curl: Drop CVE patches

curl was upgraded to 7.58.0 on upstream poky rocko branch and this version already contains all our CVE patches. Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Martin Borg <martin.borg@enea.com> 2018-05-03 14:29:23 +0200
committer: Martin Borg <martin.borg@enea.com> 2018-05-03 14:29:23 +0200
commit: 8c928bbadf6ae0e6dc2705ed57c89eb2e6810197 (patch)
tree: a317199e3cac1f517359a49e11b73a159fb4f295
parent: 1c3a21479972cb4b868b1e57b80dc607ef398d8d (diff)
download: meta-el-common-8c928bbadf6ae0e6dc2705ed57c89eb2e6810197.tar.gz
5 files changed, 0 insertions, 292 deletions
diff --git a/recipes-support/curl/curl/CVE-2017-1000257.patch b/recipes-support/curl/curl/CVE-2017-1000257.patch
deleted file mode 100644
index de0dc3a..0000000
--- a/recipes-support/curl/curl/CVE-2017-1000257.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 13c9a9ded3ae744a1e11cbc14e9146d9fa427040 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Sat, 7 Oct 2017 00:11:31 +0200
-Subject: [PATCH] imap: if a FETCH response has no size, don't call write
- callback
-CVE: CVE-2017-1000257
-Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-1000257.patch]
-Reported-by: Brian Carpenter and 0xd34db347
-Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- lib/imap.c | 5 +++++
- 1 file changed, 5 insertions(+)
-diff --git a/lib/imap.c b/lib/imap.c
-index 954d18f37..baa31a2f8 100644
--- a/lib/imap.c
-+++ b/lib/imap.c
-@@ -1124,10 +1124,15 @@ static CURLcode imap_state_fetch_resp(struct connectdata *conn, int imapcode,
- 
-       if(chunk > (size_t)size)
-         /* The conversion from curl_off_t to size_t is always fine here */
-         chunk = (size_t)size;
- 
-+      if(!chunk) {
-+        /* no size, we're done with the data */
-+        state(conn, IMAP_STOP);
-+        return CURLE_OK;
-+      }
-       result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk);
-       if(result)
-         return result;
- 
-       data->req.bytecount += chunk;
-- 
-2.15.0.rc1
diff --git a/recipes-support/curl/curl/CVE-2017-8816.patch b/recipes-support/curl/curl/CVE-2017-8816.patch
deleted file mode 100644
index 9b957ce..0000000
--- a/recipes-support/curl/curl/CVE-2017-8816.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 6 Nov 2017 23:51:52 +0100
-Subject: [PATCH] ntlm: avoid integer overflow for malloc size
-Reported-by: Alex Nichols
-Assisted-by: Kamil Dudka and Max Dymond
-CVE: CVE-2017-8816
-Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8816.patch]
-Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
- 1 file changed, 21 insertions(+), 2 deletions(-)
-diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
-index 1309bf0d9..e8962769c 100644
--- a/lib/curl_ntlm_core.c
-+++ b/lib/curl_ntlm_core.c
-@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
-   Curl_HMAC_final(ctxt, output);
- 
-   return CURLE_OK;
- }
- 
-+#ifndef SIZE_T_MAX
-+/* some limits.h headers have this defined, some don't */
-+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
-+#define SIZE_T_MAX 18446744073709551615U
-+#else
-+#define SIZE_T_MAX 4294967295U
-+#endif
-+#endif
-+
- /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
-  * (uppercase UserName + Domain) as the data
-  */
- CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
-                                        const char *domain, size_t domlen,
-                                        unsigned char *ntlmhash,
-                                        unsigned char *ntlmv2hash)
- {
-   /* Unicode representation */
-  size_t identity_len = (userlen + domlen) * 2;
-  unsigned char *identity = malloc(identity_len);
-+  size_t identity_len;
-+  unsigned char *identity;
-   CURLcode result = CURLE_OK;
- 
-+  /* we do the length checks below separately to avoid integer overflow risk
-+     on extreme data lengths */
-+  if((userlen > SIZE_T_MAX/2) ||
-+     (domlen > SIZE_T_MAX/2) ||
-+     ((userlen + domlen) > SIZE_T_MAX/2))
-+    return CURLE_OUT_OF_MEMORY;
-+
-+  identity_len = (userlen + domlen) * 2;
-+  identity = malloc(identity_len);
-+
-   if(!identity)
-     return CURLE_OUT_OF_MEMORY;
- 
-   ascii_uppercase_to_unicode_le(identity, user, userlen);
-   ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
-- 
-2.15.0
diff --git a/recipes-support/curl/curl/CVE-2017-8817.patch b/recipes-support/curl/curl/CVE-2017-8817.patch
deleted file mode 100644
index e8429b2..0000000
--- a/recipes-support/curl/curl/CVE-2017-8817.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From 438a9ebfe9c4dc850ca2ed858bf5b8c31ce15ef5 Mon Sep 17 00:00:00 2001
-From: Sona Sarmadi <sona.sarmadi@enea.com>
-Date: Fri, 2 Mar 2018 08:48:05 +0100
-Subject: [PATCH] curl: fix for CVE-2017-8817
-wildcardmatch: fix heap buffer overflow in setcharset
-The code would previous read beyond the end of the pattern string if the
-match pattern ends with an open bracket when the default pattern
-matching function is used.
