Fix CVE-2013-2174 for ftp/curl with a patch from vendor for
now so that users can build the port, per popular demands on mailing list. The upgrade patch found in ports/172325 is currently under exp-run. The changes in this commit against ftp/curl can be safely reverted before applying that patch, as it's shipped with new curl release. Approved by: portmgr (miwi)
This commit is contained in:
Xin LI
parent
cb56fdd0ba
commit
a4c3e0313f
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=322159
@ -3,7 +3,7 @@
|
||||
|
||||
PORTNAME= curl
|
||||
PORTVERSION= 7.24.0
|
||||
PORTREVISION= 3
|
||||
PORTREVISION= 4
|
||||
CATEGORIES= ftp ipv6 www
|
||||
MASTER_SITES= http://curl.haxx.se/download/ \
|
||||
LOCAL/sunpoet
|
||||
|
||||
38
ftp/curl/files/patch-CVE-2013-2174
Normal file
38
ftp/curl/files/patch-CVE-2013-2174
Normal file
@ -0,0 +1,38 @@
|
||||
From 6032f0ff672f09babf69d9d42bcde6eb9eeb5bea Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Sun, 19 May 2013 23:24:29 +0200
|
||||
Subject: [PATCH] Curl_urldecode: no peeking beyond end of input buffer
|
||||
|
||||
Security problem: CVE-2013-2174
|
||||
|
||||
If a program would give a string like "%" to curl_easy_unescape(), it
|
||||
would still consider the % as start of an encoded character. The
|
||||
function then not only read beyond the buffer but it would also deduct
|
||||
the *unsigned* counter variable for how many more bytes there's left to
|
||||
read in the buffer by two, making the counter wrap. Continuing this, the
|
||||
function would go on reading beyond the buffer and soon writing beyond
|
||||
the allocated target buffer...
|
||||
|
||||
Bug: http://curl.haxx.se/docs/adv_20130622.html
|
||||
Reported-by: Timo Sirainen
|
||||
---
|
||||
lib/escape.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git lib/escape.c lib/escape.c
|
||||
index 6a26cf8..aa7db2c 100644
|
||||
--- lib/escape.c
|
||||
+++ lib/escape.c
|
||||
@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data,
|
||||
|
||||
while(--alloc > 0) {
|
||||
in = *string;
|
||||
- if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
|
||||
+ if(('%' == in) && (alloc > 2) &&
|
||||
+ ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
|
||||
/* this is two hexadecimal digits following a '%' */
|
||||
char hexstr[3];
|
||||
char *ptr;
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
@ -209,7 +209,7 @@ Note: Please add new entries to the beginning of this file.
|
||||
<affects>
|
||||
<package>
|
||||
<name>curl</name>
|
||||
<range><ge>7.7</ge><lt>7.31.0</lt></range>
|
||||
<range><ge>7.7</ge><lt>7.24.0_4</lt></range>
|
||||
</package>
|
||||
</affects>
|
||||
<description>
|
||||
@ -257,6 +257,7 @@ Note: Please add new entries to the beginning of this file.
|
||||
<dates>
|
||||
<discovery>2013-06-22</discovery>
|
||||
<entry>2013-06-23</entry>
|
||||
<modified>2013-07-01</modified>
|
||||
</dates>
|
||||
</vuln>
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user