From 5b1da299fd7359849d2c4ffda796bba999bf8f7e Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Thu, 13 Sep 2018 12:57:35 +0200 Subject: curl: Fix CVEs CVE: CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 CVE-2018-1000301 Curl in the upstream pyro is 7.53.1. CVE-2018-1000120 affected versions are 7.12.3 to and including 7.58.0 CVE-2018-1000121 affected versions are 7.21.0 to and including 7.58.0 CVE-2018-1000122 affected versions are 7.20.0 to and including 7.58.0 CVE-2018-1000301 affected versions are 7.20.0 to and including 7.59.0 Reference: CVE-2018-1000120 https://curl.haxx.se/CVE-2018-1000120.patch CVE-2018-1000121 https://curl.haxx.se/CVE-2018-1000121.patch CVE-2018-1000122 https://curl.haxx.se/CVE-2018-1000122.patch CVE-2018-1000301 https://curl.haxx.se/CVE-2018-1000301.patch Change-Id: I0b7269c83e1662ed16a1b216853c3b4408889954 Signed-off-by: Andreas Wellving Signed-off-by: Adrian Mangeac --- ...reject-path-components-with-control-codes.patch | 119 +++++++++++++++++++++ ...eck-ldap_get_attribute_ber-results-for-NU.patch | 47 ++++++++ ...ake-sure-excess-reads-don-t-go-beyond-buf.patch | 43 ++++++++ ...e-buffer-pointer-when-bad-response-line-i.patch | 48 +++++++++ recipes-support/curl/curl_%.bbappend | 12 --- recipes-support/curl/curl_7.53.1.bbappend | 17 +++ 6 files changed, 274 insertions(+), 12 deletions(-) create mode 100644 recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch create mode 100644 recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch create mode 100644 recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch create mode 100644 recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch delete mode 100644 recipes-support/curl/curl_%.bbappend create mode 100644 recipes-support/curl/curl_7.53.1.bbappend 
diff --git a/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch
new file mode 100644
index 0000000..cd44efb
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch
@@ -0,0 +1,119 @@ +From 257f0d14893a491786bccb34ecc847f74edd47c6 Mon Sep 17 00:00:00 2001 +From: Andreas Wellving +Date: Mon, 22 Oct 2018 13:01:11 +0200 +Subject: [PATCH] FTP: reject path components with control codes + +Refuse to operate when given path components featuring byte values lower +than 32. + +Previously, inserting a %00 sequence early in the directory part when +using the 'singlecwd' ftp method could make curl write a zero byte +outside of the allocated buffer. + +Test case 340 verifies. + +CVE-2018-1000120 +Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000120.patch] + +Reported-by: Duy Phan Thanh +Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html + +Signed-off-by: Andreas Wellving +--- + lib/ftp.c | 6 +++--- + tests/data/Makefile.inc | 1 + + tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 44 insertions(+), 3 deletions(-) + create mode 100644 tests/data/test340 + +diff --git a/lib/ftp.c b/lib/ftp.c +index cab3699..0e28059 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -3236,7 +3236,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status, + + if(!result) + /* get the "raw" path */ +- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); ++ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE); + if(result) { + /* We can limp along anyway (and should try to since we may already be in + * the error path) */ +@@ -4242,7 +4242,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/", + slash_pos ? 
dirlen : 1, + &ftpc->dirs[0], NULL, +- FALSE); ++ TRUE); + if(result) { + freedirs(ftpc); + return result; +@@ -4350,7 +4350,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + size_t dlen; + char *path; + CURLcode result = +- Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE); ++ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE); + if(result) { + freedirs(ftpc); + return result; +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 135ba06..31e026f 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -57,6 +57,7 @@ test298 test299 test300 test301 test302 test303 test304 test305 test306 \ + test307 test308 test309 test310 test311 test312 test313 \ + test320 test321 test322 test323 test324 \ + test325 \ ++test340 \ + test350 test351 test352 test353 test354 \ + \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ +diff --git a/tests/data/test340 b/tests/data/test340 +new file mode 100644 +index 0000000..d834d76 +--- /dev/null ++++ b/tests/data/test340 +@@ -0,0 +1,40 @@ ++ ++ ++ ++FTP ++PASV ++CWD ++--ftp-method ++singlecwd ++ ++ ++# ++# Server-side ++ ++ ++ ++# Client-side ++ ++ ++ftp ++ ++ ++FTP using %00 in path with singlecwd ++ ++ ++--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340 ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++ ++ ++3 ++ ++ ++ + + diff --git a/recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch b/recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch new file mode 100644 index 0000000..488d457 --- /dev/null +++ b/recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch 
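Review bot: The backported patch header names the backporter as author (`From: Andreas Wellving`, dated 2018-10-22) and, unlike the other three patches in this commit, has no `CVE:` tag line — only a bare `CVE-2018-1000120` line above `Upstream-Status:`. Keep the upstream author line and add `CVE: CVE-2018-1000120` next to `Upstream-Status:` so the patch is consistent with its siblings and with tooling such as cve-check that reads that tag. The three `Curl_urldecode(..., FALSE)` to `TRUE` switches in ftp_done() and ftp_parse_url_path() match the described fix; whether every other `Curl_urldecode` call on FTP path components in 7.53.1's ftp.c already passes `TRUE` is not visible here and is worth confirming, since one remaining `FALSE` would leave the %00 case reachable. The test340 body appears to have lost its markup in rendering, so the test file cannot be checked from this page; both ftp.c functions continue outside the nested hunks.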
@@ -0,0 +1,47 @@ +From 9889db043393092e9d4b5a42720bba0b3d58deba Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 6 Mar 2018 23:02:16 +0100 +Subject: [PATCH] openldap: check ldap_get_attribute_ber() results for NULL + before using + +CVE-2018-1000121 +Reported-by: Dario Weisser +Bug: https://curl.haxx.se/docs/adv_2018-97a2.html + +CVE: CVE-2018-1000121 +Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000121.patch] + +Signed-off-by: Andreas Wellving +--- + lib/openldap.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/lib/openldap.c b/lib/openldap.c +index f2ffdfe..6927275 100644 +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -473,7 +473,7 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf, + + for(ent = ldap_first_message(li->ld, msg); ent; + ent = ldap_next_message(li->ld, ent)) { +- struct berval bv, *bvals, **bvp = &bvals; ++ struct berval bv, *bvals; + int binary = 0, msgtype; + CURLcode writeerr; + +@@ -535,9 +535,9 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf, + } + data->req.bytecount += bv.bv_len + 5; + +- for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp); +- rc == LDAP_SUCCESS; +- rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp)) { ++ for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals); ++ (rc == LDAP_SUCCESS) && bvals; ++ rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals)) { + int i; + + if(bv.bv_val == NULL) break; +-- +2.7.4 + diff --git a/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch b/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch new file mode 100644 index 0000000..488d2fb --- /dev/null +++ b/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch 
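Review bot: The new loop condition `(rc == LDAP_SUCCESS) && bvals` in ldap_recv() carries no comment, and the reason a NULL `bvals` must end the loop is not obvious from the three visible lines. Add a comment on the `for` such as `/* bvals can be NULL even on LDAP_SUCCESS; stop before the body dereferences it */` so the guard is not "simplified" away in a later merge. The loop body is cut by the nested hunk, so whether `bvals` is freed on the early `break` path below cannot be checked here.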
@@ -0,0 +1,43 @@ +From d52dc4760f6d9ca1937eefa2093058a952465128 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 8 Mar 2018 10:33:16 +0100 +Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end + +CVE-2018-1000122 +Bug: https://curl.haxx.se/docs/adv_2018-b047.html + +Detected by OSS-fuzz + +CVE: CVE-2018-1000122 +Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000122.patch] + +Signed-off-by: Andreas Wellving +--- + lib/transfer.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index c46ac25..fd9af31 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -808,10 +808,15 @@ static CURLcode readwrite_data(struct Curl_easy *data, + + } /* if(!header and data to read) */ + +- if(conn->handler->readwrite && +- (excess > 0 && !conn->bits.stream_was_rewound)) { ++ if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) { + /* Parse the excess data */ + k->str += nread; ++ ++ if(&k->str[excess] > &k->buf[data->set.buffer_size]) { ++ /* the excess amount was too excessive(!), make sure ++ it doesn't read out of buffer */ ++ excess = &k->buf[data->set.buffer_size] - k->str; ++ } + nread = (ssize_t)excess; + + result = conn->handler->readwrite(data, conn, &nread, &readmore); +-- +2.7.4 + diff --git a/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch b/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch new file mode 100644 index 0000000..cf5a596 --- /dev/null +++ b/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch 
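Review bot: The clamp compares against `&k->buf[data->set.buffer_size]` verbatim from the 7.58 fix; on the 7.53.1 target confirm that `data->set.buffer_size` always equals the real size of `k->buf`, because in releases where the field stayed 0 unless CURLOPT_BUFFERSIZE was set (with a BUFSIZE fallback in this function) the clamp would yield `excess = k->buf - k->str`, a negative difference that wraps to a huge size_t and defeats the fix. If that applies, clamp against the same length the read loop used, e.g. `size_t bufsize = data->set.buffer_size ? data->set.buffer_size : BUFSIZE;` and compare against `&k->buf[bufsize]` (constructed example; match the local variable the loop actually uses). Separately, `&k->str[excess]` forms a pointer that may lie far past the end of the buffer before it is compared, which is undefined in C; a length comparison such as `if(excess > (size_t)(&k->buf[bufsize] - k->str))` avoids forming it. readwrite_data() continues on both sides of the nested hunk.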
@@ -0,0 +1,48 @@ +From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 24 Mar 2018 23:47:41 +0100 +Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed + +... leaving the k->str could lead to buffer over-reads later on. + +Assisted-by: Max Dymond + +Detected by OSS-Fuzz. +Bug: https://curl.haxx.se/docs/adv_2018-b138.html +Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 + +CVE: CVE-2018-1000301 +Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000301.patch] + +Signed-off-by: Andreas Wellving +--- + lib/http.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/http.c b/lib/http.c +index 1a313b4..e080ae5 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -3014,6 +3014,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + { + CURLcode result; + struct SingleRequest *k = &data->req; ++ ssize_t onread = *nread; ++ char *ostr = k->str; + + /* header line within buffer loop */ + do { +@@ -3078,7 +3080,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + else { + /* this was all we read so it's all a bad header */ + k->badheader = HEADER_ALLBAD; +- *nread = (ssize_t)rest_length; ++ *nread = onread; ++ k->str = ostr; ++ return CURLE_OK; + } + break; + } +-- +2.7.4 + diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend deleted file mode 100644 index 3727bea..0000000 --- a/recipes-support/curl/curl_%.bbappend +++ /dev/null @@ -1,12 +0,0 @@ -# look for files in the layer first -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://CVE-2017-7407.patch \ - file://CVE-2017-7468.patch \ - file://CVE-2017-9502.patch \ - file://CVE-2017-1000254.patch \ - file://CVE-2017-1000257.patch \ - file://CVE-2017-8816.patch \ - file://CVE-2017-8817.patch \ - file://CVE-2018-1000005.patch \ - " 
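Review bot: The two saved values `onread` and `ostr` at the top of Curl_http_readwrite_headers() have no comment explaining why they exist, and the rollback site is sixty lines further down. Add `/* saved so a bad response-line can restore *nread and k->str instead of leaving the pointer past the bad bytes */` on the declarations. The added `return CURLE_OK;` leaves the function from inside the `do { ... }` loop, so anything the function does after the loop is skipped on this path; the loop and the rest of the function are outside the nested hunk, so confirm no post-loop bookkeeping is required for the HEADER_ALLBAD case.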
diff --git a/recipes-support/curl/curl_7.53.1.bbappend b/recipes-support/curl/curl_7.53.1.bbappend
new file mode 100644
index 0000000..ad7241c
--- /dev/null
+++ b/recipes-support/curl/curl_7.53.1.bbappend
@@ -0,0 +1,17 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+ file://CVE-2017-7407.patch \
+ file://CVE-2017-7468.patch \
+ file://CVE-2017-9502.patch \
+ file://CVE-2017-1000254.patch \
+ file://CVE-2017-1000257.patch \
+ file://CVE-2017-8816.patch \
+ file://CVE-2017-8817.patch \
+ file://CVE-2018-1000005.patch \
+ file://CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch \
+ file://CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch \
+ file://CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch \
+ file://CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch \
+ "
-- cgit v1.2.3-54-g00ecf
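Review bot: Pinning the bbappend to `curl_7.53.1.bbappend` instead of `curl_%.bbappend` means a future recipe bump silently stops applying every patch listed here, including the 2017 CVE backports, with no build error to flag it. That is a reasonable choice for version-specific backports, but record the intent in the file, e.g. `# Version-pinned on purpose: the CVE backports below apply to 7.53.1 only and must be re-evaluated on upgrade`. The four new entries are also out of CVE-number order (1000301 listed before 1000122 and 1000121); they touch distinct files per their diffstats, so order is not functionally significant, but sorting them keeps the list reviewable.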