OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 23-Feb-2005 15:15:06
Branch: HEAD Handle: 2005022314150500
Added files:
openpkg-src/curl curl.patch
Modified files:
openpkg-src/curl curl.spec
Log:
Security Bugfixes (CAN-2005-0490)
Summary:
Revision Changes Path
1.9 +245 -0 openpkg-src/curl/curl.patch
1.66 +3 -1 openpkg-src/curl/curl.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/curl/curl.patch
============================================================================
$ cvs diff -u -r0 -r1.9 curl.patch
--- /dev/null 2005-02-23 15:15:03 +0100
+++ curl.patch 2005-02-23 15:15:06 +0100
@@ -0,0 +1,245 @@
+Security Bugfixes (CAN-2005-0490)
+http://www.idefense.com/application/poi/display?id=202&type=vulnerabilities
+http://www.idefense.com/application/poi/display?id=203&type=vulnerabilities
+
+Index: lib/base64.c
+--- lib/base64.c.orig 2004-12-15 02:38:25 +0100
++++ lib/base64.c 2005-02-23 13:26:01 +0100
+@@ -79,7 +79,7 @@
+ * Given a base64 string at src, decode it into the memory pointed to by
+ * dest. Returns the length of the decoded data.
+ */
+-size_t Curl_base64_decode(const char *src, char *dest)
++size_t Curl_base64_decode(const char *src, unsigned char **outptr)
+ {
+ int length = 0;
+ int equalsTerm = 0;
+@@ -87,6 +87,9 @@
+ int numQuantums;
+ unsigned char lastQuantum[3];
+ size_t rawlen=0;
++ unsigned char *newstr;
++
++ *outptr = NULL;
+
+ while((src[length] != '=') && src[length])
+ length++;
+@@ -97,15 +100,22 @@
+
+ rawlen = (numQuantums * 3) - equalsTerm;
+
++ newstr = malloc(rawlen+1);
++ if(!newstr)
++ return 0;
++
++ *outptr = newstr;
++
+ for(i = 0; i < numQuantums - 1; i++) {
+- decodeQuantum((unsigned char *)dest, src);
+- dest += 3; src += 4;
++ decodeQuantum((unsigned char *)newstr, src);
++ newstr += 3; src += 4;
+ }
+
+ decodeQuantum(lastQuantum, src);
+ for(i = 0; i < 3 - equalsTerm; i++)
+- dest[i] = lastQuantum[i];
++ newstr[i] = lastQuantum[i];
+
++ newstr[i] = 0; /* zero terminate */
+ return rawlen;
+ }
+
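Review bot: The new `malloc(rawlen+1)` is only large enough when `numQuantums` is at least 1, because the tail code after the loop always stores `3 - equalsTerm` bytes from `lastQuantum` plus the terminator into `newstr`. `numQuantums` is computed outside this hunk, so whether it can be zero for an empty or padding-only source is not visible here. A guard before the allocation, `if(numQuantums <= 0) return 0;`, would make the sizing safe by construction. `rawlen` is a `size_t`, so `(numQuantums * 3) - equalsTerm` should also be checked against wrapping when `equalsTerm` exceeds the quantum bytes.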
+Index: lib/base64.h
+--- lib/base64.h.orig 2004-11-29 13:11:46 +0100
++++ lib/base64.h 2005-02-23 13:26:01 +0100
+@@ -23,5 +23,5 @@
+ * $Id: curl.patch,v 1.9 2005/02/23 14:15:05 rse Exp $
+
***************************************************************************/
+ size_t Curl_base64_encode(const char *input, size_t size, char **str);
+-size_t Curl_base64_decode(const char *source, char *dest);
++size_t Curl_base64_decode(const char *source, unsigned char **outptr);
+ #endif
+Index: lib/http_negotiate.c
+--- lib/http_negotiate.c.orig 2004-08-05 20:52:54 +0200
++++ lib/http_negotiate.c 2005-02-23 13:26:01 +0100
+@@ -166,12 +166,7 @@
+
+ len = strlen(header);
+ if (len > 0) {
+- int rawlen;
+- input_token.length = (len+3)/4 * 3;
+- input_token.value = malloc(input_token.length);
+- if (input_token.value == NULL)
+- return ENOMEM;
+- rawlen = Curl_base64_decode(header, input_token.value);
++ int rawlen = Curl_base64_decode(header, &input_token.value);
+ if (rawlen < 0)
+ return -1;
+ input_token.length = rawlen;
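Review bot: The retained `if (rawlen < 0)` test cannot detect a failed decode any more, because `Curl_base64_decode` returns a `size_t` and, per the lib/base64.c change, reports allocation failure as 0 with the output pointer left NULL. The removed code returned ENOMEM in that situation; the new code sets `input_token.length` to 0 and continues with a NULL `input_token.value`. Checking the pointer restores the failure path: `if (rawlen == 0 || input_token.value == NULL) return -1;`. The enclosing function starts and ends outside this hunk, so how the token is used afterwards is not visible here.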
+Index: lib/http_ntlm.c
+--- lib/http_ntlm.c.orig 2004-12-08 00:09:41 +0100
++++ lib/http_ntlm.c 2005-02-23 13:26:01 +0100
+@@ -103,7 +103,6 @@
+ header++;
+
+ if(checkprefix("NTLM", header)) {
+- unsigned char buffer[256];
+ header += strlen("NTLM");
+
+ while(*header && isspace((int)*header))
+@@ -123,17 +122,22 @@
+ (40) Target Information (optional) security buffer(*)
+ 32 (48) start of data block
+ */
+-
+- size_t size = Curl_base64_decode(header, (char *)buffer);
++ size_t size;
++ unsigned char *buffer;
++ size = Curl_base64_decode(header, &buffer);
++ if(!buffer)
++ return CURLNTLM_BAD;
+
+ ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
+
+ if(size >= 48)
+ /* the nonce of interest is index [24 .. 31], 8 bytes */
+ memcpy(ntlm->nonce, &buffer[24], 8);
++ /* FIX: add an else here! */
+
+ /* at index decimal 20, there's a 32bit NTLM flag field */
+
++ free(buffer);
+ }
+ else {
+ if(ntlm->state >= NTLMSTATE_TYPE1)
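Review bot: A decoded type-2 message shorter than 48 bytes is still accepted. `ntlm->state` is set to `NTLMSTATE_TYPE2` before the `if(size >= 48)` test, and when that test fails `ntlm->nonce` keeps whatever it held before; the added `/* FIX: add an else here! */` comment acknowledges the gap without closing it. Rejecting the short message before the state change would handle it: `if(size < 48) { free(buffer); return CURLNTLM_BAD; }` placed directly after the `if(!buffer)` check. The surrounding function begins and ends outside this hunk.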
+Index: lib/krb4.c
+--- lib/krb4.c.orig 2004-11-11 17:34:24 +0100
++++ lib/krb4.c 2005-02-23 13:26:01 +0100
+@@ -199,7 +199,8 @@
+ {
+ int ret;
+ char *p;
+- int len;
++ unsigned char *ptr;
++ size_t len;
+ KTEXT_ST adat;
+ MSG_DAT msg_data;
+ int checksum;
+@@ -275,11 +276,17 @@
+ return AUTH_ERROR;
+ }
+ p += 5;
+- len = Curl_base64_decode(p, (char *)adat.dat);
+- if(len < 0) {
++ len = Curl_base64_decode(p, &ptr);
++ if(len > sizeof(adat.dat)-1) {
++ free(ptr);
++ len=0;
++ }
++ if(!len || !ptr) {
+ Curl_failf(data, "Failed to decode base64 from server");
+ return AUTH_ERROR;
+ }
++ memcpy((char *)adat.dat, ptr, len);
++ free(ptr);
+ adat.length = len;
+ ret = krb_rd_safe(adat.dat, adat.length, &d->key,
+ (struct sockaddr_in *)hisctladdr,
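Review bot: The error return under `if(!len || !ptr)` leaks the decoded buffer when the decoder hands back a zero length with a non-NULL pointer, since only the oversize branch frees `ptr`. The lib/base64.c change appears to allow that combination when `rawlen` computes to 0. Calling `free(ptr);` just before `return AUTH_ERROR;` and setting `ptr = NULL;` after the free in the oversize branch covers both paths without a double free. The same pattern is repeated for `tmp` and `tkt.dat` in the later hunk of this file (`@@ -346,12 +354,18 @@`), and both functions extend beyond their hunks.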
+@@ -317,10 +324,11 @@
+ char *name;
+ char *p;
+ char passwd[100];
+- int tmp;
++ size_t tmp;
+ ssize_t nread;
+ int save;
+ CURLcode result;
++ unsigned char *ptr;
+
+ save = Curl_set_command_prot(conn, prot_private);
+
+@@ -346,12 +354,18 @@
+ }
+
+ p += 2;
+- tmp = Curl_base64_decode(p, (char *)tkt.dat);
+- if(tmp < 0) {
++ tmp = Curl_base64_decode(p, &ptr);
++ if(tmp >= sizeof(tkt.dat)) {
++ free(ptr);
++ tmp=0;
++ }
++ if(!tmp || !ptr) {
+ Curl_failf(conn->data, "Failed to decode base64 in reply.\n");
+ Curl_set_command_prot(conn, save);
+ return CURLE_FTP_WEIRD_SERVER_REPLY;
+ }
++ memcpy((char *)tkt.dat, ptr, tmp);
++ free(ptr);
+ tkt.length = tmp;
+ tktcopy.length = tkt.length;
+
+Index: lib/security.c
+--- lib/security.c.orig 2004-12-15 03:32:04 +0100
++++ lib/security.c 2005-02-23 13:26:01 +0100
+@@ -297,13 +297,15 @@
+ Curl_sec_read_msg(struct connectdata *conn, char *s, int level)
+ {
+ int len;
+- char *buf;
++ unsigned char *buf;
+ int code;
+
+- buf = malloc(strlen(s));
+- len = Curl_base64_decode(s + 4, buf); /* XXX */
++ len = Curl_base64_decode(s + 4, &buf); /* XXX */
++ if(len > 0)
++ len = (conn->mech->decode)(conn->app_data, buf, len, level, conn);
++ else
++ return -1;
+
+- len = (conn->mech->decode)(conn->app_data, buf, len, level, conn);
+ if(len < 0) {
+ free(buf);
+ return -1;
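Review bot: The new `else return -1;` branch returns without releasing `buf`, although the decoder may have allocated it even when the decoded length is 0. The decoder sets the output pointer to NULL before allocating, so `else { free(buf); return -1; }` is safe in either case. `len` remains an `int` that receives a `size_t`, so a very large decoded length would be misread as negative; declaring a separate `size_t` for the decode result would avoid that. The function continues in the next hunk.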
+@@ -314,10 +316,10 @@
+ if(buf[3] == '-')
+ code = 0;
+ else
+- sscanf(buf, "%d", &code);
++ sscanf((char *)buf, "%d", &code);
+ if(buf[len-1] == '\n')
+ buf[len-1] = '\0';
+- strcpy(s, buf);
++ strcpy(s, (char *)buf);
+ free(buf);
+ return code;
+ }
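Review bot: `code` is returned uninitialised when `sscanf` fails to parse a number, because the call's return value is ignored and `code` is declared without an initial value in the previous hunk. `buf[3]` and `buf[len-1]` are also indexed with no visible check that `len` is at least 4, or at least 1, which matters if the mechanism's decode callback returns 0; the lines between the two hunks are not shown and may already cover this. Suggested: `if(sscanf((char *)buf, "%d", &code) != 1) code = -1;` (or whichever error value the callers expect) plus a length check before the indexing. `strcpy(s, (char *)buf)` relies on the decoded text fitting in the caller's buffer, which deserves a comment stating that assumption.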
+Index: tests/server/getpart.c
+--- tests/server/getpart.c.orig 2004-11-29 22:44:23 +0100
++++ tests/server/getpart.c 2005-02-23 13:26:01 +0100
+@@ -61,11 +61,11 @@
+ {
+ size_t len = strlen(buffer);
+ size_t needed_len = len + *stringlen + 1;
+- char buf64[256]; /* big enough? */
++ unsigned char *buf64=NULL;
+
+ if(base64) {
+ /* decode the given buffer first */
+- len = Curl_base64_decode(buffer, buf64); /* updated len */
++ len = Curl_base64_decode(buffer, &buf64); /* updated len */
+ buffer = buf64;
+ needed_len = len + *stringlen + 1; /* recalculate */
+ }
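Review bot: `buffer = buf64;` is assigned without checking that the decode succeeded. On allocation failure the decoder leaves `buf64` NULL and returns 0, so `buffer` is NULL when it reaches the copy that follows outside this hunk. A check right after the call, for example `if(!buf64) return NULL;` if NULL is this function's error return (not visible here), would stop that. Any early return between this hunk and the `free(buf64)` added in the next one would also leak the buffer.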
+@@ -87,6 +87,9 @@
+ *stringlen += len;
+ string[*stringlen]=0;
+
++ if(buf64)
++ free(buf64);
++
+ return string;
+ }
+
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/curl/curl.spec
============================================================================
$ cvs diff -u -r1.65 -r1.66 curl.spec
--- openpkg-src/curl/curl.spec 1 Feb 2005 18:47:16 -0000 1.65
+++ openpkg-src/curl/curl.spec 23 Feb 2005 14:15:05 -0000 1.66
@@ -34,7 +34,7 @@
Group: Web
License: GPL
Version: 7.13.0
-Release: 20050201
+Release: 20050223
# package options
%option with_ssl yes
@@ -43,6 +43,7 @@
# list of sources
Source0: http://curl.haxx.se/download/curl-%{version}.tar.bz2
+Patch0: curl.patch
# build information
Prefix: %{l_prefix}
@@ -80,6 +81,7 @@
%prep
%setup -q
+ %patch -p0
%build
%{l_shtool} subst \
@@ .