-rw-r--r-- | recipes-support/curl/curl/CVE-2017-8817.patch | 134 | ||||
-rw-r--r-- | recipes-support/curl/curl_%.bbappend | 1 |
2 files changed, 135 insertions, 0 deletions
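--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2017-8817.patch
@@ -0,0 +1,134 @@
+From 2dd71516235bb8f98210242c34a1a617caa8c171 Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarmadi@enea.com>
+Date: Mon, 4 Dec 2017 10:25:14 +0100
+Subject: [PATCH] curl: fix for CVE-2017-8817
+
+wildcardmatch: fix heap buffer overflow in setcharset
+
+The code would previous read beyond the end of the pattern string if the
+match pattern ends with an open bracket when the default pattern
+matching function is used.
+
+Detected by OSS-Fuzz:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
+
+CVE: CVE-2017-8817
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8817.patch]
+
+Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+lib/curl_fnmatch.c | 9 +++------
+tests/data/Makefile.inc | 1 +
+tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
+3 files changed, 56 insertions(+), 6 deletions(-)
+create mode 100644 tests/data/test1163
+
+diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
+index e8108bb..2f34335 100644
+--- a/lib/curl_fnmatch.c
++++ b/lib/curl_fnmatch.c
+@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+unsigned char c;
+for(;;) {
+c = **p;
++ if(!c)
++ return SETCHARSET_FAIL;
++
+switch(state) {
+case CURLFNM_SCHS_DEFAULT:
+if(ISALNUM(c)) { /* ASCII value */
+@@ -197,9 +200,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+else
+return SETCHARSET_FAIL;
+}
+- else if(c == '\0') {
+- return SETCHARSET_FAIL;
+- }
+else {
+charset[c] = 1;
+(*p)++;
+@@ -278,9 +278,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+else if(c == ']') {
+return SETCHARSET_OK;
+}
+- else if(c == '\0') {
+- return SETCHARSET_FAIL;
+- }
+else if(ISPRINT(c)) {
+charset[c] = 1;
+(*p)++;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 01ad40d..20aa856 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -122,6 +122,7 @@ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+test1144 test1145 test1146 \
+test1152 \
++test1163 \
+test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1163 b/tests/data/test1163
+new file mode 100644
+index 0000000..3266fa8
+--- /dev/null
++++ b/tests/data/test1163
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++FTP
++RETR
++LIST
++wildcardmatch
++ftplistparser
++flaky
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++ftp
++</server>
++<tool>
++lib576
++</tool>
++<name>
++FTP wildcard with pattern ending with an open-bracket
++</name>
++<command>
++"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
++</command>
++</client>
++<verify>
++<protocol>
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD fully_simulated
++CWD DOS
++EPSV
++TYPE A
++LIST
++QUIT
++</protocol>
++# 78 == CURLE_REMOTE_FILE_NOT_FOUND
++<errorcode>
++78
++</errorcode>
++</verify>
++</testcase>
+--
+1.9.1
+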
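Review bot: The regression test for this overflow, tests/data/test1163, carries the `flaky` keyword, so a test run that filters out or tolerates flaky tests would not fail if the NUL check at the top of the loop in setcharset() were lost again. If this layer runs curl's test suite, confirm that the invocation still includes this test; otherwise the only evidence that the fix is in the image is that the patch applied cleanly. The new `if(!c) return SETCHARSET_FAIL;` sits before `switch(state)` and therefore guards every parser state, which is the whole point of removing the two per-branch checks. A one-line comment such as `/* NUL ends the pattern in every state; never index charset[] or advance *p past it */` would keep a later edit from moving the check back into individual branches. The body of setcharset() continues outside the three inner hunks shown, so the remaining states cannot be checked from this page.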
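--- a/recipes-support/curl/curl_%.bbappend
+++ b/recipes-support/curl/curl_%.bbappend
@@ -7,4 +7,5 @@ SRC_URI += "file://CVE-2017-7407.patch \
 file://CVE-2017-1000254.patch \
 file://CVE-2017-1000257.patch \
 file://CVE-2017-8816.patch \
+file://CVE-2017-8817.patch \
 "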