-Detected by OSS-Fuzz:
-https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
-CVE: CVE-2017-8817
-Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8817.patch]
-Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- lib/curl_fnmatch.c      |  9 +++------
- tests/data/Makefile.inc |  2 +-
- tests/data/test1163     | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 56 insertions(+), 7 deletions(-)
- create mode 100644 tests/data/test1163
-diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
-index 46d3ada..5dd5323 100644
--- a/lib/curl_fnmatch.c
-+++ b/lib/curl_fnmatch.c
-@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, unsigned char *charset)
-   unsigned char c;
-   for(;;) {
-     c = **p;
-+    if(!c)
-+      return SETCHARSET_FAIL;
-+
-     switch(state) {
-     case CURLFNM_SCHS_DEFAULT:
-       if(ISALNUM(c)) { /* ASCII value */
-@@ -196,9 +199,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
-         else
-           return SETCHARSET_FAIL;
-       }
-      else if(c == '\0') {
-        return SETCHARSET_FAIL;
-      }
-       else {
-         charset[c] = 1;
-         (*p)++;
-@@ -277,9 +277,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
-       else if(c == ']') {
-         return SETCHARSET_OK;
-       }
-      else if(c == '\0') {
-        return SETCHARSET_FAIL;
-      }
-       else if(ISPRINT(c)) {
-         charset[c] = 1;
-         (*p)++;
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 5284654..942f9ee 100644
--- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -122,7 +122,7 @@ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
- test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
- test1144 test1145 test1146 \
- test1152 \
-\
-+test1163 \
- test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
- test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
- test1216 test1217 test1218 test1219 \
-diff --git a/tests/data/test1163 b/tests/data/test1163
-new file mode 100644
-index 0000000..3266fa8
--- /dev/null
-+++ b/tests/data/test1163
-@@ -0,0 +1,52 @@
-+<testcase>
-+<info>
-+<keywords>
-+FTP
-+RETR
-+LIST
-+wildcardmatch
-+ftplistparser
-+flaky
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+</data>
-+</reply>
-+
-+# Client-side
-+<client>
-+<server>
-+ftp
-+</server>
-+<tool>
-+lib576
-+</tool>
-+<name>
-+FTP wildcard with pattern ending with an open-bracket
-+</name>
-+<command>
-+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
-+</command>
-+</client>
-+<verify>
-+<protocol>
-+USER anonymous
-+PASS ftp@example.com
-+PWD
-+CWD fully_simulated
-+CWD DOS
-+EPSV
-+TYPE A
-+LIST
-+QUIT
-+</protocol>
-+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
-+<errorcode>
-+78
-+</errorcode>
-+</verify>
-+</testcase>
-- 
-1.9.1
diff --git a/recipes-support/curl/curl/CVE-2018-1000005.patch b/recipes-support/curl/curl/CVE-2018-1000005.patch
deleted file mode 100644
index 200ef16..0000000
--- a/recipes-support/curl/curl/CVE-2018-1000005.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
-From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com>
-Date: Wed, 10 Jan 2018 10:12:18 -0800
-Subject: [PATCH] http2: fix incorrect trailer buffer size
-Prior to this change the stored byte count of each trailer was
-miscalculated and 1 less than required. It appears any trailer
-after the first that was passed to Curl_client_write would be truncated
-or corrupted as well as the size. Potentially the size of some
-subsequent trailer could be erroneously extracted from the contents of
-that trailer, and since that size is used by client write an
-out-of-bounds read could occur and cause a crash or be otherwise
-processed by client write.
