diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-04-21 12:29:17 +0200 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-04-21 13:54:14 +0200 |
commit | 3fc5d271f554e07c88b1195812e48a0d86291395 (patch) | |
tree | aa886d608aee07639e7a841d0618ccd0bda97bc7 | |
parent | 9ee38b3a027470c98f7337dceac67ba06420c075 (diff) | |
download | poky-3fc5d271f554e07c88b1195812e48a0d86291395.tar.gz |
curl: Upgrade 7.47.1 -> 7.53.1
Security vulnerabilities fixed between 7.47.1 and 7.53.1 versions:
=================================================================
TLS session resumption client cert bypass (again): CVE-2017-XXXX
--write-out out of buffer read: CVE-2017-7407
SSL_VERIFYSTATUS ignored: CVE-2017-2629
uninitialized random: CVE-2016-9594
printf floating point buffer overflow: CVE-2016-9586
Win CE schannel cert wildcard matches too much: CVE-2016-9952
Win CE schannel cert name out of buffer read: CVE-2016-9953
cookie injection for other servers: CVE-2016-8615
case insensitive password comparison: CVE-2016-8616
OOB write via unchecked multiplication: CVE-2016-8617
double-free in curl_maprintf: CVE-2016-8618
double-free in krb5 code: CVE-2016-8619
glob parser write/read out of bounds: CVE-2016-8620
curl_getdate read out of bounds: CVE-2016-8621
URL unescape heap overflow via integer truncation: CVE-2016-8622
Use-after-free via shared cookies: CVE-2016-8623
invalid URL parsing with '#': CVE-2016-8624
IDNA 2003 makes curl use wrong host: CVE-2016-8625
curl escape and unescape integer overflows: CVE-2016-7167
Incorrect reuse of client certificates: CVE-2016-7141
TLS session resumption client cert bypass: CVE-2016-5419
Re-using connections with wrong client cert: CVE-2016-5420
use of connection struct after free: CVE-2016-5421
Windows DLL hijacking: CVE-2016-4802
TLS certificate check bypass with mbedTLS/PolarSSL: CVE-2016-3739
Reference:
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/changes.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
17 files changed, 3 insertions, 1633 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-5419.patch b/meta/recipes-support/curl/curl/CVE-2016-5419.patch deleted file mode 100644 index 2bea362c87..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-5419.patch +++ /dev/null | |||
@@ -1,76 +0,0 @@ | |||
1 | From 247d890da88f9ee817079e246c59f3d7d12fde5f Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Fri, 1 Jul 2016 13:32:31 +0200 | ||
4 | Subject: [PATCH] TLS: switch off SSL session id when client cert is used | ||
5 | |||
6 | |||
7 | Bug: https://curl.haxx.se/docs/adv_20160803A.html | ||
8 | Reported-by: Bru Rom | ||
9 | Contributions-by: Eric Rescorla and Ray Satiro | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | https://curl.haxx.se/CVE-2016-5419.patch | ||
13 | |||
14 | CVE: CVE-2016-5419 | ||
15 | Signed-off-by: Maxin B. John <maxin.john@intel.com> | ||
16 | --- | ||
17 | lib/url.c | 1 + | ||
18 | lib/urldata.h | 1 + | ||
19 | lib/vtls/vtls.c | 10 ++++++++++ | ||
20 | 3 files changed, 12 insertions(+) | ||
21 | |||
22 | diff --git a/lib/url.c b/lib/url.c | ||
23 | index 258a286..e547e5c 100644 | ||
24 | --- a/lib/url.c | ||
25 | +++ b/lib/url.c | ||
26 | @@ -6123,6 +6123,7 @@ static CURLcode create_conn(struct Curl_easy *data, | ||
27 | data->set.ssl.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; | ||
28 | data->set.ssl.egdsocket = data->set.str[STRING_SSL_EGDSOCKET]; | ||
29 | data->set.ssl.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST]; | ||
30 | + data->set.ssl.clientcert = data->set.str[STRING_CERT]; | ||
31 | #ifdef USE_TLS_SRP | ||
