summaryrefslogtreecommitdiffstats
path: root/recipes-support
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2017-09-21 13:57:05 +0200
committerAdrian Dudau <adrian.dudau@enea.com>2017-09-26 15:38:41 +0200
commit7218e2df932a95309e9d089d979f4280b0d10e40 (patch)
tree79e809c02bae89212a161979716b5fedb3624414 /recipes-support
parenta6c093cff598b0410e4bd9e9a3ba2905ebfb8cb2 (diff)
downloadmeta-nfv-access-common-7218e2df932a95309e9d089d979f4280b0d10e40.tar.gz
curl: CVE-2017-9502
URL file scheme drive letter buffer overflow References: https://curl.haxx.se/docs/adv_20170614.html https://curl.haxx.se/CVE-2017-9502.patch Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-support')
-rw-r--r--recipes-support/curl/curl/CVE-2017-9502.patch69
-rw-r--r--recipes-support/curl/curl_%.bbappend1
2 files changed, 70 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2017-9502.patch b/recipes-support/curl/curl/CVE-2017-9502.patch
new file mode 100644
index 0000000..c205568
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2017-9502.patch
@@ -0,0 +1,69 @@
1From 5d7952f52e410e1d4a8ff1965e5cc6fc1bde86aa Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Wed, 7 Jun 2017 00:21:04 +0200
4Subject: [PATCH] url: fix buffer overwrite with file protocol (CVE-2017-9502)
5
6Bug: https://github.com/curl/curl/issues/1540
7Advisory: https://curl.haxx.se/docs/adv_20170614.html
8
9CVE: CVE-2017-9502
10Upstream-Status: Backport [backport from curl-7_54_1]
11
12Assisted-by: Ray Satiro
13Reported-by: Marcel Raad
14Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
15---
16 lib/url.c | 27 ++++++++++++++++++++++-----
17 1 file changed, 22 insertions(+), 5 deletions(-)
18
19diff --git a/lib/url.c b/lib/url.c
20index 84822d9..87446db 100644
21--- a/lib/url.c
22+++ b/lib/url.c
23@@ -4466,6 +4466,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
24 #endif
25
26 protop = "file"; /* protocol string */
27+ *prot_missing = !url_has_scheme;
28 }
29 else {
30 /* clear path */
31@@ -4629,14 +4630,30 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
32
33 size_t plen = strlen(path); /* new path, should be 1 byte longer than
34 the original */
35- size_t urllen = strlen(data->change.url); /* original URL length */
36-
37 size_t prefixlen = strlen(conn->host.name);
38
39- if(!*prot_missing)
40- prefixlen += strlen(protop) + strlen("://");
41+ if(!*prot_missing) {
42+ size_t protolen = strlen(protop);
43+
44+ if(curl_strnequal(protop, data->change.url, protolen))
45+ prefixlen += protolen;
46+ else {
47+ failf(data, "<url> malformed");
48+ return CURLE_URL_MALFORMAT;
49+ }
50+
51+ if(curl_strnequal("://", &data->change.url[protolen], 3))
52+ prefixlen += 3;
53+ /* only file: is allowed to omit one or both slashes */
54+ else if(curl_strnequal("file:", data->change.url, 5))
55+ prefixlen += 1 + (data->change.url[5] == '/');
56+ else {
57+ failf(data, "<url> malformed");
58+ return CURLE_URL_MALFORMAT;
59+ }
60+ }
61
62- reurl = malloc(urllen + 2); /* 2 for zerobyte + slash */
63+ reurl = malloc(prefixlen + plen + 1);
64 if(!reurl)
65 return CURLE_OUT_OF_MEMORY;
66
67--
681.9.1
69
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
index ec4f997..15e74ba 100644
--- a/recipes-support/curl/curl_%.bbappend
+++ b/recipes-support/curl/curl_%.bbappend
@@ -2,4 +2,5 @@
2FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" 2FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
3 3
4SRC_URI += "file://CVE-2017-7468.patch \ 4SRC_URI += "file://CVE-2017-7468.patch \
5 file://CVE-2017-9502.patch \
5 " 6 "