-The bug appears to have been born in 0761a51 (precedes 7.49.0).
-Closes https://github.com/curl/curl/pull/2231
-Upstream-Status: Backport
-CVE: CVE-2018-1000005
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- lib/http2.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/lib/http2.c b/lib/http2.c
-index 8e2fc71996..699287940e 100644
--- a/lib/http2.c
-+++ b/lib/http2.c
-@@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
- 
-   if(stream->bodystarted) {
-     /* This is trailer fields. */
-    /* 3 is for ":" and "\r\n". */
-    uint32_t n = (uint32_t)(namelen + valuelen + 3);
-+    /* 4 is for ": " and "\r\n". */
-+    uint32_t n = (uint32_t)(namelen + valuelen + 4);
- 
-     DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
-                  value));
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
deleted file mode 100644
index d30e613..0000000
--- a/recipes-support/curl/curl_%.bbappend
+++ /dev/null
@@ -1,8 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-SRC_URI += "file://CVE-2017-1000257.patch \
-            file://CVE-2017-8816.patch \
-            file://CVE-2017-8817.patch \
-            file://CVE-2018-1000005.patch \
-           "
author	Martin Borg <martin.borg@enea.com>	2018-05-03 14:29:23 +0200
committer	Martin Borg <martin.borg@enea.com>	2018-05-03 14:29:23 +0200
commit	8c928bbadf6ae0e6dc2705ed57c89eb2e6810197 (patch)
tree	a317199e3cac1f517359a49e11b73a159fb4f295
parent	1c3a21479972cb4b868b1e57b80dc607ef398d8d (diff)
download	meta-el-common-8c928bbadf6ae0e6dc2705ed57c89eb2e6810197.tar.gz

diff --git a/recipes-support/curl/curl/CVE-2017-1000257.patch b/recipes-support/curl/curl/CVE-2017-1000257.patch deleted file mode 100644 index de0dc3a..0000000 --- a/recipes-support/curl/curl/CVE-2017-1000257.patch +++ /dev/null
@@ -1,39 +0,0 @@
1	From 13c9a9ded3ae744a1e11cbc14e9146d9fa427040 Mon Sep 17 00:00:00 2001
2	From: Daniel Stenberg <daniel@haxx.se>
3	Date: Sat, 7 Oct 2017 00:11:31 +0200
4	Subject: [PATCH] imap: if a FETCH response has no size, don't call write
5	callback
6
7	CVE: CVE-2017-1000257
8	Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-1000257.patch]
9
10	Reported-by: Brian Carpenter and 0xd34db347
11	Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
12	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
13	---
14	lib/imap.c \| 5 +++++
15	1 file changed, 5 insertions(+)
16
17	diff --git a/lib/imap.c b/lib/imap.c
18	index 954d18f37..baa31a2f8 100644
19	--- a/lib/imap.c
20	+++ b/lib/imap.c
21	@@ -1124,10 +1124,15 @@ static CURLcode imap_state_fetch_resp(struct connectdata *conn, int imapcode,
22
23	if(chunk > (size_t)size)
24	/* The conversion from curl_off_t to size_t is always fine here */
25	chunk = (size_t)size;
26
27	+ if(!chunk) {
28	+ /* no size, we're done with the data */
29	+ state(conn, IMAP_STOP);
30	+ return CURLE_OK;
31	+ }
32	result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk);
33	if(result)
34	return result;
35
36	data->req.bytecount += chunk;
37	--
38	2.15.0.rc1
39


diff --git a/recipes-support/curl/curl/CVE-2017-8816.patch b/recipes-support/curl/curl/CVE-2017-8816.patch deleted file mode 100644 index 9b957ce..0000000 --- a/recipes-support/curl/curl/CVE-2017-8816.patch +++ /dev/null
@@ -1,69 +0,0 @@
1	From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
2	From: Daniel Stenberg <daniel@haxx.se>
3	Date: Mon, 6 Nov 2017 23:51:52 +0100
4	Subject: [PATCH] ntlm: avoid integer overflow for malloc size
5
6	Reported-by: Alex Nichols
7	Assisted-by: Kamil Dudka and Max Dymond
8
9	CVE: CVE-2017-8816
10	Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8816.patch]
11
12	Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
13	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
14	---
15	lib/curl_ntlm_core.c \| 23 +++++++++++++++++++++--