32 | data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; | ||
33 | data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; | ||
34 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
35 | index 611c5a7..3cf7ed9 100644 | ||
36 | --- a/lib/urldata.h | ||
37 | +++ b/lib/urldata.h | ||
38 | @@ -351,6 +351,7 @@ struct ssl_config_data { | ||
39 | char *CAfile; /* certificate to verify peer against */ | ||
40 | const char *CRLfile; /* CRL to check certificate revocation */ | ||
41 | const char *issuercert;/* optional issuer certificate filename */ | ||
42 | + char *clientcert; | ||
43 | char *random_file; /* path to file containing "random" data */ | ||
44 | char *egdsocket; /* path to file containing the EGD daemon socket */ | ||
45 | char *cipher_list; /* list of ciphers to use */ | ||
46 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
47 | index d3e41cd..33e209d 100644 | ||
48 | --- a/lib/vtls/vtls.c | ||
49 | +++ b/lib/vtls/vtls.c | ||
50 | @@ -156,6 +156,15 @@ Curl_clone_ssl_config(struct ssl_config_data *source, | ||
51 | else | ||
52 | dest->random_file = NULL; | ||
53 | |||
54 | + if(source->clientcert) { | ||
55 | + dest->clientcert = strdup(source->clientcert); | ||
56 | + if(!dest->clientcert) | ||
57 | + return FALSE; | ||
58 | + dest->sessionid = FALSE; | ||
59 | + } | ||
60 | + else | ||
61 | + dest->clientcert = NULL; | ||
62 | + | ||
63 | return TRUE; | ||
64 | } | ||
65 | |||
66 | @@ -166,6 +175,7 @@ void Curl_free_ssl_config(struct ssl_config_data* sslc) | ||
67 | Curl_safefree(sslc->cipher_list); | ||
68 | Curl_safefree(sslc->egdsocket); | ||
69 | Curl_safefree(sslc->random_file); | ||
70 | + Curl_safefree(sslc->clientcert); | ||
71 | } | ||
72 | |||
73 | |||
74 | -- | ||
75 | 2.4.0 | ||
76 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-5420.patch b/meta/recipes-support/curl/curl/CVE-2016-5420.patch deleted file mode 100644 index 6bfacd7c9d..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-5420.patch +++ /dev/null | |||
@@ -1,31 +0,0 @@ | |||
1 | From 11ec5ad4352bba384404c56e77c7fab9382fd22d Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Sun, 31 Jul 2016 00:51:48 +0200 | ||
4 | Subject: [PATCH] TLS: only reuse connections with the same client cert | ||
5 | |||
6 | Bug: https://curl.haxx.se/docs/adv_20160803B.html | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | https://curl.haxx.se/CVE-2016-5420.patch | ||
10 | |||
11 | CVE: CVE-2016-5420 | ||
12 | Signed-off-by: Maxin B. John <maxin.john@intel.com> | ||
13 | --- | ||
14 | lib/vtls/vtls.c | 1 + | ||
15 | 1 file changed, 1 insertion(+) | ||
16 | |||
17 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
18 | index 33e209d..3863777 100644 | ||
19 | --- a/lib/vtls/vtls.c | ||
20 | +++ b/lib/vtls/vtls.c | ||
21 | @@ -99,6 +99,7 @@ Curl_ssl_config_matches(struct ssl_config_data* data, | ||
22 | (data->verifyhost == needle->verifyhost) && | ||
23 | safe_strequal(data->CApath, needle->CApath) && | ||
24 | safe_strequal(data->CAfile, needle->CAfile) && | ||
25 | + safe_strequal(data->clientcert, needle->clientcert) && | ||
26 | safe_strequal(data->random_file, needle->random_file) && | ||
27 | safe_strequal(data->egdsocket, needle->egdsocket) && | ||
28 | safe_strequal(data->cipher_list, needle->cipher_list)) | ||
29 | -- | ||
30 | 2.4.0 | ||
31 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-5421.patch b/meta/recipes-support/curl/curl/CVE-2016-5421.patch deleted file mode 100644 index 862da757db..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-5421.patch +++ /dev/null | |||
@@ -1,36 +0,0 @@ | |||
