keepalived patches

5b69ee5f · Abhijith PA · 785f6905 · 5b69ee5f
Commit 5b69ee5f authored 6 years ago by Abhijith PA
--- a/keepalived_deb8u1.debdiff
+++ b/keepalived_deb8u1.debdiff
+diff -Nru keepalived-1.2.13/debian/changelog keepalived-1.2.13/debian/changelog
+--- keepalived-1.2.13/debian/changelog	2014-05-28 09:01:40.000000000 +0200
+++ keepalived-1.2.13/debian/changelog	2018-11-14 18:42:02.000000000 +0100
+@@ -1,3 +1,11 @@
+keepalived (1:1.2.13-1+deb8u1) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2018-19115: heap-based buffer overflow when parsing HTTP
+    status codes
+
+ -- Abhijith PA <abhijith@disroot.org>  Wed, 14 Nov 2018 23:12:02 +0530
+
+ keepalived (1:1.2.13-1) unstable; urgency=medium
+   * [1e9c32b] Imported Upstream version 1.2.11
+diff -Nru keepalived-1.2.13/debian/patches/CVE-2018-19115.patch keepalived-1.2.13/debian/patches/CVE-2018-19115.patch
+--- keepalived-1.2.13/debian/patches/CVE-2018-19115.patch	1970-01-01 01:00:00.000000000 +0100
+++ keepalived-1.2.13/debian/patches/CVE-2018-19115.patch	2018-11-14 18:42:02.000000000 +0100
+@@ -0,0 +1,47 @@
+Description: CVE-2018-19115
+ a heap-based buffer overflow when parsing HTTP status codes resulting in DoS or
+ possibly unspecified other impact, because extract_status_code in lib/html.c
+ has no validation of the status code and instead writes an unlimited amount of
+ data to the heap.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/acassen/keepalived/pull/961/commits/f28015671a4b04785859d1b4b1327b367b6a10e9
+Bug: https://bugzilla.suse.com/show_bug.cgi?id=1015141
+Last-Update: 2018-11-14
+
+--- keepalived-1.2.13.orig/lib/html.c
++++ keepalived-1.2.13/lib/html.c
+@@ -60,23 +60,19 @@ int extract_content_length(char *buffer,
+  */
+ int extract_status_code(char *buffer, int size)
+ {
+-	char *buf_code;
+-	char *begin;
+ 	char *end = buffer + size;
+-	int inc = 0;
+-
+-	/* Allocate the room */
+-	buf_code = (char *)MALLOC(10);
++	unsigned long code;
+ 
+ 	/* Status-Code extraction */
+-	while (buffer < end && *buffer++ != ' ') ;
+-	begin = buffer;
+-	while (buffer < end && *buffer++ != ' ')
+-		inc++;
+-	strncat(buf_code, begin, inc);
+-	inc = atoi(buf_code);
+-	FREE(buf_code);
+-	return inc;
++	while (buffer < end && *buffer != ' ' && *buffer != '\r')
++		buffer++;
++	buffer++;
++	if (buffer + 3 >= end || *buffer == ' ' || buffer[3] != ' ')
++		return 0;
++	code = strtoul(buffer, &end, 10);
++	if (buffer + 3 != end)
++		return 0;
++	return code;
+ }
+ 
+ /* simple function returning a pointer to the html buffer begin */
+diff -Nru keepalived-1.2.13/debian/patches/series keepalived-1.2.13/debian/patches/series
+--- keepalived-1.2.13/debian/patches/series	2014-05-28 08:23:59.000000000 +0200
+++ keepalived-1.2.13/debian/patches/series	2018-11-14 18:42:02.000000000 +0100
+@@ -0,0 +1 @@
+CVE-2018-19115.patch