Date: Tue, 2 Jul 2013 07:43:03 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r322159 - in head: ftp/curl ftp/curl/files security/vuxml Message-ID: <201307020743.r627h3Gw044199@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Tue Jul 2 07:43:02 2013 New Revision: 322159 URL: http://svnweb.freebsd.org/changeset/ports/322159 Log: Fix CVE-2013-2174 for ftp/curl with a patch from vendor for now so that users can build the port, per popular demands on mailing list. The upgrade patch found in ports/172325 is currently under exp-run. The changes in this commit against ftp/curl can be safely reverted before applying that patch, as it's shipped with new curl release. Approved by: portmgr (miwi) Added: head/ftp/curl/files/patch-CVE-2013-2174 (contents, props changed) Modified: head/ftp/curl/Makefile head/security/vuxml/vuln.xml Modified: head/ftp/curl/Makefile ============================================================================== --- head/ftp/curl/Makefile Tue Jul 2 07:15:49 2013 (r322158) +++ head/ftp/curl/Makefile Tue Jul 2 07:43:02 2013 (r322159) @@ -3,7 +3,7 @@ PORTNAME= curl PORTVERSION= 7.24.0 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= ftp ipv6 www MASTER_SITES= http://curl.haxx.se/download/ \ LOCAL/sunpoet Added: head/ftp/curl/files/patch-CVE-2013-2174 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/ftp/curl/files/patch-CVE-2013-2174 Tue Jul 2 07:43:02 2013 (r322159) @@ -0,0 +1,38 @@ +From 6032f0ff672f09babf69d9d42bcde6eb9eeb5bea Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Sun, 19 May 2013 23:24:29 +0200 +Subject: [PATCH] Curl_urldecode: no peeking beyond end of input buffer + +Security problem: CVE-2013-2174 + +If a program would give a string like "%" to curl_easy_unescape(), it +would still consider the % as start of an encoded character. The +function then not only read beyond the buffer but it would also deduct +the *unsigned* counter variable for how many more bytes there's left to +read in the buffer by two, making the counter wrap. Continuing this, the +function would go on reading beyond the buffer and soon writing beyond +the allocated target buffer... + +Bug: http://curl.haxx.se/docs/adv_20130622.html +Reported-by: Timo Sirainen +--- + lib/escape.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git lib/escape.c lib/escape.c +index 6a26cf8..aa7db2c 100644 +--- lib/escape.c ++++ lib/escape.c +@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data, + + while(--alloc > 0) { + in = *string; +- if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { ++ if(('%' == in) && (alloc > 2) && ++ ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { + /* this is two hexadecimal digits following a '%' */ + char hexstr[3]; + char *ptr; +-- +1.7.10.4 + Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Jul 2 07:15:49 2013 (r322158) +++ head/security/vuxml/vuln.xml Tue Jul 2 07:43:02 2013 (r322159) @@ -209,7 +209,7 @@ Note: Please add new entries to the beg <affects> <package> <name>curl</name> - <range><ge>7.7</ge><lt>7.31.0</lt></range> + <range><ge>7.7</ge><lt>7.24.0_4</lt></range> </package> </affects> <description> @@ -257,6 +257,7 @@ Note: Please add new entries to the beg <dates> <discovery>2013-06-22</discovery> <entry>2013-06-23</entry> + <modified>2013-07-01</modified> </dates> </vuln>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201307020743.r627h3Gw044199>