Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP3:GA
curl-mini.27751
curl-CVE-2022-32208.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2022-32208.patch of Package curl-mini.27751
From 6ecdf5136b52af747e7bda08db9a748256b1cd09 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Thu, 9 Jun 2022 09:27:24 +0200 Subject: [PATCH] krb5: return error properly on decode errors Bug: https://curl.se/docs/CVE-2022-32208.html CVE-2022-32208 Reported-by: Harry Sintonen Closes #9051 --- lib/krb5.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) Index: curl-7.66.0/lib/krb5.c =================================================================== --- curl-7.66.0.orig/lib/krb5.c +++ curl-7.66.0/lib/krb5.c @@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, i enc.value = buf; enc.length = len; maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); - if(maj != GSS_S_COMPLETE) { - if(len >= 4) - strcpy(buf, "599 "); + if(maj != GSS_S_COMPLETE) return -1; - } memcpy(buf, dec.value, dec.length); len = curlx_uztosi(dec.length); Index: curl-7.66.0/lib/security.c =================================================================== --- curl-7.66.0.orig/lib/security.c +++ curl-7.66.0/lib/security.c @@ -192,6 +192,7 @@ static CURLcode read_data(struct connect { int len; CURLcode result; + int nread; result = socket_read(fd, &len, sizeof(len)); if(result) @@ -200,7 +201,10 @@ static CURLcode read_data(struct connect if(len) { /* only realloc if there was a length */ len = ntohl(len); - buf->data = Curl_saferealloc(buf->data, len); + if(len > CURL_MAX_INPUT_LENGTH) + len = 0; + else + buf->data = Curl_saferealloc(buf->data, len); } if(!len || !buf->data) return CURLE_OUT_OF_MEMORY; @@ -208,8 +212,11 @@ static CURLcode read_data(struct connect result = socket_read(fd, buf->data, len); if(result) return result; - buf->size = conn->mech->decode(conn->app_data, buf->data, len, - conn->data_prot, conn); + nread = conn->mech->decode(conn->app_data, buf->data, len, + conn->data_prot, conn); + if(nread < 0) + return CURLE_RECV_ERROR; + buf->size = (size_t)nread; buf->index = 0; return CURLE_OK; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
