authorSona Sarmadi <sona.sarmadi@enea.com>2016-11-15 09:08:18 (GMT)
committerSona Sarmadi <sona.sarmadi@enea.com>2017-02-10 11:21:37 (GMT)
commit102d84d61fdbce2d91e4d300f75c593d0a16d74f (patch)
treec3f92947a24f39e4dce6bd09e2a0a3f460fa70db
parent61ef07eb823a58d9f5f5b84722434ab6c3733230 (diff)
curl: CVE-2016-8623
Use-after-free via shared cookies.
Affected versions: curl 7.10.7 to and including 7.50.3.
Reference: https://curl.haxx.se/docs/adv_20161102I.html

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta/recipes-support/curl/curl/CVE-2016-8623.patch209
-rw-r--r--meta/recipes-support/curl/curl_7.47.1.bb1
2 files changed, 210 insertions, 0 deletions
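diff --git a/meta/recipes-support/curl/curl/CVE-2016-8623.patch b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
new file mode 100644
index 0000000..d9ddef6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
@@ -0,0 +1,209 @@
+From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2016 23:26:13 +0200
+Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies
+
+Previously it only held references to them, which was reckless as the
+thread lock was released so the cookies could get modified by other
+handles that share the same cookie jar over the share interface.
+
+CVE: CVE-2016-8623
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102I.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/cookie.c | 61 +++++++++++++++++++++++++++++++++++++++---------------------
+ lib/cookie.h | 4 ++--
+ lib/http.c | 2 +-
+ 3 files changed, 43 insertions(+), 24 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0f05da2..8607ce3 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -1022,10 +1022,44 @@ static int cookie_sort(const void *p1, const void *p2)
+
+ /* sorry, can't be more deterministic */
+ return 0;
+ }
+
++#define CLONE(field) \
++ do { \
++ if(src->field) { \
++ dup->field = strdup(src->field); \
++ if(!dup->field) \
++ goto fail; \
++ } \
++ } while(0)
++
++static struct Cookie *dup_cookie(struct Cookie *src)
++{
++ struct Cookie *dup = calloc(sizeof(struct Cookie), 1);
++ if(dup) {
++ CLONE(expirestr);
++ CLONE(domain);
++ CLONE(path);
++ CLONE(spath);
++ CLONE(name);
++ CLONE(value);
++ CLONE(maxage);
++ CLONE(version);
++ dup->expires = src->expires;
++ dup->tailmatch = src->tailmatch;
++ dup->secure = src->secure;
++ dup->livecookie = src->livecookie;
++ dup->httponly = src->httponly;
++ }
++ return dup;
++
++ fail:
++ freecookie(dup);
++ return NULL;
++}
++
+ /*****************************************************************************
+ *
+ * Curl_cookie_getlist()
+ *
+ * For a given host and path, return a linked list of cookies that the
+@@ -1077,15 +1111,12 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+ if(!co->spath || pathmatch(co->spath, path) ) {
+
+ /* and now, we know this is a match and we should create an
+ entry for the return-linked-list */
+
+- newco = malloc(sizeof(struct Cookie));
++ newco = dup_cookie(co);
+ if(newco) {
+- /* first, copy the whole source cookie: */
+- memcpy(newco, co, sizeof(struct Cookie));
+-
+ /* then modify our next */
+ newco->next = mainco;
+
+ /* point the main to us */
+ mainco = newco;
+@@ -1093,16 +1124,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+ matches++;
+ }
+ else {
+ fail:
+ /* failure, clear up the allocated chain and return NULL */
+- while(mainco) {
+- co = mainco->next;
+- free(mainco);
+- mainco = co;
+- }
+-
++ Curl_cookie_freelist(mainco);
+ return NULL;
+ }
+ }
+ }
+ }
+@@ -1150,11 +1176,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+ *
+ ****************************************************************************/
+ void Curl_cookie_clearall(struct CookieInfo *cookies)
+ {
+ if(cookies) {
+- Curl_cookie_freelist(cookies->cookies, TRUE);
++ Curl_cookie_freelist(cookies->cookies);
+ cookies->cookies = NULL;
+ cookies->numcookies = 0;
+ }
+ }
+
+@@ -1162,25 +1188,18 @@ void Curl_cookie_clearall(struct CookieInfo *cookies)
+ *
+ * Curl_cookie_freelist()
+ *
+ * Free a list of cookies previously returned by Curl_cookie_getlist();
+ *
+- * The 'cookiestoo' argument tells this function whether to just free the
+- * list or actually also free all cookies within the list as well.
+- *
+ ****************************************************************************/
+
+-void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo)
++void Curl_cookie_freelist(struct Cookie *co)
+ {
+ struct Cookie *next;
+ while(co) {
+ next = co->next;
+- if(cookiestoo)
+- freecookie(co);
+- else
+- free(co); /* we only free the struct since the "members" are all just
+- pointed out in the main cookie list! */
++ freecookie(co);
+ co = next;
+ }
+ }
+
+
+@@ -1231,11 +1250,11 @@ void Curl_cookie_clearsess(struct CookieInfo *cookies)
+ ****************************************************************************/
+ void Curl_cookie_cleanup(struct CookieInfo *c)
+ {
+ if(c) {
+ free(c->filename);
+- Curl_cookie_freelist(c->cookies, TRUE);
++ Curl_cookie_freelist(c->cookies);
+ free(c); /* free the base struct as well */
+ }
+ }
+
+ /* get_netscape_format()
+diff --git a/lib/cookie.h b/lib/cookie.h
+index cd7c54a..a9a4578 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -5,11 +5,11 @@
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+@@ -80,11 +80,11 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data,
+ struct CookieInfo *, bool header, char *lineptr,
+ const char *domain, const char *path);
+
+ struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *,
+ const char *, bool);
+-void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo);
++void Curl_cookie_freelist(struct Cookie *cookies);
+ void Curl_cookie_clearall(struct CookieInfo *cookies);
+ void Curl_cookie_clearsess(struct CookieInfo *cookies);
+
+ #if defined(CURL_DISABLE_HTTP) || defined(CURL_DISABLE_COOKIES)
+ #define Curl_cookie_list(x) NULL
+diff --git a/lib/http.c b/lib/http.c
+index 65c145a..e6e7d37 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2382,11 +2382,11 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
+ break;
+ count++;
+ }
+ co = co->next; /* next cookie please */
+ }
+- Curl_cookie_freelist(store, FALSE); /* free the cookie list */
++ Curl_cookie_freelist(store);
+ }
+ if(addcookies && !result) {
+ if(!count)
+ result = Curl_add_bufferf(req_buffer, "Cookie: ");
+ if(!result) {
+--
+2.9.3
+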
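Review bot: `dup_cookie` copies a fixed list of eight string members and five scalar members, so any `struct Cookie` member not named there is left at calloc's zero in the copy; the struct definition is not part of this patch, so whether the 7.47.1 struct has members beyond these cannot be confirmed from here and should be checked against cookie.h in the backport target. A comment above the function, `/* Field-by-field deep copy: keep in sync with struct Cookie in cookie.h */`, would warn the next person who backports or extends it. Minor: `calloc(sizeof(struct Cookie), 1)` has the nmemb and size arguments swapped relative to the conventional `calloc(1, sizeof(struct Cookie))`; harmless, but easy to misread. The deep copy only closes the race if the copies are taken while the share lock mentioned in the commit message is still held; the lock and unlock around `Curl_cookie_getlist` lie outside the http.c hunk, so that ordering should be verified rather than assumed. `Curl_cookie_getlist` itself starts and ends outside its hunks.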
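diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb
index 4bff34e..0f8fa3a 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -23,6 +23,7 @@ SRC_URI += " file://configure_ac.patch \
 file://CVE-2016-8620.patch \
 file://CVE-2016-8621.patch \
 file://CVE-2016-8622.patch \
+file://CVE-2016-8623.patch \
 "
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"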