16	1 file changed, 21 insertions(+), 2 deletions(-)
17
18	diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
19	index 1309bf0d9..e8962769c 100644
20	--- a/lib/curl_ntlm_core.c
21	+++ b/lib/curl_ntlm_core.c
22	@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
23	Curl_HMAC_final(ctxt, output);
24
25	return CURLE_OK;
26	}
27
28	+#ifndef SIZE_T_MAX
29	+/* some limits.h headers have this defined, some don't */
30	+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
31	+#define SIZE_T_MAX 18446744073709551615U
32	+#else
33	+#define SIZE_T_MAX 4294967295U
34	+#endif
35	+#endif
36	+
37	/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
38	* (uppercase UserName + Domain) as the data
39	*/
40	CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
41	const char *domain, size_t domlen,
42	unsigned char *ntlmhash,
43	unsigned char *ntlmv2hash)
44	{
45	/* Unicode representation */
46	- size_t identity_len = (userlen + domlen) * 2;
47	- unsigned char *identity = malloc(identity_len);
48	+ size_t identity_len;
49	+ unsigned char *identity;
50	CURLcode result = CURLE_OK;
51
52	+ /* we do the length checks below separately to avoid integer overflow risk
53	+ on extreme data lengths */
54	+ if((userlen > SIZE_T_MAX/2) \|\|
55	+ (domlen > SIZE_T_MAX/2) \|\|
56	+ ((userlen + domlen) > SIZE_T_MAX/2))
57	+ return CURLE_OUT_OF_MEMORY;
58	+
59	+ identity_len = (userlen + domlen) * 2;
60	+ identity = malloc(identity_len);
61	+
62	if(!identity)
63	return CURLE_OUT_OF_MEMORY;
64
65	ascii_uppercase_to_unicode_le(identity, user, userlen);
66	ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
67	--
68	2.15.0
69


diff --git a/recipes-support/curl/curl/CVE-2017-8817.patch b/recipes-support/curl/curl/CVE-2017-8817.patch deleted file mode 100644 index e8429b2..0000000 --- a/recipes-support/curl/curl/CVE-2017-8817.patch +++ /dev/null
@@ -1,135 +0,0 @@
1	From 438a9ebfe9c4dc850ca2ed858bf5b8c31ce15ef5 Mon Sep 17 00:00:00 2001
2	From: Sona Sarmadi <sona.sarmadi@enea.com>
3	Date: Fri, 2 Mar 2018 08:48:05 +0100
4	Subject: [PATCH] curl: fix for CVE-2017-8817
5
6	wildcardmatch: fix heap buffer overflow in setcharset
7
8	The code would previous read beyond the end of the pattern string if the
9	match pattern ends with an open bracket when the default pattern
10	matching function is used.
11
12	Detected by OSS-Fuzz:
13	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
14
15	CVE: CVE-2017-8817
16	Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8817.patch]
17
18	Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
19
20	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
21	---
22	lib/curl_fnmatch.c \| 9 +++------
23	tests/data/Makefile.inc \| 2 +-
24	tests/data/test1163 \| 52 +++++++++++++++++++++++++++++++++++++++++++++++++
25	3 files changed, 56 insertions(+), 7 deletions(-)
26	create mode 100644 tests/data/test1163
27
28	diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
29	index 46d3ada..5dd5323 100644
30	--- a/lib/curl_fnmatch.c
31	+++ b/lib/curl_fnmatch.c
32	@@ -133,6 +133,9 @@ static int setcharset(unsigned char *p, unsigned char charset)
33	unsigned char c;
34	for(;;) {
35	c = **p;
36	+ if(!c)
37	+ return SETCHARSET_FAIL;
38	+
39	switch(state) {
40	case CURLFNM_SCHS_DEFAULT:
41	if(ISALNUM(c)) { /* ASCII value */
42	@@ -196,9 +199,6 @@ static int setcharset(unsigned char *p, unsigned char charset)
43	else
44	return SETCHARSET_FAIL;
45	}
46	- else if(c == '\0') {
47	- return SETCHARSET_FAIL;
48	- }
49	else {
50	charset[c] = 1;
51	(*p)++;
52	@@ -277,9 +277,6 @@ static int setcharset(unsigned char *p, unsigned char charset)
53	else if(c == ']') {
54	return SETCHARSET_OK;
55	}
56	- else if(c == '\0') {
57	- return SETCHARSET_FAIL;
58	- }
59	else if(ISPRINT(c)) {
60	charset[c] = 1;
61	(*p)++;
62	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
