author | Dan Andresan <Dan.Andresan@enea.com> | 2018-10-29 11:59:42 +0100 |
---|---|---|
committer | Gerrit Code Review <gerrit2@sestogerrit02> | 2018-10-29 11:59:42 +0100 |
commit | 4687669cd351da188c0c23ddecaaf925f6ac44b9 (patch) | |
tree | cbb92ee72ebccbd9aa08e02c2d249facb1848ed8 /recipes-support | |
parent | dc285391f74bfae14fe1967896c141705bbadd4a (diff) | |
parent | 5b1da299fd7359849d2c4ffda796bba999bf8f7e (diff) | |
download | meta-el-common-4687669cd351da188c0c23ddecaaf925f6ac44b9.tar.gz |
Merge "curl: Fix CVEs" into pyro
Diffstat (limited to 'recipes-support')
6 files changed, 274 insertions, 12 deletions
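--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch
@@ -0,0 +1,119 @@
+From 257f0d14893a491786bccb34ecc847f74edd47c6 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 13:01:11 +0200
+Subject: [PATCH] FTP: reject path components with control codes
+
+Refuse to operate when given path components featuring byte values lower
+than 32.
+
+Previously, inserting a %00 sequence early in the directory part when
+using the 'singlecwd' ftp method could make curl write a zero byte
+outside of the allocated buffer.
+
+Test case 340 verifies.
+
+CVE-2018-1000120
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000120.patch]
+
+Reported-by: Duy Phan Thanh
+Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+lib/ftp.c | 6 +++---
+tests/data/Makefile.inc | 1 +
+tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++
+3 files changed, 44 insertions(+), 3 deletions(-)
+create mode 100644 tests/data/test340
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index cab3699..0e28059 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -3236,7 +3236,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
+
+if(!result)
+/* get the "raw" path */
+- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
++ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
+if(result) {
+/* We can limp along anyway (and should try to since we may already be in
+* the error path) */
+@@ -4242,7 +4242,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
+slash_pos ? dirlen : 1,
+&ftpc->dirs[0], NULL,
+- FALSE);
++ TRUE);
+if(result) {
+freedirs(ftpc);
+return result;
+@@ -4350,7 +4350,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+size_t dlen;
+char *path;
+CURLcode result =
+- Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
++ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
+if(result) {
+freedirs(ftpc);
+return result;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 135ba06..31e026f 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -57,6 +57,7 @@ test298 test299 test300 test301 test302 test303 test304 test305 test306 \
+test307 test308 test309 test310 test311 test312 test313 \
+test320 test321 test322 test323 test324 \
+test325 \
++test340 \
+test350 test351 test352 test353 test354 \
+\
+test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+diff --git a/tests/data/test340 b/tests/data/test340
+new file mode 100644
+index 0000000..d834d76
+--- /dev/null
++++ b/tests/data/test340
+@@ -0,0 +1,40 @@
++<testcase>
++<info>
++<keywords>
++FTP
++PASV
++CWD
++--ftp-method
++singlecwd
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++ftp
++</server>
++ <name>
++FTP using %00 in path with singlecwd
++ </name>
++ <command>
++--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++USER anonymous
++PASS ftp@example.com
++PWD
++</protocol>
++<errorcode>
++3
++</errorcode>
++</verify>
++</testcase>
+
+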
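Review bot: The patch header carries the identifier as a bare `CVE-2018-1000120` line, while the other three patches added by this commit use the tagged form; adding `CVE: CVE-2018-1000120` next to `Upstream-Status` would keep the set consistent for anything that scans patch headers for that tag. In the `ftp_done` hunk the existing "limp along anyway" comment sits directly under the call that now passes `TRUE`, so a short comment on that call such as `/* TRUE: refuse decoded bytes below 32 */` would tell a reader why decoding can now fail for a path that was accepted before. Both `ftp_done` and `ftp_parse_url_path` continue outside the hunks shown, so how each caller treats the new failure can only be judged from the full file.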
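--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch
@@ -0,0 +1,47 @@
+From 9889db043393092e9d4b5a42720bba0b3d58deba Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 6 Mar 2018 23:02:16 +0100
+Subject: [PATCH] openldap: check ldap_get_attribute_ber() results for NULL
+before using
+
+CVE-2018-1000121
+Reported-by: Dario Weisser
+Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
+
+CVE: CVE-2018-1000121
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000121.patch]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+lib/openldap.c | 8 ++++----
+1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/openldap.c b/lib/openldap.c
+index f2ffdfe..6927275 100644
+--- a/lib/openldap.c
++++ b/lib/openldap.c
+@@ -473,7 +473,7 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf,
+
+for(ent = ldap_first_message(li->ld, msg); ent;
+ent = ldap_next_message(li->ld, ent)) {
+- struct berval bv, *bvals, **bvp = &bvals;
++ struct berval bv, *bvals;
+int binary = 0, msgtype;
+CURLcode writeerr;
+
+@@ -535,9 +535,9 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf,
+}
+data->req.bytecount += bv.bv_len + 5;
+
+- for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp);
+- rc == LDAP_SUCCESS;
+- rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp)) {
++ for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals);
++ (rc == LDAP_SUCCESS) && bvals;
++ rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals)) {
+int i;
+
+if(bv.bv_val == NULL) break;
+--
+2.7.4
+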
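Review bot: The new loop condition `(rc == LDAP_SUCCESS) && bvals` ends attribute iteration without any trace when `ldap_get_attribute_ber()` reports success but leaves `bvals` NULL, and nothing in the code says why the extra test is there. A comment above the `for`, for example `/* a successful call can still leave bvals NULL; stop rather than use it */`, would keep a later cleanup from dropping the check. Whether that case should also surface as an error to the caller cannot be judged from here, because `ldap_recv` continues outside the hunk.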
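--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch
@@ -0,0 +1,43 @@
+From d52dc4760f6d9ca1937eefa2093058a952465128 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 8 Mar 2018 10:33:16 +0100
+Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end
+
+CVE-2018-1000122
+Bug: https://curl.haxx.se/docs/adv_2018-b047.html
+
+Detected by OSS-fuzz
+
+CVE: CVE-2018-1000122
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000122.patch]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+lib/transfer.c | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index c46ac25..fd9af31 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -808,10 +808,15 @@ static CURLcode readwrite_data(struct Curl_easy *data,
+
+} /* if(!header and data to read) */
+
+- if(conn->handler->readwrite &&
+- (excess > 0 && !conn->bits.stream_was_rewound)) {
++ if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
+/* Parse the excess data */
+k->str += nread;
++
++ if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
++ /* the excess amount was too excessive(!), make sure
++ it doesn't read out of buffer */
++ excess = &k->buf[data->set.buffer_size] - k->str;
++ }
+nread = (ssize_t)excess;
+
+result = conn->handler->readwrite(data, conn, &nread, &readmore);
+--
+2.7.4
+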
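Review bot: The bound check `&k->str[excess] > &k->buf[data->set.buffer_size]` forms a pointer that may lie more than one element past the end of the buffer before comparing it, which C leaves undefined and which can wrap or be optimised so that the clamp never fires. Comparing lengths instead avoids forming that pointer: take the room left once, `size_t room = (size_t)(&k->buf[data->set.buffer_size] - k->str);`, then `if(excess > room) excess = room;` (assuming `excess` is an unsigned size, which the hunk does not show). Either form still relies on `k->str` being inside `k->buf` after `k->str += nread`; that invariant is established outside the hunk, as `readwrite_data` starts and ends beyond the lines shown.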
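--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch
@@ -0,0 +1,48 @@
+From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+
+CVE: CVE-2018-1000301
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000301.patch]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+lib/http.c | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 1a313b4..e080ae5 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -3014,6 +3014,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+{
+CURLcode result;
+struct SingleRequest *k = &data->req;
++ ssize_t onread = *nread;
++ char *ostr = k->str;
+
+/* header line within buffer loop */
+do {
+@@ -3078,7 +3080,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+else {
+/* this was all we read so it's all a bad header */
+k->badheader = HEADER_ALLBAD;
+- *nread = (ssize_t)rest_length;
++ *nread = onread;
++ k->str = ostr;
++ return CURLE_OK;
+}
+break;
+}
+--
+2.7.4
+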
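Review bot: `onread` and `ostr` are captured at the top of `Curl_http_readwrite_headers` without a comment, and their only use is in the `HEADER_ALLBAD` branch some sixty lines further down, so neither hunk explains the other. A comment on the declarations such as `/* saved so a bad response line leaves *nread and k->str as they were on entry */` would state the intent given in the commit message. The added `return CURLE_OK;` also exits the `do` loop early where the old code reached `break`; any state update that follows the loop lies outside the hunk and should be checked against this early exit.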
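--- a/recipes-support/curl/curl_%.bbappend
+++ /dev/null
@@ -1,12 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://CVE-2017-7407.patch \
-file://CVE-2017-7468.patch \
-file://CVE-2017-9502.patch \
-file://CVE-2017-1000254.patch \
-file://CVE-2017-1000257.patch \
-file://CVE-2017-8816.patch \
-file://CVE-2017-8817.patch \
-file://CVE-2018-1000005.patch \
-"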
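--- /dev/null
+++ b/recipes-support/curl/curl_7.53.1.bbappend
@@ -0,0 +1,17 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+file://CVE-2017-7407.patch \
+file://CVE-2017-7468.patch \
+file://CVE-2017-9502.patch \
+file://CVE-2017-1000254.patch \
+file://CVE-2017-1000257.patch \
+file://CVE-2017-8816.patch \
+file://CVE-2017-8817.patch \
+file://CVE-2018-1000005.patch \
+file://CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch \
+file://CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch \
+file://CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch \
+file://CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch \
+"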