curl: several security fixes

Fixes below listed bugs: 1. CVE-2015-3143 2. CVE-2015-3144 3. CVE-2015-3145 Dropped: 4. CVE-2015-3148 SPNEGO was introduced in 7.39 so this version not affected (From OE-Core rev: e525ef63ed2b4f3a250caf0748637b7f16b34d90) Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Maxin B. John <maxin.john@enea.com> 2015-04-23 15:11:00 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-07-20 20:54:31 +0100
commit: 0c1c0877e83cd893ffe37d9fdeb5317343da631a (patch)
tree: a4cd1c3071afcea5f980b67d4375b146a73d1f94
parent: c930052636b1a5f70434ca19b02554fd0f54747b (diff)
download: poky-0c1c0877e83cd893ffe37d9fdeb5317343da631a.tar.gz
3 files changed, 153 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3143.patch b/meta/recipes-support/curl/curl/CVE-2015-3143.patch
new file mode 100644
index 0000000000..745e9456f3
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3143.patch
@@ -0,0 +1,38 @@
+From d7d1bc8f08eea1a85ab0d794bc1561659462d937 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 13:26:46 +0200
+Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to
+ match
+Upstream-Status: Backport
+CVE-2015-3143
+Bug: http://curl.haxx.se/docs/adv_20150422A.html
+Reported-by: Paras Sethia
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/url.c b/lib/url.c
+index 018bb88..ee3d176 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -3207,11 +3207,11 @@ ConnectionExists(struct SessionHandle *data,
+            strcmp(check->localdev, needle->localdev))
+           continue;
+       }
+ 
+       if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+-         wantNTLMhttp) {
+         (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
+         /* This protocol requires credentials per connection or is HTTP+NTLM,
+            so verify that we're using the same name and password as well */
+         if(!strequal(needle->user, check->user) ||
+            !strequal(needle->passwd, check->passwd)) {
+           /* one of them was different */
+-- 
+2.1.4
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3144.patch b/meta/recipes-support/curl/curl/CVE-2015-3144.patch
new file mode 100644
index 0000000000..ca6d7448a1
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3144.patch
@@ -0,0 +1,45 @@
+From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 23:52:04 +0200
+Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Upstream-Status: Backport
+If a URL is given with a zero-length host name, like in "http://:80" or
+just ":80", `fix_hostname()` will index the host name pointer with a -1
+offset (as it blindly assumes a non-zero length) and both read and
+assign that address.
+CVE-2015-3144
+Bug: http://curl.haxx.se/docs/adv_20150422D.html
+Reported-by: Hanno Böck
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/url.c b/lib/url.c
+index ee3d176..f033dbc 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -3625,11 +3625,11 @@ static void fix_hostname(struct SessionHandle *data,
+ 
+   /* set the name we use to display the host name */
+   host->dispname = host->name;
+ 
+   len = strlen(host->name);
+-  if(host->name[len-1] == '.')
+  if(len && (host->name[len-1] == '.'))
+     /* strip off a single trailing dot if present, primarily for SNI but
+        there's no use for it */
+     host->name[len-1]=0;
+ 
+   if(!is_ASCII_name(host->name)) {
+-- 
+2.1.4
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3145.patch b/meta/recipes-support/curl/curl/CVE-2015-3145.patch
new file mode 100644
index 0000000000..15a998289e
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3145.patch
@@ -0,0 +1,70 @@
+From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 16:37:40 +0200
+Subject: [PATCH] cookie: cookie parser out of boundary memory access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Upstream-Status: Backport
+The internal libcurl function called sanitize_cookie_path() that cleans
+up the path element as given to it from a remote site or when read from
+a file, did not properly validate the input. If given a path that
+consisted of a single double-quote, libcurl would index a newly
+allocated memory area with index -1 and assign a zero to it, thus
+destroying heap memory it wasn't supposed to.
