From e4508a351889de3907032b80fcf7697c9d88c90b Mon Sep 17 00:00:00 2001 From: Josef Schlehofer Date: Sun, 1 Sep 2019 17:39:15 +0200 Subject: [PATCH 1/2] keepalived: Update to version 1.4.5 - Use HTTPS for PKG_SOURCE_URL and as well for URL in description Signed-off-by: Josef Schlehofer --- net/keepalived/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/keepalived/Makefile b/net/keepalived/Makefile index e4cae206c..4f0aeb3f1 100644 --- a/net/keepalived/Makefile +++ b/net/keepalived/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=keepalived -PKG_VERSION:=1.4.4 +PKG_VERSION:=1.4.5 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=http://www.keepalived.org/software -PKG_HASH:=147c2b3b782223128551fd0a1564eaa30ed84a94b68c50ec5087747941314704 +PKG_SOURCE_URL:=https://www.keepalived.org/software +PKG_HASH:=c7be18f6f90c8da6cc18cd8a90971b7a7da3823df091fcc7500d130fdb010c4d PKG_LICENSE:=GPL-2.0+ PKG_LICENSE_FILES:=COPYING @@ -29,7 +29,7 @@ define Package/keepalived SECTION:=net CATEGORY:=Network TITLE:=Failover and monitoring daemon for LVS clusters - URL:=http://www.keepalived.org/ + URL:=https://www.keepalived.org/ DEPENDS:= \ +PACKAGE_libnl-genl:libnl-genl \ +libopenssl \ From 2d9a3eff4798e1f2fcb9db17d8fa810e4df21b43 Mon Sep 17 00:00:00 2001 From: Josef Schlehofer Date: Sun, 1 Sep 2019 17:40:55 +0200 Subject: [PATCH 2/2] keepalived: add patch for CVE-2018-19115 Signed-off-by: Josef Schlehofer --- ...ffer-overflow-in-extract_status_code.patch | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 net/keepalived/patches/010-Fix-buffer-overflow-in-extract_status_code.patch diff --git a/net/keepalived/patches/010-Fix-buffer-overflow-in-extract_status_code.patch b/net/keepalived/patches/010-Fix-buffer-overflow-in-extract_status_code.patch new file mode 100644 index 000000000..a7f2f67a6 --- /dev/null 
+++ b/net/keepalived/patches/010-Fix-buffer-overflow-in-extract_status_code.patch
@@ -0,0 +1,57 @@
+From f28015671a4b04785859d1b4b1327b367b6a10e9 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage
+Date: Tue, 24 Jul 2018 09:28:43 +0100
+Subject: [PATCH] Fix buffer overflow in extract_status_code()
+
+Issue #960 identified that the buffer allocated for copying the
+HTTP status code could overflow if the http response was corrupted.
+
+This commit changes the way the status code is read, avoids copying
+data, and also ensures that the status code is three digits long,
+is non-negative and occurs on the first line of the response.
+
+Signed-off-by: Quentin Armitage
+---
+ lib/html.c | 23 +++++++++--------------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+diff --git a/lib/html.c b/lib/html.c
+index 5a3eaeac..69d3bd2d 100644
+--- a/lib/html.c
++++ b/lib/html.c
+@@ -58,23 +58,18 @@ size_t extract_content_length(char *buffer, size_t size)
+ */
+ int extract_status_code(char *buffer, size_t size)
+ {
+- char *buf_code;
+- char *begin;
+ char *end = buffer + size;
+- size_t inc = 0;
+- int code;
+-
+- /* Allocate the room */
+- buf_code = (char *)MALLOC(10);
++ unsigned long code;
+
+ /* Status-Code extraction */
+- while (buffer < end && *buffer++ != ' ') ;
+- begin = buffer;
+- while (buffer < end && *buffer++ != ' ')
+- inc++;
+- strncat(buf_code, begin, inc);
+- code = atoi(buf_code);
+- FREE(buf_code);
++ while (buffer < end && *buffer != ' ' && *buffer != '\r')
++ buffer++;
++ buffer++;
++ if (buffer + 3 >= end || *buffer == ' ' || buffer[3] != ' ')
++ return 0;
++ code = strtoul(buffer, &end, 10);
++ if (buffer + 3 != end)
++ return 0;
+ return code;
+ }
+
+--
+2.20.1
+
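Review bot: In the backported extract_status_code(), `strtoul(buffer, &end, 10)` accepts leading whitespace and a sign, so a three-character field such as `-12` or `+12` still passes the `buffer + 3 != end` check. The wrapped value then comes back through the `int` return, although the patch description promises a non-negative three-digit code. Checking the characters before converting closes that gap: `if (!isdigit((unsigned char)buffer[0]) || !isdigit((unsigned char)buffer[1]) || !isdigit((unsigned char)buffer[2])) return 0;` (needs `<ctype.h>`). The scan loop also stops at `'\r'` and the unconditional `buffer++` steps over it, so a code can still be taken from after the first line; returning 0 unless the loop ended on a space would match the description. This is a validation gap rather than a memory-safety one, since the `buffer[3] != ' '` test keeps the strtoul read in bounds, and as the file is a carried upstream patch for CVE-2018-19115 the change is best raised upstream.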