svn commit: r322159 - in head: ftp/curl ftp/curl/files security/vuxml
Xin LI
delphij at FreeBSD.org
Tue Jul 2 07:43:03 UTC 2013
Author: delphij
Date: Tue Jul 2 07:43:02 2013
New Revision: 322159
URL: http://svnweb.freebsd.org/changeset/ports/322159
Log:
Fix CVE-2013-2174 for ftp/curl with a patch from vendor for
now so that users can build the port, per popular demands
on mailing list.
The upgrade patch found in ports/172325 is currently under
exp-run. The changes in this commit against ftp/curl can be
safely reverted before applying that patch, as it's shipped
with new curl release.
Approved by: portmgr (miwi)
Added:
head/ftp/curl/files/patch-CVE-2013-2174 (contents, props changed)
Modified:
head/ftp/curl/Makefile
head/security/vuxml/vuln.xml
Modified: head/ftp/curl/Makefile
==============================================================================
--- head/ftp/curl/Makefile Tue Jul 2 07:15:49 2013 (r322158)
+++ head/ftp/curl/Makefile Tue Jul 2 07:43:02 2013 (r322159)
@@ -3,7 +3,7 @@
PORTNAME= curl
PORTVERSION= 7.24.0
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= ftp ipv6 www
MASTER_SITES= http://curl.haxx.se/download/ \
LOCAL/sunpoet
Added: head/ftp/curl/files/patch-CVE-2013-2174
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/ftp/curl/files/patch-CVE-2013-2174 Tue Jul 2 07:43:02 2013 (r322159)
@@ -0,0 +1,38 @@
+From 6032f0ff672f09babf69d9d42bcde6eb9eeb5bea Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Sun, 19 May 2013 23:24:29 +0200
+Subject: [PATCH] Curl_urldecode: no peeking beyond end of input buffer
+
+Security problem: CVE-2013-2174
+
+If a program would give a string like "%" to curl_easy_unescape(), it
+would still consider the % as start of an encoded character. The
+function then not only read beyond the buffer but it would also deduct
+the *unsigned* counter variable for how many more bytes there's left to
+read in the buffer by two, making the counter wrap. Continuing this, the
+function would go on reading beyond the buffer and soon writing beyond
+the allocated target buffer...
+
+Bug: http://curl.haxx.se/docs/adv_20130622.html
+Reported-by: Timo Sirainen
+---
+ lib/escape.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git lib/escape.c lib/escape.c
+index 6a26cf8..aa7db2c 100644
+--- lib/escape.c
++++ lib/escape.c
+@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data,
+
+ while(--alloc > 0) {
+ in = *string;
+- if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
++ if(('%' == in) && (alloc > 2) &&
++ ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
+ /* this is two hexadecimal digits following a '%' */
+ char hexstr[3];
+ char *ptr;
+--
+1.7.10.4
+
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Jul 2 07:15:49 2013 (r322158)
+++ head/security/vuxml/vuln.xml Tue Jul 2 07:43:02 2013 (r322159)
@@ -209,7 +209,7 @@ Note: Please add new entries to the beg
<affects>
<package>
<name>curl</name>
- <range><ge>7.7</ge><lt>7.31.0</lt></range>
+ <range><ge>7.7</ge><lt>7.24.0_4</lt></range>
</package>
</affects>
<description>
@@ -257,6 +257,7 @@ Note: Please add new entries to the beg
<dates>
<discovery>2013-06-22</discovery>
<entry>2013-06-23</entry>
+ <modified>2013-07-01</modified>
</dates>
</vuln>
More information about the svn-ports-head
mailing list