1 | From 75dc096e01ef1e21b6c57690d99371dedb2c0b80 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Sun, 31 Jul 2016 01:09:04 +0200 | ||
4 | Subject: [PATCH] curl_multi_cleanup: clear connection pointer for easy handles | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Bug: https://curl.haxx.se/docs/adv_20160803C.html | ||
10 | Reported-by: Marcelo Echeverria and Fernando Muñoz | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | https://curl.haxx.se/CVE-2016-5421.patch | ||
14 | |||
15 | CVE: CVE-2016-5421 | ||
16 | Signed-off-by: Maxin B. John <maxin.john@intel.com> | ||
17 | --- | ||
18 | lib/multi.c | 2 ++ | ||
19 | 1 file changed, 2 insertions(+) | ||
20 | |||
21 | diff --git a/lib/multi.c b/lib/multi.c | ||
22 | index 9ee3523..8bb9366 100644 | ||
23 | --- a/lib/multi.c | ||
24 | +++ b/lib/multi.c | ||
25 | @@ -2157,6 +2157,8 @@ static void close_all_connections(struct Curl_multi *multi) | ||
26 | conn->data = multi->closure_handle; | ||
27 | |||
28 | sigpipe_ignore(conn->data, &pipe_st); | ||
29 | + conn->data->easy_conn = NULL; /* clear the easy handle's connection | ||
30 | + pointer */ | ||
31 | /* This will remove the connection from the cache */ | ||
32 | (void)Curl_disconnect(conn, FALSE); | ||
33 | sigpipe_restore(&pipe_st); | ||
34 | -- | ||
35 | 2.4.0 | ||
36 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-7141.patch b/meta/recipes-support/curl/curl/CVE-2016-7141.patch deleted file mode 100644 index eb03afddf8..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-7141.patch +++ /dev/null | |||
@@ -1,50 +0,0 @@ | |||
1 | From 7700fcba64bf5806de28f6c1c7da3b4f0b38567d Mon Sep 17 00:00:00 2001 | ||
2 | From: Kamil Dudka <kdudka@redhat.com> | ||
3 | Date: Mon, 22 Aug 2016 10:24:35 +0200 | ||
4 | Subject: [PATCH] nss: refuse previously loaded certificate from file | ||
5 | |||
6 | ... when we are not asked to use a certificate from file | ||
7 | |||
8 | Bug: https://curl.haxx.se/docs/adv_20160907.html | ||
9 | Reported-by: kdudka@redhat.com | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | https://curl.haxx.se/CVE-2016-5421.patch | ||
13 | |||
14 | CVE: CVE-2016-7141 | ||
15 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
16 | --- | ||
17 | lib/vtls/nss.c | 8 +++++++- | ||
18 | 1 file changed, 7 insertions(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c | ||
21 | index 20c4277..cfb2263 100644 | ||
22 | --- a/lib/vtls/nss.c | ||
23 | +++ b/lib/vtls/nss.c | ||
24 | @@ -1002,10 +1002,10 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, | ||
25 | struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg; | ||
26 | struct Curl_easy *data = connssl->data; | ||
27 | const char *nickname = connssl->client_nickname; | ||
28 | + static const char pem_slotname[] = "PEM Token #1"; | ||
29 | |||
30 | if(connssl->obj_clicert) { | ||
31 | /* use the cert/key provided by PEM reader */ | ||
32 | - static const char pem_slotname[] = "PEM Token #1"; | ||
33 | SECItem cert_der = { 0, NULL, 0 }; | ||
34 | void *proto_win = SSL_RevealPinArg(sock); | ||
35 | struct CERTCertificateStr *cert; | ||
36 | @@ -1067,6 +1067,12 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, | ||
37 | if(NULL == nickname) | ||
38 | nickname = "[unknown]"; | ||
39 | |||
40 | + if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) { | ||
41 | + failf(data, "NSS: refusing previously loaded certificate from file: %s", | ||
42 | + nickname); | ||
43 | + return SECFailure; | ||
44 | + } | ||
45 | + | ||
46 | if(NULL == *pRetKey) { | ||
47 | failf(data, "NSS: private key not found for certificate: %s", nickname); | ||
48 | return SECFailure; | ||
49 | -- | ||
