From c207a4bc5d80dae6cc430df04bddaceac04687e6 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Mon, 4 Dec 2017 11:57:40 +0100
Subject: curl: security fix for CVE-2017-8817

FTP wildcard out of bounds read

References:
https://curl.haxx.se/docs/adv_2017-ae72.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
 recipes-support/curl/curl/CVE-2017-8817.patch | 134 ++++++++++++++++++++++++++
 recipes-support/curl/curl_%.bbappend          |   1 +
 2 files changed, 135 insertions(+)
 create mode 100644 recipes-support/curl/curl/CVE-2017-8817.patch

(limited to 'recipes-support')

diff --git a/recipes-support/curl/curl/CVE-2017-8817.patch b/recipes-support/curl/curl/CVE-2017-8817.patch
new file mode 100644
index 0000000..20ca406
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2017-8817.patch
@@ -0,0 +1,134 @@
+From 2dd71516235bb8f98210242c34a1a617caa8c171 Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarmadi@enea.com>
+Date: Mon, 4 Dec 2017 10:25:14 +0100
+Subject: [PATCH] curl: fix for CVE-2017-8817
+
+wildcardmatch: fix heap buffer overflow in setcharset
+
+The code would previous read beyond the end of the pattern string if the
+match pattern ends with an open bracket when the default pattern
+matching function is used.
+
+Detected by OSS-Fuzz:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
+
+CVE: CVE-2017-8817
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8817.patch]
+
+Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/curl_fnmatch.c      |  9 +++------
+ tests/data/Makefile.inc |  1 +
+ tests/data/test1163     | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test1163
+
+diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
+index e8108bb..2f34335 100644
+--- a/lib/curl_fnmatch.c
++++ b/lib/curl_fnmatch.c
+@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+   unsigned char c;
+   for(;;) {
+     c = **p;
++    if(!c)
++      return SETCHARSET_FAIL;
++
+     switch(state) {
+     case CURLFNM_SCHS_DEFAULT:
+       if(ISALNUM(c)) { /* ASCII value */
+@@ -197,9 +200,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+         else
+           return SETCHARSET_FAIL;
+       }
+-      else if(c == '\0') {
+-        return SETCHARSET_FAIL;
+-      }
+       else {
+         charset[c] = 1;
+         (*p)++;
+@@ -278,9 +278,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+       else if(c == ']') {
+         return SETCHARSET_OK;
+       }
+-      else if(c == '\0') {
+-        return SETCHARSET_FAIL;
+-      }
+       else if(ISPRINT(c)) {
+         charset[c] = 1;
+         (*p)++;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 01ad40d..20aa856 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -122,6 +122,7 @@ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 \
+ test1152 \
++test1163 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1163 b/tests/data/test1163
+new file mode 100644
+index 0000000..3266fa8
+--- /dev/null
++++ b/tests/data/test1163
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++FTP
++RETR
++LIST
++wildcardmatch
++ftplistparser
++flaky
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++ftp
++</server>
++<tool>
++lib576
++</tool>
++<name>
++FTP wildcard with pattern ending with an open-bracket
++</name>
++<command>
++"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
++</command>
++</client>
++<verify>
++<protocol>
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD fully_simulated
++CWD DOS
++EPSV
++TYPE A
++LIST
++QUIT
++</protocol>
++# 78 == CURLE_REMOTE_FILE_NOT_FOUND
++<errorcode>
++78
++</errorcode>
++</verify>
++</testcase>
+-- 
+1.9.1
+
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
index 18231f4..5e642bb 100644
--- a/recipes-support/curl/curl_%.bbappend
+++ b/recipes-support/curl/curl_%.bbappend
@@ -7,4 +7,5 @@ SRC_URI += "file://CVE-2017-7407.patch \
             file://CVE-2017-1000254.patch \
             file://CVE-2017-1000257.patch \
             file://CVE-2017-8816.patch \
+            file://CVE-2017-8817.patch \
            "
-- 
cgit v1.2.3-54-g00ecf