authorTudor Florea <tudor.florea@enea.com>2015-07-06 22:26:20 (GMT)
committerTudor Florea <tudor.florea@enea.com>2015-07-06 22:26:20 (GMT)
commit430207c9cf87ca0a1e82fcb9915ad890a8e5720f (patch)
treef93b8269b7ccf0326c48b0b178e3d3583347aedb
parent9631f6b1399b24433ef577e9f87c0320700f3460 (diff)
downloadpoky-430207c9cf87ca0a1e82fcb9915ad890a8e5720f.tar.gz
curl: CVE-2014-3707
CVE-2014-3707: libcurl duphandle read out of bounds. libcurl's curl_easy_duphandle() has a bug that can lead to libcurl eventually sending sensitive data that was never intended to be sent. Reference: http://curl.haxx.se/docs/adv_20141105.html Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-support/curl/curl/CVE-2014-3707.patch402
-rw-r--r--meta/recipes-support/curl/curl_7.35.0.bb1
2 files changed, 403 insertions, 0 deletions
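--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2014-3707.patch
@@ -0,0 +1,402 @@
+curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of
+ bounds
+
+When duplicating a handle, the data to post was duplicated using
+strdup() when it could be binary and contain zeroes and it was not even
+zero terminated! This caused read out of bounds crashes/segfaults.
+
+Since the lib/strdup.c file no longer is easily shared with the curl
+tool with this change, it now uses its own version instead.
+
+Bug: http://curl.haxx.se/docs/adv_20141105.html
+CVE: CVE-2014-3707
+
+Reported-By: Symeon Paraschoudis
+
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff -ruN a/lib/formdata.c b/lib/formdata.c
+--- a/lib/formdata.c 2014-01-05 23:07:54.000000000 +0100
++++ b/lib/formdata.c 2015-05-18 09:13:49.767861474 +0200
+@@ -36,6 +36,7 @@
+ #include "strequal.h"
+ #include "curl_memory.h"
+ #include "sendf.h"
++#include "strdup.h"
+
+ #define _MPRINTF_REPLACE /* use our functions only */
+ #include <curl/mprintf.h>
+@@ -214,46 +215,6 @@
+
+ /***************************************************************************
+ *
+- * memdup()
+- *
+- * Copies the 'source' data to a newly allocated buffer buffer (that is
+- * returned). Uses buffer_length if not null, else uses strlen to determine
+- * the length of the buffer to be copied
+- *
+- * Returns the new pointer or NULL on failure.
+- *
+- ***************************************************************************/
+-static char *memdup(const char *src, size_t buffer_length)
+-{
+- size_t length;
+- bool add = FALSE;
+- char *buffer;
+-
+- if(buffer_length)
+- length = buffer_length;
+- else if(src) {
+- length = strlen(src);
+- add = TRUE;
+- }
+- else
+- /* no length and a NULL src pointer! */
+- return strdup("");
+-
+- buffer = malloc(length+add);
+- if(!buffer)
+- return NULL; /* fail */
+-
+- memcpy(buffer, src, length);
+-
+- /* if length unknown do null termination */
+- if(add)
+- buffer[length] = '\0';
+-
+- return buffer;
+-}
+-
+-/***************************************************************************
+- *
+ * FormAdd()
+ *
+ * Stores a formpost parameter and builds the appropriate linked list.
+@@ -682,9 +643,13 @@
+ (form == first_form) ) {
+ /* Note that there's small risk that form->name is NULL here if the
+ app passed in a bad combo, so we better check for that first. */
+- if(form->name)
++ if(form->name) {
+ /* copy name (without strdup; possibly contains null characters) */
+- form->name = memdup(form->name, form->namelength);
++ form->name = Curl_memdup(form->name, form->namelength?
++ form->namelength:
++ strlen(form->name)+1);
++ }
++
+ if(!form->name) {
+ return_value = CURL_FORMADD_MEMORY;
+ break;
+@@ -695,7 +660,9 @@
+ HTTPPOST_PTRCONTENTS | HTTPPOST_PTRBUFFER |
+ HTTPPOST_CALLBACK)) ) {
+ /* copy value (without strdup; possibly contains null characters) */
+- form->value = memdup(form->value, form->contentslength);
++ form->value = Curl_memdup(form->value, form->contentslength?
++ form->contentslength:
++ strlen(form->value)+1);
+ if(!form->value) {
+ return_value = CURL_FORMADD_MEMORY;
+ break;
+diff -ruN a/lib/strdup.c b/lib/strdup.c
+--- a/lib/strdup.c 2013-09-09 00:11:15.000000000 +0200
++++ b/lib/strdup.c 2015-05-18 09:05:27.641416906 +0200
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -19,12 +19,12 @@
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+-/*
+- * This file is 'mem-include-scan' clean. See test 1132.
+- */
+ #include "curl_setup.h"
+-
+ #include "strdup.h"
++#include "curl_memory.h"
++
++/* The last #include file should be: */
++#include "memdebug.h"
+
+ #ifndef HAVE_STRDUP
+ char *curlx_strdup(const char *str)
+@@ -50,3 +50,25 @@
+
+ }
+ #endif
++
++/***************************************************************************
++ *
++ * Curl_memdup(source, length)
++ *
++ * Copies the 'source' data to a newly allocated buffer (that is
++ * returned). Copies 'length' bytes.
++ *
++ * Returns the new pointer or NULL on failure.
++ *
++ ***************************************************************************/
++char *Curl_memdup(const char *src, size_t length)
++{
++ char *buffer = malloc(length);
++ if(!buffer)
++ return NULL; /* fail */
++
++ memcpy(buffer, src, length);
++
++ /* if length unknown do null termination */
++ return buffer;
++}
+diff -ruN a/lib/strdup.h b/lib/strdup.h
+--- a/lib/strdup.h 2013-09-09 00:11:15.000000000 +0200
++++ b/lib/strdup.h 2015-05-18 09:05:27.645416733 +0200
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -26,5 +26,6 @@
+ #ifndef HAVE_STRDUP
+ extern char *curlx_strdup(const char *str);
+ #endif
++char *Curl_memdup(const char *src, size_t buffer_length);
+
+ #endif /* HEADER_CURL_STRDUP_H */
+diff -ruN a/lib/url.c b/lib/url.c
+--- a/lib/url.c 2014-01-29 07:54:29.000000000 +0100
++++ b/lib/url.c 2015-05-18 09:31:00.631682330 +0200
+@@ -125,6 +125,7 @@
+ #include "multihandle.h"
+ #include "pipeline.h"
+ #include "dotdot.h"
++#include "strdup.h"
+
+ #define _MPRINTF_REPLACE /* use our functions only */
+ #include <curl/mprintf.h>
+@@ -270,8 +271,9 @@
+ {
+ /* Free all dynamic strings stored in the data->set substructure. */
+ enum dupstring i;
+- for(i=(enum dupstring)0; i < STRING_LAST; i++)
++ for(i=(enum dupstring)0; i < STRING_LAST; i++) {
+ Curl_safefree(data->set.str[i]);
++ }
+
+ if(data->change.referer_alloc) {
+ Curl_safefree(data->change.referer);
+@@ -340,7 +342,7 @@
+
+ CURLcode Curl_dupset(struct SessionHandle *dst, struct SessionHandle *src)
+ {
+- CURLcode r = CURLE_OK;
++ CURLcode result = CURLE_OK;
+ enum dupstring i;
+
+ /* Copy src->set into dst->set first, then deal with the strings
+@@ -351,14 +353,25 @@
+ memset(dst->set.str, 0, STRING_LAST * sizeof(char *));
+
+ /* duplicate all strings */
+- for(i=(enum dupstring)0; i< STRING_LAST; i++) {
+- r = setstropt(&dst->set.str[i], src->set.str[i]);
+- if(r != CURLE_OK)
+- break;
++ for(i=(enum dupstring)0; i< STRING_LASTZEROTERMINATED; i++) {
++ result = setstropt(&dst->set.str[i], src->set.str[i]);
++ if(result)
++ return result;
++ }
++
++ /* duplicate memory areas pointed to */
++ i = STRING_COPYPOSTFIELDS;
++ if(src->set.postfieldsize && src->set.str[i]) {
++ /* postfieldsize is curl_off_t, Curl_memdup() takes a size_t ... */
++ dst->set.str[i] = Curl_memdup(src->set.str[i],
++ curlx_sotouz(src->set.postfieldsize));
++ if(!dst->set.str[i])
++ return CURLE_OUT_OF_MEMORY;
++ /* point to the new copy */
++ dst->set.postfields = dst->set.str[i];
+ }
+
+- /* If a failure occurred, freeing has to be performed externally. */
+- return r;
++ return CURLE_OK;
+ }
+
+ /*
+diff -ruN a/lib/urldata.h b/lib/urldata.h
+--- a/lib/urldata.h 2014-01-26 22:16:50.000000000 +0100
++++ b/lib/urldata.h 2015-05-18 09:05:27.649416562 +0200
+@@ -1332,7 +1332,6 @@
+ STRING_KRB_LEVEL, /* krb security level */
+ STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find
+ $HOME/.netrc */
+- STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */
+ STRING_PROXY, /* proxy to use */
+ STRING_SET_RANGE, /* range, if used */
+ STRING_SET_REFERER, /* custom string for the HTTP referer field */
+@@ -1374,7 +1373,15 @@
+
+ STRING_BEARER, /* <bearer>, if used */
+
+- /* -- end of strings -- */
++ /* -- end of zero-terminated strings -- */
++
++ STRING_LASTZEROTERMINATED,
++
++ /* -- below this are pointers to binary data that cannot be strdup'ed.
++ Each such pointer must be added manually to Curl_dupset() --- */
++
++ STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */
++
+ STRING_LAST /* not used, just an end-of-list marker */
+ };
+
+diff -ruN a/src/Makefile.inc b/src/Makefile.inc
+--- a/src/Makefile.inc 2013-09-09 00:11:15.000000000 +0200
++++ b/src/Makefile.inc 2015-05-18 09:38:28.124528175 +0200
+@@ -11,7 +11,6 @@
+ # the official API, but we re-use the code here to avoid duplication.
+ CURLX_ONES = \
+ ../lib/strtoofft.c \
+- ../lib/strdup.c \
+ ../lib/rawstr.c \
+ ../lib/nonblock.c
+
+@@ -46,6 +45,7 @@
+ tool_panykey.c \
+ tool_paramhlp.c \
+ tool_parsecfg.c \
++ tool_strdup.c \
+ tool_setopt.c \
+ tool_sleep.c \
+ tool_urlglob.c \
+@@ -90,6 +90,7 @@
+ tool_setopt.h \
+ tool_setup.h \
+ tool_sleep.h \
++ tool_strdup.h \
+ tool_urlglob.h \
+ tool_util.h \
+ tool_version.h \
+diff -ruN a/src/tool_setup.h b/src/tool_setup.h
+--- a/src/tool_setup.h 2013-09-09 00:11:15.000000000 +0200
++++ b/src/tool_setup.h 2015-05-18 09:05:27.649416562 +0200
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -67,8 +67,7 @@
+ #endif
+
+ #ifndef HAVE_STRDUP
+-# include "strdup.h"
+-# define strdup(ptr) curlx_strdup(ptr)
++# include "tool_strdup.h"
+ #endif
+
+ #endif /* HEADER_CURL_TOOL_SETUP_H */
+diff -ruN a/src/tool_strdup.c b/src/tool_strdup.c
+--- a/src/tool_strdup.c 1970-01-01 01:00:00.000000000 +0100
++++ b/src/tool_strdup.c 2015-05-18 09:05:27.649416562 +0200
+@@ -0,0 +1,47 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at http://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++#include "strdup.h"
++
++#ifndef HAVE_STRDUP
++char *strdup(const char *str)
++{
++ size_t len;
++ char *newstr;
++
++ if(!str)
++ return (char *)NULL;
++
++ len = strlen(str);
++
++ if(len >= ((size_t)-1) / sizeof(char))
++ return (char *)NULL;
++
++ newstr = malloc((len+1)*sizeof(char));
++ if(!newstr)
++ return (char *)NULL;
++
++ memcpy(newstr,str,(len+1)*sizeof(char));
++
++ return newstr;
++
++}
++#endif
+diff -ruN a/src/tool_strdup.h b/src/tool_strdup.h
+--- a/src/tool_strdup.h 1970-01-01 01:00:00.000000000 +0100
++++ b/src/tool_strdup.h 2015-05-18 09:05:27.653416391 +0200
+@@ -0,0 +1,30 @@
++#ifndef HEADER_TOOL_STRDUP_H
++#define HEADER_TOOL_STRDUP_H
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at http://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++#include "tool_setup.h"
++
++#ifndef HAVE_STRDUP
++extern char *strdup(const char *str);
++#endif
++
++#endif /* HEADER_TOOL_STRDUP_H */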
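Review bot: In the Curl_dupset hunk of lib/url.c (the `@@ -351,14 +353,25 @@` hunk, which starts mid-function), the new guard `if(src->set.postfieldsize && src->set.str[i])` only tests postfieldsize for non-zero even though the comment right under it says the field is a signed curl_off_t, so a negative value (presumably the "size unknown, use strlen" sentinel set by the CURLOPT_COPYPOSTFIELDS path, which is not visible here — please confirm) is converted by curlx_sotouz() into an enormous size_t and handed to Curl_memdup()/malloc(), failing as a spurious CURLE_OUT_OF_MEMORY at best. Because the comment a few lines up says dst->set is bulk-copied from src->set before the strings are handled, dst->set.postfields is only re-pointed inside this branch; whenever the branch is skipped while src->set.str[i] is non-NULL (size 0 or negative), dst->set.postfields keeps aliasing src's private buffer, which dangles once the source handle is cleaned up — which is the same class of problem this CVE fix is meant to close. I would key the branch on the pointer and split on the sign of the size, as below. Separately, the comment `/* if length unknown do null termination */` carried into the new Curl_memdup() in lib/strdup.c describes nothing the function does any more (it never terminates the copy), and the header declares the parameter as `buffer_length` while the definition names it `length`; drop the comment and align the names so callers are not misled into treating the result as a C string.
```c
  /* duplicate memory areas pointed to */
  i = STRING_COPYPOSTFIELDS;
  if(src->set.str[i]) {
    if(src->set.postfieldsize < 0)
      /* negative size: data is a NUL-terminated string (confirm this is
         the sentinel used by CURLOPT_COPYPOSTFIELDS) */
      dst->set.str[i] = strdup(src->set.str[i]);
    else
      /* postfieldsize is curl_off_t, Curl_memdup() takes a size_t ... */
      dst->set.str[i] = Curl_memdup(src->set.str[i],
                                    curlx_sotouz(src->set.postfieldsize));
    if(!dst->set.str[i])
      return CURLE_OUT_OF_MEMORY;
    /* point to the new copy */
    dst->set.postfields = dst->set.str[i];
  }
```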
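--- a/meta/recipes-support/curl/curl_7.35.0.bb
+++ b/meta/recipes-support/curl/curl_7.35.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
  file://pkgconfig_fix.patch \
  file://CVE-2014-3613.patch \
  file://CVE-2014-3620.patch \
+ file://CVE-2014-3707.patch \
 "
 
 # curl likes to set -g0 in CFLAGS, so we stop it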