diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-10-03 10:55:29 +0200 |
|---|---|---|
| committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-10-04 09:58:01 +0200 |
| commit | dd659758deef67be170cd8916a3cfa788e79ad0d (patch) | |
| tree | 0d54a2ad3a67700fe38c888117532cd7e8e4be77 | |
| parent | cd8e084d9f7bb118f3d87a943852eef0f1a263d9 (diff) | |
| download | meta-el-common-dd659758deef67be170cd8916a3cfa788e79ad0d.tar.gz | |
curl: CVE-2017-1000100
TFTP sends more than buffer size
Reference:
https://curl.haxx.se/docs/adv_20170809B.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
| -rw-r--r-- | recipes-support/curl/curl/CVE-2017-1000100.patch | 59 | ||||
| -rw-r--r-- | recipes-support/curl/curl_%.bbappend | 1 |
2 files changed, 60 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2017-1000100.patch b/recipes-support/curl/curl/CVE-2017-1000100.patch new file mode 100644 index 0000000..02ae6cc --- /dev/null +++ b/recipes-support/curl/curl/CVE-2017-1000100.patch | |||
| @@ -0,0 +1,59 @@ | |||
| 1 | From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Stenberg <daniel@haxx.se> | ||
| 3 | Date: Tue, 1 Aug 2017 17:16:46 +0200 | ||
| 4 | Subject: [PATCH] tftp: reject file name lengths that don't fit | ||
| 5 | |||
| 6 | ... and thereby avoid telling send() to send off more bytes than the | ||
| 7 | size of the buffer! | ||
| 8 | |||
| 9 | CVE-2017-1000100 | ||
| 10 | |||
| 11 | Bug: https://curl.haxx.se/docs/adv_20170809B.html | ||
| 12 | Reported-by: Even Rouault | ||
| 13 | |||
| 14 | Credit to OSS-Fuzz for the discovery | ||
| 15 | |||
| 16 | CVE: CVE-2017-1000100 | ||
| 17 | Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-1000100.patch] | ||
| 18 | |||
| 19 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 20 | --- | ||
| 21 | lib/tftp.c | 7 ++++++- | ||
| 22 | 1 file changed, 6 insertions(+), 1 deletion(-) | ||
| 23 | |||
| 24 | diff --git a/lib/tftp.c b/lib/tftp.c | ||
| 25 | index 02bd84242..f6f4bce5b 100644 | ||
| 26 | --- a/lib/tftp.c | ||
| 27 | +++ b/lib/tftp.c | ||
| 28 | @@ -3,11 +3,11 @@ | ||
| 29 | * Project ___| | | | _ \| | | ||
| 30 | * / __| | | | |_) | | | ||
| 31 | * | (__| |_| | _ <| |___ | ||
| 32 | * \___|\___/|_| \_\_____| | ||
| 33 | * | ||
| 34 | - * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
| 35 | + * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
| 36 | * | ||
| 37 | * This software is licensed as described in the file COPYING, which | ||
| 38 | * you should have received as part of this distribution. The terms | ||
| 39 | * are also available at https://curl.haxx.se/docs/copyright.html. | ||
| 40 | * | ||
| 41 | @@ -489,10 +489,15 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event) | ||
| 42 | result = Curl_urldecode(data, &state->conn->data->state.path[1], 0, | ||
| 43 | &filename, NULL, FALSE); | ||
| 44 | if(result) | ||
| 45 | return result; | ||
| 46 | |||
| 47 | + if(strlen(filename) > (state->blksize - strlen(mode) - 4)) { | ||
| 48 | + failf(data, "TFTP file name too long\n"); | ||
| 49 | + return CURLE_TFTP_ILLEGAL; /* too long file name field */ | ||
| 50 | + } | ||
| 51 | + | ||
| 52 | snprintf((char *)state->spacket.data+2, | ||
| 53 | state->blksize, | ||
| 54 | "%s%c%s%c", filename, '\0', mode, '\0'); | ||
| 55 | sbytes = 4 + strlen(filename) + strlen(mode); | ||
| 56 | |||
| 57 | -- | ||
| 58 | 2.13.3 | ||
| 59 | |||
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend index 15e74ba..f915ba1 100644 --- a/recipes-support/curl/curl_%.bbappend +++ b/recipes-support/curl/curl_%.bbappend | |||
| @@ -3,4 +3,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" | |||
| 3 | 3 | ||
| 4 | SRC_URI += "file://CVE-2017-7468.patch \ | 4 | SRC_URI += "file://CVE-2017-7468.patch \ |
| 5 | file://CVE-2017-9502.patch \ | 5 | file://CVE-2017-9502.patch \ |
| 6 | file://CVE-2017-1000100.patch \ | ||
| 6 | " | 7 | " |