diff options
Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-support/curl')
| -rw-r--r-- | import-layers/yocto-poky/meta/recipes-support/curl/curl/CVE-2017-1000100.patch | 50 | ||||
| -rw-r--r-- | import-layers/yocto-poky/meta/recipes-support/curl/curl/CVE-2017-1000101.patch | 92 | ||||
| -rw-r--r-- | import-layers/yocto-poky/meta/recipes-support/curl/curl_7.53.1.bb (renamed from import-layers/yocto-poky/meta/recipes-support/curl/curl_7.50.1.bb) | 16 |
3 files changed, 152 insertions, 6 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-support/curl/curl/CVE-2017-1000100.patch b/import-layers/yocto-poky/meta/recipes-support/curl/curl/CVE-2017-1000100.patch new file mode 100644 index 000000000..508df8c7d --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-support/curl/curl/CVE-2017-1000100.patch @@ -0,0 +1,50 @@ +From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 1 Aug 2017 17:16:46 +0200 +Subject: [PATCH] tftp: reject file name lengths that don't fit + +... and thereby avoid telling send() to send off more bytes than the +size of the buffer! + +CVE-2017-1000100 + +Bug: https://curl.haxx.se/docs/adv_20170809B.html +Reported-by: Even Rouault + +Credit to OSS-Fuzz for the discovery + +Upstream-Status: Backport +https://github.com/curl/curl/commit/358b2b131ad6c095696f20dcfa62b8305263f898 + +CVE: CVE-2017-1000100 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + lib/tftp.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +Index: curl-7.53.1/lib/tftp.c +=================================================================== +--- curl-7.53.1.orig/lib/tftp.c ++++ curl-7.53.1/lib/tftp.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -490,6 +490,11 @@ static CURLcode tftp_send_first(tftp_sta + if(result) + return result; + ++ if(strlen(filename) > (state->blksize - strlen(mode) - 4)) { ++ failf(data, "TFTP file name too long\n"); ++ return CURLE_TFTP_ILLEGAL; /* too long file name field */ ++ } ++ + snprintf((char *)state->spacket.data+2, + state->blksize, + "%s%c%s%c", filename, '\0', mode, '\0'); diff --git a/import-layers/yocto-poky/meta/recipes-support/curl/curl/CVE-2017-1000101.patch b/import-layers/yocto-poky/meta/recipes-support/curl/curl/CVE-2017-1000101.patch new file mode 100644 index 000000000..9eef5e2a2 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-support/curl/curl/CVE-2017-1000101.patch @@ -0,0 +1,92 @@ +From 453e7a7a03a2cec749abd3878a48e728c515cca7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 1 Aug 2017 17:16:07 +0200 +Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow + range + +Added test 1289 to verify. + +CVE-2017-1000101 + +Bug: https://curl.haxx.se/docs/adv_20170809A.html +Reported-by: Brian Carpenter + +Upstream-Status: Backport +CVE: CVE-2017-1000101 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + src/tool_urlglob.c | 5 ++++- + tests/data/Makefile.inc | 2 +- + tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++ + 3 files changed, 40 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1289 + +Index: curl-7.53.1/src/tool_urlglob.c +=================================================================== +--- curl-7.53.1.orig/src/tool_urlglob.c ++++ curl-7.53.1/src/tool_urlglob.c +@@ -269,7 +269,10 @@ static CURLcode glob_range(URLGlob *glob + } + errno = 0; + max_n = strtoul(pattern, &endp, 10); +- if(errno || (*endp == ':')) { ++ if(errno) ++ /* overflow */ ++ endp = NULL; ++ else if(*endp == ':') { + pattern = endp+1; + errno = 0; + step_n = strtoul(pattern, &endp, 10); +Index: curl-7.53.1/tests/data/Makefile.inc +=================================================================== +--- curl-7.53.1.orig/tests/data/Makefile.inc ++++ curl-7.53.1/tests/data/Makefile.inc +@@ -131,6 +131,7 @@ test1244 test1245 test1246 test1247 test + test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 \ + \ + test1280 test1281 test1282 test1283 test1284 test1285 test1286 \ ++test1289 \ + \ + test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \ + test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \ +Index: curl-7.53.1/tests/data/test1289 +=================================================================== +--- /dev/null ++++ curl-7.53.1/tests/data/test1289 +@@ -0,0 +1,35 @@ ++<testcase> ++<info> ++<keywords> ++HTTP ++HTTP GET ++globbing ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++</reply> ++ ++# Client-side ++<client> ++<server> ++http ++</server> ++<name> ++globbing with overflow and bad syntxx ++</name> ++<command> ++http://ur%20[0-60000000000000000000 ++</command> ++</client> ++ ++# Verify data after the test has been "shot" ++<verify> ++# curl: (3) [globbing] bad range in column ++<errorcode> ++3 ++</errorcode> ++</verify> ++</testcase> diff --git a/import-layers/yocto-poky/meta/recipes-support/curl/curl_7.50.1.bb b/import-layers/yocto-poky/meta/recipes-support/curl/curl_7.53.1.bb index 653fa2e7a..c3e1f898a 100644 --- a/import-layers/yocto-poky/meta/recipes-support/curl/curl_7.50.1.bb +++ b/import-layers/yocto-poky/meta/recipes-support/curl/curl_7.53.1.bb @@ -12,17 +12,20 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ # curl likes to set -g0 in CFLAGS, so we stop it # from mucking around with debug options # -SRC_URI += " file://configure_ac.patch" +SRC_URI += " file://configure_ac.patch \ + file://CVE-2017-1000100.patch \ + file://CVE-2017-1000101.patch \ + " -SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" -SRC_URI[sha256sum] = "3c12c5f54ccaa1d40abc65d672107dcc75d3e1fcb38c267484334280096e5156" +SRC_URI[md5sum] = "fb1f03a142236840c1a77c035fa4c542" +SRC_URI[sha256sum] = "1c7207c06d75e9136a944a2e0528337ce76f15b9ec9ae4bb30d703b59bf530e8" CVE_PRODUCT = "libcurl" inherit autotools pkgconfig binconfig multilib_header -PACKAGECONFIG ??= "${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)} gnutls proxy zlib" -PACKAGECONFIG_class-native = "ipv6 proxy ssl zlib" -PACKAGECONFIG_class-nativesdk = "ipv6 proxy ssl zlib" +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls proxy threaded-resolver zlib" +PACKAGECONFIG_class-native = "ipv6 proxy ssl threaded-resolver zlib" +PACKAGECONFIG_class-nativesdk = "ipv6 proxy ssl threaded-resolver zlib" PACKAGECONFIG[dict] = "--enable-dict,--disable-dict," PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls" @@ -42,6 +45,7 @@ PACKAGECONFIG[smtp] = "--enable-smtp,--disable-smtp," PACKAGECONFIG[ssl] = "--with-ssl --with-random=/dev/urandom,--without-ssl,openssl" PACKAGECONFIG[telnet] = "--enable-telnet,--disable-telnet," PACKAGECONFIG[tftp] = "--enable-tftp,--disable-tftp," +PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threaded-resolver" PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib" PACKAGECONFIG[krb5] = "--with-gssapi,--without-gssapi,krb5" |