author | Martin Borg <martin.borg@enea.com> | 2018-05-03 14:29:23 +0200 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2018-05-03 14:29:23 +0200 |
commit | 8c928bbadf6ae0e6dc2705ed57c89eb2e6810197 (patch) | |
tree | a317199e3cac1f517359a49e11b73a159fb4f295 /recipes-support | |
parent | 1c3a21479972cb4b868b1e57b80dc607ef398d8d (diff) | |
curl: Drop CVE patches
curl was upgraded to 7.58.0 on upstream poky rocko branch
and this version already contains all our CVE patches.
Signed-off-by: Martin Borg <martin.borg@enea.com>
Diffstat (limited to 'recipes-support')
-rw-r--r-- | recipes-support/curl/curl/CVE-2017-1000257.patch | 39 | ||||
-rw-r--r-- | recipes-support/curl/curl/CVE-2017-8816.patch | 69 | ||||
-rw-r--r-- | recipes-support/curl/curl/CVE-2017-8817.patch | 135 | ||||
-rw-r--r-- | recipes-support/curl/curl/CVE-2018-1000005.patch | 41 | ||||
-rw-r--r-- | recipes-support/curl/curl_%.bbappend | 8 |
5 files changed, 0 insertions, 292 deletions
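diff --git a/recipes-support/curl/curl/CVE-2017-1000257.patch b/recipes-support/curl/curl/CVE-2017-1000257.patch
deleted file mode 100644
index de0dc3a..0000000
--- a/recipes-support/curl/curl/CVE-2017-1000257.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 13c9a9ded3ae744a1e11cbc14e9146d9fa427040 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Sat, 7 Oct 2017 00:11:31 +0200
-Subject: [PATCH] imap: if a FETCH response has no size, don't call write
-callback
-
-CVE: CVE-2017-1000257
-Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-1000257.patch]
-
-Reported-by: Brian Carpenter and 0xd34db347
-Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-lib/imap.c | 5 +++++
-1 file changed, 5 insertions(+)
-
-diff --git a/lib/imap.c b/lib/imap.c
-index 954d18f37..baa31a2f8 100644
---- a/lib/imap.c
-+++ b/lib/imap.c
-@@ -1124,10 +1124,15 @@ static CURLcode imap_state_fetch_resp(struct connectdata *conn, int imapcode,
-
-if(chunk > (size_t)size)
-/* The conversion from curl_off_t to size_t is always fine here */
-chunk = (size_t)size;
-
-+ if(!chunk) {
-+ /* no size, we're done with the data */
-+ state(conn, IMAP_STOP);
-+ return CURLE_OK;
-+ }
-result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk);
-if(result)
-return result;
-
-data->req.bytecount += chunk;
---
-2.15.0.rc1
-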
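diff --git a/recipes-support/curl/curl/CVE-2017-8816.patch b/recipes-support/curl/curl/CVE-2017-8816.patch
deleted file mode 100644
index 9b957ce..0000000
--- a/recipes-support/curl/curl/CVE-2017-8816.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 6 Nov 2017 23:51:52 +0100
-Subject: [PATCH] ntlm: avoid integer overflow for malloc size
-
-Reported-by: Alex Nichols
-Assisted-by: Kamil Dudka and Max Dymond
-
-CVE: CVE-2017-8816
-Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8816.patch]
-
-Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
-1 file changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
-index 1309bf0d9..e8962769c 100644
---- a/lib/curl_ntlm_core.c
-+++ b/lib/curl_ntlm_core.c
-@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
-Curl_HMAC_final(ctxt, output);
-
-return CURLE_OK;
-}
-
-+#ifndef SIZE_T_MAX
-+/* some limits.h headers have this defined, some don't */
-+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
-+#define SIZE_T_MAX 18446744073709551615U
-+#else
-+#define SIZE_T_MAX 4294967295U
-+#endif
-+#endif
-+
-/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
-* (uppercase UserName + Domain) as the data
-*/
-CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
-const char *domain, size_t domlen,
-unsigned char *ntlmhash,
-unsigned char *ntlmv2hash)
-{
-/* Unicode representation */
-- size_t identity_len = (userlen + domlen) * 2;
-- unsigned char *identity = malloc(identity_len);
-+ size_t identity_len;
-+ unsigned char *identity;
-CURLcode result = CURLE_OK;
-
-+ /* we do the length checks below separately to avoid integer overflow risk
-+ on extreme data lengths */
-+ if((userlen > SIZE_T_MAX/2) ||
-+ (domlen > SIZE_T_MAX/2) ||
-+ ((userlen + domlen) > SIZE_T_MAX/2))
-+ return CURLE_OUT_OF_MEMORY;
-+
-+ identity_len = (userlen + domlen) * 2;
-+ identity = malloc(identity_len);
-+
-if(!identity)
-return CURLE_OUT_OF_MEMORY;
-
-ascii_uppercase_to_unicode_le(identity, user, userlen);
-ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
---
-2.15.0
-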
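diff --git a/recipes-support/curl/curl/CVE-2017-8817.patch b/recipes-support/curl/curl/CVE-2017-8817.patch
deleted file mode 100644
index e8429b2..0000000
--- a/recipes-support/curl/curl/CVE-2017-8817.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From 438a9ebfe9c4dc850ca2ed858bf5b8c31ce15ef5 Mon Sep 17 00:00:00 2001
-From: Sona Sarmadi <sona.sarmadi@enea.com>
-Date: Fri, 2 Mar 2018 08:48:05 +0100
-Subject: [PATCH] curl: fix for CVE-2017-8817
-
-wildcardmatch: fix heap buffer overflow in setcharset
-
-The code would previous read beyond the end of the pattern string if the
-match pattern ends with an open bracket when the default pattern
-matching function is used.
-
-Detected by OSS-Fuzz:
-https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
-
-CVE: CVE-2017-8817
-Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8817.patch]
-
-Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-lib/curl_fnmatch.c | 9 +++------
-tests/data/Makefile.inc | 2 +-
-tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
-3 files changed, 56 insertions(+), 7 deletions(-)
-create mode 100644 tests/data/test1163
-
-diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
-index 46d3ada..5dd5323 100644
---- a/lib/curl_fnmatch.c
-+++ b/lib/curl_fnmatch.c
-@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, unsigned char *charset)
-unsigned char c;
-for(;;) {
-c = **p;
-+ if(!c)
-+ return SETCHARSET_FAIL;
-+
-switch(state) {
-case CURLFNM_SCHS_DEFAULT:
-if(ISALNUM(c)) { /* ASCII value */
-@@ -196,9 +199,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
-else
-return SETCHARSET_FAIL;
-}
-- else if(c == '\0') {
-- return SETCHARSET_FAIL;
-- }
-else {
-charset[c] = 1;
-(*p)++;
-@@ -277,9 +277,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
-else if(c == ']') {
-return SETCHARSET_OK;
-}
-- else if(c == '\0') {
-- return SETCHARSET_FAIL;
-- }
-else if(ISPRINT(c)) {
-charset[c] = 1;
-(*p)++;
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 5284654..942f9ee 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -122,7 +122,7 @@ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
-test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
-test1144 test1145 test1146 \
-test1152 \
--\
-+test1163 \
-test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
-test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
-test1216 test1217 test1218 test1219 \
-diff --git a/tests/data/test1163 b/tests/data/test1163
-new file mode 100644
-index 0000000..3266fa8
---- /dev/null
-+++ b/tests/data/test1163
-@@ -0,0 +1,52 @@
-+<testcase>
-+<info>
-+<keywords>
-+FTP
-+RETR
-+LIST
-+wildcardmatch
-+ftplistparser
-+flaky
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+</data>
-+</reply>
-+
-+# Client-side
-+<client>
-+<server>
-+ftp
-+</server>
-+<tool>
-+lib576
-+</tool>
-+<name>
-+FTP wildcard with pattern ending with an open-bracket
-+</name>
-+<command>
-+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
-+</command>
-+</client>
-+<verify>
-+<protocol>
-+USER anonymous
-+PASS ftp@example.com
-+PWD
-+CWD fully_simulated
-+CWD DOS
-+EPSV
-+TYPE A
-+LIST
-+QUIT
-+</protocol>
-+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
-+<errorcode>
-+78
-+</errorcode>
-+</verify>
-+</testcase>
---
-1.9.1
-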
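diff --git a/recipes-support/curl/curl/CVE-2018-1000005.patch b/recipes-support/curl/curl/CVE-2018-1000005.patch
deleted file mode 100644
index 200ef16..0000000
--- a/recipes-support/curl/curl/CVE-2018-1000005.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
-From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com>
-Date: Wed, 10 Jan 2018 10:12:18 -0800
-Subject: [PATCH] http2: fix incorrect trailer buffer size
-
-Prior to this change the stored byte count of each trailer was
-miscalculated and 1 less than required. It appears any trailer
-after the first that was passed to Curl_client_write would be truncated
-or corrupted as well as the size. Potentially the size of some
-subsequent trailer could be erroneously extracted from the contents of
-that trailer, and since that size is used by client write an
-out-of-bounds read could occur and cause a crash or be otherwise
-processed by client write.
-
-The bug appears to have been born in 0761a51 (precedes 7.49.0).
-
-Closes https://github.com/curl/curl/pull/2231
-
-Upstream-Status: Backport
-CVE: CVE-2018-1000005
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-lib/http2.c | 4 ++--
-1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/http2.c b/lib/http2.c
-index 8e2fc71996..699287940e 100644
---- a/lib/http2.c
-+++ b/lib/http2.c
-@@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
-
-if(stream->bodystarted) {
-/* This is trailer fields. */
-- /* 3 is for ":" and "\r\n". */
-- uint32_t n = (uint32_t)(namelen + valuelen + 3);
-+ /* 4 is for ": " and "\r\n". */
-+ uint32_t n = (uint32_t)(namelen + valuelen + 4);
-
-DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
-value));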
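diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
deleted file mode 100644
index d30e613..0000000
--- a/recipes-support/curl/curl_%.bbappend
+++ /dev/null
@@ -1,8 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://CVE-2017-1000257.patch \
-file://CVE-2017-8816.patch \
-file://CVE-2017-8817.patch \
-file://CVE-2018-1000005.patch \
-"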