50 | 2.7.4 | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8615.patch b/meta/recipes-support/curl/curl/CVE-2016-8615.patch deleted file mode 100644 index 5faa423a2a..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-8615.patch +++ /dev/null | |||
@@ -1,77 +0,0 @@ | |||
1 | From 1620f552a277ed5b23a48b9c27dbf07663cac068 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 27 Sep 2016 17:36:19 +0200 | ||
4 | Subject: [PATCH] cookie: replace use of fgets() with custom version | ||
5 | |||
6 | ... that will ignore lines that are too long to fit in the buffer. | ||
7 | |||
8 | CVE: CVE-2016-8615 | ||
9 | Upstream-Status: Backport | ||
10 | |||
11 | Bug: https://curl.haxx.se/docs/adv_20161102A.html | ||
12 | Reported-by: Cure53 | ||
13 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
14 | --- | ||
15 | lib/cookie.c | 31 ++++++++++++++++++++++++++++++- | ||
16 | 1 file changed, 30 insertions(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
19 | index 0f05da2..e5097d3 100644 | ||
20 | --- a/lib/cookie.c | ||
21 | +++ b/lib/cookie.c | ||
22 | @@ -901,10 +901,39 @@ Curl_cookie_add(struct Curl_easy *data, | ||
23 | } | ||
24 | |||
25 | return co; | ||
26 | } | ||
27 | |||
28 | +/* | ||
29 | + * get_line() makes sure to only return complete whole lines that fit in 'len' | ||
30 | + * bytes and end with a newline. | ||
31 | + */ | ||
32 | +static char *get_line(char *buf, int len, FILE *input) | ||
33 | +{ | ||
34 | + bool partial = FALSE; | ||
35 | + while(1) { | ||
36 | + char *b = fgets(buf, len, input); | ||
37 | + if(b) { | ||
38 | + size_t rlen = strlen(b); | ||
39 | + if(rlen && (b[rlen-1] == '\n')) { | ||
40 | + if(partial) { | ||
41 | + partial = FALSE; | ||
42 | + continue; | ||
43 | + } | ||
44 | + return b; | ||
45 | + } | ||
46 | + else | ||
47 | + /* read a partial, discard the next piece that ends with newline */ | ||
48 | + partial = TRUE; | ||
49 | + } | ||
50 | + else | ||
51 | + break; | ||
52 | + } | ||
53 | + return NULL; | ||
54 | +} | ||
55 | + | ||
56 | + | ||
57 | /***************************************************************************** | ||
58 | * | ||
59 | * Curl_cookie_init() | ||
60 | * | ||
61 | * Inits a cookie struct to read data from a local file. This is always | ||
62 | @@ -957,11 +986,11 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, | ||
63 | bool headerline; | ||
64 | |||
65 | line = malloc(MAX_COOKIE_LINE); | ||
66 | if(!line) | ||
67 | goto fail; | ||
68 | - while(fgets(line, MAX_COOKIE_LINE, fp)) { | ||
69 | + while(get_line(line, MAX_COOKIE_LINE, fp)) { | ||
70 | if(checkprefix("Set-Cookie:", line)) { | ||
71 | /* This is a cookie line, get it! */ | ||
72 | lineptr=&line[11]; | ||
73 | headerline=TRUE; | ||
74 | } | ||
75 | -- | ||
76 | 2.9.3 | ||
77 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8616.patch b/meta/recipes-support/curl/curl/CVE-2016-8616.patch deleted file mode 100644 index d5d78fc73f..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-8616.patch +++ /dev/null | |||
@@ -1,49 +0,0 @@ | |||
1 | From b3ee26c5df75d97f6895e6ec4538894ebaf76e48 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 27 Sep 2016 18:01:53 +0200 | ||
4 | Subject: [PATCH] connectionexists: use case sensitive user/password | ||
5 | comparisons | ||
6 | |||
7 | CVE: CVE-2016-8616 | ||
8 | Upstream-Status: Backport | ||
9 | |||
10 | Bug: https://curl.haxx.se/docs/adv_20161102B.html | ||
11 | Reported-by: Cure53 | ||
12 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
13 | |||
14 | diff -ruN a/lib/url.c b/lib/url.c | ||
15 | --- a/lib/url.c 2016-11-07 08:50:23.030126833 +0100 | ||
