Version in base suite: 7.64.0-4 Base version: curl_7.64.0-4 Target version: curl_7.64.0-4+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/curl/curl_7.64.0-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/curl/curl_7.64.0-4+deb10u1.dsc changelog | 10 ++++++ patches/18_CVE-2019-5481.patch | 40 +++++++++++++++++++++++++++ patches/19_CVE-2019-5482.patch | 59 +++++++++++++++++++++++++++++++++++++++++ patches/series | 2 + 4 files changed, 111 insertions(+)
diff -Nru curl-7.64.0/debian/changelog curl-7.64.0/debian/changelog
--- curl-7.64.0/debian/changelog 2019-06-14 18:23:32.000000000 +0000
+++ curl-7.64.0/debian/changelog 2020-02-22 15:01:46.000000000 +0000
@@ -1,3 +1,13 @@
+curl (7.64.0-4+deb10u1) buster-security; urgency=high
+
+ * Fix FTP-KRB double-free as per CVE-2019-5481 (Closes: #940009)
+ https://curl.haxx.se/docs/CVE-2019-5481.html
+ * Fix TFTP small blocksize heap buffer overflow as per CVE-2019-5482
+ (Closes: #940010)
+ https://curl.haxx.se/docs/CVE-2019-5482.html
+
+ -- Alessandro Ghedini Sat, 22 Feb 2020 15:01:46 +0000
+
 curl (7.64.0-4) unstable; urgency=medium
 * Fix TFTP receive buffer overflow as per CVE-2019-5436 (Closes: #929351)
diff -Nru curl-7.64.0/debian/patches/18_CVE-2019-5481.patch curl-7.64.0/debian/patches/18_CVE-2019-5481.patch
--- curl-7.64.0/debian/patches/18_CVE-2019-5481.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.64.0/debian/patches/18_CVE-2019-5481.patch 2020-02-22 15:01:46.000000000 +0000
@@ -0,0 +1,40 @@
+From 9069838b30fb3b48af0123e39f664cea683254a5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 3 Sep 2019 22:59:32 +0200
+Subject: [PATCH] security:read_data fix bad realloc()
+
+... that could end up a double-free
+
+CVE-2019-5481
+Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
+---
+ lib/security.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index 550ea2da8db..c5e4e135df7 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
+ struct krb5buffer *buf)
+ {
+ int len;
+- void *tmp = NULL;
+ CURLcode result;
+
+ result = socket_read(fd, &len, sizeof(len));
+@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- tmp = Curl_saferealloc(buf->data, len);
++ buf->data = Curl_saferealloc(buf->data, len);
+ }
+- if(tmp == NULL)
++ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+
+- buf->data = tmp;
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
diff -Nru curl-7.64.0/debian/patches/19_CVE-2019-5482.patch curl-7.64.0/debian/patches/19_CVE-2019-5482.patch
--- curl-7.64.0/debian/patches/19_CVE-2019-5482.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.64.0/debian/patches/19_CVE-2019-5482.patch 2020-02-22 15:01:46.000000000 +0000
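Review bot: The length produced by `len = ntohl(len)` is a signed int read from the peer and is handed to `Curl_saferealloc(buf->data, len)` with no sign or upper-bound check, so a negative or very large value becomes an enormous size_t allocation request; the new `if(!len || !buf->data)` test only covers the zero and allocation-failure cases. Since this series already carries 17_CURL_MAX_INPUT_LENGTH, a bound such as `if(len < 0 || len > CURL_MAX_INPUT_LENGTH) return CURLE_OUT_OF_MEMORY;` placed before the realloc would reject such frames up front (the exact error code is a secondary choice). The fix presumably relies on Curl_saferealloc releasing the old buffer on failure, so storing its result directly in buf->data is what keeps the struct from holding a dangling pointer; that deserves a one-line comment at the assignment, e.g. `/* Curl_saferealloc() frees buf->data on failure; store the result either way so no stale pointer survives */`. read_data begins before and continues after this hunk.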
@@ -0,0 +1,59 @@
+From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
+ received
+
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+CVE-2019-5482
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index a7176cec80c..346f293dc59 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -985,6 +985,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ {
+ tftp_state_data_t *state;
+ int blksize;
++ int need_blksize;
+
+ blksize = TFTP_BLKSIZE_DEFAULT;
+
+@@ -999,15 +1000,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ return CURLE_TFTP_ILLEGAL;
+ }
+
++ need_blksize = blksize;
++ /* default size is the fallback when no OACK is received */
++ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++ need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+ if(!state->rpacket.data) {
+- state->rpacket.data = calloc(1, blksize + 2 + 2);
++ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->rpacket.data)
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+ if(!state->spacket.data) {
+- state->spacket.data = calloc(1, blksize + 2 + 2);
++ state->spacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->spacket.data)
+ return CURLE_OUT_OF_MEMORY;
+@@ -1021,7 +1027,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ state->sockfd = state->conn->sock[FIRSTSOCKET];
+ state->state = TFTP_STATE_START;
+ state->error = TFTP_ERR_NONE;
+- state->blksize = blksize;
++ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
+ state->requested_blksize = blksize;
+
+ ((struct sockaddr *)&state->local_addr)->sa_family =
diff -Nru curl-7.64.0/debian/patches/series
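Review bot: The capacity invariant set up by `calloc(1, need_blksize + 2 + 2)` is that rpacket and spacket hold max(requested, default) bytes of payload, but nothing in the hunk records that the OACK handler must refuse any blksize above `state->requested_blksize`; that check lives outside tftp_connect, so a later edit to the option parser could silently break the invariant these buffers depend on. A comment beside the clamp would pin it, e.g. `/* buffers must cover both the default used before any OACK and the largest blksize the OACK handler may accept (never above requested_blksize) */`. The `return CURLE_TFTP_ILLEGAL;` at the top of the second hunk appears to be the tail of a range check on blksize, which is what keeps the int arithmetic in the calloc size bounded; if that check is ever relaxed the size computation would need an overflow guard. tftp_connect starts before and continues after this hunk.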
curl-7.64.0/debian/patches/series
--- curl-7.64.0/debian/patches/series 2019-06-14 18:23:32.000000000 +0000
+++ curl-7.64.0/debian/patches/series 2020-02-22 15:01:46.000000000 +0000
@@ -9,6 +9,8 @@
 15_connection_check-restore-original-conn-data-after-th.patch
 16_tftp-use-the-current-blksize-for-recvfrom.patch
 17_CURL_MAX_INPUT_LENGTH-largest-acceptable-string-inpu.patch
+18_CVE-2019-5481.patch
+19_CVE-2019-5482.patch
 # do not add patches below
 90_gnutls.patch