summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2019-09-13 16:14:16 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-09-30 16:44:42 +0100
commit1b9559de4b3d034e11debe57bfe595328e8ceff3 (patch)
tree4959ea9afd730e92e97e69b605ae906b30400bfc
parentc6720451a8d0cb672d8fe36a34b5283787edac55 (diff)
downloadpoky-1b9559de4b3d034e11debe57bfe595328e8ceff3.tar.gz
Curl: Security fix for CVE-2019-5482
Source: curl.org MR: 99905 Type: Security Fix Disposition: Backport from https://github.com/curl/curl/commit/facb0e4662415b5f28163e853dc6742ac5fafb3d ChangeID: e0c807da8937f687a4b2e28eaa6b4b5a51845bc5 Description: Fixes CVE-2019-5482 - Affected versions: libcurl >= 7.19.4 to and including 7.65.3 - Not affected versions: libcurl < 7.19.4 (From OE-Core rev: d2e5558133f970a8a196c545dd00af9315c1a06a) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-support/curl/curl/CVE-2019-5482.patch65
-rw-r--r--meta/recipes-support/curl/curl_7.64.1.bb1
2 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2019-5482.patch b/meta/recipes-support/curl/curl/CVE-2019-5482.patch
new file mode 100644
index 0000000000..30122d1ae9
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2019-5482.patch
@@ -0,0 +1,65 @@
1From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
2From: Thomas Vegas <>
3Date: Sat, 31 Aug 2019 17:30:51 +0200
4Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
5 received
6
7Fixes potential buffer overflow from 'recvfrom()', should the server
8return an OACK without blksize.
9
10Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
11CVE-2019-5482
12
13Upstream-Status: Backport
14CVE: CVE-2019-5482
15
16Signed-off-by: Armin Kuster <akuster@mvista.com>
17
18---
19 lib/tftp.c | 12 +++++++++---
20 1 file changed, 9 insertions(+), 3 deletions(-)
21
22Index: curl-7.64.1/lib/tftp.c
23===================================================================
24--- curl-7.64.1.orig/lib/tftp.c
25+++ curl-7.64.1/lib/tftp.c
26@@ -973,6 +973,7 @@ static CURLcode tftp_connect(struct conn
27 {
28 tftp_state_data_t *state;
29 int blksize;
30+ int need_blksize;
31
32 blksize = TFTP_BLKSIZE_DEFAULT;
33
34@@ -987,15 +988,20 @@ static CURLcode tftp_connect(struct conn
35 return CURLE_TFTP_ILLEGAL;
36 }
37
38+ need_blksize = blksize;
39+ /* default size is the fallback when no OACK is received */
40+ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
41+ need_blksize = TFTP_BLKSIZE_DEFAULT;
42+
43 if(!state->rpacket.data) {
44- state->rpacket.data = calloc(1, blksize + 2 + 2);
45+ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
46
47 if(!state->rpacket.data)
48 return CURLE_OUT_OF_MEMORY;
49 }
50
51 if(!state->spacket.data) {
52- state->spacket.data = calloc(1, blksize + 2 + 2);
53+ state->spacket.data = calloc(1, need_blksize + 2 + 2);
54
55 if(!state->spacket.data)
56 return CURLE_OUT_OF_MEMORY;
57@@ -1009,7 +1015,7 @@ static CURLcode tftp_connect(struct conn
58 state->sockfd = state->conn->sock[FIRSTSOCKET];
59 state->state = TFTP_STATE_START;
60 state->error = TFTP_ERR_NONE;
61- state->blksize = blksize;
62+ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
63 state->requested_blksize = blksize;
64
65 ((struct sockaddr *)&state->local_addr)->sa_family =
diff --git a/meta/recipes-support/curl/curl_7.64.1.bb b/meta/recipes-support/curl/curl_7.64.1.bb
index 00c8c5a826..151d74a236 100644
--- a/meta/recipes-support/curl/curl_7.64.1.bb
+++ b/meta/recipes-support/curl/curl_7.64.1.bb
@@ -9,6 +9,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
9 file://0001-replace-krb5-config-with-pkg-config.patch \ 9 file://0001-replace-krb5-config-with-pkg-config.patch \
10 file://CVE-2019-5435.patch \ 10 file://CVE-2019-5435.patch \
11 file://CVE-2019-5436.patch \ 11 file://CVE-2019-5436.patch \
12 file://CVE-2019-5482.patch \
12" 13"
13 14
14SRC_URI[md5sum] = "790c101927845208a9d7e8c429ddd1b2" 15SRC_URI[md5sum] = "790c101927845208a9d7e8c429ddd1b2"