From 897a7bfe82b0ddc5dee59c1d36fe8cf9fd7ce499 Mon Sep 17 00:00:00 2001 From: Adrian Dudau Date: Wed, 22 Nov 2017 12:45:41 +0100 Subject: curl: Drop CVE patches These CVEs have been fixed in upstream poky/pyro. Signed-off-by: Adrian Dudau --- recipes-support/curl/curl/CVE-2017-1000100.patch | 59 -------------- recipes-support/curl/curl/CVE-2017-1000101.patch | 97 ------------------------ recipes-support/curl/curl_%.bbappend | 2 - 3 files changed, 158 deletions(-) delete mode 100644 recipes-support/curl/curl/CVE-2017-1000100.patch delete mode 100644 recipes-support/curl/curl/CVE-2017-1000101.patch (limited to 'recipes-support') diff --git a/recipes-support/curl/curl/CVE-2017-1000100.patch b/recipes-support/curl/curl/CVE-2017-1000100.patch deleted file mode 100644 index 02ae6cc..0000000 --- a/recipes-support/curl/curl/CVE-2017-1000100.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 1 Aug 2017 17:16:46 +0200 -Subject: [PATCH] tftp: reject file name lengths that don't fit - -... and thereby avoid telling send() to send off more bytes than the -size of the buffer! - -CVE-2017-1000100 - -Bug: https://curl.haxx.se/docs/adv_20170809B.html -Reported-by: Even Rouault - -Credit to OSS-Fuzz for the discovery - -CVE: CVE-2017-1000100 -Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-1000100.patch] - -Signed-off-by: Sona Sarmadi ---- - lib/tftp.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/lib/tftp.c b/lib/tftp.c -index 02bd84242..f6f4bce5b 100644 ---- a/lib/tftp.c -+++ b/lib/tftp.c -@@ -3,11 +3,11 @@ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at https://curl.haxx.se/docs/copyright.html. - * -@@ -489,10 +489,15 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event) - result = Curl_urldecode(data, &state->conn->data->state.path[1], 0, - &filename, NULL, FALSE); - if(result) - return result; - -+ if(strlen(filename) > (state->blksize - strlen(mode) - 4)) { -+ failf(data, "TFTP file name too long\n"); -+ return CURLE_TFTP_ILLEGAL; /* too long file name field */ -+ } -+ - snprintf((char *)state->spacket.data+2, - state->blksize, - "%s%c%s%c", filename, '\0', mode, '\0'); - sbytes = 4 + strlen(filename) + strlen(mode); - --- -2.13.3 - diff --git a/recipes-support/curl/curl/CVE-2017-1000101.patch b/recipes-support/curl/curl/CVE-2017-1000101.patch deleted file mode 100644 index 2b25cfd..0000000 --- a/recipes-support/curl/curl/CVE-2017-1000101.patch +++ /dev/null @@ -1,97 +0,0 @@ -From 7bf8af31fc9eaecd845d59ecb6a0dbe9e2028cf7 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 1 Aug 2017 17:16:07 +0200 -Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow - range - -Added test 1289 to verify. - -CVE-2017-1000101 - -Bug: https://curl.haxx.se/docs/adv_20170809A.html -Reported-by: Brian Carpenter - -CVE: CVE-2017-1000101 -Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-1000101.patch] - -Signed-off-by: Sona Sarmadi ---- - src/tool_urlglob.c | 5 ++++- - tests/data/Makefile.inc | 2 +- - tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++ - 3 files changed, 40 insertions(+), 2 deletions(-) - create mode 100644 tests/data/test1289 - -diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c -index d002f27..caf2385 100644 ---- a/src/tool_urlglob.c -+++ b/src/tool_urlglob.c -@@ -269,7 +269,10 @@ static CURLcode glob_range(URLGlob *glob, char **patternp, - } - errno = 0; - max_n = strtoul(pattern, &endp, 10); -- if(errno || (*endp == ':')) { -+ if(errno) -+ /* overflow */ -+ endp = NULL; -+ else if(*endp == ':') { - pattern = endp+1; - errno = 0; - step_n = strtoul(pattern, &endp, 10); -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 8251ab9..6f41eef 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -130,7 +130,7 @@ test1236 test1237 test1238 test1239 test1240 test1241 test1242 test1243 \ - test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \ - test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 \ - \ --test1280 test1281 test1282 test1283 test1284 test1285 test1286 \ -+test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1289 \ - \ - test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \ - test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \ -diff --git a/tests/data/test1289 b/tests/data/test1289 -new file mode 100644 -index 0000000..d679cc0 ---- /dev/null -+++ b/tests/data/test1289 -@@ -0,0 +1,35 @@ -+ -+ -+ -+HTTP -+HTTP GET -+globbing -+ -+ -+ -+# -+# Server-side -+ -+ -+ -+# Client-side -+ -+ -+http -+ -+ -+globbing with overflow and bad syntxx -+ -+ -+http://ur%20[0-60000000000000000000 -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+# curl: (3) [globbing] bad range in column -+ -+3 -+ -+ -+ --- -1.9.1 - diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend index 6ce316a..ca548e8 100644 --- a/recipes-support/curl/curl_%.bbappend +++ b/recipes-support/curl/curl_%.bbappend @@ -4,6 +4,4 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" SRC_URI += "file://CVE-2017-7407.patch \ file://CVE-2017-7468.patch \ file://CVE-2017-9502.patch \ - file://CVE-2017-1000100.patch \ - file://CVE-2017-1000101.patch \ " -- cgit v1.2.3-54-g00ecf