diff options
author | Martin Borg <martin.borg@enea.com> | 2018-03-01 10:49:49 +0100 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2018-03-01 10:51:32 +0100 |
commit | 41dcb36cac7813c0c2a5a7c1c1535a61caaab233 (patch) | |
tree | 3cbd4a44657d376d6a0a44413c9f182e5b133b46 /recipes-support | |
parent | b6d4cd74cebeded8a49c06c6d7a52c32769f3ed8 (diff) | |
download | meta-el-common-41dcb36cac7813c0c2a5a7c1c1535a61caaab233.tar.gz |
curl: Drop CVE patches
The CVEs have been fixed in upstream poky/rocko.
Signed-off-by: Martin Borg <martin.borg@enea.com>
Diffstat (limited to 'recipes-support')
-rw-r--r-- | recipes-support/curl/curl/CVE-2017-1000254.patch | 139 | ||||
-rw-r--r-- | recipes-support/curl/curl/CVE-2017-7407.patch | 200 | ||||
-rw-r--r-- | recipes-support/curl/curl/CVE-2017-7468.patch | 299 | ||||
-rw-r--r-- | recipes-support/curl/curl/CVE-2017-9502.patch | 69 | ||||
-rw-r--r-- | recipes-support/curl/curl_%.bbappend | 6 |
5 files changed, 1 insertions, 712 deletions
diff --git a/recipes-support/curl/curl/CVE-2017-1000254.patch b/recipes-support/curl/curl/CVE-2017-1000254.patch deleted file mode 100644 index d37b859..0000000 --- a/recipes-support/curl/curl/CVE-2017-1000254.patch +++ /dev/null | |||
@@ -1,139 +0,0 @@ | |||
1 | From f3be14cc3f3c56f612a0ffe1706fca14fe9eaf53 Mon Sep 17 00:00:00 2001 | ||
2 | From: Sona Sarmadi <sona.sarmadi@enea.com> | ||
3 | Date: Mon, 4 Dec 2017 09:38:43 +0100 | ||
4 | Subject: [PATCH] curl: fix for CVE-2017-1000254 | ||
5 | |||
6 | FTP: zero terminate the entry path even on bad input | ||
7 | |||
8 | ... a single double quote could leave the entry path buffer without a zero | ||
9 | terminating byte. | ||
10 | |||
11 | CVE: CVE-2017-1000254 | ||
12 | Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-1000254.patch] | ||
13 | |||
14 | Test 1152 added to verify. | ||
15 | |||
16 | Reported-by: Max Dymond | ||
17 | Bug: https://curl.haxx.se/docs/adv_20171004.html | ||
18 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
19 | --- | ||
20 | lib/ftp.c | 7 ++++-- | ||
21 | tests/data/Makefile.inc | 1 + | ||
22 | tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++ | ||
23 | 3 files changed, 67 insertions(+), 2 deletions(-) | ||
24 | create mode 100644 tests/data/test1152 | ||
25 | |||
26 | diff --git a/lib/ftp.c b/lib/ftp.c | ||
27 | index aa4d5ac..cab3699 100644 | ||
28 | --- a/lib/ftp.c | ||
29 | +++ b/lib/ftp.c | ||
30 | @@ -2826,6 +2826,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) | ||
31 | const size_t buf_size = CURL_BUFSIZE(data->set.buffer_size); | ||
32 | char *dir; | ||
33 | char *store; | ||
34 | + bool entry_extracted = FALSE; | ||
35 | |||
36 | dir = malloc(nread + 1); | ||
37 | if(!dir) | ||
38 | @@ -2857,7 +2858,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) | ||
39 | } | ||
40 | else { | ||
41 | /* end of path */ | ||
42 | - *store = '\0'; /* zero terminate */ | ||
43 | + entry_extracted = TRUE; | ||
44 | break; /* get out of this loop */ | ||
45 | } | ||
46 | } | ||
47 | @@ -2866,7 +2867,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) | ||
48 | store++; | ||
49 | ptr++; | ||
50 | } | ||
51 | - | ||
52 | + *store = '\0'; /* zero terminate */ | ||
53 | + } | ||
54 | + if(entry_extracted) { | ||
55 | /* If the path name does not look like an absolute path (i.e.: it | ||
56 | does not start with a '/'), we probably need some server-dependent | ||
57 | adjustments. For example, this is the case when connecting to | ||
58 | diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
59 | index 8251ab9..01ad40d 100644 | ||
60 | --- a/tests/data/Makefile.inc | ||
61 | +++ b/tests/data/Makefile.inc | ||
62 | @@ -121,6 +121,7 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \ | ||
