summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-11-15 09:08:10 (GMT)
committerSona Sarmadi <sona.sarmadi@enea.com>2017-02-10 11:21:36 (GMT)
commitb9d34c10e7ff7222130488c11fdf44b401f254c1 (patch)
tree974de1f204e9cb820182670754b9880feeb08fb8
parent09cf53dfd3dc12d3b2f3743617d18cb1012e8b3f (diff)
downloadpoky-b9d34c10e7ff7222130488c11fdf44b401f254c1.tar.gz
curl: CVE-2016-8615
cookie injection for other servers Affected versions: curl 7.1 to and including 7.50.3 Reference: https://curl.haxx.se/docs/adv_20161102A.html Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta/recipes-support/curl/curl/CVE-2016-8615.patch77
-rw-r--r--meta/recipes-support/curl/curl_7.47.1.bb1
2 files changed, 78 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8615.patch b/meta/recipes-support/curl/curl/CVE-2016-8615.patch
new file mode 100644
index 0000000..5faa423
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8615.patch
@@ -0,0 +1,77 @@
1From 1620f552a277ed5b23a48b9c27dbf07663cac068 Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Tue, 27 Sep 2016 17:36:19 +0200
4Subject: [PATCH] cookie: replace use of fgets() with custom version
5
6... that will ignore lines that are too long to fit in the buffer.
7
8CVE: CVE-2016-8615
9Upstream-Status: Backport
10
11Bug: https://curl.haxx.se/docs/adv_20161102A.html
12Reported-by: Cure53
13Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
14---
15 lib/cookie.c | 31 ++++++++++++++++++++++++++++++-
16 1 file changed, 30 insertions(+), 1 deletion(-)
17
18diff --git a/lib/cookie.c b/lib/cookie.c
19index 0f05da2..e5097d3 100644
20--- a/lib/cookie.c
21+++ b/lib/cookie.c
22@@ -901,10 +901,39 @@ Curl_cookie_add(struct Curl_easy *data,
23 }
24
25 return co;
26 }
27
28+/*
29+ * get_line() makes sure to only return complete whole lines that fit in 'len'
30+ * bytes and end with a newline.
31+ */
32+static char *get_line(char *buf, int len, FILE *input)
33+{
34+ bool partial = FALSE;
35+ while(1) {
36+ char *b = fgets(buf, len, input);
37+ if(b) {
38+ size_t rlen = strlen(b);
39+ if(rlen && (b[rlen-1] == '\n')) {
40+ if(partial) {
41+ partial = FALSE;
42+ continue;
43+ }
44+ return b;
45+ }
46+ else
47+ /* read a partial, discard the next piece that ends with newline */
48+ partial = TRUE;
49+ }
50+ else
51+ break;
52+ }
53+ return NULL;
54+}
55+
56+
57 /*****************************************************************************
58 *
59 * Curl_cookie_init()
60 *
61 * Inits a cookie struct to read data from a local file. This is always
62@@ -957,11 +986,11 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
63 bool headerline;
64
65 line = malloc(MAX_COOKIE_LINE);
66 if(!line)
67 goto fail;
68- while(fgets(line, MAX_COOKIE_LINE, fp)) {
69+ while(get_line(line, MAX_COOKIE_LINE, fp)) {
70 if(checkprefix("Set-Cookie:", line)) {
71 /* This is a cookie line, get it! */
72 lineptr=&line[11];
73 headerline=TRUE;
74 }
75--
762.9.3
77
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb
index 3670a11..1f2758c 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -15,6 +15,7 @@ SRC_URI += " file://configure_ac.patch \
15 file://CVE-2016-5420.patch \ 15 file://CVE-2016-5420.patch \
16 file://CVE-2016-5421.patch \ 16 file://CVE-2016-5421.patch \
17 file://CVE-2016-7141.patch \ 17 file://CVE-2016-7141.patch \
18 file://CVE-2016-8615.patch \
18 " 19 "
19 20
20SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb" 21SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"