authorSona Sarmadi <sona.sarmadi@enea.com>2016-11-15 10:08:19 +0100
committerSona Sarmadi <sona.sarmadi@enea.com>2017-02-10 12:21:37 +0100
commit848ec2723a569c847f61f50e677f9a38ed03552a (patch)
tree97b836799de2650ed35dfcdcc2377df1d99b222a
parent102d84d61fdbce2d91e4d300f75c593d0a16d74f (diff)
downloadpoky-848ec2723a569c847f61f50e677f9a38ed03552a.tar.gz
curl: CVE-2016-8624
invalid URL parsing with '#' Affected versions: curl 7.1 to and including 7.50.3 Reference: https://curl.haxx.se/docs/adv_20161102J.html Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta/recipes-support/curl/curl/CVE-2016-8624.patch51
-rw-r--r--meta/recipes-support/curl/curl_7.47.1.bb1
2 files changed, 52 insertions, 0 deletions
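diff --git a/meta/recipes-support/curl/curl/CVE-2016-8624.patch b/meta/recipes-support/curl/curl/CVE-2016-8624.patch
new file mode 100644
index 0000000000..009f7d0601
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8624.patch
@@ -0,0 +1,51 @@
+From 3bb273db7e40ebc284cff45f3ce3f0475c8339c2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 11 Oct 2016 00:48:35 +0200
+Subject: [PATCH] urlparse: accept '#' as end of host name
+
+'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
+for the '/' document with the rest of the URL being a fragment.
+
+CVE: CVE-2016-8624
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102J.html
+Reported-by: Fernando Muñoz
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff -ruN a/lib/url.c b/lib/url.c
+--- a/lib/url.c 2016-11-07 08:50:23.030126833 +0100
++++ b/lib/url.c 2016-11-07 10:16:13.562089428 +0100
+@@ -4086,7 +4086,7 @@
+ path[0]=0;
+
+ if(2 > sscanf(data->change.url,
+- "%15[^\n:]://%[^\n/?]%[^\n]",
++ "%15[^\n:]://%[^\n/?#]%[^\n]",
+ protobuf,
+ conn->host.name, path)) {
+
+@@ -4094,7 +4094,7 @@
+ * The URL was badly formatted, let's try the browser-style _without_
+ * protocol specified like 'http://'.
+ */
+- rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path);
++ rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path);
+ if(1 > rc) {
+ /*
+ * We couldn't even get this format.
+@@ -4184,10 +4184,10 @@
+ }
+
+ /* If the URL is malformatted (missing a '/' after hostname before path) we
+- * insert a slash here. The only letter except '/' we accept to start a path
+- * is '?'.
++ * insert a slash here. The only letters except '/' that can start a path is
++ * '?' and '#' - as controlled by the two sscanf() patterns above.
+ */
+- if(path[0] == '?') {
++ if(path[0] != '/') {
+ /* We need this function to deal with overlapping memory areas. We know
+ that the memory area 'path' points to is 'urllen' bytes big and that
+ is bigger than the path. Use +1 to move the zero byte too. */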
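Review bot: Neither sscanf() call in the url.c patch says why '#' joins the host-name exclusion set, although the rewritten comment in the third inner hunk points back at "the two sscanf() patterns above" for its own justification. A short comment above the first call would keep the security reason next to the code, for example `/* '#' ends the host name: what follows is a fragment, so "example.com#@127.0.0.1" names example.com */`. The `%[^\n/?#]` and `%[^\n]` conversions carry no field width, so the writes into `conn->host.name` and `path` are bounded only if both buffers are sized from the URL length; that allocation is outside the hunks and is worth confirming against the 7.47.1 tree this backport applies to. The new test `if(path[0] != '/')` also matches an empty path, which is presumably handled before this point, but the enclosing function starts and ends outside the hunks shown.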
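diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb
index 0f8fa3ab6f..3c877e4dc2 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -24,6 +24,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-8621.patch \
  file://CVE-2016-8622.patch \
  file://CVE-2016-8623.patch \
+ file://CVE-2016-8624.patch \
  "
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"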