+CVE-2015-3145
+Bug: http://curl.haxx.se/docs/adv_20150422C.html
+Reported-by: Hanno Böck
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/cookie.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0864f6b..0127926 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -223,15 +223,18 @@ static char *sanitize_cookie_path(const char *cookie_path)
+   char *new_path = strdup(cookie_path);
+   if(!new_path)
+     return NULL;
+ 
+   /* some stupid site sends path attribute with '"'. */
+  len = strlen(new_path);
+   if(new_path[0] == '\"') {
+-    memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
+    memmove((void *)new_path, (const void *)(new_path + 1), len);
+    len--;
+   }
+-  if(new_path[strlen(new_path) - 1] == '\"') {
+-    new_path[strlen(new_path) - 1] = 0x0;
+  if(len && (new_path[len - 1] == '\"')) {
+    new_path[len - 1] = 0x0;
+    len--;
+   }
+ 
+   /* RFC6265 5.2.4 The Path Attribute */
+   if(new_path[0] != '/') {
+     /* Let cookie-path be the default-path. */
+@@ -239,12 +242,11 @@ static char *sanitize_cookie_path(const char *cookie_path)
+     new_path = strdup("/");
+     return new_path;
+   }
+ 
+   /* convert /hoge/ to /hoge */
+-  len = strlen(new_path);
+-  if(1 < len && new_path[len - 1] == '/') {
+  if(len && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
+ 
+   return new_path;
+ }
+-- 
+2.1.4
author	Maxin B. John <maxin.john@enea.com>	2015-04-23 15:11:00 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-07-20 20:54:31 +0100
commit	0c1c0877e83cd893ffe37d9fdeb5317343da631a (patch)
tree	a4cd1c3071afcea5f980b67d4375b146a73d1f94
parent	c930052636b1a5f70434ca19b02554fd0f54747b (diff)
download	poky-0c1c0877e83cd893ffe37d9fdeb5317343da631a.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2015-3143.patch b/meta/recipes-support/curl/curl/CVE-2015-3143.patch new file mode 100644 index 0000000000..745e9456f3 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3143.patch
@@ -0,0 +1,38 @@
	1	From d7d1bc8f08eea1a85ab0d794bc1561659462d937 Mon Sep 17 00:00:00 2001
	2	From: Daniel Stenberg <daniel@haxx.se>
	3	Date: Thu, 16 Apr 2015 13:26:46 +0200
	4	Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to
	5	match
	6
	7	Upstream-Status: Backport
	8
	9	CVE-2015-3143
	10
	11	Bug: http://curl.haxx.se/docs/adv_20150422A.html
	12	Reported-by: Paras Sethia
	13	Signed-off-by: Daniel Stenberg <daniel@haxx.se>
	14	Signed-off-by: Maxin B. John <maxin.john@enea.com>
	15	---
	16	lib/url.c \| 2 +-
	17	1 file changed, 1 insertion(+), 1 deletion(-)
	18
	19	diff --git a/lib/url.c b/lib/url.c
	20	index 018bb88..ee3d176 100644
	21	--- a/lib/url.c
	22	+++ b/lib/url.c
	23	@@ -3207,11 +3207,11 @@ ConnectionExists(struct SessionHandle *data,
	24	strcmp(check->localdev, needle->localdev))
	25	continue;
	26	}
	27
	28	if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) \|\|
	29	- wantNTLMhttp) {
	30	+ (wantNTLMhttp \|\| check->ntlm.state != NTLMSTATE_NONE)) {
	31	/* This protocol requires credentials per connection or is HTTP+NTLM,
	32	so verify that we're using the same name and password as well */
	33	if(!strequal(needle->user, check->user) \|\|
	34	!strequal(needle->passwd, check->passwd)) {
	35	/* one of them was different */
	36	--
	37	2.1.4
	38


diff --git a/meta/recipes-support/curl/curl/CVE-2015-3144.patch b/meta/recipes-support/curl/curl/CVE-2015-3144.patch new file mode 100644 index 0000000000..ca6d7448a1 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3144.patch
@@ -0,0 +1,45 @@
	1	From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
	2	From: Daniel Stenberg <daniel@haxx.se>
	3	Date: Thu, 16 Apr 2015 23:52:04 +0200
	4	Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	Upstream-Status: Backport
	10
	11	If a URL is given with a zero-length host name, like in "http://:80" or
	12	just ":80", `fix_hostname()` will index the host name pointer with a -1
	13	offset (as it blindly assumes a non-zero length) and both read and
	14	assign that address.
