From 8c928bbadf6ae0e6dc2705ed57c89eb2e6810197 Mon Sep 17 00:00:00 2001
From: Martin Borg
Date: Thu, 3 May 2018 14:29:23 +0200
Subject: curl: Drop CVE patches

curl was upgraded to 7.58.0 on upstream poky rocko branch and this version already contains all our CVE patches.

Signed-off-by: Martin Borg
---
recipes-support/curl/curl/CVE-2017-1000257.patch | 39 -------
recipes-support/curl/curl/CVE-2017-8816.patch | 69 ------------
recipes-support/curl/curl/CVE-2017-8817.patch | 135 -----------------------
recipes-support/curl/curl/CVE-2018-1000005.patch | 41 -------
recipes-support/curl/curl_%.bbappend | 8 --
5 files changed, 292 deletions(-)
delete mode 100644 recipes-support/curl/curl/CVE-2017-1000257.patch
delete mode 100644 recipes-support/curl/curl/CVE-2017-8816.patch
delete mode 100644 recipes-support/curl/curl/CVE-2017-8817.patch
delete mode 100644 recipes-support/curl/curl/CVE-2018-1000005.patch
delete mode 100644 recipes-support/curl/curl_%.bbappend

(limited to 'recipes-support')

diff --git a/recipes-support/curl/curl/CVE-2017-1000257.patch b/recipes-support/curl/curl/CVE-2017-1000257.patch
deleted file mode 100644
index de0dc3a..0000000
--- a/recipes-support/curl/curl/CVE-2017-1000257.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 13c9a9ded3ae744a1e11cbc14e9146d9fa427040 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Sat, 7 Oct 2017 00:11:31 +0200
-Subject: [PATCH] imap: if a FETCH response has no size, don't call write
- callback
-
-CVE: CVE-2017-1000257
-Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-1000257.patch]
-
-Reported-by: Brian Carpenter and 0xd34db347
-Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
-Signed-off-by: Sona Sarmadi
----
- lib/imap.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/lib/imap.c b/lib/imap.c
-index 954d18f37..baa31a2f8 100644
---- a/lib/imap.c
-+++ b/lib/imap.c
-@@ -1124,10 +1124,15 @@ static CURLcode imap_state_fetch_resp(struct connectdata *conn, int imapcode,
-
- if(chunk > (size_t)size)
- /* The conversion from curl_off_t to size_t is always fine here */
- chunk = (size_t)size;
-
-+ if(!chunk) {
-+ /* no size, we're done with the data */
-+ state(conn, IMAP_STOP);
-+ return CURLE_OK;
-+ }
- result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk);
- if(result)
- return result;
-
- data->req.bytecount += chunk;
---
-2.15.0.rc1
-
diff --git a/recipes-support/curl/curl/CVE-2017-8816.patch b/recipes-support/curl/curl/CVE-2017-8816.patch
deleted file mode 100644
index 9b957ce..0000000
--- a/recipes-support/curl/curl/CVE-2017-8816.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 6 Nov 2017 23:51:52 +0100
-Subject: [PATCH] ntlm: avoid integer overflow for malloc size
-
-Reported-by: Alex Nichols
-Assisted-by: Kamil Dudka and Max Dymond
-
-CVE: CVE-2017-8816
-Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8816.patch]
-
-Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
-Signed-off-by: Sona Sarmadi
----
- lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
- 1 file changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
-index 1309bf0d9..e8962769c 100644
---- a/lib/curl_ntlm_core.c
-+++ b/lib/curl_ntlm_core.c
-@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
- Curl_HMAC_final(ctxt, output);
-
- return CURLE_OK;
- }
-
-+#ifndef SIZE_T_MAX
-+/* some limits.h headers have this defined, some don't */
-+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
-+#define SIZE_T_MAX 18446744073709551615U
-+#else
-+#define SIZE_T_MAX 4294967295U
-+#endif
-+#endif
-+
- /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
- * (uppercase UserName + Domain) as the data
- */
- CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
- const char *domain, size_t domlen,
- unsigned char *ntlmhash,
- unsigned char *ntlmv2hash)
- {
- /* Unicode representation */
-- size_t identity_len = (userlen + domlen) * 2;
-- unsigned char *identity = malloc(identity_len);
-+ size_t identity_len;
-+ unsigned char *identity;
- CURLcode result = CURLE_OK;
-
-+ /* we do the length checks below separately to avoid integer overflow risk
-+ on extreme data lengths */
-+ if((userlen > SIZE_T_MAX/2) ||
-+ (domlen > SIZE_T_MAX/2) ||
-+ ((userlen + domlen) > SIZE_T_MAX/2))
-+ return CURLE_OUT_OF_MEMORY;
-+
-+ identity_len = (userlen + domlen) * 2;
-+ identity = malloc(identity_len);
-+
- if(!identity)
- return CURLE_OUT_OF_MEMORY;
-
- ascii_uppercase_to_unicode_le(identity, user, userlen);
- ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
---
-2.15.0
-
diff --git a/recipes-support/curl/curl/CVE-2017-8817.patch b/recipes-support/curl/curl/CVE-2017-8817.patch
deleted file mode 100644
index e8429b2..0000000
--- a/recipes-support/curl/curl/CVE-2017-8817.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From 438a9ebfe9c4dc850ca2ed858bf5b8c31ce15ef5 Mon Sep 17 00:00:00 2001
