1 files changed, 119 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch
new file mode 100644
index 0000000..cd44efb
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch
@@ -0,0 +1,119 @@
+From 257f0d14893a491786bccb34ecc847f74edd47c6 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 13:01:11 +0200
+Subject: [PATCH] FTP: reject path components with control codes
+Refuse to operate when given path components featuring byte values lower
+than 32.
+Previously, inserting a %00 sequence early in the directory part when
+using the 'singlecwd' ftp method could make curl write a zero byte
+outside of the allocated buffer.
+Test case 340 verifies.
+CVE-2018-1000120
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000120.patch]
+Reported-by: Duy Phan Thanh
+Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ lib/ftp.c               |  6 +++---
+ tests/data/Makefile.inc |  1 +
+ tests/data/test340      | 40 ++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 44 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test340
+diff --git a/lib/ftp.c b/lib/ftp.c
+index cab3699..0e28059 100644
+--- a/lib/ftp.c
+++ b/lib/ftp.c
+@@ -3236,7 +3236,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
+ 
+   if(!result)
+     /* get the "raw" path */
+-    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
+    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
+   if(result) {
+     /* We can limp along anyway (and should try to since we may already be in
+      * the error path) */
+@@ -4242,7 +4242,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+       result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
+                               slash_pos ? dirlen : 1,
+                               &ftpc->dirs[0], NULL,
+-                              FALSE);
+                              TRUE);
+       if(result) {
+         freedirs(ftpc);
+         return result;
+@@ -4350,7 +4350,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+     size_t dlen;
+     char *path;
+     CURLcode result =
+-      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
+      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
+     if(result) {
+       freedirs(ftpc);
+       return result;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 135ba06..31e026f 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -57,6 +57,7 @@ test298 test299 test300 test301 test302 test303 test304 test305 test306 \
+ test307 test308 test309 test310 test311 test312 test313                 \
+                                 test320 test321 test322 test323 test324 \
+ test325 \
+test340 \
+ test350 test351 test352 test353 test354 \
+ \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+diff --git a/tests/data/test340 b/tests/data/test340
+new file mode 100644
+index 0000000..d834d76
+--- /dev/null
+++ b/tests/data/test340
+@@ -0,0 +1,40 @@
+<testcase>
+<info>
+<keywords>
+FTP
+PASV
+CWD
+--ftp-method
+singlecwd
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+ <name>
+FTP using %00 in path with singlecwd
+ </name>
+ <command>
+--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+</protocol>
+<errorcode>
+3
+</errorcode>
+</verify>
+</testcase>

diff --git a/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch new file mode 100644 index 0000000..cd44efb --- /dev/null +++ b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch
@@ -0,0 +1,119 @@
	1	From 257f0d14893a491786bccb34ecc847f74edd47c6 Mon Sep 17 00:00:00 2001
	2	From: Andreas Wellving <andreas.wellving@enea.com>
	3	Date: Mon, 22 Oct 2018 13:01:11 +0200
	4	Subject: [PATCH] FTP: reject path components with control codes
	5
	6	Refuse to operate when given path components featuring byte values lower
	7	than 32.
	8
	9	Previously, inserting a %00 sequence early in the directory part when
	10	using the 'singlecwd' ftp method could make curl write a zero byte
	11	outside of the allocated buffer.
	12
	13	Test case 340 verifies.
	14
	15	CVE-2018-1000120
	16	Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000120.patch]
	17
	18	Reported-by: Duy Phan Thanh
	19	Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
	20
	21	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	22	---
	23	lib/ftp.c \| 6 +++---
	24	tests/data/Makefile.inc \| 1 +
	25	tests/data/test340 \| 40 ++++++++++++++++++++++++++++++++++++++++
	26	3 files changed, 44 insertions(+), 3 deletions(-)
	27	create mode 100644 tests/data/test340
	28
	29	diff --git a/lib/ftp.c b/lib/ftp.c
	30	index cab3699..0e28059 100644
	31	--- a/lib/ftp.c
	32	+++ b/lib/ftp.c
	33	@@ -3236,7 +3236,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
	34
	35	if(!result)
	36	/* get the "raw" path */
	37	- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
	38	+ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
	39	if(result) {
	40	/* We can limp along anyway (and should try to since we may already be in
	41	* the error path) */
	42	@@ -4242,7 +4242,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
	43	result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
	44	slash_pos ? dirlen : 1,
	45	&ftpc->dirs[0], NULL,
	46	- FALSE);
	47	+ TRUE);
	48	if(result) {
	49	freedirs(ftpc);
	50	return result;
	51	@@ -4350,7 +4350,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
	52	size_t dlen;
	53	char *path;
	54	CURLcode result =
	55	- Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
	56	+ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
	57	if(result) {
	58	freedirs(ftpc);
	59	return result;
	60	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
	61	index 135ba06..31e026f 100644
	62	--- a/tests/data/Makefile.inc
	63	+++ b/tests/data/Makefile.inc
	64	@@ -57,6 +57,7 @@ test298 test299 test300 test301 test302 test303 test304 test305 test306 \
	65	test307 test308 test309 test310 test311 test312 test313 \
	66	test320 test321 test322 test323 test324 \
	67	test325 \
	68	+test340 \
	69	test350 test351 test352 test353 test354 \
	70	\
	71	test400 test401 test402 test403 test404 test405 test406 test407 test408 \
	72	diff --git a/tests/data/test340 b/tests/data/test340
	73	new file mode 100644
	74	index 0000000..d834d76
	75	--- /dev/null
	76	+++ b/tests/data/test340
	77	@@ -0,0 +1,40 @@
	78	+<testcase>
	79	+<info>
	80	+<keywords>
	81	+FTP
	82	+PASV
	83	+CWD
	84	+--ftp-method
	85	+singlecwd
	86	+</keywords>
	87	+</info>
	88	+#
	89	+# Server-side
	90	+<reply>
	91	+</reply>
	92	+
	93	+# Client-side
	94	+<client>
	95	+<server>
	96	+ftp
	97	+</server>
	98	+ <name>
	99	+FTP using %00 in path with singlecwd
	100	+ </name>
	101	+ <command>
	102	+--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340
	103	+</command>
	104	+</client>
	105	+
	106	+# Verify data after the test has been "shot"
	107	+<verify>
	108	+<protocol>
	109	+USER anonymous
	110	+PASS ftp@example.com
	111	+PWD
	112	+</protocol>
	113	+<errorcode>
	114	+3
	115	+</errorcode>
	116	+</verify>
	117	+</testcase>
	118
	119