From patchwork Mon Jun 24 23:12:54 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gustavo Zacarias <gustavo@zacarias.com.ar>
X-Patchwork-Id: 253990
Return-Path: <buildroot-bounces@busybox.net>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from whitealder.osuosl.org (whitealder.osuosl.org
	[140.211.166.138])
	by ozlabs.org (Postfix) with ESMTP id 14D5A2C0098
	for <incoming@patchwork.ozlabs.org>;
	Tue, 25 Jun 2013 09:13:44 +1000 (EST)
Received: from localhost (localhost [127.0.0.1])
	by whitealder.osuosl.org (Postfix) with ESMTP id 2C1E98AA35;
	Mon, 24 Jun 2013 23:13:38 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 3y-ExSLvG+6A; Mon, 24 Jun 2013 23:13:23 +0000 (UTC)
Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34])
	by whitealder.osuosl.org (Postfix) with ESMTP id 20A258C724;
	Mon, 24 Jun 2013 23:13:18 +0000 (UTC)
X-Original-To: buildroot@lists.busybox.net
Delivered-To: buildroot@osuosl.org
Received: from whitealder.osuosl.org (whitealder.osuosl.org
	[140.211.166.138])
	by ash.osuosl.org (Postfix) with ESMTP id B8C8B8F79E
	for <buildroot@lists.busybox.net>;
	Mon, 24 Jun 2013 23:13:22 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by whitealder.osuosl.org (Postfix) with ESMTP id 823388C60C
	for <buildroot@lists.busybox.net>;
	Mon, 24 Jun 2013 23:13:15 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id uAay4yjrdzTO for <buildroot@lists.busybox.net>;
	Mon, 24 Jun 2013 23:13:08 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from loknar.toptech.com.ar (loknar.toptech.com.ar [78.46.79.162])
	by whitealder.osuosl.org (Postfix) with ESMTPS id B7E938C66C
	for <buildroot@busybox.net>; Mon, 24 Jun 2013 23:13:03 +0000 (UTC)
Received: from asgard (host17.190-139-225.telecom.net.ar [190.139.225.17])
	(authenticated bits=0)
	by loknar.toptech.com.ar (8.14.7/8.14.7) with ESMTP id r5ONCueF005596
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NO); Mon, 24 Jun 2013 23:12:58 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=zacarias.com.ar;
	s=dkey; t=1372115580;
	bh=Ojyc0Wfocs9wlKQ4/GDewDDLTANRZ+Mtr2fvQYw36YQ=;
	h=From:To:Cc:Subject:Date;
	b=mklSIfz8jXjIUf3aX6KHaPF+DcELJUr/FCiQYzugaIhvEXvEdUjdlLgRFKImdGEhU
	hbM0E+4eKdp3JMtjVV2C8EaVR6vvcWDSsM9QZWn1wvaVSjiR9Ya2rKv1ASAF76nYrT
	iXNBHLXQcyKj9/WKPXP2FTpvbgqGLlsfstCNsFPk=
Received: by asgard (sSMTP sendmail emulation);
	Mon, 24 Jun 2013 20:12:54 -0300
From: Gustavo Zacarias <gustavo@zacarias.com.ar>
To: buildroot@busybox.net
Date: Mon, 24 Jun 2013 20:12:54 -0300
Message-Id: <1372115574-31827-1-git-send-email-gustavo@zacarias.com.ar>
X-Mailer: git-send-email 1.8.1.5
X-Virus-Scanned: clamav-milter 0.97.7 at loknar
X-Virus-Status: Clean
Subject: [Buildroot] [PATCH] curl: add security patch for CVE-2013-2174
X-BeenThere: buildroot@busybox.net
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Discussion and development of buildroot <buildroot.busybox.net>
List-Unsubscribe: <http://lists.busybox.net/mailman/options/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=unsubscribe>
List-Archive: <http://lists.busybox.net/pipermail/buildroot>
List-Post: <mailto:buildroot@busybox.net>
List-Help: <mailto:buildroot-request@busybox.net?subject=help>
List-Subscribe: <http://lists.busybox.net/mailman/listinfo/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=subscribe>
MIME-Version: 1.0
Errors-To: buildroot-bounces@busybox.net
Sender: buildroot-bounces@busybox.net

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 package/libcurl/libcurl-03-CVE-2013-2174.patch | 38 ++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 package/libcurl/libcurl-03-CVE-2013-2174.patch

diff --git a/package/libcurl/libcurl-03-CVE-2013-2174.patch b/package/libcurl/libcurl-03-CVE-2013-2174.patch
new file mode 100644
index 0000000..673431f
--- /dev/null
+++ b/package/libcurl/libcurl-03-CVE-2013-2174.patch
@@ -0,0 +1,38 @@
+From 6032f0ff672f09babf69d9d42bcde6eb9eeb5bea Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 19 May 2013 23:24:29 +0200
+Subject: [PATCH] Curl_urldecode: no peeking beyond end of input buffer
+
+Security problem: CVE-2013-2174
+
+If a program would give a string like "%" to curl_easy_unescape(), it
+would still consider the % as start of an encoded character. The
+function then not only read beyond the buffer but it would also deduct
+the *unsigned* counter variable for how many more bytes there's left to
+read in the buffer by two, making the counter wrap. Continuing this, the
+function would go on reading beyond the buffer and soon writing beyond
+the allocated target buffer...
+
+Bug: http://curl.haxx.se/docs/adv_20130622.html
+Reported-by: Timo Sirainen
+---
+ lib/escape.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/escape.c b/lib/escape.c
+index 6a26cf8..aa7db2c 100644
+--- a/lib/escape.c
++++ b/lib/escape.c
+@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data,
+ 
+   while(--alloc > 0) {
+     in = *string;
+-    if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
++    if(('%' == in) && (alloc > 2) &&
++       ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
+       /* this is two hexadecimal digits following a '%' */
+       char hexstr[3];
+       char *ptr;
+-- 
+1.7.10.4
+