Diffstat (limited to 'package/network/utils/curl/patches/105-CVE-2017-1000254.patch')
-rw-r--r-- | package/network/utils/curl/patches/105-CVE-2017-1000254.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/package/network/utils/curl/patches/105-CVE-2017-1000254.patch b/package/network/utils/curl/patches/105-CVE-2017-1000254.patch
new file mode 100644
index 0000000000..56b0235583
--- /dev/null
+++ b/package/network/utils/curl/patches/105-CVE-2017-1000254.patch
@@ -0,0 +1,49 @@
+From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Sep 2017 00:35:22 +0200
+Subject: [PATCH] FTP: zero terminate the entry path even on bad input
+
+... a single double quote could leave the entry path buffer without a zero
+terminating byte. CVE-2017-1000254
+
+Test 1152 added to verify.
+
+Reported-by: Max Dymond
+Bug: https://curl.haxx.se/docs/adv_20171004.html
+---
+ lib/ftp.c | 7 ++++--
+ tests/data/Makefile.inc | 1 +
+ tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 67 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1152
+
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2825,6 +2825,7 @@ static CURLcode ftp_statemach_act(struct
+ char *ptr=&data->state.buffer[4]; /* start on the first letter */
+ char *dir;
+ char *store;
++ bool entry_extracted = FALSE;
+
+ dir = malloc(nread + 1);
+ if(!dir)
+@@ -2856,7 +2857,7 @@ static CURLcode ftp_statemach_act(struct
+ }
+ else {
+ /* end of path */
+- *store = '\0'; /* zero terminate */
++ entry_extracted = TRUE;
+ break; /* get out of this loop */
+ }
+ }
+@@ -2865,7 +2866,9 @@ static CURLcode ftp_statemach_act(struct
+ store++;
+ ptr++;
+ }
+-
++ *store = '\0'; /* zero terminate */
++ }
++ if(entry_extracted) {
+ /* If the path name does not look like an absolute path (i.e.: it
+ does not start with a '/'), we probably need some server-dependent
+ adjustments. For example, this is the case when connecting to |
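Review bot: The embedded upstream header still says "Test 1152 added to verify" and its diffstat lists `tests/data/Makefile.inc` and `tests/data/test1152` (3 files, 67 insertions), but the 49 lines carried here contain only the three `lib/ftp.c` hunks, so the regression test for the unterminated entry path is not part of this backport. I would record that in the patch header, for example `[OpenWrt: tests/ hunks dropped, lib/ftp.c fix only]` after the `Bug:` line, so a later refresh or audit does not assume the fix is test-covered in this tree. The fix also depends on code outside the hunks, because `ftp_statemach_act` continues past the last context line. Two things cannot be checked from this diff and should be confirmed against the packaged curl source: the branch taken when `entry_extracted` stays FALSE (which presumably has to free `dir`), and the loop bound that keeps the relocated `*store = '\0';` inside the `nread + 1` allocation.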