-From: Sona Sarmadi
-Date: Fri, 2 Mar 2018 08:48:05 +0100
-Subject: [PATCH] curl: fix for CVE-2017-8817
-
-wildcardmatch: fix heap buffer overflow in setcharset
-
-The code would previous read beyond the end of the pattern string if the
-match pattern ends with an open bracket when the default pattern
-matching function is used.
-
-Detected by OSS-Fuzz:
-https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
-
-CVE: CVE-2017-8817
-Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8817.patch]
-
-Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
-
-Signed-off-by: Sona Sarmadi
----
- lib/curl_fnmatch.c | 9 +++------
- tests/data/Makefile.inc | 2 +-
- tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 56 insertions(+), 7 deletions(-)
- create mode 100644 tests/data/test1163
-
-diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
-index 46d3ada..5dd5323 100644
---- a/lib/curl_fnmatch.c
-+++ b/lib/curl_fnmatch.c
-@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, unsigned char *charset)
- unsigned char c;
- for(;;) {
- c = **p;
-+ if(!c)
-+ return SETCHARSET_FAIL;
-+
- switch(state) {
- case CURLFNM_SCHS_DEFAULT:
- if(ISALNUM(c)) { /* ASCII value */
-@@ -196,9 +199,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
- else
- return SETCHARSET_FAIL;
- }
-- else if(c == '\0') {
-- return SETCHARSET_FAIL;
-- }
- else {
- charset[c] = 1;
- (*p)++;
-@@ -277,9 +277,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
- else if(c == ']') {
- return SETCHARSET_OK;
- }
-- else if(c == '\0') {
-- return SETCHARSET_FAIL;
-- }
- else if(ISPRINT(c)) {
- charset[c] = 1;
- (*p)++;
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 5284654..942f9ee 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -122,7 +122,7 @@ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
- test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
- test1144 test1145 test1146 \
- test1152 \
--\
-+test1163 \
- test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
- test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
- test1216 test1217 test1218 test1219 \
-diff --git a/tests/data/test1163 b/tests/data/test1163
-new file mode 100644
-index 0000000..3266fa8
---- /dev/null
-+++ b/tests/data/test1163
-@@ -0,0 +1,52 @@
-+
-+
-+
-+FTP
-+RETR
-+LIST
-+wildcardmatch
-+ftplistparser
-+flaky
-+
-+
-+
-+#
-+# Server-side
-+
-+
-+
-+
-+# Client-side
-+
-+
-+ftp
-+
-+
-+lib576
-+
-+
-+FTP wildcard with pattern ending with an open-bracket
-+
-+
-+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
-+
-+
-+
-+
-+USER anonymous
-+PASS ftp@example.com
-+PWD
-+CWD fully_simulated
-+CWD DOS
-+EPSV
-+TYPE A
-+LIST
-+QUIT
-+
-+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
-+
-+78
-+
-+
-+
---
-1.9.1
-
diff --git a/recipes-support/curl/curl/CVE-2018-1000005.patch b/recipes-support/curl/curl/CVE-2018-1000005.patch
deleted file mode 100644
index 200ef16..0000000
--- a/recipes-support/curl/curl/CVE-2018-1000005.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
-From: Zhouyihai Ding
-Date: Wed, 10 Jan 2018 10:12:18 -0800
-Subject: [PATCH] http2: fix incorrect trailer buffer size
-
-Prior to this change the stored byte count of each trailer was
-miscalculated and 1 less than required. It appears any trailer
-after the first that was passed to Curl_client_write would be truncated
-or corrupted as well as the size. Potentially the size of some
-subsequent trailer could be erroneously extracted from the contents of
-that trailer, and since that size is used by client write an
-out-of-bounds read could occur and cause a crash or be otherwise
-processed by client write.
-
-The bug appears to have been born in 0761a51 (precedes 7.49.0).
-
-Closes https://github.com/curl/curl/pull/2231
-
-Upstream-Status: Backport
-CVE: CVE-2018-1000005
-
-Signed-off-by: Sona Sarmadi
----
- lib/http2.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/http2.c b/lib/http2.c
-index 8e2fc71996..699287940e 100644
---- a/lib/http2.c
-+++ b/lib/http2.c
-@@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
-
- if(stream->bodystarted) {
- /* This is trailer fields. */
-- /* 3 is for ":" and "\r\n". */
-- uint32_t n = (uint32_t)(namelen + valuelen + 3);
-+ /* 4 is for ": " and "\r\n". */
-+ uint32_t n = (uint32_t)(namelen + valuelen + 4);
-
- DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
- value));
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
deleted file mode 100644
index d30e613..0000000
--- a/recipes-support/curl/curl_%.bbappend
+++ /dev/null
@@ -1,8 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://CVE-2017-1000257.patch \
- file://CVE-2017-8816.patch \
- file://CVE-2017-8817.patch \
- file://CVE-2018-1000005.patch \
- "
--
cgit v1.2.3-54-g00ecf