base/SOURCES/0044-curl-7.29.0-CVE-2016-7...

From 7959c5713bbec03c9284a14b1fdd7379520199bc Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 8 Sep 2016 22:59:54 +0200
Subject: [PATCH 1/2] curl_easy_escape: deny negative string lengths as input

CVE-2016-7167

Bug: https://curl.haxx.se/docs/adv_20160914.html

Upstream-commit: 826a9ced2bed217155e34065ef4048931f327b1e
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/escape.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/escape.c b/lib/escape.c
index 40338a9..c6aa3b9 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -80,15 +80,21 @@ char *curl_unescape(const char *string, int length)
 
 char *curl_easy_escape(CURL *handle, const char *string, int inlength)
 {
-  size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;
+  size_t alloc;
   char *ns;
   char *testing_ptr = NULL;
   unsigned char in; /* we need to treat the characters unsigned */
-  size_t newlen = alloc;
+  size_t newlen;
   size_t strindex=0;
   size_t length;
   CURLcode res;
 
+  if(inlength < 0)
+    return NULL;
+
+  alloc = (inlength?(size_t)inlength:strlen(string))+1;
+  newlen = alloc;
+
   ns = malloc(alloc);
   if(!ns)
     return NULL;
-- 
2.7.4


From 6a280152e3893938e5d26f5d535613eefab80b5a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 13 Sep 2016 23:00:50 +0200
Subject: [PATCH 2/2] curl_easy_unescape: deny negative string lengths as input

CVE-2016-7167

Bug: https://curl.haxx.se/docs/adv_20160914.html

Upstream-commit: 01cf1308ee2e792c77bb1d2c9218c56a30fd40ae
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/escape.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/lib/escape.c b/lib/escape.c
index c6aa3b9..808ac6c 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -219,14 +219,16 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length,
                          int *olen)
 {
   char *str = NULL;
-  size_t inputlen = length;
-  size_t outputlen;
-  CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
-                                FALSE);
-  if(res)
-    return NULL;
-  if(olen)
-    *olen = curlx_uztosi(outputlen);
+  if(length >= 0) {
+    size_t inputlen = length;
+    size_t outputlen;
+    CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
+                                  FALSE);
+    if(res)
+      return NULL;
+    if(olen)
+      *olen = curlx_uztosi(outputlen);
+  }
   return str;
 }
 
-- 
2.7.4
curl package update Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org> 6 years ago			`From 7959c5713bbec03c9284a14b1fdd7379520199bc Mon Sep 17 00:00:00 2001`
			`From: Daniel Stenberg <daniel@haxx.se>`
			`Date: Thu, 8 Sep 2016 22:59:54 +0200`
			`Subject: [PATCH 1/2] curl_easy_escape: deny negative string lengths as input`

			`CVE-2016-7167`

			`Bug: https://curl.haxx.se/docs/adv_20160914.html`

			`Upstream-commit: 826a9ced2bed217155e34065ef4048931f327b1e`
			`Signed-off-by: Kamil Dudka <kdudka@redhat.com>`
			`---`
			`lib/escape.c \| 10 ++++++++--`
			`1 file changed, 8 insertions(+), 2 deletions(-)`

			`diff --git a/lib/escape.c b/lib/escape.c`
			`index 40338a9..c6aa3b9 100644`
			`--- a/lib/escape.c`
			`+++ b/lib/escape.c`
			`@@ -80,15 +80,21 @@ char curl_unescape(const char string, int length)`

			`char curl_easy_escape(CURL handle, const char *string, int inlength)`
			`{`
			`- size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;`
			`+ size_t alloc;`
			`char *ns;`
			`char *testing_ptr = NULL;`
			`unsigned char in; /* we need to treat the characters unsigned */`
			`- size_t newlen = alloc;`
			`+ size_t newlen;`
			`size_t strindex=0;`
			`size_t length;`
			`CURLcode res;`

			`+ if(inlength < 0)`
			`+ return NULL;`
			`+`
			`+ alloc = (inlength?(size_t)inlength:strlen(string))+1;`
			`+ newlen = alloc;`
			`+`
			`ns = malloc(alloc);`
			`if(!ns)`
			`return NULL;`
			`--`
			`2.7.4`


			`From 6a280152e3893938e5d26f5d535613eefab80b5a Mon Sep 17 00:00:00 2001`
			`From: Daniel Stenberg <daniel@haxx.se>`
			`Date: Tue, 13 Sep 2016 23:00:50 +0200`
			`Subject: [PATCH 2/2] curl_easy_unescape: deny negative string lengths as input`

			`CVE-2016-7167`

			`Bug: https://curl.haxx.se/docs/adv_20160914.html`

			`Upstream-commit: 01cf1308ee2e792c77bb1d2c9218c56a30fd40ae`
			`Signed-off-by: Kamil Dudka <kdudka@redhat.com>`
			`---`
			`lib/escape.c \| 18 ++++++++++--------`
			`1 file changed, 10 insertions(+), 8 deletions(-)`

			`diff --git a/lib/escape.c b/lib/escape.c`
			`index c6aa3b9..808ac6c 100644`
			`--- a/lib/escape.c`
			`+++ b/lib/escape.c`
			`@@ -219,14 +219,16 @@ char curl_easy_unescape(CURL handle, const char *string, int length,`
			`int *olen)`
			`{`
			`char *str = NULL;`
			`- size_t inputlen = length;`
			`- size_t outputlen;`
			`- CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,`
			`- FALSE);`
			`- if(res)`
			`- return NULL;`
			`- if(olen)`
			`- *olen = curlx_uztosi(outputlen);`
			`+ if(length >= 0) {`
			`+ size_t inputlen = length;`
			`+ size_t outputlen;`
			`+ CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,`
			`+ FALSE);`
			`+ if(res)`
			`+ return NULL;`
			`+ if(olen)`
			`+ *olen = curlx_uztosi(outputlen);`
			`+ }`
			`return str;`
			`}`

			`--`
			`2.7.4`