Security fix for CVE-2013-0249, smtp_state_authdigest_resp()

buffer overflow vulnerability. Backported from upstream git. ok naddy@ (MAINTAINER)
2013-02-08 16:27:12 +00:00 · 2013-02-08 16:27:12 +00:00 · d3be0ce8b6
commit d3be0ce8b6
parent 0d6f4f57ca
2 changed files with 50 additions and 1 deletions
--- a/net/curl/Makefile
+++ b/net/curl/Makefile
@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.84 2012/07/11 22:15:00 naddy Exp $
+# $OpenBSD: Makefile,v 1.85 2013/02/08 16:27:12 jasper Exp $

 COMMENT=	get files from FTP, Gopher, HTTP or HTTPS servers

 DISTNAME=	curl-7.26.0
+REVISION=	0
 SHARED_LIBS=	curl                 23.0     # .6.0
 CATEGORIES=	net
 MASTER_SITES=	http://curl.haxx.se/download/ \
--- a/net/curl/patches/patch-lib_smtp_c
+++ b/net/curl/patches/patch-lib_smtp_c
@ -0,0 +1,48 @@
+$OpenBSD: patch-lib_smtp_c,v 1.2 2013/02/08 16:27:12 jasper Exp $
+
+Security fix for CVE-2013-0249, smtp_state_authdigest_resp()
+buffer overflow vulnerability.
+
+Advisory:
+http://curl.haxx.se/docs/adv_20130206.html
+
+Backported from:
+http://curl.haxx.se/curl-sasl.patch
+
+--- lib/smtp.c.orig	Tue May 22 23:36:17 2012
+++ lib/smtp.c	Fri Feb  8 13:28:22 2013
+@@ -964,7 +964,7 @@ static CURLcode smtp_state_authdigest_resp(struct conn
+     snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]);
+ 
+   /* Orepare URL string, append realm to the protocol */
+-  strcat(uri, realm);
+  strlcat(uri, realm, sizeof(uri));
+ 
+   /* Calculate H(A2) */
+   ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
+@@ -1008,20 +1008,11 @@ static CURLcode smtp_state_authdigest_resp(struct conn
+   for(i = 0; i < MD5_DIGEST_LEN; i++)
+     snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]);
+ 
+-  strcpy(response, "username=\"");
+-  strcat(response, conn->user);
+-  strcat(response, "\",realm=\"");
+-  strcat(response, realm);
+-  strcat(response, "\",nonce=\"");
+-  strcat(response, nonce);
+-  strcat(response, "\",cnonce=\"");
+-  strcat(response, cnonce);
+-  strcat(response, "\",nc=");
+-  strcat(response, nonceCount);
+-  strcat(response, ",digest-uri=\"");
+-  strcat(response, uri);
+-  strcat(response, "\",response=");
+-  strcat(response, resp_hash_hex);
+  snprintf(response, sizeof(response),
+           "username=\"%s\",realm=\"%s\",nonce=\"%s\","
+           "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s",
+           conn->user, realm, nonce,
+           cnonce, nonceCount, uri, resp_hash_hex);
+ 
+   /* Encode it to base64 and send it */
+   result = Curl_base64_encode(data, response, 0, &rplyb64, &len);