openSUSE:Evergreen:11.2:Test
curl
curl-CVE-2013-2174.patch
File curl-CVE-2013-2174.patch of Package curl
commit 45030219bf8b44270d40fc62e8a02411612d00cc Author: Daniel Stenberg <daniel@haxx.se> Date: Sun May 19 23:24:29 2013 +0200 Curl_urldecode: no peaking beyond end of input buffer Security problem: .... If a program would give a string like "%" to curl_easy_unescape(), it would still consider the % as start of an encoded character. The function then not only read beyond the buffer but it would also deduct the *unsigned* counter variable for how many more bytes there's left to read in the buffer by two, making the counter wrap. Continuing this, the function would go on reading beyond the buffer and soon writing beyond the allocated target buffer... Reported-by: Timo Sirainen Index: curl-7.19.0/lib/escape.c =================================================================== --- curl-7.19.0.orig/lib/escape.c 2013-06-13 12:17:06.251345362 +0200 +++ curl-7.19.0/lib/escape.c 2013-06-13 12:17:07.228374970 +0200 @@ -149,7 +149,8 @@ char *curl_easy_unescape(CURL *handle, c while(--alloc > 0) { in = *string; - if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { + if(('%' == in) && (alloc > 2) && + ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { /* this is two hexadecimal digits following a '%' */ char hexstr[3]; char *ptr;
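Review bot: The new `(alloc > 2)` bound in the `if` condition carries no comment saying what `alloc` counts at that point. Because the loop header `while(--alloc > 0)` has already decremented it, the off-by-one reasoning behind the constant 2 is easy to break in a later edit. A one-line comment would help, stating that two more input bytes must remain after the '%' before `string[1]` and `string[2]` are read, and that the length test has to stay ahead of the ISXDIGIT calls so short-circuit evaluation skips those reads. The commit title names Curl_urldecode while the hunk changes curl_easy_unescape in curl-7.19.0/lib/escape.c, so the patch header should say this is a backport adapted to that version. A regression test that passes inputs ending in "%" and "%a" would pin the fixed behaviour.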