diff options
Diffstat (limited to 'external/curl/CVE-2017-1000254.patch')
-rw-r--r-- | external/curl/CVE-2017-1000254.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/external/curl/CVE-2017-1000254.patch b/external/curl/CVE-2017-1000254.patch new file mode 100644 index 000000000000..2e2af20f7258 --- /dev/null +++ b/external/curl/CVE-2017-1000254.patch @@ -0,0 +1,50 @@ +From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 25 Sep 2017 00:35:22 +0200 +Subject: [PATCH] FTP: zero terminate the entry path even on bad input + +... a single double quote could leave the entry path buffer without a zero +terminating byte. CVE-2017-1000254 + +Test 1152 added to verify. + +Reported-by: Max Dymond +Bug: https://curl.haxx.se/docs/adv_20171004.html +--- + lib/ftp.c | 7 ++++-- + tests/data/Makefile.inc | 1 + + tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 67 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1152 + +diff -urN curl.org/lib/ftp.c curl/lib/ftp.c +--- curl.org/lib/ftp.c 2016-12-19 09:15:11.000000000 +0100 ++++ curl/lib/ftp.c 2018-09-10 05:52:32.148633155 +0200 +@@ -2825,6 +2825,7 @@ + char *ptr=&data->state.buffer[4]; /* start on the first letter */ + char *dir; + char *store; ++ bool entry_extracted = FALSE; + + dir = malloc(nread + 1); + if(!dir) +@@ -2856,7 +2857,7 @@ + } + else { + /* end of path */ +- *store = '\0'; /* zero terminate */ ++ entry_extracted = TRUE; + break; /* get out of this loop */ + } + } +@@ -2865,7 +2866,9 @@ + store++; + ptr++; + } +- ++ *store = '\0'; /* zero terminate */ ++ } ++ if(entry_extracted) { + /* If the path name does not look like an absolute path (i.e.: it + does not start with a '/'), we probably need some server-dependent + adjustments. For example, this is the case when connecting to |