File curl-CVE-2016-8621.patch of Package curl.openSUSE_Leap_42.3_Update
From b49dcc911ba237a878dded67865e536a65bc2d87 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 4 Oct 2016 16:59:38 +0200
Subject: [PATCH] parsedate: handle cut off numbers better
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
... and don't read outside of the given buffer!
Reported-by: Luật Nguyễn
---
lib/parsedate.c | 12 +++++++-----
tests/data/test517 | 6 ++++++
tests/libtest/lib517.c | 8 +++++++-
3 files changed, 20 insertions(+), 6 deletions(-)
Index: curl-7.37.0/lib/parsedate.c
===================================================================
--- curl-7.37.0.orig/lib/parsedate.c 2014-04-25 23:38:47.000000000 +0200
+++ curl-7.37.0/lib/parsedate.c 2016-10-20 15:08:47.592427064 +0200
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -386,15 +386,17 @@ static int parsedate(const char *date, t
/* a digit */
int val;
char *end;
+ int len=0;
if((secnum == -1) &&
- (3 == sscanf(date, "%02d:%02d:%02d", &hournum, &minnum, &secnum))) {
+ (3 == sscanf(date, "%02d:%02d:%02d%n",
+ &hournum, &minnum, &secnum, &len))) {
/* time stamp! */
- date += 8;
+ date += len;
}
else if((secnum == -1) &&
- (2 == sscanf(date, "%02d:%02d", &hournum, &minnum))) {
+ (2 == sscanf(date, "%02d:%02d%n", &hournum, &minnum, &len))) {
/* time stamp without seconds */
- date += 5;
+ date += len;
secnum = 0;
}
else {
Index: curl-7.37.0/tests/data/test517
===================================================================
--- curl-7.37.0.orig/tests/data/test517 2014-04-25 14:01:03.000000000 +0200
+++ curl-7.37.0/tests/data/test517 2016-10-20 15:08:47.592427064 +0200
@@ -116,6 +116,12 @@ nothing
81: 20111323 12:34:56 => -1
82: 20110623 12:34:79 => -1
83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000
+84: 20110623 12:3 => 1308830580
+85: 20110623 1:3 => 1308790980
+86: 20110623 1:30 => 1308792600
+87: 20110623 12:12:3 => 1308831123
+88: 20110623 01:12:3 => 1308791523
+89: 20110623 01:99:30 => -1
</stdout>
# This test case previously tested an overflow case ("2094 Nov 6 =>
Index: curl-7.37.0/tests/libtest/lib517.c
===================================================================
--- curl-7.37.0.orig/tests/libtest/lib517.c 2014-04-25 14:01:03.000000000 +0200
+++ curl-7.37.0/tests/libtest/lib517.c 2016-10-20 15:08:47.592427064 +0200
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -116,6 +116,12 @@ static const char * const dates[]={
"20111323 12:34:56",
"20110623 12:34:79",
"Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */
+ "20110623 12:3",
+ "20110623 1:3",
+ "20110623 1:30",
+ "20110623 12:12:3",
+ "20110623 01:12:3",
+ "20110623 01:99:30",
NULL
};