63 | test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \ | ||
64 | test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \ | ||
65 | test1144 test1145 test1146 \ | ||
66 | +test1152 \ | ||
67 | test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ | ||
68 | test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \ | ||
69 | test1216 test1217 test1218 test1219 \ | ||
70 | diff --git a/tests/data/test1152 b/tests/data/test1152 | ||
71 | new file mode 100644 | ||
72 | index 0000000..c55739d | ||
73 | --- /dev/null | ||
74 | +++ b/tests/data/test1152 | ||
75 | @@ -0,0 +1,61 @@ | ||
76 | +<testcase> | ||
77 | +<info> | ||
78 | +<keywords> | ||
79 | +FTP | ||
80 | +PASV | ||
81 | +LIST | ||
82 | +</keywords> | ||
83 | +</info> | ||
84 | +# | ||
85 | +# Server-side | ||
86 | +<reply> | ||
87 | +<servercmd> | ||
88 | +REPLY PWD 257 "just one | ||
89 | +</servercmd> | ||
90 | + | ||
91 | +# When doing LIST, we get the default list output hard-coded in the test | ||
92 | +# FTP server | ||
93 | +<data mode="text"> | ||
94 | +total 20 | ||
95 | +drwxr-xr-x 8 98 98 512 Oct 22 13:06 . | ||
96 | +drwxr-xr-x 8 98 98 512 Oct 22 13:06 .. | ||
97 | +drwxr-xr-x 2 98 98 512 May 2 1996 curl-releases | ||
98 | +-r--r--r-- 1 0 1 35 Jul 16 1996 README | ||
99 | +lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin | ||
100 | +dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev | ||
101 | +drwxrwxrwx 2 98 98 512 May 29 16:04 download.html | ||
102 | +dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc | ||
103 | +drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub | ||
104 | +dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr | ||
105 | +</data> | ||
106 | +</reply> | ||
107 | + | ||
108 | +# | ||
109 | +# Client-side | ||
110 | +<client> | ||
111 | +<server> | ||
112 | +ftp | ||
113 | +</server> | ||
114 | + <name> | ||
115 | +FTP with uneven quote in PWD response | ||
116 | + </name> | ||
117 | + <command> | ||
118 | +ftp://%HOSTIP:%FTPPORT/test-1152/ | ||
119 | +</command> | ||
120 | +</client> | ||
121 | + | ||
122 | +# | ||
123 | +# Verify data after the test has been "shot" | ||
124 | +<verify> | ||
125 | +<protocol> | ||
126 | +USER anonymous | ||
127 | +PASS ftp@example.com | ||
128 | +PWD | ||
129 | +CWD test-1152 | ||
130 | +EPSV | ||
131 | +TYPE A | ||
132 | +LIST | ||
133 | +QUIT | ||
134 | +</protocol> | ||
135 | +</verify> | ||
136 | +</testcase> | ||
137 | -- | ||
138 | 1.9.1 | ||
139 | |||
diff --git a/recipes-support/curl/curl/CVE-2017-7407.patch b/recipes-support/curl/curl/CVE-2017-7407.patch deleted file mode 100644 index 6dbe71c..0000000 --- a/recipes-support/curl/curl/CVE-2017-7407.patch +++ /dev/null | |||
@@ -1,200 +0,0 @@ | |||
1 | From 6019f1795b4e3b72507b84b0e02dc8c32024f562 Mon Sep 17 00:00:00 2001 | ||
2 | From: Dan Fandrich <dan@coneharvesters.com> | ||
3 | Date: Sat, 11 Mar 2017 10:59:34 +0100 | ||
4 | Subject: [PATCH] CVE-2017-7407: fixed | ||
5 | |||
6 | Bug: https://curl.haxx.se/docs/adv_20170403.html | ||
7 | |||
8 | CVE: CVE-2017-7407 | ||
9 | Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-7407.patch] | ||
10 | |||
11 | Reported-by: Brian Carpenter | ||
12 | --- | ||
13 | src/tool_writeout.c | 6 +++--- | ||
14 | tests/data/Makefile.inc | 2 +- | ||
15 | tests/data/test1440 | 31 +++++++++++++++++++++++++++++++ | ||
16 | tests/data/test1441 | 31 +++++++++++++++++++++++++++++++ | ||
17 | tests/data/test1442 | 35 +++++++++++++++++++++++++++++++++++ | ||
18 | 5 files changed, 101 insertions(+), 4 deletions(-) | ||
19 | create mode 100644 tests/data/test1440 | ||
20 | create mode 100644 tests/data/test1441 | ||
21 | create mode 100644 tests/data/test1442 | ||
22 | |||
