diff options
| author | Archana Polampalli <archana.polampalli@windriver.com> | 2023-10-13 09:20:56 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-11-01 05:01:25 -1000 |
| commit | 715fc203c2c5694e06d3725428f24e73b58fe774 (patch) | |
| tree | c9e0b949b917884b1eae4aa8be49d8e9fdc40b07 | |
| parent | e9a74270774d1cfe8997ded4542558adbc5f4bad (diff) | |
| download | poky-715fc203c2c5694e06d3725428f24e73b58fe774.tar.gz | |
curl: fix CVE-2023-38546
A flaw was found in the Curl package. This flaw allows an attacker to insert
cookies into a running program using libcurl if the specific series of conditions are met.
(From OE-Core rev: 9c0c09b81594979aafd74511366316419d23046e)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-support/curl/curl/CVE-2023-38546.patch | 137 | ||||
| -rw-r--r-- | meta/recipes-support/curl/curl_7.82.0.bb | 1 |
2 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-38546.patch b/meta/recipes-support/curl/curl/CVE-2023-38546.patch new file mode 100644 index 0000000000..1b2f1e7a7d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-38546.patch | |||
| @@ -0,0 +1,137 @@ | |||
| 1 | From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Stenberg <daniel@haxx.se> | ||
| 3 | Date: Thu, 14 Sep 2023 23:28:32 +0200 | ||
| 4 | Subject: [PATCH] cookie: remove unnecessary struct fields | ||
| 5 | |||
| 6 | Plus: reduce the hash table size from 256 to 63. It seems unlikely to | ||
| 7 | make much of a speed difference for most use cases but saves 1.5KB of | ||
| 8 | data per instance. | ||
| 9 | |||
| 10 | Closes #11862 | ||
| 11 | |||
| 12 | Upstream-Status: Backport [https://github.com/curl/curl/commit/61275672b46d9abb32857404] | ||
| 13 | |||
| 14 | CVE: CVE-2023-38546 | ||
| 15 | |||
| 16 | Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> | ||
| 17 | --- | ||
| 18 | lib/cookie.c | 13 +------------ | ||
| 19 | lib/cookie.h | 13 ++++--------- | ||
| 20 | lib/easy.c | 4 +--- | ||
| 21 | 3 files changed, 6 insertions(+), 24 deletions(-) | ||
| 22 | |||
| 23 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
| 24 | index e0470a1..38d8d6c 100644 | ||
| 25 | --- a/lib/cookie.c | ||
| 26 | +++ b/lib/cookie.c | ||
| 27 | @@ -115,7 +115,6 @@ static void freecookie(struct Cookie *co) | ||
| 28 | free(co->name); | ||
| 29 | free(co->value); | ||
| 30 | free(co->maxage); | ||
| 31 | - free(co->version); | ||
| 32 | free(co); | ||
| 33 | } | ||
| 34 | |||
| 35 | @@ -707,11 +706,7 @@ Curl_cookie_add(struct Curl_easy *data, | ||
| 36 | } | ||
| 37 | } | ||
| 38 | else if(strcasecompare("version", name)) { | ||
| 39 | - strstore(&co->version, whatptr); | ||
| 40 | - if(!co->version) { | ||
| 41 | - badcookie = TRUE; | ||
| 42 | - break; | ||
| 43 | - } | ||
| 44 | + /* just ignore */ | ||
| 45 | } | ||
| 46 | else if(strcasecompare("max-age", name)) { | ||
| 47 | /* | ||
| 48 | @@ -1132,7 +1127,6 @@ Curl_cookie_add(struct Curl_easy *data, | ||
| 49 | free(clist->path); | ||
| 50 | free(clist->spath); | ||
| 51 | free(clist->expirestr); | ||
| 52 | - free(clist->version); | ||
| 53 | free(clist->maxage); | ||
| 54 | |||
| 55 | *clist = *co; /* then store all the new data */ | ||
| 56 | @@ -1210,9 +1204,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, | ||
| 57 | c = calloc(1, sizeof(struct CookieInfo)); | ||
| 58 | if(!c) | ||
| 59 | return NULL; /* failed to get memory */ | ||
| 60 | - c->filename = strdup(file?file:"none"); /* copy the name just in case */ | ||
| 61 | - if(!c->filename) | ||
| 62 | - goto fail; /* failed to get memory */ | ||
| 63 | /* | ||
| 64 | * Initialize the next_expiration time to signal that we don't have enough | ||
| 65 | * information yet. | ||
| 66 | @@ -1363,7 +1354,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) | ||
| 67 | CLONE(name); | ||
| 68 | CLONE(value); | ||
| 69 | CLONE(maxage); | ||