16 | +++ b/lib/url.c 2016-11-07 09:16:20.459836564 +0100 | ||
17 | @@ -3305,8 +3305,8 @@ | ||
18 | if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { | ||
19 | /* This protocol requires credentials per connection, | ||
20 | so verify that we're using the same name and password as well */ | ||
21 | - if(!strequal(needle->user, check->user) || | ||
22 | - !strequal(needle->passwd, check->passwd)) { | ||
23 | + if(strcmp(needle->user, check->user) || | ||
24 | + strcmp(needle->passwd, check->passwd)) { | ||
25 | /* one of them was different */ | ||
26 | continue; | ||
27 | } | ||
28 | @@ -3369,8 +3369,8 @@ | ||
29 | possible. (Especially we must not reuse the same connection if | ||
30 | partway through a handshake!) */ | ||
31 | if(wantNTLMhttp) { | ||
32 | - if(!strequal(needle->user, check->user) || | ||
33 | - !strequal(needle->passwd, check->passwd)) | ||
34 | + if(strcmp(needle->user, check->user) || | ||
35 | + strcmp(needle->passwd, check->passwd)) | ||
36 | continue; | ||
37 | } | ||
38 | else if(check->ntlm.state != NTLMSTATE_NONE) { | ||
39 | @@ -3380,8 +3380,8 @@ | ||
40 | |||
41 | /* Same for Proxy NTLM authentication */ | ||
42 | if(wantProxyNTLMhttp) { | ||
43 | - if(!strequal(needle->proxyuser, check->proxyuser) || | ||
44 | - !strequal(needle->proxypasswd, check->proxypasswd)) | ||
45 | + if(strcmp(needle->proxyuser, check->proxyuser) || | ||
46 | + strcmp(needle->proxypasswd, check->proxypasswd)) | ||
47 | continue; | ||
48 | } | ||
49 | else if(check->proxyntlm.state != NTLMSTATE_NONE) { | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8617.patch b/meta/recipes-support/curl/curl/CVE-2016-8617.patch deleted file mode 100644 index d16c2f5a63..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-8617.patch +++ /dev/null | |||
@@ -1,28 +0,0 @@ | |||
1 | From efd24d57426bd77c9b5860e6b297904703750412 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Wed, 28 Sep 2016 00:05:12 +0200 | ||
4 | Subject: [PATCH] base64: check for integer overflow on large input | ||
5 | |||
6 | CVE: CVE-2016-8617 | ||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Bug: https://curl.haxx.se/docs/adv_20161102C.html | ||
10 | Reported-by: Cure53 | ||
11 | |||
12 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
13 | --- | ||
14 | diff -ruN a/lib/base64.c b/lib/base64.c | ||
15 | --- a/lib/base64.c 2016-02-03 00:02:43.000000000 +0100 | ||
16 | +++ b/lib/base64.c 2016-11-07 09:22:07.918167530 +0100 | ||
17 | @@ -190,6 +190,11 @@ | ||
18 | if(0 == insize) | ||
19 | insize = strlen(indata); | ||
20 | |||
21 | +#if SIZEOF_SIZE_T == 4 | ||
22 | + if(insize > UINT_MAX/4) | ||
23 | + return CURLE_OUT_OF_MEMORY; | ||
24 | +#endif | ||
25 | + | ||
26 | base64data = output = malloc(insize*4/3+4); | ||
27 | if(NULL == output) | ||
28 | return CURLE_OUT_OF_MEMORY; | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8618.patch b/meta/recipes-support/curl/curl/CVE-2016-8618.patch deleted file mode 100644 index 2fd4749586..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-8618.patch +++ /dev/null | |||
@@ -1,52 +0,0 @@ | |||
1 | From 31106a073882656a2a5ab56c4ce2847e9a334c3c Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Wed, 28 Sep 2016 10:15:34 +0200 | ||
4 | Subject: [PATCH] aprintf: detect wrap-around when growing allocation | ||
5 | |||
6 | On 32bit systems we could otherwise wrap around after 2GB and allocate 0 | ||
7 | bytes and crash. | ||
8 | |||
9 | CVE: CVE-2016-8618 | ||
10 | Upstream-Status: Backport | ||
11 | |||
12 | Bug: https://curl.haxx.se/docs/adv_20161102D.html | ||
13 | Reported-by: Cure53 | ||
14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
