authorTudor Florea <tudor.florea@enea.com>2015-07-06 22:23:37 (GMT)
committerTudor Florea <tudor.florea@enea.com>2015-07-06 22:23:37 (GMT)
commit9631f6b1399b24433ef577e9f87c0320700f3460 (patch)
tree7165ac8cc44587788de6b818c2b8ffbfe97465a6
parent35272ed55c848a63c2468b7ea1f0ddce64b4bd73 (diff)
downloadpoky-9631f6b1399b24433ef577e9f87c0320700f3460.tar.gz
curl: Security Advisory - curl - CVE-2014-3620
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply more broadly than cookies are allowed to. This can allow arbitrary sites to set cookies that would then be sent to a different and unrelated site or domain. (From OE-Core rev: ddbaade8afbc9767583728bfdc220639203d6853) (From OE-Core rev: 13bb2ee98cfd159455e459501dda280a78cb5a3b) Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-support/curl/curl/CVE-2014-3620.patch69
-rw-r--r--meta/recipes-support/curl/curl_7.35.0.bb1
2 files changed, 70 insertions, 0 deletions
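diff --git a/meta/recipes-support/curl/curl/CVE-2014-3620.patch b/meta/recipes-support/curl/curl/CVE-2014-3620.patch
new file mode 100644
index 0000000..d11f190
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2014-3620.patch
@@ -0,0 +1,69 @@
+From fd7ae600adf23a9a1ed619165c5058bdec216e9c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 19 Aug 2014 21:11:20 +0200
+Subject: [PATCH] cookies: reject incoming cookies set for TLDs
+
+Test 61 was modified to verify this.
+
+CVE-2014-3620
+
+Reported-by: Tim Ruehsen
+URL: http://curl.haxx.se/docs/adv_20140910B.html
+
+Upstream-Status: Backport
+
+Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
+---
+ lib/cookie.c | 6 ++++++
+ tests/data/test61 | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 46904ac..375485f 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -461,19 +461,25 @@ Curl_cookie_add(struct SessionHandle *data,
+ break;
+ }
+ }
+ else if(Curl_raw_equal("domain", name)) {
+ bool is_ip;
++ const char *dotp;
+
+ /* Now, we make sure that our host is within the given domain,
+ or the given domain is not valid and thus cannot be set. */
+
+ if('.' == whatptr[0])
+ whatptr++; /* ignore preceding dot */
+
+ is_ip = isip(domain ? domain : whatptr);
+
++ /* check for more dots */
++ dotp = strchr(whatptr, '.');
++ if(!dotp)
++ domain=":";
++
+ if(!domain
+ || (is_ip && !strcmp(whatptr, domain))
+ || (!is_ip && tailmatch(whatptr, domain))) {
+ strstore(&co->domain, whatptr);
+ if(!co->domain) {
+diff --git a/tests/data/test61 b/tests/data/test61
+index d2de279..e6dbbb9 100644
+--- a/tests/data/test61
++++ b/tests/data/test61
+@@ -21,10 +21,11 @@ Set-Cookie: test=yes; httponly; domain=foo.com; expires=Fri Feb 2 11:56:27 GMT 2
+ SET-COOKIE: test2=yes; domain=host.foo.com; expires=Fri Feb 2 11:56:27 GMT 2035
+ Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure
+ Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure
+ Set-Cookie: test5=name; domain=anything.com; path=/ ; secure
+ Set-Cookie: fake=fooledyou; domain=..com; path=/;
++Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M
+ Content-Length: 4
+
+ boo
+ </data>
+ </reply>
+--
+2.1.0
+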
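Review bot: The added `if(!dotp) domain=":";` in the lib/cookie.c hunk rejects a dotless `domain=` value by overwriting the `domain` argument with a string that can never match a host, and nothing in the hunk explains that; a comment such as `/* no dot left: TLD or single-label name; ":" never matches a host, so the check below fails */` would make the sentinel readable. The test is only a dot count, so a multi-label public suffix (for example `co.uk`) still reaches `tailmatch()` and is presumably accepted for hosts beneath it; closing that gap needs a public-suffix lookup rather than `strchr()`. The same test also turns away single-label host names such as `localhost` even when they equal the request host, which is worth confirming as intended for the images built from this recipe. `Curl_cookie_add()` starts and ends outside the hunk, so how the rejected branch is handled, and whether the overwritten `domain` is read again later, is not visible here.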
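diff --git a/meta/recipes-support/curl/curl_7.35.0.bb b/meta/recipes-support/curl/curl_7.35.0.bb
index 97f5ee3..3021dec 100644
--- a/meta/recipes-support/curl/curl_7.35.0.bb
+++ b/meta/recipes-support/curl/curl_7.35.0.bb
@@ -12,6 +12,7 @@ DEPENDS_class-nativesdk = "nativesdk-zlib"
 SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
  file://pkgconfig_fix.patch \
  file://CVE-2014-3613.patch \
+ file://CVE-2014-3620.patch \
 "
 
 # curl likes to set -g0 in CFLAGS, so we stop it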