_win-proxy.patch \
external/curl/curl-xp.patch.1 \
external/curl/CVE-2017-8816.patch \
+ external/curl/CVE-2018-1000005.patch \
+ external/curl/CVE-2018-1000007.patch \
))
ifeq ($(SYSTEM_NSS),)
commit 30990c147cdc3cdc0f7ec6a8f946b755ce1d46bf
Author: Michael Stahl <mst...@redhat.com>
Date: Wed Nov 29 12:28:03 2017 +0100
curl: fix CVE-2017-8816
* don't upgrade to new release, no idea how the new windows
build system likes targeting Win XP which is still supported in 5.4
* CVE-2017-8817 doesn't affect LO as CURLOPT_WILDCARDMATCH isn't used
* CVE-2017-8818 doesn't affect the old 7.52 version
Change-Id: I49ddb771ccdb93d5fe8f4b3544f74ab9b171c156
Reviewed-on: https://gerrit.libreoffice.org/45487
Tested-by: Jenkins <c...@libreoffice.org>
Reviewed-by: Caolán McNamara <caol...@redhat.com>
Tested-by: Caolán McNamara <caol...@redhat.com>
(cherry picked from commit aa0f44de5b260b2b2a39bdd2de9445d72ab14265)
diff --git a/external/curl/CVE-2017-8816.patch
b/external/curl/CVE-2017-8816.patch
new file mode 100644
index 000000000000..dd4fa677e03f
--- /dev/null
+++ b/external/curl/CVE-2017-8816.patch
@@ -0,0 +1,67 @@
+From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Mon, 6 Nov 2017 23:51:52 +0100
+Subject: [PATCH] ntlm: avoid integer overflow for malloc size
+
+Reported-by: Alex Nichols
+Assisted-by: Kamil Dudka and Max Dymond
+
+CVE-2017-8816
+
+Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+---
+ lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index 1309bf0d9..e8962769c 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key,
unsigned int keylen,
+ Curl_HMAC_final(ctxt, output);
+
+ return CURLE_OK;
+ }
+
++#ifndef SIZE_T_MAX
++/* some limits.h headers have this defined, some don't */
++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++#endif
++
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+ * (uppercase UserName + Domain) as the data
+ */
+ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
+ const char *domain, size_t domlen,
+ unsigned char *ntlmhash,
+ unsigned char *ntlmv2hash)
+ {
+ /* Unicode representation */
+- size_t identity_len = (userlen + domlen) * 2;
+- unsigned char *identity = malloc(identity_len);
++ size_t identity_len;
++ unsigned char *identity;
+ CURLcode result = CURLE_OK;
+
++ /* we do the length checks below separately to avoid integer overflow risk
++ on extreme data lengths */
++ if((userlen > SIZE_T_MAX/2) ||
++ (domlen > SIZE_T_MAX/2) ||
++ ((userlen + domlen) > SIZE_T_MAX/2))
++ return CURLE_OUT_OF_MEMORY;
++
++ identity_len = (userlen + domlen) * 2;
++ identity = malloc(identity_len);
++
+ if(!identity)
+ return CURLE_OUT_OF_MEMORY;
+
+ ascii_uppercase_to_unicode_le(identity, user, userlen);
+ ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
+--
+2.15.0
+
diff --git a/external/curl/UnpackedTarball_curl.mk
b/external/curl/UnpackedTarball_curl.mk
index 546f4aa38aa9..1359340e7881 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -24,6 +24,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
external/curl/curl-7.26.0_mingw.patch \
external/curl/curl-7.26.0_win-proxy.patch \
external/curl/curl-xp.patch.1 \
+ external/curl/CVE-2017-8816.patch \
))
ifeq ($(SYSTEM_NSS),)
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