15 | --- | ||
16 | lib/mprintf.c | 9 ++++++--- | ||
17 | 1 file changed, 6 insertions(+), 3 deletions(-) | ||
18 | |||
19 | diff --git a/lib/mprintf.c b/lib/mprintf.c | ||
20 | index dbedeaa..2c88aa8 100644 | ||
21 | --- a/lib/mprintf.c | ||
22 | +++ b/lib/mprintf.c | ||
23 | @@ -1034,20 +1034,23 @@ static int alloc_addbyter(int output, FILE *data) | ||
24 | } | ||
25 | infop->alloc = 32; | ||
26 | infop->len =0; | ||
27 | } | ||
28 | else if(infop->len+1 >= infop->alloc) { | ||
29 | - char *newptr; | ||
30 | + char *newptr = NULL; | ||
31 | + size_t newsize = infop->alloc*2; | ||
32 | |||
33 | - newptr = realloc(infop->buffer, infop->alloc*2); | ||
34 | + /* detect wrap-around or other overflow problems */ | ||
35 | + if(newsize > infop->alloc) | ||
36 | + newptr = realloc(infop->buffer, newsize); | ||
37 | |||
38 | if(!newptr) { | ||
39 | infop->fail = 1; | ||
40 | return -1; /* fail */ | ||
41 | } | ||
42 | infop->buffer = newptr; | ||
43 | - infop->alloc *= 2; | ||
44 | + infop->alloc = newsize; | ||
45 | } | ||
46 | |||
47 | infop->buffer[ infop->len ] = outc; | ||
48 | |||
49 | infop->len++; | ||
50 | -- | ||
51 | 2.9.3 | ||
52 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8619.patch b/meta/recipes-support/curl/curl/CVE-2016-8619.patch deleted file mode 100644 index fb21cf6b89..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-8619.patch +++ /dev/null | |||
@@ -1,52 +0,0 @@ | |||
1 | From 91239f7040b1f026d4d15765e7e3f58e92e93761 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Wed, 28 Sep 2016 12:56:02 +0200 | ||
4 | Subject: [PATCH] krb5: avoid realloc(0) | ||
5 | |||
6 | If the requested size is zero, bail out with error instead of doing a | ||
7 | realloc() that would cause a double-free: realloc(0) acts as a free() | ||
8 | and then there's a second free in the cleanup path. | ||
9 | |||
10 | CVE: CVE-2016-8619 | ||
11 | Upstream-Status: Backport | ||
12 | |||
13 | Bug: https://curl.haxx.se/docs/adv_20161102E.html | ||
14 | Reported-by: Cure53 | ||
15 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
16 | --- | ||
17 | lib/security.c | 9 ++++++--- | ||
18 | 1 file changed, 6 insertions(+), 3 deletions(-) | ||
19 | |||
20 | diff --git a/lib/security.c b/lib/security.c | ||
21 | index a268d4a..4cef8f8 100644 | ||
22 | --- a/lib/security.c | ||
23 | +++ b/lib/security.c | ||
24 | @@ -190,19 +190,22 @@ socket_write(struct connectdata *conn, curl_socket_t fd, const void *to, | ||
25 | static CURLcode read_data(struct connectdata *conn, | ||
26 | curl_socket_t fd, | ||
27 | struct krb5buffer *buf) | ||
28 | { | ||
29 | int len; | ||
30 | - void* tmp; | ||
31 | + void *tmp = NULL; | ||
32 | CURLcode result; | ||
33 | |||
34 | result = socket_read(fd, &len, sizeof(len)); | ||
35 | if(result) | ||
36 | return result; | ||
37 | |||
38 | - len = ntohl(len); | ||
39 | - tmp = realloc(buf->data, len); | ||
40 | + if(len) { | ||
41 | + /* only realloc if there was a length */ | ||
42 | + len = ntohl(len); | ||
43 | + tmp = realloc(buf->data, len); | ||
44 | + } | ||
45 | if(tmp == NULL) | ||
46 | return CURLE_OUT_OF_MEMORY; | ||
47 | |||
48 | buf->data = tmp; | ||
49 | result = socket_read(fd, buf->data, len); | ||
50 | -- | ||
51 | 2.9.3 | ||
52 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8620.patch b/meta/recipes-support/curl/curl/CVE-2016-8620.patch deleted file mode 100644 index 613ace30b8..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-8620.patch +++ /dev/null | |||
@@ -1,44 +0,0 @@ | |||
1 | From fbb5f1aa0326d485d5a7ac643b48481897ca667f Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 3 Oct 2016 17:27:16 +0200 | ||