| 70 | - CLONE(version); | ||
| 71 | d->expires = src->expires; | ||
| 72 | d->tailmatch = src->tailmatch; | ||
| 73 | d->secure = src->secure; | ||
| 74 | @@ -1579,7 +1569,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) | ||
| 75 | { | ||
| 76 | if(c) { | ||
| 77 | unsigned int i; | ||
| 78 | - free(c->filename); | ||
| 79 | for(i = 0; i < COOKIE_HASH_SIZE; i++) | ||
| 80 | Curl_cookie_freelist(c->cookies[i]); | ||
| 81 | free(c); /* free the base struct as well */ | ||
| 82 | diff --git a/lib/cookie.h b/lib/cookie.h | ||
| 83 | index 7411980..645600a 100644 | ||
| 84 | --- a/lib/cookie.h | ||
| 85 | +++ b/lib/cookie.h | ||
| 86 | @@ -34,11 +34,7 @@ struct Cookie { | ||
| 87 | char *domain; /* domain = <this> */ | ||
| 88 | curl_off_t expires; /* expires = <this> */ | ||
| 89 | char *expirestr; /* the plain text version */ | ||
| 90 | - | ||
| 91 | - /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ | ||
| 92 | - char *version; /* Version = <value> */ | ||
| 93 | char *maxage; /* Max-Age = <value> */ | ||
| 94 | - | ||
| 95 | bool tailmatch; /* whether we do tail-matching of the domain name */ | ||
| 96 | bool secure; /* whether the 'secure' keyword was used */ | ||
| 97 | bool livecookie; /* updated from a server, not a stored file */ | ||
| 98 | @@ -54,18 +50,17 @@ struct Cookie { | ||
| 99 | #define COOKIE_PREFIX__SECURE (1<<0) | ||
| 100 | #define COOKIE_PREFIX__HOST (1<<1) | ||
| 101 | |||
| 102 | -#define COOKIE_HASH_SIZE 256 | ||
| 103 | +#define COOKIE_HASH_SIZE 63 | ||
| 104 | |||
| 105 | struct CookieInfo { | ||
| 106 | /* linked list of cookies we know of */ | ||
| 107 | struct Cookie *cookies[COOKIE_HASH_SIZE]; | ||
| 108 | |||
| 109 | - char *filename; /* file we read from/write to */ | ||
| 110 | - long numcookies; /* number of cookies in the "jar" */ | ||
| 111 | + curl_off_t next_expiration; /* the next time at which expiration happens */ | ||
| 112 | + int numcookies; /* number of cookies in the "jar" */ | ||
| 113 | + int lastct; /* last creation-time used in the jar */ | ||
| 114 | bool running; /* state info, for cookie adding information */ | ||
| 115 | bool newsession; /* new session, discard session cookies on load */ | ||
| 116 | - int lastct; /* last creation-time used in the jar */ | ||
| 117 | - curl_off_t next_expiration; /* the next time at which expiration happens */ | ||
| 118 | }; | ||
| 119 | |||
| 120 | /* This is the maximum line length we accept for a cookie line. RFC 2109 | ||
| 121 | diff --git a/lib/easy.c b/lib/easy.c | ||
| 122 | index 0e23561..31abf9e 100644 | ||
| 123 | --- a/lib/easy.c | ||
| 124 | +++ b/lib/easy.c | ||
| 125 | @@ -841,9 +841,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) | ||
| 126 | if(data->cookies) { | ||
| 127 | /* If cookies are enabled in the parent handle, we enable them | ||
| 128 | in the clone as well! */ | ||
| 129 | - outcurl->cookies = Curl_cookie_init(data, | ||
| 130 | - data->cookies->filename, | ||
| 131 | - outcurl->cookies, | ||
| 132 | + outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, | ||
| 133 | data->set.cookiesession); | ||
| 134 | if(!outcurl->cookies) | ||
| 135 | goto fail; | ||
| 136 | -- | ||
| 137 | 2.40.0 | ||
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 86a3a84332..471bc47f34 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb | |||
| @@ -53,6 +53,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ | |||
| 53 | file://CVE-2023-28322-2.patch \ | 53 | file://CVE-2023-28322-2.patch \ |
| 54 | file://CVE-2023-32001.patch \ | 54 | file://CVE-2023-32001.patch \ |
| 55 | file://CVE-2023-38545.patch \ | 55 | file://CVE-2023-38545.patch \ |
| 56 | file://CVE-2023-38546.patch \ | ||
| 56 | " | 57 | " |
| 57 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" | 58 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" |
| 58 | 59 | ||