63	index 5284654..942f9ee 100644
64	--- a/tests/data/Makefile.inc
65	+++ b/tests/data/Makefile.inc
66	@@ -122,7 +122,7 @@ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
67	test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
68	test1144 test1145 test1146 \
69	test1152 \
70	-\
71	+test1163 \
72	test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
73	test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
74	test1216 test1217 test1218 test1219 \
75	diff --git a/tests/data/test1163 b/tests/data/test1163
76	new file mode 100644
77	index 0000000..3266fa8
78	--- /dev/null
79	+++ b/tests/data/test1163
80	@@ -0,0 +1,52 @@
81	+<testcase>
82	+<info>
83	+<keywords>
84	+FTP
85	+RETR
86	+LIST
87	+wildcardmatch
88	+ftplistparser
89	+flaky
90	+</keywords>
91	+</info>
92	+
93	+#
94	+# Server-side
95	+<reply>
96	+<data>
97	+</data>
98	+</reply>
99	+
100	+# Client-side
101	+<client>
102	+<server>
103	+ftp
104	+</server>
105	+<tool>
106	+lib576
107	+</tool>
108	+<name>
109	+FTP wildcard with pattern ending with an open-bracket
110	+</name>
111	+<command>
112	+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
113	+</command>
114	+</client>
115	+<verify>
116	+<protocol>
117	+USER anonymous
118	+PASS ftp@example.com
119	+PWD
120	+CWD fully_simulated
121	+CWD DOS
122	+EPSV
123	+TYPE A
124	+LIST
125	+QUIT
126	+</protocol>
127	+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
128	+<errorcode>
129	+78
130	+</errorcode>
131	+</verify>
132	+</testcase>
133	--
134	1.9.1
135


diff --git a/recipes-support/curl/curl/CVE-2018-1000005.patch b/recipes-support/curl/curl/CVE-2018-1000005.patch deleted file mode 100644 index 200ef16..0000000 --- a/recipes-support/curl/curl/CVE-2018-1000005.patch +++ /dev/null
@@ -1,41 +0,0 @@
1	From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
2	From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com>
3	Date: Wed, 10 Jan 2018 10:12:18 -0800
4	Subject: [PATCH] http2: fix incorrect trailer buffer size
5
6	Prior to this change the stored byte count of each trailer was
7	miscalculated and 1 less than required. It appears any trailer
8	after the first that was passed to Curl_client_write would be truncated
9	or corrupted as well as the size. Potentially the size of some
10	subsequent trailer could be erroneously extracted from the contents of
11	that trailer, and since that size is used by client write an
12	out-of-bounds read could occur and cause a crash or be otherwise
13	processed by client write.
14
15	The bug appears to have been born in 0761a51 (precedes 7.49.0).
16
17	Closes https://github.com/curl/curl/pull/2231
18
19	Upstream-Status: Backport
20	CVE: CVE-2018-1000005
21
22	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
23	---
24	lib/http2.c \| 4 ++--
25	1 file changed, 2 insertions(+), 2 deletions(-)
26
27	diff --git a/lib/http2.c b/lib/http2.c
28	index 8e2fc71996..699287940e 100644
29	--- a/lib/http2.c
30	+++ b/lib/http2.c
31	@@ -925,8 +925,8 @@ static int on_header(nghttp2_session session, const nghttp2_frame frame,
32
33	if(stream->bodystarted) {
34	/* This is trailer fields. */
35	- /* 3 is for ":" and "\r\n". */
36	- uint32_t n = (uint32_t)(namelen + valuelen + 3);
37	+ /* 4 is for ": " and "\r\n". */
38	+ uint32_t n = (uint32_t)(namelen + valuelen + 4);
39
40	DEBUGF(infof(data_s, "h2 trailer: %.s: %.s\n", namelen, name, valuelen,
41	value));


diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend deleted file mode 100644 index d30e613..0000000 --- a/recipes-support/curl/curl_%.bbappend +++ /dev/null
@@ -1,8 +0,0 @@
1	# look for files in the layer first
2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
3
4	SRC_URI += "file://CVE-2017-1000257.patch \
5	file://CVE-2017-8816.patch \
6	file://CVE-2017-8817.patch \
7	file://CVE-2018-1000005.patch \
8	"