diff options
Diffstat (limited to 'poky/meta/recipes-support/curl/curl/CVE-2022-35260.patch')
-rw-r--r-- | poky/meta/recipes-support/curl/curl/CVE-2022-35260.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/poky/meta/recipes-support/curl/curl/CVE-2022-35260.patch b/poky/meta/recipes-support/curl/curl/CVE-2022-35260.patch new file mode 100644 index 0000000000..a4aae69fd0 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2022-35260.patch @@ -0,0 +1,73 @@ +From 9169e54444bdca7b5e7b44034c463fe5fc801e88 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 4 Oct 2022 14:37:24 +0200 +Subject: [PATCH] netrc: replace fgets with Curl_get_line + +Make the parser only accept complete lines and avoid problems with +overly long lines. + +Reported-by: Hiroki Kurosawa + +Closes #9789 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa86] +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +--- + lib/curl_get_line.c | 6 +++--- + lib/netrc.c | 5 +++-- + 2 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c +index 6a26bb2..22e3705 100644 +--- a/lib/curl_get_line.c ++++ b/lib/curl_get_line.c +@@ -25,7 +25,7 @@ + #include "curl_setup.h" + + #if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ +- !defined(CURL_DISABLE_HSTS) ++ !defined(CURL_DISABLE_HSTS) || !defined(CURL_DISABLE_NETRC) + + #include "curl_get_line.h" + #include "curl_memory.h" +@@ -33,8 +33,8 @@ + #include "memdebug.h" + + /* +- * get_line() makes sure to only return complete whole lines that fit in 'len' +- * bytes and end with a newline. ++ * Curl_get_line() makes sure to only return complete whole lines that fit in ++ * 'len' bytes and end with a newline. + */ + char *Curl_get_line(char *buf, int len, FILE *input) + { +diff --git a/lib/netrc.c b/lib/netrc.c +index 62a6a10..5d17482 100644 +--- a/lib/netrc.c ++++ b/lib/netrc.c +@@ -33,6 +33,7 @@ + #include "netrc.h" + #include "strtok.h" + #include "strcase.h" ++#include "curl_get_line.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -84,7 +85,7 @@ static int parsenetrc(const char *host, + char netrcbuffer[4096]; + int netrcbuffsize = (int)sizeof(netrcbuffer); + +- while(!done && fgets(netrcbuffer, netrcbuffsize, file)) { ++ while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) { + char *tok; + char *tok_end; + bool quoted; +@@ -243,7 +244,7 @@ static int parsenetrc(const char *host, + } /* switch (state) */ + tok = ++tok_end; + } +- } /* while fgets() */ ++ } /* while Curl_get_line() */ + + out: + if(!retcode) { |