23 | diff --git a/src/tool_writeout.c b/src/tool_writeout.c | ||
24 | index 2fb77742a..5d92bd278 100644 | ||
25 | --- a/src/tool_writeout.c | ||
26 | +++ b/src/tool_writeout.c | ||
27 | @@ -3,11 +3,11 @@ | ||
28 | * Project ___| | | | _ \| | | ||
29 | * / __| | | | |_) | | | ||
30 | * | (__| |_| | _ <| |___ | ||
31 | * \___|\___/|_| \_\_____| | ||
32 | * | ||
33 | - * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
34 | + * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
35 | * | ||
36 | * This software is licensed as described in the file COPYING, which | ||
37 | * you should have received as part of this distribution. The terms | ||
38 | * are also available at https://curl.haxx.se/docs/copyright.html. | ||
39 | * | ||
40 | @@ -111,11 +111,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo) | ||
41 | char *stringp = NULL; | ||
42 | long longinfo; | ||
43 | double doubleinfo; | ||
44 | |||
45 | while(ptr && *ptr) { | ||
46 | - if('%' == *ptr) { | ||
47 | + if('%' == *ptr && ptr[1]) { | ||
48 | if('%' == ptr[1]) { | ||
49 | /* an escaped %-letter */ | ||
50 | fputc('%', stream); | ||
51 | ptr += 2; | ||
52 | } | ||
53 | @@ -339,11 +339,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo) | ||
54 | fputc(ptr[1], stream); | ||
55 | ptr += 2; | ||
56 | } | ||
57 | } | ||
58 | } | ||
59 | - else if('\\' == *ptr) { | ||
60 | + else if('\\' == *ptr && ptr[1]) { | ||
61 | switch(ptr[1]) { | ||
62 | case 'r': | ||
63 | fputc('\r', stream); | ||
64 | break; | ||
65 | case 'n': | ||
66 | diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
67 | index 8251ab9a4..267ff6aef 100644 | ||
68 | --- a/tests/data/Makefile.inc | ||
69 | +++ b/tests/data/Makefile.inc | ||
70 | @@ -149,11 +149,11 @@ test1396 test1397 test1398 \ | ||
71 | test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \ | ||
72 | test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \ | ||
73 | test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \ | ||
74 | test1424 \ | ||
75 | test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \ | ||
76 | -test1436 test1437 test1438 test1439 \ | ||
77 | +test1436 test1437 test1438 test1439 test1440 test1441 test1442 \ | ||
78 | \ | ||
79 | test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ | ||
80 | test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \ | ||
81 | test1516 test1517 \ | ||
82 | \ | ||
83 | diff --git a/tests/data/test1440 b/tests/data/test1440 | ||
84 | new file mode 100644 | ||
85 | index 000000000..7ed0c4d5f | ||
86 | --- /dev/null | ||
87 | +++ b/tests/data/test1440 | ||
88 | @@ -0,0 +1,31 @@ | ||
89 | +<testcase> | ||
90 | +<info> | ||
91 | +<keywords> | ||
92 | +--write-out | ||
93 | +</keywords> | ||
94 | +</info> | ||
95 | +# Server-side | ||
96 | +<reply> | ||
97 | +</reply> | ||
98 | + | ||
99 | +# Client-side | ||
100 | +<client> | ||
101 | +<server> | ||
102 | +file | ||
103 | +</server> | ||
104 | + | ||
105 | +<name> | ||
106 | +Check --write-out with trailing %{ | ||
107 | +</name> | ||
108 | +<command> | ||
109 | +file://localhost/%PWD/log/ --write-out '%{' | ||
110 | +</command> | ||
111 | +</client> | ||
112 | + | ||
113 | +# Verify data | ||
114 | +<verify> | ||
115 | +<stdout nonewline="yes"> | ||
116 | +%{ | ||
117 | +</stdout> | ||
118 | +</verify> | ||
119 | +</testcase> | ||
120 | diff --git a/tests/data/test1441 b/tests/data/test1441 | ||
121 | new file mode 100644 | ||
122 | index 000000000..6e253a690 | ||
123 | --- /dev/null | ||
124 | +++ b/tests/data/test1441 | ||
125 | @@ -0,0 +1,31 @@ | ||
126 | +<testcase> | ||
127 | +<info> | ||
128 | +<keywords> | ||
129 | +--write-out | ||
130 | +</keywords> | ||
131 | +</info> | ||
132 | +# Server-side | ||
133 | +<reply> | ||
