diff options
author | Xin LI <delphij@FreeBSD.org> | 2013-07-02 07:43:02 +0000 |
---|---|---|
committer | Xin LI <delphij@FreeBSD.org> | 2013-07-02 07:43:02 +0000 |
commit | a4c3e0313f0786b33c7765d4dba55afeb3f09ea9 (patch) | |
tree | 38eb9277e13d77c5220e5de74180b47372746043 /ftp | |
parent | cb56fdd0ba70e80a13e8bff3a1bcf2a5c9e34f2d (diff) | |
download | ports-a4c3e0313f0786b33c7765d4dba55afeb3f09ea9.tar.gz ports-a4c3e0313f0786b33c7765d4dba55afeb3f09ea9.zip |
Notes
Diffstat (limited to 'ftp')
-rw-r--r-- | ftp/curl/Makefile | 2 | ||||
-rw-r--r-- | ftp/curl/files/patch-CVE-2013-2174 | 38 |
2 files changed, 39 insertions, 1 deletions
diff --git a/ftp/curl/Makefile b/ftp/curl/Makefile index b0e19f34bba8..1af72f646e15 100644 --- a/ftp/curl/Makefile +++ b/ftp/curl/Makefile @@ -3,7 +3,7 @@ PORTNAME= curl PORTVERSION= 7.24.0 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= ftp ipv6 www MASTER_SITES= http://curl.haxx.se/download/ \ LOCAL/sunpoet diff --git a/ftp/curl/files/patch-CVE-2013-2174 b/ftp/curl/files/patch-CVE-2013-2174 new file mode 100644 index 000000000000..e0386e951b79 --- /dev/null +++ b/ftp/curl/files/patch-CVE-2013-2174 @@ -0,0 +1,38 @@ +From 6032f0ff672f09babf69d9d42bcde6eb9eeb5bea Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Sun, 19 May 2013 23:24:29 +0200 +Subject: [PATCH] Curl_urldecode: no peeking beyond end of input buffer + +Security problem: CVE-2013-2174 + +If a program would give a string like "%" to curl_easy_unescape(), it +would still consider the % as start of an encoded character. The +function then not only read beyond the buffer but it would also deduct +the *unsigned* counter variable for how many more bytes there's left to +read in the buffer by two, making the counter wrap. Continuing this, the +function would go on reading beyond the buffer and soon writing beyond +the allocated target buffer... + +Bug: http://curl.haxx.se/docs/adv_20130622.html +Reported-by: Timo Sirainen +--- + lib/escape.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git lib/escape.c lib/escape.c +index 6a26cf8..aa7db2c 100644 +--- lib/escape.c ++++ lib/escape.c +@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data, + + while(--alloc > 0) { + in = *string; +- if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { ++ if(('%' == in) && (alloc > 2) && ++ ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { + /* this is two hexadecimal digits following a '%' */ + char hexstr[3]; + char *ptr; +-- +1.7.10.4 + |