curl: Security Advisory - curl - CVE-2014-3620

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain. (From OE-Core rev: ddbaade8afbc9767583728bfdc220639203d6853) (From OE-Core rev: 13bb2ee98cfd159455e459501dda280a78cb5a3b) Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Tudor Florea <tudor.florea@enea.com> 2015-07-07 00:23:37 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2015-07-07 00:23:37 +0200
commit: 9631f6b1399b24433ef577e9f87c0320700f3460 (patch)
tree: 7165ac8cc44587788de6b818c2b8ffbfe97465a6
parent: 35272ed55c848a63c2468b7ea1f0ddce64b4bd73 (diff)
download: poky-9631f6b1399b24433ef577e9f87c0320700f3460.tar.gz
2 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2014-3620.patch b/meta/recipes-support/curl/curl/CVE-2014-3620.patch
new file mode 100644
index 0000000000..d11f1908af
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2014-3620.patch
@@ -0,0 +1,69 @@
+From fd7ae600adf23a9a1ed619165c5058bdec216e9c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 19 Aug 2014 21:11:20 +0200
+Subject: [PATCH] cookies: reject incoming cookies set for TLDs
+Test 61 was modified to verify this.
+CVE-2014-3620
+Reported-by: Tim Ruehsen
+URL: http://curl.haxx.se/docs/adv_20140910B.html
+Upstream-Status: Backport
+Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
+---
+ lib/cookie.c      | 6 ++++++
+ tests/data/test61 | 1 +
+ 2 files changed, 7 insertions(+)
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 46904ac..375485f 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -461,19 +461,25 @@ Curl_cookie_add(struct SessionHandle *data,
+             break;
+           }
+         }
+         else if(Curl_raw_equal("domain", name)) {
+           bool is_ip;
+          const char *dotp;
+ 
+           /* Now, we make sure that our host is within the given domain,
+              or the given domain is not valid and thus cannot be set. */
+ 
+           if('.' == whatptr[0])
+             whatptr++; /* ignore preceding dot */
+ 
+           is_ip = isip(domain ? domain : whatptr);
+ 
+          /* check for more dots */
+          dotp = strchr(whatptr, '.');
+          if(!dotp)
+            domain=":";
+
+           if(!domain
+              || (is_ip && !strcmp(whatptr, domain))
+              || (!is_ip && tailmatch(whatptr, domain))) {
+             strstore(&co->domain, whatptr);
+             if(!co->domain) {
+diff --git a/tests/data/test61 b/tests/data/test61
+index d2de279..e6dbbb9 100644
+--- a/tests/data/test61
+++ b/tests/data/test61
+@@ -21,10 +21,11 @@ Set-Cookie: test=yes; httponly; domain=foo.com; expires=Fri Feb 2 11:56:27 GMT 2
+ SET-COOKIE: test2=yes; domain=host.foo.com; expires=Fri Feb 2 11:56:27 GMT 2035
+ Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure
+ Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure
+ Set-Cookie: test5=name; domain=anything.com; path=/ ; secure
+ Set-Cookie: fake=fooledyou; domain=..com; path=/;
+Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M
+ Content-Length: 4
+ 
+ boo
+ </data>
+ </reply>
+-- 
+2.1.0
diff --git a/meta/recipes-support/curl/curl_7.35.0.bb b/meta/recipes-support/curl/curl_7.35.0.bb
index 97f5ee38b5..3021dec11f 100644
--- a/meta/recipes-support/curl/curl_7.35.0.bb
+++ b/meta/recipes-support/curl/curl_7.35.0.bb
@@ -12,6 +12,7 @@ DEPENDS_class-nativesdk = "nativesdk-zlib"
 SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://pkgconfig_fix.patch \
           file://CVE-2014-3613.patch \
+           file://CVE-2014-3620.patch \
 "
 # curl likes to set -g0 in CFLAGS, so we stop it
author	Tudor Florea <tudor.florea@enea.com>	2015-07-07 00:23:37 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2015-07-07 00:23:37 +0200
commit	9631f6b1399b24433ef577e9f87c0320700f3460 (patch)
tree	7165ac8cc44587788de6b818c2b8ffbfe97465a6
parent	35272ed55c848a63c2468b7ea1f0ddce64b4bd73 (diff)
download	poky-9631f6b1399b24433ef577e9f87c0320700f3460.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2014-3620.patch b/meta/recipes-support/curl/curl/CVE-2014-3620.patch new file mode 100644 index 0000000000..d11f1908af --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2014-3620.patch
@@ -0,0 +1,69 @@
		1	From fd7ae600adf23a9a1ed619165c5058bdec216e9c Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Tue, 19 Aug 2014 21:11:20 +0200
