diff options
author | Archana Polampalli <archana.polampalli@windriver.com> | 2023-10-13 09:20:56 +0000 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-11-01 05:01:25 -1000 |
commit | 715fc203c2c5694e06d3725428f24e73b58fe774 (patch) | |
tree | c9e0b949b917884b1eae4aa8be49d8e9fdc40b07 | |
parent | e9a74270774d1cfe8997ded4542558adbc5f4bad (diff) | |
download | poky-715fc203c2c5694e06d3725428f24e73b58fe774.tar.gz |
curl: fix CVE-2023-38546
A flaw was found in the Curl package. This flaw allows an attacker to insert
cookies into a running program using libcurl if the specific series of conditions are met.
(From OE-Core rev: 9c0c09b81594979aafd74511366316419d23046e)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2023-38546.patch | 137 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.82.0.bb | 1 |
2 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-38546.patch b/meta/recipes-support/curl/curl/CVE-2023-38546.patch new file mode 100644 index 0000000000..1b2f1e7a7d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-38546.patch | |||
@@ -0,0 +1,137 @@ | |||
1 | From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 14 Sep 2023 23:28:32 +0200 | ||
4 | Subject: [PATCH] cookie: remove unnecessary struct fields | ||
5 | |||
6 | Plus: reduce the hash table size from 256 to 63. It seems unlikely to | ||
7 | make much of a speed difference for most use cases but saves 1.5KB of | ||
8 | data per instance. | ||
9 | |||
10 | Closes #11862 | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/curl/curl/commit/61275672b46d9abb32857404] | ||
13 | |||
14 | CVE: CVE-2023-38546 | ||
15 | |||
16 | Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> | ||
17 | --- | ||
18 | lib/cookie.c | 13 +------------ | ||
19 | lib/cookie.h | 13 ++++--------- | ||
20 | lib/easy.c | 4 +--- | ||
21 | 3 files changed, 6 insertions(+), 24 deletions(-) | ||
22 | |||
23 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
24 | index e0470a1..38d8d6c 100644 | ||
25 | --- a/lib/cookie.c | ||
26 | +++ b/lib/cookie.c | ||
27 | @@ -115,7 +115,6 @@ static void freecookie(struct Cookie *co) | ||
28 | free(co->name); | ||
29 | free(co->value); | ||
30 | free(co->maxage); | ||
31 | - free(co->version); | ||
32 | free(co); | ||
33 | } | ||
34 | |||
35 | @@ -707,11 +706,7 @@ Curl_cookie_add(struct Curl_easy *data, | ||
36 | } | ||
37 | } | ||
38 | else if(strcasecompare("version", name)) { | ||
39 | - strstore(&co->version, whatptr); | ||
40 | - if(!co->version) { | ||
41 | - badcookie = TRUE; | ||
42 | - break; | ||
43 | - } | ||
44 | + /* just ignore */ | ||
45 | } | ||
46 | else if(strcasecompare("max-age", name)) { | ||
47 | /* | ||
48 | @@ -1132,7 +1127,6 @@ Curl_cookie_add(struct Curl_easy *data, | ||
49 | free(clist->path); | ||
50 | free(clist->spath); | ||
51 | free(clist->expirestr); | ||
52 | - free(clist->version); | ||
53 | free(clist->maxage); | ||
54 | |||
55 | *clist = *co; /* then store all the new data */ | ||
56 | @@ -1210,9 +1204,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, | ||
57 | c = calloc(1, sizeof(struct CookieInfo)); | ||
58 | if(!c) | ||
59 | return NULL; /* failed to get memory */ | ||
60 | - c->filename = strdup(file?file:"none"); /* copy the name just in case */ | ||
61 | - if(!c->filename) | ||
62 | - goto fail; /* failed to get memory */ | ||
63 | /* | ||
64 | * Initialize the next_expiration time to signal that we don't have enough | ||
65 | * information yet. | ||
66 | @@ -1363,7 +1354,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) | ||
67 | CLONE(name); | ||
68 | CLONE(value); | ||
69 | CLONE(maxage); | ||
70 | - CLONE(version); | ||
