Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP4
curl.36283
curl-CVE-2024-7264.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2024-7264.patch of Package curl.36283
From 3c914bc680155b32178f1f15ca8d47c7f4640afe Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Tue, 30 Jul 2024 10:05:17 +0200 Subject: [PATCH] x509asn1: clean up GTime2str Co-authored-by: Stefan Eissing Reported-by: Dov Murik Closes #14307 --- lib/vtls/x509asn1.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) Index: curl-8.0.1/lib/vtls/x509asn1.c =================================================================== --- curl-8.0.1.orig/lib/vtls/x509asn1.c +++ curl-8.0.1/lib/vtls/x509asn1.c @@ -543,7 +543,7 @@ static const char *GTime2str(const char /* Convert an ASN.1 Generalized time to a printable string. Return the dynamically allocated string, or NULL if an error occurs. */ - for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++) + for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++) ; /* Get seconds digits. */ @@ -562,32 +562,44 @@ static const char *GTime2str(const char return NULL; } - /* Scan for timezone, measure fractional seconds. */ + /* timezone follows optional fractional seconds. */ tzp = fracp; - fracl = 0; + fracl = 0; /* no fractional seconds detected so far */ if(fracp < end && (*fracp == '.' || *fracp == ',')) { - fracp++; - do + /* Have fractional seconds, e.g. "[.,]\d+". How many? */ + fracp++; /* should be a digit char or BAD ARGUMENT */ + tzp = fracp; + while(tzp < end && ISDIGIT(*tzp)) tzp++; - while(tzp < end && *tzp >= '0' && *tzp <= '9'); - /* Strip leading zeroes in fractional seconds. */ - for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--) - ; + if(tzp == fracp) /* never looped, no digit after [.,] */ + return CURLE_BAD_FUNCTION_ARGUMENT; + fracl = tzp - fracp; /* number of fractional sec digits */ + DEBUGASSERT(fracl > 0); + /* Strip trailing zeroes in fractional seconds. + * May reduce fracl to 0 if only '0's are present. */ + while(fracl && fracp[fracl - 1] == '0') + fracl--; } /* Process timezone. */ - if(tzp >= end) - ; /* Nothing to do. */ + if(tzp >= end) { + tzp = ""; + tzl = 0; + } else if(*tzp == 'Z') { - tzp = " GMT"; - end = tzp + 4; + sep = " "; + tzp = "GMT"; + tzl = 3; + } + else if((*tzp == '+') || (*tzp == '-')) { + sep = " UTC"; + tzl = end - tzp; } else { sep = " "; - tzp++; + tzl = end - tzp; } - tzl = end - tzp; return curl_maprintf("%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s", beg, beg + 4, beg + 6, beg + 8, beg + 10, sec1, sec2, @@ -595,6 +607,15 @@ static const char *GTime2str(const char sep, (int)tzl, tzp); } +#ifdef UNITTESTS +/* used by unit1656.c */ +CURLcode Curl_x509_GTime2str(struct dynbuf *store, + const char *beg, const char *end) +{ + return GTime2str(store, beg, end); +} +#endif + /* * Convert an ASN.1 UTC time to a printable string. * Return the dynamically allocated string, or NULL if an error occurs. Index: curl-8.0.1/lib/vtls/x509asn1.h =================================================================== --- curl-8.0.1.orig/lib/vtls/x509asn1.h +++ curl-8.0.1/lib/vtls/x509asn1.h @@ -76,6 +76,17 @@ CURLcode Curl_extract_certinfo(struct Cu const char *beg, const char *end); CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data, const char *beg, const char *end); + +#ifdef UNITTESTS +#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \ + defined(USE_MBEDTLS) + +/* used by unit1656.c */ +CURLcode Curl_x509_GTime2str(struct dynbuf *store, + const char *beg, const char *end); +#endif +#endif + #endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL * or USE_SECTRANSP */ #endif /* HEADER_CURL_X509ASN1_H */ Index: curl-8.0.1/tests/data/Makefile.inc =================================================================== --- curl-8.0.1.orig/tests/data/Makefile.inc +++ curl-8.0.1/tests/data/Makefile.inc @@ -209,7 +209,7 @@ test1620 test1621 \ \ test1630 test1631 test1632 test1633 test1634 test1635 \ \ -test1650 test1651 test1652 test1653 test1654 test1655 \ +test1650 test1651 test1652 test1653 test1654 test1655 test1656 \ test1660 test1661 test1662 \ \ test1670 test1671 \ Index: curl-8.0.1/tests/data/test1656 =================================================================== --- /dev/null +++ curl-8.0.1/tests/data/test1656 @@ -0,0 +1,22 @@ +<testcase> +<info> +<keywords> +unittest +Curl_x509_GTime2str +</keywords> +</info> + +# +# Client-side +<client> +<server> +none +</server> +<features> +unittest +</features> +<name> +Curl_x509_GTime2str unit tests +</name> +</client> +</testcase> Index: curl-8.0.1/tests/unit/Makefile.inc =================================================================== --- curl-8.0.1.orig/tests/unit/Makefile.inc +++ curl-8.0.1/tests/unit/Makefile.inc @@ -36,7 +36,7 @@ UNITPROGS = unit1300 unit1302 u unit1600 unit1601 unit1602 unit1603 unit1604 unit1605 unit1606 unit1607 \ unit1608 unit1609 unit1610 unit1611 unit1612 unit1614 \ unit1620 unit1621 \ - unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 \ + unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 unit1656 \ unit1660 unit1661 \ unit2600 \ unit3200 @@ -121,6 +121,8 @@ unit1654_SOURCES = unit1654.c $(UNITFILE unit1655_SOURCES = unit1655.c $(UNITFILES) +unit1656_SOURCES = unit1656.c $(UNITFILES) + unit1660_SOURCES = unit1660.c $(UNITFILES) unit1661_SOURCES = unit1661.c $(UNITFILES) Index: curl-8.0.1/tests/unit/unit1656.c =================================================================== --- /dev/null +++ curl-8.0.1/tests/unit/unit1656.c @@ -0,0 +1,133 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * SPDX-License-Identifier: curl + * + ***************************************************************************/ +#include "curlcheck.h" + +#include "vtls/x509asn1.h" + +static CURLcode unit_setup(void) +{ + return CURLE_OK; +} + +static void unit_stop(void) +{ + +} + +#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \ + defined(USE_MBEDTLS) + +#ifndef ARRAYSIZE +#define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0])) +#endif + +struct test_spec { + const char *input; + const char *exp_output; + CURLcode exp_result; +}; + +static struct test_spec test_specs[] = { + { "190321134340", "1903-21-13 43:40:00", CURLE_OK }, + { "", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, + { "WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, + { "0WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, + { "19032113434", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, + { "19032113434WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, + { "190321134340.", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, + { "190321134340.1", "1903-21-13 43:40:00.1", CURLE_OK }, + { "19032113434017.0", "1903-21-13 43:40:17", CURLE_OK }, + { "19032113434017.01", "1903-21-13 43:40:17.01", CURLE_OK }, + { "19032113434003.001", "1903-21-13 43:40:03.001", CURLE_OK }, + { "19032113434003.090", "1903-21-13 43:40:03.09", CURLE_OK }, + { "190321134340Z", "1903-21-13 43:40:00 GMT", CURLE_OK }, + { "19032113434017.0Z", "1903-21-13 43:40:17 GMT", CURLE_OK }, + { "19032113434017.01Z", "1903-21-13 43:40:17.01 GMT", CURLE_OK }, + { "19032113434003.001Z", "1903-21-13 43:40:03.001 GMT", CURLE_OK }, + { "19032113434003.090Z", "1903-21-13 43:40:03.09 GMT", CURLE_OK }, + { "190321134340CET", "1903-21-13 43:40:00 CET", CURLE_OK }, + { "19032113434017.0CET", "1903-21-13 43:40:17 CET", CURLE_OK }, + { "19032113434017.01CET", "1903-21-13 43:40:17.01 CET", CURLE_OK }, + { "190321134340+02:30", "1903-21-13 43:40:00 UTC+02:30", CURLE_OK }, + { "19032113434017.0+02:30", "1903-21-13 43:40:17 UTC+02:30", CURLE_OK }, + { "19032113434017.01+02:30", "1903-21-13 43:40:17.01 UTC+02:30", CURLE_OK }, + { "190321134340-3", "1903-21-13 43:40:00 UTC-3", CURLE_OK }, + { "19032113434017.0-04", "1903-21-13 43:40:17 UTC-04", CURLE_OK }, + { "19032113434017.01-01:10", "1903-21-13 43:40:17.01 UTC-01:10", CURLE_OK }, +}; + +static bool do_test(struct test_spec *spec, size_t i, struct dynbuf *dbuf) +{ + CURLcode result; + const char *in = spec->input; + + Curl_dyn_reset(dbuf); + result = Curl_x509_GTime2str(dbuf, in, in + strlen(in)); + if(result != spec->exp_result) { + fprintf(stderr, "test %zu: expect result %d, got %d\n", + i, spec->exp_result, result); + return FALSE; + } + else if(!result && strcmp(spec->exp_output, Curl_dyn_ptr(dbuf))) { + fprintf(stderr, "test %zu: input '%s', expected output '%s', got '%s'\n", + i, in, spec->exp_output, Curl_dyn_ptr(dbuf)); + return FALSE; + } + + return TRUE; +} + +UNITTEST_START +{ + size_t i; + struct dynbuf dbuf; + bool all_ok = TRUE; + + Curl_dyn_init(&dbuf, 32*1024); + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { + fprintf(stderr, "curl_global_init() failed\n"); + return TEST_ERR_MAJOR_BAD; + } + + for(i = 0; i < ARRAYSIZE(test_specs); ++i) { + if(!do_test(&test_specs[i], i, &dbuf)) + all_ok = FALSE; + } + fail_unless(all_ok, "some tests of Curl_x509_GTime2str() fails"); + + Curl_dyn_free(&dbuf); + curl_global_cleanup(); +} +UNITTEST_STOP + +#else + +UNITTEST_START +{ + puts("not tested since Curl_x509_GTime2str() is not built-in"); +} +UNITTEST_STOP + +#endif
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
