curl: fix CVE-2018-1000005/1000007

* don't upgrade to new release, no idea how the new windows
build system likes targeting Win XP which is still supported in 5.4

Change-Id: I4fbd7f1c5f1f0563895f6f8ede10063621d10a4b
Reviewed-on: https://gerrit.libreoffice.org/48542
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Eike Rathke <erack@redhat.com>
(cherry picked from commit ed497921314ebd41fce3483c92ca433b502628ca)

3 files changed, 148 insertions, 0 deletions

diff --git a/external/curl/CVE-2018-1000005.patch b/external/curl/CVE-2018-1000005.patch
new file mode 100644
index 000000000000..7b5578b1aacc
--- /dev/null
+++ b/external/curl/CVE-2018-1000005.patch
@@ -0,0 +1,36 @@
+From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
+From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com>
+Date: Wed, 10 Jan 2018 10:12:18 -0800
+Subject: [PATCH] http2: fix incorrect trailer buffer size
+
+Prior to this change the stored byte count of each trailer was
+miscalculated and 1 less than required. It appears any trailer
+after the first that was passed to Curl_client_write would be truncated
+or corrupted as well as the size. Potentially the size of some
+subsequent trailer could be erroneously extracted from the contents of
+that trailer, and since that size is used by client write an
+out-of-bounds read could occur and cause a crash or be otherwise
+processed by client write.
+
+The bug appears to have been born in 0761a51 (precedes 7.49.0).
+
+Closes https://github.com/curl/curl/pull/2231
+---
+ lib/http2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index 8e2fc71996..699287940e 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+ 
+   if(stream->bodystarted) {
+     /* This is trailer fields. */
+-    /* 3 is for ":" and "\r\n". */
+-    uint32_t n = (uint32_t)(namelen + valuelen + 3);
++    /* 4 is for ": " and "\r\n". */
++    uint32_t n = (uint32_t)(namelen + valuelen + 4);
+ 
+     DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
+                  value));
diff --git a/external/curl/CVE-2018-1000007.patch b/external/curl/CVE-2018-1000007.patch
new file mode 100644
index 000000000000..c474370c78ad
--- /dev/null
+++ b/external/curl/CVE-2018-1000007.patch
@@ -0,0 +1,110 @@
+From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 19 Jan 2018 13:19:25 +0100
+Subject: [PATCH] http: prevent custom Authorization headers in redirects
+
+... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
+curl already handles Authorization headers created internally.
+
+Note: this changes behavior slightly, for the sake of reducing mistakes.
+
+Added test 317 and 318 to verify.
+
+Reported-by: Craig de Stigter
+Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
+---
+ docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 ++++-
+ lib/http.c                             | 10 +++-
+ lib/setopt.c                           |  2 +-
+ lib/urldata.h                          |  2 +-
+ tests/data/Makefile.inc                |  2 +-
+ tests/data/test317                     | 94 +++++++++++++++++++++++++++++++++
+ tests/data/test318                     | 95 ++++++++++++++++++++++++++++++++++
+ 7 files changed, 212 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test317
+ create mode 100644 tests/data/test318
+
+diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
+index c5ccb1a53d..c9f29e393e 100644
+--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
++++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
+@@ -5,7 +5,7 @@
+ .\" *                            | (__| |_| |  _ <| |___
+ .\" *                             \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -77,6 +77,16 @@ the headers. They may be private or otherwise sensitive to leak.
+ 
+ Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you
+ intend them to get sent.
++
++Custom headers are sent in all requests done by the easy handles, which
++implies that if you tell libcurl to follow redirects
++(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent
++in the subsequent request. Redirects can of course go to other hosts and thus
++those servers will get all the contents of your custom headers too.
++
++Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
++from being sent to other hosts than the first used one, unless specifically
++permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option.
+ .SH DEFAULT
+ NULL
+ .SH PROTOCOLS
+diff --git a/lib/http.c b/lib/http.c
+index c1cdf2da02..a5007670d7 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -714,7 +714,7 @@ Curl_http_output_auth(struct connectdata *conn,
+   if(!data->state.this_is_a_follow ||
+      conn->bits.netrc ||
+      !data->state.first_host ||
+-     data->set.http_disable_hostname_check_before_authentication ||
++     data->set.allow_auth_to_other_hosts ||
+      strcasecompare(data->state.first_host, conn->host.name)) {
+     result = output_auth_headers(conn, authhost, request, path, FALSE);
+   }
+@@ -1636,6 +1636,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
+                   checkprefix("Transfer-Encoding:", headers->data))
+             /* HTTP/2 doesn't support chunked requests */
+             ;
++          else if(checkprefix("Authorization:", headers->data) &&
++                  /* be careful of sending this potentially sensitive header to
++                     other hosts */
++                  (data->state.this_is_a_follow &&
++                   data->state.first_host &&
++                   !data->set.allow_auth_to_other_hosts &&
++                   !strcasecompare(data->state.first_host, conn->host.name)))
++            ;
+           else {
+             CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
+                                                headers->data);
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 66f30ea653..a5ef75c722 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -976,7 +976,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+      * Send authentication (user+password) when following locations, even when
+      * hostname changed.
+      */
+-    data->set.http_disable_hostname_check_before_authentication =
++    data->set.allow_auth_to_other_hosts =
+       (0 != va_arg(param, long)) ? TRUE : FALSE;
+     break;
+ 
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 4dcd1a322c..5c04ad1720 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1599,7 +1599,7 @@ struct UserDefined {
+   bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
+   bool http_follow_location; /* follow HTTP redirects */
+   bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
+-  bool http_disable_hostname_check_before_authentication;
++  bool allow_auth_to_other_hosts;
+   bool include_header;   /* include received protocol headers in data output */
+   bool http_set_referer; /* is a custom referer used */
+   bool http_auto_referer; /* set "correct" referer when following location: */
diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk
index 1359340e7881..19d4ccd4bf2e 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -25,6 +25,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
 	external/curl/curl-7.26.0_win-proxy.patch \
 	external/curl/curl-xp.patch.1 \
 	external/curl/CVE-2017-8816.patch \
+	external/curl/CVE-2018-1000005.patch \
+	external/curl/CVE-2018-1000007.patch \
 ))
 
 ifeq ($(SYSTEM_NSS),)