summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-11-15 09:08:14 (GMT)
committerSona Sarmadi <sona.sarmadi@enea.com>2017-02-10 11:21:37 (GMT)
commit68e224826ee278d35d01b2bd9678dd52d6352da1 (patch)
treee84a11dfdcf9822dcfbec68eec4645dffc64416e
parente959182ba2941f29882d52c9fa700a83c477a504 (diff)
downloadpoky-68e224826ee278d35d01b2bd9678dd52d6352da1.tar.gz
curl: CVE-2016-8619
double-free in krb5 code Affected versions: curl 7.3 to and including 7.50.3 Reference: https://curl.haxx.se/docs/adv_20161102E.html Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta/recipes-support/curl/curl/CVE-2016-8619.patch52
-rw-r--r--meta/recipes-support/curl/curl_7.47.1.bb1
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8619.patch b/meta/recipes-support/curl/curl/CVE-2016-8619.patch
new file mode 100644
index 0000000..fb21cf6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8619.patch
@@ -0,0 +1,52 @@
1From 91239f7040b1f026d4d15765e7e3f58e92e93761 Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Wed, 28 Sep 2016 12:56:02 +0200
4Subject: [PATCH] krb5: avoid realloc(0)
5
6If the requested size is zero, bail out with error instead of doing a
7realloc() that would cause a double-free: realloc(0) acts as a free()
8and then there's a second free in the cleanup path.
9
10CVE: CVE-2016-8619
11Upstream-Status: Backport
12
13Bug: https://curl.haxx.se/docs/adv_20161102E.html
14Reported-by: Cure53
15Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
16---
17 lib/security.c | 9 ++++++---
18 1 file changed, 6 insertions(+), 3 deletions(-)
19
20diff --git a/lib/security.c b/lib/security.c
21index a268d4a..4cef8f8 100644
22--- a/lib/security.c
23+++ b/lib/security.c
24@@ -190,19 +190,22 @@ socket_write(struct connectdata *conn, curl_socket_t fd, const void *to,
25 static CURLcode read_data(struct connectdata *conn,
26 curl_socket_t fd,
27 struct krb5buffer *buf)
28 {
29 int len;
30- void* tmp;
31+ void *tmp = NULL;
32 CURLcode result;
33
34 result = socket_read(fd, &len, sizeof(len));
35 if(result)
36 return result;
37
38- len = ntohl(len);
39- tmp = realloc(buf->data, len);
40+ if(len) {
41+ /* only realloc if there was a length */
42+ len = ntohl(len);
43+ tmp = realloc(buf->data, len);
44+ }
45 if(tmp == NULL)
46 return CURLE_OUT_OF_MEMORY;
47
48 buf->data = tmp;
49 result = socket_read(fd, buf->data, len);
50--
512.9.3
52
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb
index 27a999e..9ef5718 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -19,6 +19,7 @@ SRC_URI += " file://configure_ac.patch \
19 file://CVE-2016-8616.patch \ 19 file://CVE-2016-8616.patch \
20 file://CVE-2016-8617.patch \ 20 file://CVE-2016-8617.patch \
21 file://CVE-2016-8618.patch \ 21 file://CVE-2016-8618.patch \
22 file://CVE-2016-8619.patch \
22 " 23 "
23 24
24SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb" 25SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"