71 | d->expires = src->expires; | ||
72 | d->tailmatch = src->tailmatch; | ||
73 | d->secure = src->secure; | ||
74 | @@ -1579,7 +1569,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) | ||
75 | { | ||
76 | if(c) { | ||
77 | unsigned int i; | ||
78 | - free(c->filename); | ||
79 | for(i = 0; i < COOKIE_HASH_SIZE; i++) | ||
80 | Curl_cookie_freelist(c->cookies[i]); | ||
81 | free(c); /* free the base struct as well */ | ||
82 | diff --git a/lib/cookie.h b/lib/cookie.h | ||
83 | index 7411980..645600a 100644 | ||
84 | --- a/lib/cookie.h | ||
85 | +++ b/lib/cookie.h | ||
86 | @@ -34,11 +34,7 @@ struct Cookie { | ||
87 | char *domain; /* domain = <this> */ | ||
88 | curl_off_t expires; /* expires = <this> */ | ||
89 | char *expirestr; /* the plain text version */ | ||
90 | - | ||
91 | - /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ | ||
92 | - char *version; /* Version = <value> */ | ||
93 | char *maxage; /* Max-Age = <value> */ | ||
94 | - | ||
95 | bool tailmatch; /* whether we do tail-matching of the domain name */ | ||
96 | bool secure; /* whether the 'secure' keyword was used */ | ||
97 | bool livecookie; /* updated from a server, not a stored file */ | ||
98 | @@ -54,18 +50,17 @@ struct Cookie { | ||
99 | #define COOKIE_PREFIX__SECURE (1<<0) | ||
100 | #define COOKIE_PREFIX__HOST (1<<1) | ||
101 | |||
102 | -#define COOKIE_HASH_SIZE 256 | ||
103 | +#define COOKIE_HASH_SIZE 63 | ||
104 | |||
105 | struct CookieInfo { | ||
106 | /* linked list of cookies we know of */ | ||
107 | struct Cookie *cookies[COOKIE_HASH_SIZE]; | ||
108 | |||
109 | - char *filename; /* file we read from/write to */ | ||
110 | - long numcookies; /* number of cookies in the "jar" */ | ||
111 | + curl_off_t next_expiration; /* the next time at which expiration happens */ | ||
112 | + int numcookies; /* number of cookies in the "jar" */ | ||
113 | + int lastct; /* last creation-time used in the jar */ | ||
114 | bool running; /* state info, for cookie adding information */ | ||
115 | bool newsession; /* new session, discard session cookies on load */ | ||
116 | - int lastct; /* last creation-time used in the jar */ | ||
117 | - curl_off_t next_expiration; /* the next time at which expiration happens */ | ||
118 | }; | ||
119 | |||
120 | /* This is the maximum line length we accept for a cookie line. RFC 2109 | ||
121 | diff --git a/lib/easy.c b/lib/easy.c | ||
122 | index 0e23561..31abf9e 100644 | ||
123 | --- a/lib/easy.c | ||
124 | +++ b/lib/easy.c | ||
125 | @@ -841,9 +841,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) | ||
126 | if(data->cookies) { | ||
127 | /* If cookies are enabled in the parent handle, we enable them | ||
128 | in the clone as well! */ | ||
129 | - outcurl->cookies = Curl_cookie_init(data, | ||
130 | - data->cookies->filename, | ||
131 | - outcurl->cookies, | ||
132 | + outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, | ||
133 | data->set.cookiesession); | ||
134 | if(!outcurl->cookies) | ||
135 | goto fail; | ||
136 | -- | ||
137 | 2.40.0 | ||
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 86a3a84332..471bc47f34 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb | |||
@@ -53,6 +53,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ | |||
53 | file://CVE-2023-28322-2.patch \ | 53 | file://CVE-2023-28322-2.patch \ |
54 | file://CVE-2023-32001.patch \ | 54 | file://CVE-2023-32001.patch \ |
55 | file://CVE-2023-38545.patch \ | 55 | file://CVE-2023-38545.patch \ |
56 | file://CVE-2023-38546.patch \ | ||
56 | " | 57 | " |
57 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" | 58 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" |
58 | 59 | ||