smtp: use the upload buffer size for scratch buffer malloc ... not the read buffer size, as that can be set smaller and thus cause a buffer overflow! CVE-2018-0500
Reported-by: Peter Wu Bug: https://curl.haxx.se/docs/adv_2018-70a2.html Affects curl >= 7.54.1 && curl <= 7.60.0 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjana...@mvista.com> --- meta/recipes-support/curl/curl/CVE-2018-0500.patch | 39 ++++++++++++++++++++++ meta/recipes-support/curl/curl_7.58.0.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2018-0500.patch diff --git a/meta/recipes-support/curl/curl/CVE-2018-0500.patch b/meta/recipes-support/curl/curl/CVE-2018-0500.patch new file mode 100644 index 0000000..4395a3c --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2018-0500.patch @@ -0,0 +1,39 @@ +From ba1dbd78e5f1ed67c1b8d37ac89d90e5e330b628 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <dan...@haxx.se> +Date: Wed, 13 Jun 2018 12:24:40 +0200 +Subject: [PATCH] smtp: use the upload buffer size for scratch buffer malloc + +... not the read buffer size, as that can be set smaller and thus cause +a buffer overflow! CVE-2018-0500 + +Reported-by: Peter Wu +Bug: https://curl.haxx.se/docs/adv_2018-70a2.html + +CVE: CVE-2018-0500 +Upstream-Status: Backport [https://github.com/curl/curl/commit/ba1dbd78e5f1e.patch] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjana...@mvista.com> +--- + lib/smtp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/smtp.c b/lib/smtp.c +index e6872badb8..ecf10a41ac 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1563,13 +1563,14 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread) + if(!scratch || data->set.crlf) { + oldscratch = scratch; + +- scratch = newscratch = malloc(2 * data->set.buffer_size); ++ scratch = newscratch = malloc(2 * UPLOAD_BUFSIZE); + if(!newscratch) { + failf(data, "Failed to alloc scratch buffer!"); + + return CURLE_OUT_OF_MEMORY; + } + } ++ DEBUGASSERT(UPLOAD_BUFSIZE >= nread); + + /* Have we already sent part of the EOB? */ + eob_sent = smtp->eob; diff --git a/meta/recipes-support/curl/curl_7.58.0.bb b/meta/recipes-support/curl/curl_7.58.0.bb index 4376bb3..7dc5381 100644 --- a/meta/recipes-support/curl/curl_7.58.0.bb +++ b/meta/recipes-support/curl/curl_7.58.0.bb @@ -9,6 +9,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://0001-replace-krb5-config-with-pkg-config.patch \ file://CVE-2018-1000300.patch \ file://CVE-2018-1000301.patch \ + file://CVE-2018-0500.patch \ " -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core