134 | +</reply> | ||
135 | + | ||
136 | +# Client-side | ||
137 | +<client> | ||
138 | +<server> | ||
139 | +file | ||
140 | +</server> | ||
141 | + | ||
142 | +<name> | ||
143 | +Check --write-out with trailing % | ||
144 | +</name> | ||
145 | +<command> | ||
146 | +file://localhost/%PWD/log/ --write-out '%' | ||
147 | +</command> | ||
148 | +</client> | ||
149 | + | ||
150 | +# Verify data | ||
151 | +<verify> | ||
152 | +<stdout nonewline="yes"> | ||
153 | +% | ||
154 | +</stdout> | ||
155 | +</verify> | ||
156 | +</testcase> | ||
157 | diff --git a/tests/data/test1442 b/tests/data/test1442 | ||
158 | new file mode 100644 | ||
159 | index 000000000..255a4c9ff | ||
160 | --- /dev/null | ||
161 | +++ b/tests/data/test1442 | ||
162 | @@ -0,0 +1,35 @@ | ||
163 | +<testcase> | ||
164 | +<info> | ||
165 | +<keywords> | ||
166 | +--write-out | ||
167 | +FILE | ||
168 | +</keywords> | ||
169 | +</info> | ||
170 | +# Server-side | ||
171 | +<reply> | ||
172 | +</reply> | ||
173 | + | ||
174 | +# Client-side | ||
175 | +<client> | ||
176 | +<server> | ||
177 | +file | ||
178 | +</server> | ||
179 | + | ||
180 | +<name> | ||
181 | +Check --write-out with trailing \ | ||
182 | +</name> | ||
183 | +<command> | ||
184 | +file://localhost/%PWD/log/non-existent-file.txt --write-out '\' | ||
185 | +</command> | ||
186 | +</client> | ||
187 | + | ||
188 | +# Verify data | ||
189 | +<verify> | ||
190 | +<errorcode> | ||
191 | +37 | ||
192 | +</errorcode> | ||
193 | +<stdout nonewline="yes"> | ||
194 | +\ | ||
195 | +</stdout> | ||
196 | +</verify> | ||
197 | +</testcase> | ||
198 | -- | ||
199 | 2.11.0 | ||
200 | |||
diff --git a/recipes-support/curl/curl/CVE-2017-7468.patch b/recipes-support/curl/curl/CVE-2017-7468.patch deleted file mode 100644 index 184ed51..0000000 --- a/recipes-support/curl/curl/CVE-2017-7468.patch +++ /dev/null | |||
@@ -1,299 +0,0 @@ | |||
1 | From 33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jay Satiro <raysatiro@yahoo.com> | ||
3 | Date: Wed, 22 Mar 2017 01:59:49 -0400 | ||
4 | Subject: [PATCH] TLS: Fix switching off SSL session id when client cert is | ||
5 | used | ||
6 | |||
7 | Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl | ||
8 | will each have their own sessionid flag. | ||
9 | |||
10 | Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that | ||
11 | this issue had been fixed in 247d890, CVE-2016-5419. | ||
12 | |||
13 | Bug: https://github.com/curl/curl/issues/1341 | ||
14 | Reported-by: lijian996@users.noreply.github.com | ||
15 | |||
16 | CVE: CVE-2017-7468 | ||
17 | Upstream-Status: Backport [backport from curl-7_54_1] | ||
18 | |||
19 | The new incarnation of this bug is called CVE-2017-7468 and is documented | ||
20 | here: https://curl.haxx.se/docs/adv_20170419.html | ||
21 | |||
22 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
23 | --- | ||
24 | lib/url.c | 5 +++-- | ||
25 | lib/urldata.h | 2 +- | ||
26 | lib/vtls/axtls.c | 4 ++-- | ||
27 | lib/vtls/cyassl.c | 4 ++-- | ||
28 | lib/vtls/darwinssl.c | 2 +- | ||
29 | lib/vtls/gtls.c | 4 ++-- | ||
30 | lib/vtls/mbedtls.c | 4 ++-- | ||
31 | lib/vtls/nss.c | 2 +- | ||
32 | lib/vtls/openssl.c | 4 ++-- | ||
33 | lib/vtls/polarssl.c | 4 ++-- | ||
34 | lib/vtls/schannel.c | 4 ++-- | ||
35 | lib/vtls/vtls.c | 9 ++++++--- | ||
36 | 12 files changed, 26 insertions(+), 22 deletions(-) | ||
37 | |||
38 | diff --git a/lib/url.c b/lib/url.c | ||
39 | index 4609f4f..caa28f5 100644 | ||
40 | --- a/lib/url.c | ||
41 | +++ b/lib/url.c | ||
42 | @@ -546,7 +546,7 @@ CURLcode Curl_init_userdefined(struct UserDefined *set) | ||
43 | #endif | ||
44 | set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth | ||
45 | type */ | ||
