aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-support/curl/curl/CVE-2016-8621.patch
blob: 55062776b684d3ade0e2a457b10f5a31746f4898 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
From 8a6d9ded5f02f0294ae63a007e26087316c1998e Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 4 Oct 2016 16:59:38 +0200
Subject: [PATCH] parsedate: handle cut off numbers better
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

... and don't read outside of the given buffer!

CVE-2016-8621

bug: https://curl.haxx.se/docs/adv_20161102G.html
Reported-by: Luật Nguyễn

Upstream-Status: Backport
https://curl.haxx.se/CVE-2016-8621.patch
CVE: CVE-2016-8621
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>

---
 lib/parsedate.c        | 12 +++++++-----
 tests/data/test517     |  6 ++++++
 tests/libtest/lib517.c |  8 +++++++-
 3 files changed, 20 insertions(+), 6 deletions(-)

Index: curl-7.44.0/lib/parsedate.c
===================================================================
--- curl-7.44.0.orig/lib/parsedate.c
+++ curl-7.44.0/lib/parsedate.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -386,15 +386,17 @@ static int parsedate(const char *date, t
       /* a digit */
       int val;
       char *end;
+      int len=0;
       if((secnum == -1) &&
-         (3 == sscanf(date, "%02d:%02d:%02d", &hournum, &minnum, &secnum))) {
+         (3 == sscanf(date, "%02d:%02d:%02d%n",
+                      &hournum, &minnum, &secnum, &len))) {
         /* time stamp! */
-        date += 8;
+        date += len;
       }
       else if((secnum == -1) &&
-              (2 == sscanf(date, "%02d:%02d", &hournum, &minnum))) {
+              (2 == sscanf(date, "%02d:%02d%n", &hournum, &minnum, &len))) {
         /* time stamp without seconds */
-        date += 5;
+        date += len;
         secnum = 0;
       }
       else {
Index: curl-7.44.0/tests/data/test517
===================================================================
--- curl-7.44.0.orig/tests/data/test517
+++ curl-7.44.0/tests/data/test517
@@ -116,6 +116,12 @@ nothing
 81: 20111323 12:34:56 => -1
 82: 20110623 12:34:79 => -1
 83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000
+84: 20110623 12:3 => 1308830580
+85: 20110623 1:3 => 1308790980
+86: 20110623 1:30 => 1308792600
+87: 20110623 12:12:3 => 1308831123
+88: 20110623 01:12:3 => 1308791523
+89: 20110623 01:99:30 => -1
 </stdout>
 
 # This test case previously tested an overflow case ("2094 Nov 6 =>
Index: curl-7.44.0/tests/libtest/lib517.c
===================================================================
--- curl-7.44.0.orig/tests/libtest/lib517.c
+++ curl-7.44.0/tests/libtest/lib517.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -116,6 +116,12 @@ static const char * const dates[]={
   "20111323 12:34:56",
   "20110623 12:34:79",
   "Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */
+  "20110623 12:3",
+  "20110623 1:3",
+  "20110623 1:30",
+  "20110623 12:12:3",
+  "20110623 01:12:3",
+  "20110623 01:99:30",
   NULL
 };