curl: fix CVE-2019-15601

(From OE-Core rev: 30f4f40c4c92b000fa3356fae0504da233b0f601) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2020-02-05 12:12:43 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-02-11 23:05:12 +0000
commit: d447876b4f68e9b3fd3b389dfc403ed831290a54 (patch)
tree: 43786eb64b215a02e75238ac0ce753d3420e48a1
parent: 5865fb9194c5c22721a67b3aae229219880f4146 (diff)
download: poky-d447876b4f68e9b3fd3b389dfc403ed831290a54.tar.gz
2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2019-15601.patch b/meta/recipes-support/curl/curl/CVE-2019-15601.patch
new file mode 100644
index 0000000000..7bfaae7b21
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2019-15601.patch
@@ -0,0 +1,46 @@
+Upstream-Status: Backport [https://github.com/curl/curl/commit/1b71bc532bde8621fd3260843f8197182a467ff2]
+CVE: CVE-2019-15601
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+From 1b71bc532bde8621fd3260843f8197182a467ff2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 7 Nov 2019 10:13:01 +0100
+Subject: [PATCH] file: on Windows, refuse paths that start with \\
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+... as that might cause an unexpected SMB connection to a given host
+name.
+Reported-by: Fernando Muñoz
+CVE-2019-15601
+Bug: https://curl.haxx.se/docs/CVE-2019-15601.html
+---
+ lib/file.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/lib/file.c b/lib/file.c
+index d349cd9241..166931d7f1 100644
+--- a/lib/file.c
+++ b/lib/file.c
+@@ -136,7 +136,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
+   struct Curl_easy *data = conn->data;
+   char *real_path;
+   struct FILEPROTO *file = data->req.protop;
+-  int fd;
+  int fd = -1;
+ #ifdef DOS_FILESYSTEM
+   size_t i;
+   char *actual_path;
+@@ -181,7 +181,9 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
+       return CURLE_URL_MALFORMAT;
+     }
+ 
+-  fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
+  if(strncmp("\\\\", actual_path, 2))
+    /* refuse to open path that starts with two backslashes */
+    fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
+   file->path = actual_path;
+ #else
+   if(memchr(real_path, 0, real_path_len)) {
diff --git a/meta/recipes-support/curl/curl_7.66.0.bb b/meta/recipes-support/curl/curl_7.66.0.bb
index d1975f2460..a54e0536e9 100644
--- a/meta/recipes-support/curl/curl_7.66.0.bb
+++ b/meta/recipes-support/curl/curl_7.66.0.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=be5d9e1419c4363f4b32037a2d3b7ffa"
 SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://0001-replace-krb5-config-with-pkg-config.patch \
+           file://CVE-2019-15601.patch \
 "
 SRC_URI[md5sum] = "c238aa394e3aa47ca4fcb0491774149f"
author	Anuj Mittal <anuj.mittal@intel.com>	2020-02-05 12:12:43 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-02-11 23:05:12 +0000
commit	d447876b4f68e9b3fd3b389dfc403ed831290a54 (patch)
tree	43786eb64b215a02e75238ac0ce753d3420e48a1
parent	5865fb9194c5c22721a67b3aae229219880f4146 (diff)
download	poky-d447876b4f68e9b3fd3b389dfc403ed831290a54.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2019-15601.patch b/meta/recipes-support/curl/curl/CVE-2019-15601.patch new file mode 100644 index 0000000000..7bfaae7b21 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2019-15601.patch
@@ -0,0 +1,46 @@
		1	Upstream-Status: Backport [https://github.com/curl/curl/commit/1b71bc532bde8621fd3260843f8197182a467ff2]
		2	CVE: CVE-2019-15601
		3	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		4
		5	From 1b71bc532bde8621fd3260843f8197182a467ff2 Mon Sep 17 00:00:00 2001
		6	From: Daniel Stenberg <daniel@haxx.se>
		7	Date: Thu, 7 Nov 2019 10:13:01 +0100
		8	Subject: [PATCH] file: on Windows, refuse paths that start with \\
		9	MIME-Version: 1.0
		10	Content-Type: text/plain; charset=UTF-8
		11	Content-Transfer-Encoding: 8bit
		12
		13	... as that might cause an unexpected SMB connection to a given host
		14	name.
		15
		16	Reported-by: Fernando Muñoz
		17	CVE-2019-15601
		18	Bug: https://curl.haxx.se/docs/CVE-2019-15601.html
		19	---
		20	lib/file.c \| 6 ++++--
		21	1 file changed, 4 insertions(+), 2 deletions(-)
		22
		23	diff --git a/lib/file.c b/lib/file.c
		24	index d349cd9241..166931d7f1 100644
		25	--- a/lib/file.c
		26	+++ b/lib/file.c
		27	@@ -136,7 +136,7 @@ static CURLcode file_connect(struct connectdata conn, bool done)
		28	struct Curl_easy *data = conn->data;
		29	char *real_path;
		30	struct FILEPROTO *file = data->req.protop;
		31	- int fd;
		32	+ int fd = -1;
		33	#ifdef DOS_FILESYSTEM
		34	size_t i;
		35	char *actual_path;
		36	@@ -181,7 +181,9 @@ static CURLcode file_connect(struct connectdata conn, bool done)
		37	return CURLE_URL_MALFORMAT;
		38	}
		39
		40	- fd = open_readonly(actual_path, O_RDONLY\|O_BINARY);
		41	+ if(strncmp("\\\\", actual_path, 2))
		42	+ /* refuse to open path that starts with two backslashes */
		43	+ fd = open_readonly(actual_path, O_RDONLY\|O_BINARY);
		44	file->path = actual_path;
		45	#else
		46	if(memchr(real_path, 0, real_path_len)) {


diff --git a/meta/recipes-support/curl/curl_7.66.0.bb b/meta/recipes-support/curl/curl_7.66.0.bb index d1975f2460..a54e0536e9 100644 --- a/meta/recipes-support/curl/curl_7.66.0.bb +++ b/meta/recipes-support/curl/curl_7.66.0.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=be5d9e1419c4363f4b32037a2d3b7ffa"
7		7
8	SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \	8	SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
9	file://0001-replace-krb5-config-with-pkg-config.patch \	9	file://0001-replace-krb5-config-with-pkg-config.patch \
		10	file://CVE-2019-15601.patch \
10	"	11	"
11		12
12	SRC_URI[md5sum] = "c238aa394e3aa47ca4fcb0491774149f"	13	SRC_URI[md5sum] = "c238aa394e3aa47ca4fcb0491774149f"