46 | - set->general_ssl.sessionid = TRUE; /* session ID caching enabled by | ||
47 | + set->ssl.primary.sessionid = TRUE; /* session ID caching enabled by | ||
48 | default */ | ||
49 | set->proxy_ssl = set->ssl; | ||
50 | |||
51 | @@ -2499,8 +2499,9 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, | ||
52 | break; | ||
53 | |||
54 | case CURLOPT_SSL_SESSIONID_CACHE: | ||
55 | - data->set.general_ssl.sessionid = (0 != va_arg(param, long)) ? | ||
56 | + data->set.ssl.primary.sessionid = (0 != va_arg(param, long)) ? | ||
57 | TRUE : FALSE; | ||
58 | + data->set.proxy_ssl.primary.sessionid = data->set.ssl.primary.sessionid; | ||
59 | break; | ||
60 | |||
61 | #ifdef USE_LIBSSH2 | ||
62 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
63 | index bd7d25d..3c94553 100644 | ||
64 | --- a/lib/urldata.h | ||
65 | +++ b/lib/urldata.h | ||
66 | @@ -360,6 +360,7 @@ struct ssl_primary_config { | ||
67 | char *random_file; /* path to file containing "random" data */ | ||
68 | char *egdsocket; /* path to file containing the EGD daemon socket */ | ||
69 | char *cipher_list; /* list of ciphers to use */ | ||
70 | + bool sessionid; /* cache session IDs or not */ | ||
71 | }; | ||
72 | |||
73 | struct ssl_config_data { | ||
74 | @@ -389,7 +390,6 @@ struct ssl_config_data { | ||
75 | }; | ||
76 | |||
77 | struct ssl_general_config { | ||
78 | - bool sessionid; /* cache session IDs or not */ | ||
79 | size_t max_ssl_sessions; /* SSL session id cache size */ | ||
80 | }; | ||
81 | |||
82 | diff --git a/lib/vtls/axtls.c b/lib/vtls/axtls.c | ||
83 | index af01fe3..f0e3766 100644 | ||
84 | --- a/lib/vtls/axtls.c | ||
85 | +++ b/lib/vtls/axtls.c | ||
86 | @@ -262,7 +262,7 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex) | ||
87 | * 2) setting up callbacks. these seem gnutls specific | ||
88 | */ | ||
89 | |||
90 | - if(data->set.general_ssl.sessionid) { | ||
91 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
92 | const uint8_t *ssl_sessionid; | ||
93 | size_t ssl_idsize; | ||
94 | |||
95 | @@ -392,7 +392,7 @@ static CURLcode connect_finish(struct connectdata *conn, int sockindex) | ||
96 | conn->send[sockindex] = axtls_send; | ||
97 | |||
98 | /* Put our freshly minted SSL session in cache */ | ||
99 | - if(data->set.general_ssl.sessionid) { | ||
100 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
101 | const uint8_t *ssl_sessionid = ssl_get_session_id(ssl); | ||
102 | size_t ssl_idsize = ssl_get_session_id_size(ssl); | ||
103 | Curl_ssl_sessionid_lock(conn); | ||
104 | diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c | ||
105 | index 2dfd79d..5f51ad5 100644 | ||
106 | --- a/lib/vtls/cyassl.c | ||
107 | +++ b/lib/vtls/cyassl.c | ||
108 | @@ -398,7 +398,7 @@ cyassl_connect_step1(struct connectdata *conn, | ||
109 | #endif /* HAVE_ALPN */ | ||
110 | |||
111 | /* Check if there's a cached ID we can/should use here! */ | ||
112 | - if(data->set.general_ssl.sessionid) { | ||
113 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
114 | void *ssl_sessionid = NULL; | ||
115 | |||
116 | Curl_ssl_sessionid_lock(conn); | ||
117 | @@ -618,7 +618,7 @@ cyassl_connect_step3(struct connectdata *conn, | ||
118 | |||
119 | DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); | ||
120 | |||
121 | - if(data->set.general_ssl.sessionid) { | ||
122 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
123 | bool incache; | ||
124 | SSL_SESSION *our_ssl_sessionid; | ||
125 | void *old_ssl_sessionid = NULL; | ||
126 | diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c | ||
127 | index f8697cc..5533dfe 100644 | ||
128 | --- a/lib/vtls/darwinssl.c | ||
129 | +++ b/lib/vtls/darwinssl.c | ||
130 | @@ -1644,7 +1644,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, | ||
