[Security report]: Patches for CVEs found in reused component curl by using V1SCAN

[ltcdCai]

Contact me:

[email protected]

CVEs and affected files:

CVE-2018-1000120 in the file /external/curl/ftp.c
CVE-2018-1000122 in the file /external/curl/transfer.c
CVE-2018-1000301 in the file /external/curl/http.c

References:

NVD descriptions:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000120
https://nvd.nist.gov/vuln/detail/CVE-2018-1000122
https://nvd.nist.gov/vuln/detail/CVE-2018-1000301

GitHub Security Advisories:
Advisory for CVE-2018-1000120
Advisory for CVE-2018-1000122
Advisory for CVE-2018-1000301

** Github commits:**
Commit for CVE-2018-1000120
Commit for CVE-2018-1000122
Commit for CVE-2018-1000301

Patch suggestions:

CVE-2018-1000120 & CVE-2018-1000122:
Since it seems that the two reused files are from the older version of curl, it is recommended to update the two files to the latest version or just apply the above commits for CVE-2018-1000120 & CVE-2018-1000122.

CVE-2018-1000301:
Since it seems that this file /external/curl/http.c is reused with a lot of modifications for customized features, we suggest to apply the following patch:

1. After the code struct SingleRequest *k = &data->req; at line 2963, insert the following two lines:

ssize_t onread = *nread;
char *ostr = k->str;

2. Replace the code *nread = (ssize_t)rest_length; at line 3028 with the following three lines:

*nread = onread;
k->str = ostr;
return CURLE_OK;

[sunghan-chang]

@jylee9613 Could you check it?