curl: CVE-2017-7407

--write-out out of buffer read
Reference:
https://curl.haxx.se/docs/adv_20170403.html

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>

2 files changed, 202 insertions, 1 deletions

diff --git a/recipes-support/curl/curl/CVE-2017-7407.patch b/recipes-support/curl/curl/CVE-2017-7407.patch
new file mode 100644
index 0000000..6dbe71c
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2017-7407.patch
@@ -0,0 +1,200 @@
+From 6019f1795b4e3b72507b84b0e02dc8c32024f562 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 11 Mar 2017 10:59:34 +0100
+Subject: [PATCH] CVE-2017-7407: fixed
+
+Bug: https://curl.haxx.se/docs/adv_20170403.html
+
+CVE: CVE-2017-7407
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-7407.patch]
+
+Reported-by: Brian Carpenter
+---
+ src/tool_writeout.c     |  6 +++---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1440     | 31 +++++++++++++++++++++++++++++++
+ tests/data/test1441     | 31 +++++++++++++++++++++++++++++++
+ tests/data/test1442     | 35 +++++++++++++++++++++++++++++++++++
+ 5 files changed, 101 insertions(+), 4 deletions(-)
+ create mode 100644 tests/data/test1440
+ create mode 100644 tests/data/test1441
+ create mode 100644 tests/data/test1442
+
+diff --git a/src/tool_writeout.c b/src/tool_writeout.c
+index 2fb77742a..5d92bd278 100644
+--- a/src/tool_writeout.c
++++ b/src/tool_writeout.c
+@@ -3,11 +3,11 @@
+  *  Project                     ___| | | |  _ \| |
+  *                             / __| | | | |_) | |
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+  * are also available at https://curl.haxx.se/docs/copyright.html.
+  *
+@@ -111,11 +111,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
+   char *stringp = NULL;
+   long longinfo;
+   double doubleinfo;
+ 
+   while(ptr && *ptr) {
+-    if('%' == *ptr) {
++    if('%' == *ptr && ptr[1]) {
+       if('%' == ptr[1]) {
+         /* an escaped %-letter */
+         fputc('%', stream);
+         ptr += 2;
+       }
+@@ -339,11 +339,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
+           fputc(ptr[1], stream);
+           ptr += 2;
+         }
+       }
+     }
+-    else if('\\' == *ptr) {
++    else if('\\' == *ptr && ptr[1]) {
+       switch(ptr[1]) {
+       case 'r':
+         fputc('\r', stream);
+         break;
+       case 'n':
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 8251ab9a4..267ff6aef 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -149,11 +149,11 @@ test1396 test1397 test1398 \
+ test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \
+ test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
+ test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
+ test1424 \
+ test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
+-test1436 test1437 test1438 test1439 \
++test1436 test1437 test1438 test1439 test1440 test1441 test1442 \
+ \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+ test1516 test1517 \
+ \
+diff --git a/tests/data/test1440 b/tests/data/test1440
+new file mode 100644
+index 000000000..7ed0c4d5f
+--- /dev/null
++++ b/tests/data/test1440
+@@ -0,0 +1,31 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing %{
++</name>
++<command>
++file://localhost/%PWD/log/ --write-out '%{'
++</command>
++</client>
++
++# Verify data
++<verify>
++<stdout nonewline="yes">
++%{
++</stdout>
++</verify>
++</testcase>
+diff --git a/tests/data/test1441 b/tests/data/test1441
+new file mode 100644
+index 000000000..6e253a690
+--- /dev/null
++++ b/tests/data/test1441
+@@ -0,0 +1,31 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing %
++</name>
++<command>
++file://localhost/%PWD/log/ --write-out '%'
++</command>
++</client>
++
++# Verify data
++<verify>
++<stdout nonewline="yes">
++%
++</stdout>
++</verify>
++</testcase>
+diff --git a/tests/data/test1442 b/tests/data/test1442
+new file mode 100644
+index 000000000..255a4c9ff
+--- /dev/null
++++ b/tests/data/test1442
+@@ -0,0 +1,35 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++FILE
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing \
++</name>
++<command>
++file://localhost/%PWD/log/non-existent-file.txt --write-out '\'
++</command>
++</client>
++
++# Verify data
++<verify>
++<errorcode>
++37
++</errorcode>
++<stdout nonewline="yes">
++\
++</stdout>
++</verify>
++</testcase>
+-- 
+2.11.0
+
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
index 72cd405..6ce316a 100644
--- a/recipes-support/curl/curl_%.bbappend
+++ b/recipes-support/curl/curl_%.bbappend
@@ -1,7 +1,8 @@
 # look for files in the layer first
 FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 
-SRC_URI += "file://CVE-2017-7468.patch \
+SRC_URI += "file://CVE-2017-7407.patch \
+            file://CVE-2017-7468.patch \
             file://CVE-2017-9502.patch \
             file://CVE-2017-1000100.patch \
             file://CVE-2017-1000101.patch \