131 | #endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */ | ||
132 | |||
133 | /* Check if there's a cached ID we can/should use here! */ | ||
134 | - if(data->set.general_ssl.sessionid) { | ||
135 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
136 | char *ssl_sessionid; | ||
137 | size_t ssl_sessionid_len; | ||
138 | |||
139 | diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c | ||
140 | index 51a5aa8..0230778 100644 | ||
141 | --- a/lib/vtls/gtls.c | ||
142 | +++ b/lib/vtls/gtls.c | ||
143 | @@ -873,7 +873,7 @@ gtls_connect_step1(struct connectdata *conn, | ||
144 | |||
145 | /* This might be a reconnect, so we check for a session ID in the cache | ||
146 | to speed up things */ | ||
147 | - if(data->set.general_ssl.sessionid) { | ||
148 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
149 | void *ssl_sessionid; | ||
150 | size_t ssl_idsize; | ||
151 | |||
152 | @@ -1404,7 +1404,7 @@ gtls_connect_step3(struct connectdata *conn, | ||
153 | conn->recv[sockindex] = gtls_recv; | ||
154 | conn->send[sockindex] = gtls_send; | ||
155 | |||
156 | - if(data->set.general_ssl.sessionid) { | ||
157 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
158 | /* we always unconditionally get the session id here, as even if we | ||
159 | already got it from the cache and asked to use it in the connection, it | ||
160 | might've been rejected and then a new one is in use now and we need to | ||
161 | diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c | ||
162 | index edf30db..3ffa957 100644 | ||
163 | --- a/lib/vtls/mbedtls.c | ||
164 | +++ b/lib/vtls/mbedtls.c | ||
165 | @@ -430,7 +430,7 @@ mbed_connect_step1(struct connectdata *conn, | ||
166 | #endif | ||
167 | |||
168 | /* Check if there's a cached ID we can/should use here! */ | ||
169 | - if(data->set.general_ssl.sessionid) { | ||
170 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
171 | void *old_session = NULL; | ||
172 | |||
173 | Curl_ssl_sessionid_lock(conn); | ||
174 | @@ -684,7 +684,7 @@ mbed_connect_step3(struct connectdata *conn, | ||
175 | |||
176 | DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); | ||
177 | |||
178 | - if(data->set.general_ssl.sessionid) { | ||
179 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
180 | int ret; | ||
181 | mbedtls_ssl_session *our_ssl_sessionid; | ||
182 | void *old_ssl_sessionid = NULL; | ||
183 | diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c | ||
184 | index 1d7047a..4898511 100644 | ||
185 | --- a/lib/vtls/nss.c | ||
186 | +++ b/lib/vtls/nss.c | ||
187 | @@ -1720,7 +1720,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) | ||
188 | goto error; | ||
189 | |||
190 | /* do not use SSL cache if disabled or we are not going to verify peer */ | ||
191 | - ssl_no_cache = (data->set.general_ssl.sessionid | ||
192 | + ssl_no_cache = (SSL_SET_OPTION(primary.sessionid) | ||
193 | && SSL_CONN_CONFIG(verifypeer)) ? PR_FALSE : PR_TRUE; | ||
194 | if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess) | ||
195 | goto error; | ||
196 | diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c | ||
197 | index ee07615..58a014a 100644 | ||
198 | --- a/lib/vtls/openssl.c | ||
199 | +++ b/lib/vtls/openssl.c | ||
200 | @@ -2235,7 +2235,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) | ||
201 | #endif | ||
202 | |||
203 | /* Check if there's a cached ID we can/should use here! */ | ||
204 | - if(data->set.general_ssl.sessionid) { | ||
205 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
206 | void *ssl_sessionid = NULL; | ||
207 | |||
208 | Curl_ssl_sessionid_lock(conn); | ||
209 | @@ -2965,7 +2965,7 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex) | ||
210 | |||
