From b77fa2226959933b28b88ca21a46b6ff5128f4f9 Mon Sep 17 00:00:00 2001
From: Leonardo Arena
Date: Tue, 17 Sep 2019 07:55:20 +0000
Subject: main/curl: security fixes (CVE-2019-5481, CVE-2019-5482)

closes #10793
---
 main/curl/APKBUILD            | 12 +++++++++--
 main/curl/CVE-2019-5481.patch | 40 ++++++++++++++++++++++++++++++++++
 main/curl/CVE-2019-5482.patch | 50 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 100 insertions(+), 2 deletions(-)
 create mode 100644 main/curl/CVE-2019-5481.patch
 create mode 100644 main/curl/CVE-2019-5482.patch

diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 1cadc70048..33e0dd44c0 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -4,7 +4,7 @@
 # Maintainer: Natanael Copa
 pkgname=curl
 pkgver=7.61.1
-pkgrel=2
+pkgrel=3
 pkgdesc="URL retrival utility and library"
 url="https://curl.haxx.se"
 arch="all"
@@ -21,10 +21,16 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz
 	CVE-2018-16890.patch
 	CVE-2019-3822.patch
 	CVE-2019-3823.patch
+	CVE-2019-5481.patch
+	CVE-2019-5482.patch
 	"
+
 builddir="$srcdir/$pkgname-$pkgver"
 # secfixes:
+# 7.61.1-r3:
+#   - CVE-2019-5481
+#   - CVE-2019-5482
 # 7.61.1-r2:
 #   - CVE-2018-16890
 #   - CVE-2019-3822
@@ -127,4 +133,6 @@ c1a684f17267b08f77625064ac62e4f06989c552d6d501565f8bebf31d3a96a613f0683376ec7cc1
 dcaca036eafaaae66eba99808d00ff6bed3c9e59c2c1239ca1ddcf54c9e1c53edabd543dc6925ded3cdf9efd39c0968353527ae5ed0b986cefba333fbc7fd1af  CVE-2018-16842.patch
 573b896bd78e404002398bdf38d952ec6247af551ef7d6e34d52acbf004f8f4de60299e3a8f83be75e22dfb8731e466aea0253efec7116282afab32dbb1f66e8  CVE-2018-16890.patch
 959a55237752b254bc5f58308607f3cf0475e207a7400ff6be7942c48131787f1dec4c05be5b76865ae0adf81ebae77774085ad0c19dd342fb0307cfcfe24b6c  CVE-2019-3822.patch
-73f0d06f9bbd6f0688e67310120d1e806752626c103b0a52bc4b4a1a77bbe248885778f39386fbfc38cb534cd12d18f205c091769558e6a04b50010cb9ba6a69  CVE-2019-3823.patch"
+73f0d06f9bbd6f0688e67310120d1e806752626c103b0a52bc4b4a1a77bbe248885778f39386fbfc38cb534cd12d18f205c091769558e6a04b50010cb9ba6a69  CVE-2019-3823.patch
+37161e4d94cdb1add2216b031f70d7ae84451229dffe48ca9856bb311e88678f0e11baab6bb4da0386ed31e8467aa51fabaf6122f876ef9bc0003638d07f22cf  CVE-2019-5481.patch
+6a048e3794415792a4554651bc55b71c22735f58293db584e9c822af9faad22f27c730b5d649d4bf1fb8d2c251f8d6e2f67249929bb7b3a76495c1f36a898ce7  CVE-2019-5482.patch"
diff --git a/main/curl/CVE-2019-5481.patch b/main/curl/CVE-2019-5481.patch
new file mode 100644
index 0000000000..2aa4952cee
--- /dev/null
+++ b/main/curl/CVE-2019-5481.patch
@@ -0,0 +1,40 @@
+From 9069838b30fb3b48af0123e39f664cea683254a5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 3 Sep 2019 22:59:32 +0200
+Subject: [PATCH] security:read_data fix bad realloc()
+
+... that could end up a double-free
+
+CVE-2019-5481
+Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
+---
+ lib/security.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index 550ea2da8d..c5e4e135df 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
+                           struct krb5buffer *buf)
+ {
+   int len;
+-  void *tmp = NULL;
+   CURLcode result;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    tmp = Curl_saferealloc(buf->data, len);
++    buf->data = Curl_saferealloc(buf->data, len);
+   }
+-  if(tmp == NULL)
++  if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
+ 
+-  buf->data = tmp;
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;
diff --git a/main/curl/CVE-2019-5482.patch b/main/curl/CVE-2019-5482.patch
new file mode 100644
index 0000000000..2cd32ef179
--- /dev/null
+++ b/main/curl/CVE-2019-5482.patch
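Review bot: In the embedded patch's second hunk, `len` is a signed int taken from the peer and handed to `Curl_saferealloc()` straight after `ntohl()`, so a negative or very large value is only rejected if the allocation happens to fail; a sign and upper-bound check on `len` before the realloc, returning an error the way the `!len` case already does, would keep a hostile server from driving an arbitrarily large allocation. The new `if(!len || !buf->data)` also reports a zero-length frame as `CURLE_OUT_OF_MEMORY`, which reads as misleading; a comment such as `/* zero length, or realloc failed: Curl_saferealloc frees the old block on failure, so data is NULL either way */` would make the fold deliberate — that free-on-failure behaviour is, as I read it, what made the old `tmp` path double-free, and is worth confirming against 7.61.1's `Curl_saferealloc`. `read_data()` begins before and ends after the hunk, and since this file is a backport of upstream 9069838b, any local tightening should be carried upstream rather than left only in the distro patch.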
@@ -0,0 +1,50 @@
+From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
+ received
+
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+CVE-2019-5482
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index a7176cec80..346f293dc5 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -985,6 +985,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ {
+   tftp_state_data_t *state;
+   int blksize;
++  int need_blksize;
+ 
+   blksize = TFTP_BLKSIZE_DEFAULT;
+ 
+@@ -999,15 +1000,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+     return CURLE_TFTP_ILLEGAL;
+   }
+ 
++  need_blksize = blksize;
++  /* default size is the fallback when no OACK is received */
++  if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++    need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+   if(!state->rpacket.data) {
+-    state->rpacket.data = calloc(1, blksize + 2 + 2);
++    state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+     if(!state->rpacket.data)
+       return CURLE_OUT_OF_MEMORY;
+   }
+ 
+   if(!state->spacket.data) {
+-    state->spacket.data = calloc(1, blksize + 2 + 2);
++    state->spacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+     if(!state->spacket.data)
+       return CURLE_OUT_OF_MEMORY;
-- 
cgit v1.2.3
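Review bot: The embedded patch's own diffstat declares `lib/tftp.c | 12 +++++++++---` (9 insertions, 3 deletions) while the two hunks carried here total 8 insertions and 2 deletions, so one upstream change — by its shape a single-line replacement — was dropped from this backport; the commit message should name the 7.61.1 line it touched and why it is not needed, because the "use default unless OACK is received" half of the subject depends on `state->blksize` actually staying at `TFTP_BLKSIZE_DEFAULT` until an OACK updates it. The enlarged allocation is only sufficient if the receive path bounds `recvfrom()` by the current `state->blksize`; that bound came with the earlier CVE-2019-5436 fix, which does not appear in the visible secfixes entries (the list above `7.61.1-r2` is cut off in this view), so confirm whether 7.61.1 carries it or whether this allocation change is judged to cover both, and record that in secfixes. A short comment above `need_blksize = blksize;`, e.g. `/* the buffer must hold the larger of the requested and default block size: a server that ignores our option still sends 512-byte blocks */`, would make the invariant explicit to the next backporter. `tftp_connect()` begins before and ends after both hunks.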