Diffstat (limited to 'nixpkgs/pkgs/tools/networking/curl/CVE-2021-22898.patch')
-rw-r--r--nixpkgs/pkgs/tools/networking/curl/CVE-2021-22898.patch25
1 files changed, 25 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/networking/curl/CVE-2021-22898.patch b/nixpkgs/pkgs/tools/networking/curl/CVE-2021-22898.patch
new file mode 100644
index 000000000000..ea4d2cb37e87
--- /dev/null
+++ b/nixpkgs/pkgs/tools/networking/curl/CVE-2021-22898.patch
@@ -0,0 +1,25 @@
+From 39ce47f219b09c380b81f89fe54ac586c8db6bde Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Fri, 7 May 2021 13:09:57 +0200
+Subject: [PATCH] telnet: check sscanf() for correct number of matches
+
+CVE-2021-22898
+
+Bug: https://curl.se/docs/CVE-2021-22898.html
+---
+ lib/telnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 26e0658ba9cc..fdd137fb0c04 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -922,7 +922,7 @@ static void suboption(struct Curl_easy *data)
+         size_t tmplen = (strlen(v->data) + 1);
+         /* Add the variable only if it fits */
+         if(len + tmplen < (int)sizeof(temp)-6) {
+-          if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
++          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+             msnprintf((char *)&temp[len], sizeof(temp) - len,
+                       "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+                       CURL_NEW_ENV_VALUE, varval);
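Review bot: The `== 2` check on the sscanf() line rejects input where only `varname` matched, but the length accounting visible in this hunk still looks mismatched: `tmplen` is `strlen(v->data) + 1`, while the bytes actually written come from `varname` and `varval`, each capped at 127 characters, with `%127s` stopping at the first whitespace. If the code after the msnprintf() call (outside this hunk) advances `len` by `tmplen`, a value that contains whitespace or exceeds 127 characters would leave a stretch of `temp` unwritten between the formatted string and the new `len`, and that stretch could be sent as part of the suboption. It is worth checking upstream for a follow-up that advances `len` by what was actually written, along the lines of `len += msnprintf(...)`, and carrying it alongside this patch. suboption() starts and ends outside the hunk, so this cannot be confirmed from the lines shown.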