211 | DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); | ||
212 | |||
213 | - if(data->set.general_ssl.sessionid) { | ||
214 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
215 | bool incache; | ||
216 | SSL_SESSION *our_ssl_sessionid; | ||
217 | void *old_ssl_sessionid = NULL; | ||
218 | diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c | ||
219 | index e6ad525..669091c 100644 | ||
220 | --- a/lib/vtls/polarssl.c | ||
221 | +++ b/lib/vtls/polarssl.c | ||
222 | @@ -375,7 +375,7 @@ polarssl_connect_step1(struct connectdata *conn, | ||
223 | ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites()); | ||
224 | |||
225 | /* Check if there's a cached ID we can/should use here! */ | ||
226 | - if(data->set.general_ssl.sessionid) { | ||
227 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
228 | void *old_session = NULL; | ||
229 | |||
230 | Curl_ssl_sessionid_lock(conn); | ||
231 | @@ -603,7 +603,7 @@ polarssl_connect_step3(struct connectdata *conn, | ||
232 | |||
233 | DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); | ||
234 | |||
235 | - if(data->set.general_ssl.sessionid) { | ||
236 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
237 | int ret; | ||
238 | ssl_session *our_ssl_sessionid; | ||
239 | void *old_ssl_sessionid = NULL; | ||
240 | diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c | ||
241 | index e0fb2d5..c9b5132 100644 | ||
242 | --- a/lib/vtls/schannel.c | ||
243 | +++ b/lib/vtls/schannel.c | ||
244 | @@ -188,7 +188,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) | ||
245 | connssl->cred = NULL; | ||
246 | |||
247 | /* check for an existing re-usable credential handle */ | ||
248 | - if(data->set.general_ssl.sessionid) { | ||
249 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
250 | Curl_ssl_sessionid_lock(conn); | ||
251 | if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) { | ||
252 | connssl->cred = old_cred; | ||
253 | @@ -757,7 +757,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) | ||
254 | #endif | ||
255 | |||
256 | /* save the current session data for possible re-use */ | ||
257 | - if(data->set.general_ssl.sessionid) { | ||
258 | + if(SSL_SET_OPTION(primary.sessionid)) { | ||
259 | bool incache; | ||
260 | struct curl_schannel_cred *old_cred = NULL; | ||
261 | |||
262 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
263 | index c6935b5..d5d0971 100644 | ||
264 | --- a/lib/vtls/vtls.c | ||
265 | +++ b/lib/vtls/vtls.c | ||
266 | @@ -122,6 +122,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, | ||
267 | CLONE_STRING(egdsocket); | ||
268 | CLONE_STRING(random_file); | ||
269 | CLONE_STRING(clientcert); | ||
270 | + | ||
271 | + /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */ | ||
272 | + dest->sessionid = (dest->clientcert ? false : source->sessionid); | ||
273 | return TRUE; | ||
274 | } | ||
275 | |||
276 | @@ -308,9 +311,9 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, | ||
277 | int port = isProxy ? (int)conn->port : conn->remote_port; | ||
278 | *ssl_sessionid = NULL; | ||
279 | |||
280 | - DEBUGASSERT(data->set.general_ssl.sessionid); | ||
281 | + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); | ||
282 | |||
283 | - if(!data->set.general_ssl.sessionid) | ||
284 | + if(!SSL_SET_OPTION(primary.sessionid)) | ||
285 | /* session ID re-use is disabled */ | ||
286 | return TRUE; | ||
287 | |||
288 | @@ -412,7 +415,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, | ||
289 | &conn->proxy_ssl_config : | ||
290 | &conn->ssl_config; | ||
291 | |||
292 | - DEBUGASSERT(data->set.general_ssl.sessionid); | ||
293 | + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); | ||
294 | |||
295 | clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name); | ||