		4	Subject: [PATCH] cookies: reject incoming cookies set for TLDs
		5
		6	Test 61 was modified to verify this.
		7
		8	CVE-2014-3620
		9
		10	Reported-by: Tim Ruehsen
		11	URL: http://curl.haxx.se/docs/adv_20140910B.html
		12
		13	Upstream-Status: Backport
		14
		15	Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
		16	---
		17	lib/cookie.c \| 6 ++++++
		18	tests/data/test61 \| 1 +
		19	2 files changed, 7 insertions(+)
		20
		21	diff --git a/lib/cookie.c b/lib/cookie.c
		22	index 46904ac..375485f 100644
		23	--- a/lib/cookie.c
		24	+++ b/lib/cookie.c
		25	@@ -461,19 +461,25 @@ Curl_cookie_add(struct SessionHandle *data,
		26	break;
		27	}
		28	}
		29	else if(Curl_raw_equal("domain", name)) {
		30	bool is_ip;
		31	+ const char *dotp;
		32
		33	/* Now, we make sure that our host is within the given domain,
		34	or the given domain is not valid and thus cannot be set. */
		35
		36	if('.' == whatptr[0])
		37	whatptr++; /* ignore preceding dot */
		38
		39	is_ip = isip(domain ? domain : whatptr);
		40
		41	+ /* check for more dots */
		42	+ dotp = strchr(whatptr, '.');
		43	+ if(!dotp)
		44	+ domain=":";
		45	+
		46	if(!domain
		47	\|\| (is_ip && !strcmp(whatptr, domain))
		48	\|\| (!is_ip && tailmatch(whatptr, domain))) {
		49	strstore(&co->domain, whatptr);
		50	if(!co->domain) {
		51	diff --git a/tests/data/test61 b/tests/data/test61
		52	index d2de279..e6dbbb9 100644
		53	--- a/tests/data/test61
		54	+++ b/tests/data/test61
		55	@@ -21,10 +21,11 @@ Set-Cookie: test=yes; httponly; domain=foo.com; expires=Fri Feb 2 11:56:27 GMT 2
		56	SET-COOKIE: test2=yes; domain=host.foo.com; expires=Fri Feb 2 11:56:27 GMT 2035
		57	Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure
		58	Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure
		59	Set-Cookie: test5=name; domain=anything.com; path=/ ; secure
		60	Set-Cookie: fake=fooledyou; domain=..com; path=/;
		61	+Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M
		62	Content-Length: 4
		63
		64	boo
		65	</data>
		66	</reply>
		67	--
		68	2.1.0
		69


diff --git a/meta/recipes-support/curl/curl_7.35.0.bb b/meta/recipes-support/curl/curl_7.35.0.bb index 97f5ee38b5..3021dec11f 100644 --- a/meta/recipes-support/curl/curl_7.35.0.bb +++ b/meta/recipes-support/curl/curl_7.35.0.bb
@@ -12,6 +12,7 @@ DEPENDS_class-nativesdk = "nativesdk-zlib"
12	SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \	12	SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
13	file://pkgconfig_fix.patch \	13	file://pkgconfig_fix.patch \
14	file://CVE-2014-3613.patch \	14	file://CVE-2014-3613.patch \
		15	file://CVE-2014-3620.patch \
15	"	16	"
16		17
17	# curl likes to set -g0 in CFLAGS, so we stop it	18	# curl likes to set -g0 in CFLAGS, so we stop it