	15
	16	CVE-2015-3144
	17
	18	Bug: http://curl.haxx.se/docs/adv_20150422D.html
	19	Reported-by: Hanno Böck
	20	Signed-off-by: Daniel Stenberg <daniel@haxx.se>
	21	Signed-off-by: Maxin B. John <maxin.john@enea.com>
	22	---
	23	lib/url.c \| 2 +-
	24	1 file changed, 1 insertion(+), 1 deletion(-)
	25
	26	diff --git a/lib/url.c b/lib/url.c
	27	index ee3d176..f033dbc 100644
	28	--- a/lib/url.c
	29	+++ b/lib/url.c
	30	@@ -3625,11 +3625,11 @@ static void fix_hostname(struct SessionHandle *data,
	31
	32	/* set the name we use to display the host name */
	33	host->dispname = host->name;
	34
	35	len = strlen(host->name);
	36	- if(host->name[len-1] == '.')
	37	+ if(len && (host->name[len-1] == '.'))
	38	/* strip off a single trailing dot if present, primarily for SNI but
	39	there's no use for it */
	40	host->name[len-1]=0;
	41
	42	if(!is_ASCII_name(host->name)) {
	43	--
	44	2.1.4
	45


diff --git a/meta/recipes-support/curl/curl/CVE-2015-3145.patch b/meta/recipes-support/curl/curl/CVE-2015-3145.patch new file mode 100644 index 0000000000..15a998289e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3145.patch
@@ -0,0 +1,70 @@
	1	From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
	2	From: Daniel Stenberg <daniel@haxx.se>
	3	Date: Thu, 16 Apr 2015 16:37:40 +0200
	4	Subject: [PATCH] cookie: cookie parser out of boundary memory access
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	Upstream-Status: Backport
	10
	11	The internal libcurl function called sanitize_cookie_path() that cleans
	12	up the path element as given to it from a remote site or when read from
	13	a file, did not properly validate the input. If given a path that
	14	consisted of a single double-quote, libcurl would index a newly
	15	allocated memory area with index -1 and assign a zero to it, thus
	16	destroying heap memory it wasn't supposed to.
	17
	18	CVE-2015-3145
	19
	20	Bug: http://curl.haxx.se/docs/adv_20150422C.html
	21	Reported-by: Hanno Böck
	22	Signed-off-by: Daniel Stenberg <daniel@haxx.se>
	23	Signed-off-by: Maxin B. John <maxin.john@enea.com>
	24	---
	25	lib/cookie.c \| 12 +++++++-----
	26	1 file changed, 7 insertions(+), 5 deletions(-)
	27
	28	diff --git a/lib/cookie.c b/lib/cookie.c
	29	index 0864f6b..0127926 100644
	30	--- a/lib/cookie.c
	31	+++ b/lib/cookie.c
	32	@@ -223,15 +223,18 @@ static char sanitize_cookie_path(const char cookie_path)
	33	char *new_path = strdup(cookie_path);
	34	if(!new_path)
	35	return NULL;
	36
	37	/* some stupid site sends path attribute with '"'. */
	38	+ len = strlen(new_path);
	39	if(new_path[0] == '\"') {
	40	- memmove((void )new_path, (const void )(new_path + 1), strlen(new_path));
	41	+ memmove((void )new_path, (const void )(new_path + 1), len);
	42	+ len--;
	43	}
	44	- if(new_path[strlen(new_path) - 1] == '\"') {
	45	- new_path[strlen(new_path) - 1] = 0x0;
	46	+ if(len && (new_path[len - 1] == '\"')) {
	47	+ new_path[len - 1] = 0x0;
	48	+ len--;
	49	}
	50
	51	/* RFC6265 5.2.4 The Path Attribute */
	52	if(new_path[0] != '/') {
	53	/* Let cookie-path be the default-path. */
	54	@@ -239,12 +242,11 @@ static char sanitize_cookie_path(const char cookie_path)
	55	new_path = strdup("/");
	56	return new_path;
	57	}
	58
	59	/* convert /hoge/ to /hoge */
	60	- len = strlen(new_path);
	61	- if(1 < len && new_path[len - 1] == '/') {
	62	+ if(len && new_path[len - 1] == '/') {
	63	new_path[len - 1] = 0x0;
	64	}
	65
	66	return new_path;
	67	}
	68	--
	69	2.1.4
	70