296 | if(!clone_host) | ||
297 | -- | ||
298 | 1.9.1 | ||
299 | |||
diff --git a/recipes-support/curl/curl/CVE-2017-9502.patch b/recipes-support/curl/curl/CVE-2017-9502.patch deleted file mode 100644 index c205568..0000000 --- a/recipes-support/curl/curl/CVE-2017-9502.patch +++ /dev/null | |||
@@ -1,69 +0,0 @@ | |||
1 | From 5d7952f52e410e1d4a8ff1965e5cc6fc1bde86aa Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Wed, 7 Jun 2017 00:21:04 +0200 | ||
4 | Subject: [PATCH] url: fix buffer overwrite with file protocol (CVE-2017-9502) | ||
5 | |||
6 | Bug: https://github.com/curl/curl/issues/1540 | ||
7 | Advisory: https://curl.haxx.se/docs/adv_20170614.html | ||
8 | |||
9 | CVE: CVE-2017-9502 | ||
10 | Upstream-Status: Backport [backport from curl-7_54_1] | ||
11 | |||
12 | Assisted-by: Ray Satiro | ||
13 | Reported-by: Marcel Raad | ||
14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
15 | --- | ||
16 | lib/url.c | 27 ++++++++++++++++++++++----- | ||
17 | 1 file changed, 22 insertions(+), 5 deletions(-) | ||
18 | |||
19 | diff --git a/lib/url.c b/lib/url.c | ||
20 | index 84822d9..87446db 100644 | ||
21 | --- a/lib/url.c | ||
22 | +++ b/lib/url.c | ||
23 | @@ -4466,6 +4466,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, | ||
24 | #endif | ||
25 | |||
26 | protop = "file"; /* protocol string */ | ||
27 | + *prot_missing = !url_has_scheme; | ||
28 | } | ||
29 | else { | ||
30 | /* clear path */ | ||
31 | @@ -4629,14 +4630,30 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, | ||
32 | |||
33 | size_t plen = strlen(path); /* new path, should be 1 byte longer than | ||
34 | the original */ | ||
35 | - size_t urllen = strlen(data->change.url); /* original URL length */ | ||
36 | - | ||
37 | size_t prefixlen = strlen(conn->host.name); | ||
38 | |||
39 | - if(!*prot_missing) | ||
40 | - prefixlen += strlen(protop) + strlen("://"); | ||
41 | + if(!*prot_missing) { | ||
42 | + size_t protolen = strlen(protop); | ||
43 | + | ||
44 | + if(curl_strnequal(protop, data->change.url, protolen)) | ||
45 | + prefixlen += protolen; | ||
46 | + else { | ||
47 | + failf(data, "<url> malformed"); | ||
48 | + return CURLE_URL_MALFORMAT; | ||
49 | + } | ||
50 | + | ||
51 | + if(curl_strnequal("://", &data->change.url[protolen], 3)) | ||
52 | + prefixlen += 3; | ||
53 | + /* only file: is allowed to omit one or both slashes */ | ||
54 | + else if(curl_strnequal("file:", data->change.url, 5)) | ||
55 | + prefixlen += 1 + (data->change.url[5] == '/'); | ||
56 | + else { | ||
57 | + failf(data, "<url> malformed"); | ||
58 | + return CURLE_URL_MALFORMAT; | ||
59 | + } | ||
60 | + } | ||
61 | |||
62 | - reurl = malloc(urllen + 2); /* 2 for zerobyte + slash */ | ||
63 | + reurl = malloc(prefixlen + plen + 1); | ||
64 | if(!reurl) | ||
65 | return CURLE_OUT_OF_MEMORY; | ||
66 | |||
67 | -- | ||
68 | 1.9.1 | ||
69 | |||
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend index 5e642bb..2da58d4 100644 --- a/recipes-support/curl/curl_%.bbappend +++ b/recipes-support/curl/curl_%.bbappend | |||
@@ -1,11 +1,7 @@ | |||
1 | # look for files in the layer first | 1 | # look for files in the layer first |
2 | FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" | 2 | FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" |
3 | 3 | ||
4 | SRC_URI += "file://CVE-2017-7407.patch \ | 4 | SRC_URI += "file://CVE-2017-1000257.patch \ |
5 | file://CVE-2017-7468.patch \ | ||
6 | file://CVE-2017-9502.patch \ | ||
7 | file://CVE-2017-1000254.patch \ | ||
8 | file://CVE-2017-1000257.patch \ | ||
9 | file://CVE-2017-8816.patch \ | 5 | file://CVE-2017-8816.patch \ |
10 | file://CVE-2017-8817.patch \ | 6 | file://CVE-2017-8817.patch \ |
11 | " | 7 | " |