curl: CVE-2017-9502

URL file scheme drive letter buffer overflow References: https://curl.haxx.se/docs/adv_20170614.html https://curl.haxx.se/CVE-2017-9502.patch Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-21 13:57:05 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-09-26 15:38:41 +0200
commit: 7218e2df932a95309e9d089d979f4280b0d10e40 (patch)
tree: 79e809c02bae89212a161979716b5fedb3624414
parent: a6c093cff598b0410e4bd9e9a3ba2905ebfb8cb2 (diff)
download: meta-el-common-7218e2df932a95309e9d089d979f4280b0d10e40.tar.gz
2 files changed, 70 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2017-9502.patch b/recipes-support/curl/curl/CVE-2017-9502.patch
new file mode 100644
index 0000000..c205568
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2017-9502.patch
@@ -0,0 +1,69 @@
+From 5d7952f52e410e1d4a8ff1965e5cc6fc1bde86aa Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 7 Jun 2017 00:21:04 +0200
+Subject: [PATCH] url: fix buffer overwrite with file protocol (CVE-2017-9502)
+Bug: https://github.com/curl/curl/issues/1540
+Advisory: https://curl.haxx.se/docs/adv_20170614.html
+CVE: CVE-2017-9502
+Upstream-Status: Backport [backport from curl-7_54_1]
+Assisted-by: Ray Satiro
+Reported-by: Marcel Raad
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/url.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+diff --git a/lib/url.c b/lib/url.c
+index 84822d9..87446db 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -4466,6 +4466,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+ #endif
+ 
+     protop = "file"; /* protocol string */
+    *prot_missing = !url_has_scheme;
+   }
+   else {
+     /* clear path */
+@@ -4629,14 +4630,30 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+ 
+     size_t plen = strlen(path); /* new path, should be 1 byte longer than
+                                    the original */
+-    size_t urllen = strlen(data->change.url); /* original URL length */
+-
+     size_t prefixlen = strlen(conn->host.name);
+ 
+-    if(!*prot_missing)
+-      prefixlen += strlen(protop) + strlen("://");
+    if(!*prot_missing) {
+      size_t protolen = strlen(protop);
+
+      if(curl_strnequal(protop, data->change.url, protolen))
+        prefixlen += protolen;
+      else {
+        failf(data, "<url> malformed");
+        return CURLE_URL_MALFORMAT;
+      }
+
+      if(curl_strnequal("://", &data->change.url[protolen], 3))
+        prefixlen += 3;
+      /* only file: is allowed to omit one or both slashes */
+      else if(curl_strnequal("file:", data->change.url, 5))
+        prefixlen += 1 + (data->change.url[5] == '/');
+      else {
+        failf(data, "<url> malformed");
+        return CURLE_URL_MALFORMAT;
+      }
+    }
+ 
+-    reurl = malloc(urllen + 2); /* 2 for zerobyte + slash */
+    reurl = malloc(prefixlen + plen + 1);
+     if(!reurl)
+       return CURLE_OUT_OF_MEMORY;
+ 
+-- 
+1.9.1
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
index ec4f997..15e74ba 100644
--- a/recipes-support/curl/curl_%.bbappend
+++ b/recipes-support/curl/curl_%.bbappend
@@ -2,4 +2,5 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://CVE-2017-7468.patch \
+            file://CVE-2017-9502.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-21 13:57:05 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-09-26 15:38:41 +0200
commit	7218e2df932a95309e9d089d979f4280b0d10e40 (patch)
tree	79e809c02bae89212a161979716b5fedb3624414
parent	a6c093cff598b0410e4bd9e9a3ba2905ebfb8cb2 (diff)
download	meta-el-common-7218e2df932a95309e9d089d979f4280b0d10e40.tar.gz

diff --git a/recipes-support/curl/curl/CVE-2017-9502.patch b/recipes-support/curl/curl/CVE-2017-9502.patch new file mode 100644 index 0000000..c205568 --- /dev/null +++ b/recipes-support/curl/curl/CVE-2017-9502.patch
@@ -0,0 +1,69 @@
		1	From 5d7952f52e410e1d4a8ff1965e5cc6fc1bde86aa Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Wed, 7 Jun 2017 00:21:04 +0200
		4	Subject: [PATCH] url: fix buffer overwrite with file protocol (CVE-2017-9502)
		5
		6	Bug: https://github.com/curl/curl/issues/1540
		7	Advisory: https://curl.haxx.se/docs/adv_20170614.html
		8
		9	CVE: CVE-2017-9502
		10	Upstream-Status: Backport [backport from curl-7_54_1]
		11
		12	Assisted-by: Ray Satiro
		13	Reported-by: Marcel Raad
		14	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		15	---
		16	lib/url.c \| 27 ++++++++++++++++++++++-----
		17	1 file changed, 22 insertions(+), 5 deletions(-)
		18
		19	diff --git a/lib/url.c b/lib/url.c
		20	index 84822d9..87446db 100644
		21	--- a/lib/url.c
		22	+++ b/lib/url.c
		23	@@ -4466,6 +4466,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
		24	#endif
		25
		26	protop = "file"; /* protocol string */
		27	+ *prot_missing = !url_has_scheme;
		28	}
		29	else {
		30	/* clear path */
		31	@@ -4629,14 +4630,30 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
		32
		33	size_t plen = strlen(path); /* new path, should be 1 byte longer than
		34	the original */
		35	- size_t urllen = strlen(data->change.url); /* original URL length */
		36	-
		37	size_t prefixlen = strlen(conn->host.name);
		38
		39	- if(!*prot_missing)
		40	- prefixlen += strlen(protop) + strlen("://");
		41	+ if(!*prot_missing) {
		42	+ size_t protolen = strlen(protop);
		43	+
		44	+ if(curl_strnequal(protop, data->change.url, protolen))
		45	+ prefixlen += protolen;
		46	+ else {
		47	+ failf(data, "<url> malformed");
		48	+ return CURLE_URL_MALFORMAT;
		49	+ }
		50	+
		51	+ if(curl_strnequal("://", &data->change.url[protolen], 3))
		52	+ prefixlen += 3;
		53	+ /* only file: is allowed to omit one or both slashes */
		54	+ else if(curl_strnequal("file:", data->change.url, 5))
		55	+ prefixlen += 1 + (data->change.url[5] == '/');
		56	+ else {
		57	+ failf(data, "<url> malformed");
		58	+ return CURLE_URL_MALFORMAT;
		59	+ }
		60	+ }
		61
		62	- reurl = malloc(urllen + 2); /* 2 for zerobyte + slash */
		63	+ reurl = malloc(prefixlen + plen + 1);
		64	if(!reurl)
		65	return CURLE_OUT_OF_MEMORY;
		66
		67	--
		68	1.9.1
		69


diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend index ec4f997..15e74ba 100644 --- a/recipes-support/curl/curl_%.bbappend +++ b/recipes-support/curl/curl_%.bbappend
@@ -2,4 +2,5 @@
2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"	2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
3		3
4	SRC_URI += "file://CVE-2017-7468.patch \	4	SRC_URI += "file://CVE-2017-7468.patch \
		5	file://CVE-2017-9502.patch \
5	"	6	"