diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2024-04-01 17:04:01 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-04-05 07:23:59 -0700 |
commit | 418e54ce5c8ecf0022bb4c7996604039ed7387f2 (patch) | |
tree | e30debccc870d114bdb52390ead4dc7259d31b6f | |
parent | f9653f111864598e3659108ab2692c81f677954b (diff) | |
download | poky-418e54ce5c8ecf0022bb4c7996604039ed7387f2.tar.gz |
curl: backport Debian patch for CVE-2024-2398
import patch from ubuntu to fix
CVE-2024-2398
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Fjammy-security
Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]
(From OE-Core rev: 67026cbb62e166b6a9f5509708531ebe0f36c36d)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2024-2398.patch | 89 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.82.0.bb | 1 |
2 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch b/meta/recipes-support/curl/curl/CVE-2024-2398.patch new file mode 100644 index 0000000000..ea55117f4d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch | |||
@@ -0,0 +1,89 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 | ||
4 | From: Stefan Eissing <stefan@eissing.org> | ||
5 | Date: Wed, 6 Mar 2024 09:36:08 +0100 | ||
6 | Subject: [PATCH] http2: push headers better cleanup | ||
7 | |||
8 | - provide common cleanup method for push headers | ||
9 | |||
10 | Closes #13054 | ||
11 | |||
12 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/jammy-security | ||
13 | Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764] | ||
14 | CVE: CVE-2024-2398 | ||
15 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
16 | --- | ||
17 | lib/http2.c | 34 +++++++++++++++------------------- | ||
18 | 1 file changed, 15 insertions(+), 19 deletions(-) | ||
19 | |||
20 | --- a/lib/http2.c | ||
21 | +++ b/lib/http2.c | ||
22 | @@ -555,6 +555,15 @@ static int set_transfer_url(struct Curl_ | ||
23 | return 0; | ||
24 | } | ||
25 | |||
26 | +static void free_push_headers(struct HTTP *stream) | ||
27 | +{ | ||
28 | + size_t i; | ||
29 | + for(i = 0; i<stream->push_headers_used; i++) | ||
30 | + free(stream->push_headers[i]); | ||
31 | + Curl_safefree(stream->push_headers); | ||
32 | + stream->push_headers_used = 0; | ||
33 | +} | ||
34 | + | ||
35 | static int push_promise(struct Curl_easy *data, | ||
36 | struct connectdata *conn, | ||
37 | const nghttp2_push_promise *frame) | ||
38 | @@ -568,7 +577,6 @@ static int push_promise(struct Curl_easy | ||
39 | struct curl_pushheaders heads; | ||
40 | CURLMcode rc; | ||
41 | struct http_conn *httpc; | ||
42 | - size_t i; | ||
43 | /* clone the parent */ | ||
44 | struct Curl_easy *newhandle = duphandle(data); | ||
45 | if(!newhandle) { | ||
46 | @@ -604,11 +612,7 @@ static int push_promise(struct Curl_easy | ||
47 | Curl_set_in_callback(data, false); | ||
48 | |||
49 | /* free the headers again */ | ||
50 | - for(i = 0; i<stream->push_headers_used; i++) | ||
51 | - free(stream->push_headers[i]); | ||
52 | - free(stream->push_headers); | ||
53 | - stream->push_headers = NULL; | ||
54 | - stream->push_headers_used = 0; | ||
55 | + free_push_headers(stream); | ||
56 | |||
57 | if(rv) { | ||
58 | DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); | ||
59 | @@ -1045,10 +1049,10 @@ static int on_header(nghttp2_session *se | ||
60 | stream->push_headers_alloc) { | ||
61 | char **headp; | ||
62 | stream->push_headers_alloc *= 2; | ||
63 | - headp = Curl_saferealloc(stream->push_headers, | ||
64 | - stream->push_headers_alloc * sizeof(char *)); | ||
65 | + headp = realloc(stream->push_headers, | ||
66 | + stream->push_headers_alloc * sizeof(char *)); | ||
67 | if(!headp) { | ||
68 | - stream->push_headers = NULL; | ||
69 | + free_push_headers(stream); | ||
70 | return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; | ||
71 | } | ||
72 | stream->push_headers = headp; | ||
73 | @@ -1214,15 +1218,7 @@ void Curl_http2_done(struct Curl_easy *d | ||
74 | setup */ | ||
75 | Curl_dyn_free(&http->header_recvbuf); | ||
76 | Curl_dyn_free(&http->trailer_recvbuf); | ||
77 | - if(http->push_headers) { | ||
78 | - /* if they weren't used and then freed before */ | ||
79 | - for(; http->push_headers_used > 0; --http->push_headers_used) { | ||
80 | - free(http->push_headers[http->push_headers_used - 1]); | ||
81 | - } | ||
82 | - free(http->push_headers); | ||
83 | - http->push_headers = NULL; | ||
84 | - } | ||
85 | - | ||
86 | + free_push_headers(http); | ||
87 | if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) || | ||
88 | !httpc->h2) /* not HTTP/2 ? */ | ||
89 | return; | ||
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 383cf415d9..72d8544e08 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb | |||
@@ -57,6 +57,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ | |||
57 | file://CVE-2023-46219-0001.patch \ | 57 | file://CVE-2023-46219-0001.patch \ |
58 | file://CVE-2023-46219-0002.patch \ | 58 | file://CVE-2023-46219-0002.patch \ |
59 | file://CVE-2023-46219-0003.patch \ | 59 | file://CVE-2023-46219-0003.patch \ |
60 | file://CVE-2024-2398.patch \ | ||
60 | " | 61 | " |
61 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" | 62 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" |
62 | 63 | ||