diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-11-15 10:08:10 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-05-18 13:14:20 +0100 |
commit | ad2cce0f1ecdb8c4f75f32c04d132d0eea076bb5 (patch) | |
tree | 229ad88634025460e67b1613d557295d584d12d4 | |
parent | c96936cfd9a63aa5cd74a05b0494f7ca223e9e5c (diff) | |
download | poky-ad2cce0f1ecdb8c4f75f32c04d132d0eea076bb5.tar.gz |
curl: CVE-2016-8615
cookie injection for other servers
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102A.html
(From OE-Core rev: ba4e218d1e09aaecbdb760a299826c03202a9ba9)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2016-8615.patch | 77 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.47.1.bb | 1 |
2 files changed, 78 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8615.patch b/meta/recipes-support/curl/curl/CVE-2016-8615.patch new file mode 100644 index 0000000000..5faa423a2a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-8615.patch | |||
@@ -0,0 +1,77 @@ | |||
1 | From 1620f552a277ed5b23a48b9c27dbf07663cac068 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 27 Sep 2016 17:36:19 +0200 | ||
4 | Subject: [PATCH] cookie: replace use of fgets() with custom version | ||
5 | |||
6 | ... that will ignore lines that are too long to fit in the buffer. | ||
7 | |||
8 | CVE: CVE-2016-8615 | ||
9 | Upstream-Status: Backport | ||
10 | |||
11 | Bug: https://curl.haxx.se/docs/adv_20161102A.html | ||
12 | Reported-by: Cure53 | ||
13 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
14 | --- | ||
15 | lib/cookie.c | 31 ++++++++++++++++++++++++++++++- | ||
16 | 1 file changed, 30 insertions(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
19 | index 0f05da2..e5097d3 100644 | ||
20 | --- a/lib/cookie.c | ||
21 | +++ b/lib/cookie.c | ||
22 | @@ -901,10 +901,39 @@ Curl_cookie_add(struct Curl_easy *data, | ||
23 | } | ||
24 | |||
25 | return co; | ||
26 | } | ||
27 | |||
28 | +/* | ||
29 | + * get_line() makes sure to only return complete whole lines that fit in 'len' | ||
30 | + * bytes and end with a newline. | ||
31 | + */ | ||
32 | +static char *get_line(char *buf, int len, FILE *input) | ||
33 | +{ | ||
34 | + bool partial = FALSE; | ||
35 | + while(1) { | ||
36 | + char *b = fgets(buf, len, input); | ||
37 | + if(b) { | ||
38 | + size_t rlen = strlen(b); | ||
39 | + if(rlen && (b[rlen-1] == '\n')) { | ||
40 | + if(partial) { | ||
41 | + partial = FALSE; | ||
42 | + continue; | ||
43 | + } | ||
44 | + return b; | ||
45 | + } | ||
46 | + else | ||
47 | + /* read a partial, discard the next piece that ends with newline */ | ||
48 | + partial = TRUE; | ||
49 | + } | ||
50 | + else | ||
51 | + break; | ||
52 | + } | ||
53 | + return NULL; | ||
54 | +} | ||
55 | + | ||
56 | + | ||
57 | /***************************************************************************** | ||
58 | * | ||
59 | * Curl_cookie_init() | ||
60 | * | ||
61 | * Inits a cookie struct to read data from a local file. This is always | ||
62 | @@ -957,11 +986,11 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, | ||
63 | bool headerline; | ||
64 | |||
65 | line = malloc(MAX_COOKIE_LINE); | ||
66 | if(!line) | ||
67 | goto fail; | ||
68 | - while(fgets(line, MAX_COOKIE_LINE, fp)) { | ||
69 | + while(get_line(line, MAX_COOKIE_LINE, fp)) { | ||
70 | if(checkprefix("Set-Cookie:", line)) { | ||
71 | /* This is a cookie line, get it! */ | ||
72 | lineptr=&line[11]; | ||
73 | headerline=TRUE; | ||
74 | } | ||
75 | -- | ||
76 | 2.9.3 | ||
77 | |||
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb index 3670a11178..1f2758c9c5 100644 --- a/meta/recipes-support/curl/curl_7.47.1.bb +++ b/meta/recipes-support/curl/curl_7.47.1.bb | |||
@@ -15,6 +15,7 @@ SRC_URI += " file://configure_ac.patch \ | |||
15 | file://CVE-2016-5420.patch \ | 15 | file://CVE-2016-5420.patch \ |
16 | file://CVE-2016-5421.patch \ | 16 | file://CVE-2016-5421.patch \ |
17 | file://CVE-2016-7141.patch \ | 17 | file://CVE-2016-7141.patch \ |
18 | file://CVE-2016-8615.patch \ | ||
18 | " | 19 | " |
19 | 20 | ||
20 | SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb" | 21 | SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb" |