curl: Security fix for CVE-2019-5482

(From OE-Core rev: 57d30f26c3dbba720079e98d429dfcb53d527d54) Signed-off-by: Muminul Islam <muislam@microsoft.com> [Fixup for thud context] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Muminul Islam <muislam@microsoft.com> 2019-10-13 09:10:35 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-15 15:54:01 +0100
commit: ebf1cc65a96ba01edccb56f0a50235dedfca8478 (patch)
tree: ce40e0ba2b959f80e3a3b982e2baa9a8964dbb34
parent: 507434199d6ba699045692cef441931fa384b6dc (diff)
download: poky-ebf1cc65a96ba01edccb56f0a50235dedfca8478.tar.gz
2 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2019-5482.patch b/meta/recipes-support/curl/curl/CVE-2019-5482.patch
new file mode 100644
index 0000000000..91b186699d
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2019-5482.patch
@@ -0,0 +1,68 @@
+From 38319e0717844c32464a6c7630de9be226f1c6f4 Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
+ received
+Reply-To: muislam@microsoft.com
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+CVE: CVE-2019-5482
+Upstream-Status: Backport
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 064eef318..2c148e3e1 100644
+--- a/lib/tftp.c
+++ b/lib/tftp.c
+@@ -969,6 +969,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ {
+   tftp_state_data_t *state;
+   int blksize;
+  int need_blksize;
+ 
+   blksize = TFTP_BLKSIZE_DEFAULT;
+ 
+@@ -983,15 +984,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+       return CURLE_TFTP_ILLEGAL;
+   }
+ 
+  need_blksize = blksize;
+  /* default size is the fallback when no OACK is received */
+  if(need_blksize < TFTP_BLKSIZE_DEFAULT)
+    need_blksize = TFTP_BLKSIZE_DEFAULT;
+
+   if(!state->rpacket.data) {
+-    state->rpacket.data = calloc(1, blksize + 2 + 2);
+    state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+     if(!state->rpacket.data)
+       return CURLE_OUT_OF_MEMORY;
+   }
+ 
+   if(!state->spacket.data) {
+-    state->spacket.data = calloc(1, blksize + 2 + 2);
+    state->spacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+     if(!state->spacket.data)
+       return CURLE_OUT_OF_MEMORY;
+@@ -1005,7 +1011,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+   state->sockfd = state->conn->sock[FIRSTSOCKET];
+   state->state = TFTP_STATE_START;
+   state->error = TFTP_ERR_NONE;
+-  state->blksize = blksize;
+  state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
+   state->requested_blksize = blksize;
+ 
+   ((struct sockaddr *)&state->local_addr)->sa_family =
+-- 
+2.23.0
diff --git a/meta/recipes-support/curl/curl_7.61.0.bb b/meta/recipes-support/curl/curl_7.61.0.bb
index c1e4342df5..cd880f9e22 100644
--- a/meta/recipes-support/curl/curl_7.61.0.bb
+++ b/meta/recipes-support/curl/curl_7.61.0.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://CVE-2018-16890.patch \
           file://CVE-2019-3822.patch \
           file://CVE-2019-3823.patch \
+           file://CVE-2019-5482.patch \
 "
 SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a"
author	Muminul Islam <muislam@microsoft.com>	2019-10-13 09:10:35 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-15 15:54:01 +0100
commit	ebf1cc65a96ba01edccb56f0a50235dedfca8478 (patch)
tree	ce40e0ba2b959f80e3a3b982e2baa9a8964dbb34
parent	507434199d6ba699045692cef441931fa384b6dc (diff)
download	poky-ebf1cc65a96ba01edccb56f0a50235dedfca8478.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2019-5482.patch b/meta/recipes-support/curl/curl/CVE-2019-5482.patch new file mode 100644 index 0000000000..91b186699d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2019-5482.patch
@@ -0,0 +1,68 @@
		1	From 38319e0717844c32464a6c7630de9be226f1c6f4 Mon Sep 17 00:00:00 2001
		2	From: Thomas Vegas <>
		3	Date: Sat, 31 Aug 2019 17:30:51 +0200
		4	Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
		5	received
		6	Reply-To: muislam@microsoft.com
		7
		8	Fixes potential buffer overflow from 'recvfrom()', should the server
		9	return an OACK without blksize.
		10
		11	Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
		12
		13	CVE: CVE-2019-5482
		14
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Muminul Islam <muislam@microsoft.com>
		18	---
		19	lib/tftp.c \| 12 +++++++++---
		20	1 file changed, 9 insertions(+), 3 deletions(-)
		21
		22	diff --git a/lib/tftp.c b/lib/tftp.c
		23	index 064eef318..2c148e3e1 100644
		24	--- a/lib/tftp.c
		25	+++ b/lib/tftp.c
		26	@@ -969,6 +969,7 @@ static CURLcode tftp_connect(struct connectdata conn, bool done)
		27	{
		28	tftp_state_data_t *state;
		29	int blksize;
		30	+ int need_blksize;
		31
		32	blksize = TFTP_BLKSIZE_DEFAULT;
		33
		34	@@ -983,15 +984,20 @@ static CURLcode tftp_connect(struct connectdata conn, bool done)
		35	return CURLE_TFTP_ILLEGAL;
		36	}
		37
		38	+ need_blksize = blksize;
		39	+ /* default size is the fallback when no OACK is received */
		40	+ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
		41	+ need_blksize = TFTP_BLKSIZE_DEFAULT;
		42	+
		43	if(!state->rpacket.data) {
		44	- state->rpacket.data = calloc(1, blksize + 2 + 2);
		45	+ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
		46
		47	if(!state->rpacket.data)
		48	return CURLE_OUT_OF_MEMORY;
		49	}
		50
		51	if(!state->spacket.data) {
		52	- state->spacket.data = calloc(1, blksize + 2 + 2);
		53	+ state->spacket.data = calloc(1, need_blksize + 2 + 2);
		54
		55	if(!state->spacket.data)
		56	return CURLE_OUT_OF_MEMORY;
		57	@@ -1005,7 +1011,7 @@ static CURLcode tftp_connect(struct connectdata conn, bool done)
		58	state->sockfd = state->conn->sock[FIRSTSOCKET];
		59	state->state = TFTP_STATE_START;
		60	state->error = TFTP_ERR_NONE;
		61	- state->blksize = blksize;
		62	+ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
		63	state->requested_blksize = blksize;
		64
		65	((struct sockaddr *)&state->local_addr)->sa_family =
		66	--
		67	2.23.0
		68


diff --git a/meta/recipes-support/curl/curl_7.61.0.bb b/meta/recipes-support/curl/curl_7.61.0.bb index c1e4342df5..cd880f9e22 100644 --- a/meta/recipes-support/curl/curl_7.61.0.bb +++ b/meta/recipes-support/curl/curl_7.61.0.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
16	file://CVE-2018-16890.patch \	16	file://CVE-2018-16890.patch \
17	file://CVE-2019-3822.patch \	17	file://CVE-2019-3822.patch \
18	file://CVE-2019-3823.patch \	18	file://CVE-2019-3823.patch \
		19	file://CVE-2019-5482.patch \
19	"	20	"
20		21
21	SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a"	22	SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a"