4 | Subject: [PATCH] range: prevent negative end number in a glob range | ||
5 | |||
6 | CVE: CVE-2016-8620 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | |||
10 | Bug: https://curl.haxx.se/docs/adv_20161102F.html | ||
11 | Reported-by: Luáşt Nguyá»…n | ||
12 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
13 | --- | ||
14 | src/tool_urlglob.c | 7 +++++++ | ||
15 | 1 file changed, 7 insertions(+) | ||
16 | |||
17 | diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c | ||
18 | index a357b8b..64c75ba 100644 | ||
19 | --- a/src/tool_urlglob.c | ||
20 | +++ b/src/tool_urlglob.c | ||
21 | @@ -257,6 +257,12 @@ static CURLcode glob_range(URLGlob *glob, char **patternp, | ||
22 | endp = NULL; | ||
23 | else { | ||
24 | pattern = endp+1; | ||
25 | + while(*pattern && ISBLANK(*pattern)) | ||
26 | + pattern++; | ||
27 | + if(!ISDIGIT(*pattern)) { | ||
28 | + endp = NULL; | ||
29 | + goto fail; | ||
30 | + } | ||
31 | errno = 0; | ||
32 | max_n = strtoul(pattern, &endp, 10); | ||
33 | if(errno || (*endp == ':')) { | ||
34 | @@ -277,6 +283,7 @@ static CURLcode glob_range(URLGlob *glob, char **patternp, | ||
35 | } | ||
36 | } | ||
37 | |||
38 | + fail: | ||
39 | *posp += (pattern - *patternp); | ||
40 | |||
41 | if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) || !step_n) | ||
42 | -- | ||
43 | 1.9.1 | ||
44 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8621.patch b/meta/recipes-support/curl/curl/CVE-2016-8621.patch deleted file mode 100644 index 7345838af7..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-8621.patch +++ /dev/null | |||
@@ -1,120 +0,0 @@ | |||
1 | From 8a6d9ded5f02f0294ae63a007e26087316c1998e Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 4 Oct 2016 16:59:38 +0200 | ||
4 | Subject: [PATCH] parsedate: handle cut off numbers better | ||
5 | |||
6 | ... and don't read outside of the given buffer! | ||
7 | |||
8 | CVE: CVE-2016-8621 | ||
9 | Upstream-Status: Backport | ||
10 | |||
11 | bug: https://curl.haxx.se/docs/adv_20161102G.html | ||
12 | Reported-by: Luáşt Nguyá»…n | ||
13 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
14 | --- | ||
15 | lib/parsedate.c | 12 +++++++----- | ||
16 | tests/data/test517 | 6 ++++++ | ||
17 | tests/libtest/lib517.c | 8 +++++++- | ||
18 | 3 files changed, 20 insertions(+), 6 deletions(-) | ||
19 | |||
20 | diff --git a/lib/parsedate.c b/lib/parsedate.c | ||
21 | index dfcf855..8e932f4 100644 | ||
22 | --- a/lib/parsedate.c | ||
23 | +++ b/lib/parsedate.c | ||
24 | @@ -3,11 +3,11 @@ | ||
25 | * Project ___| | | | _ \| | | ||
26 | * / __| | | | |_) | | | ||
27 | * | (__| |_| | _ <| |___ | ||
28 | * \___|\___/|_| \_\_____| | ||
29 | * | ||
30 | - * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
31 | + * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
32 | * | ||
33 | * This software is licensed as described in the file COPYING, which | ||
34 | * you should have received as part of this distribution. The terms | ||
35 | * are also available at https://curl.haxx.se/docs/copyright.html. | ||
36 | * | ||
37 | @@ -384,19 +384,21 @@ static int parsedate(const char *date, time_t *output) | ||
38 | } | ||
39 | else if(ISDIGIT(*date)) { | ||
40 | /* a digit */ | ||
41 | int val; | ||
42 | char *end; | ||
43 | + int len=0; | ||
44 | if((secnum == -1) && | ||
45 | - (3 == sscanf(date, "%02d:%02d:%02d", &hournum, &minnum, &secnum))) { | ||
46 | + (3 == sscanf(date, "%02d:%02d:%02d%n", | ||
47 | + &hournum, &minnum, &secnum, &len))) { | ||
48 | /* time stamp! */ | ||
49 | - date += 8; | ||
50 | + date += len; | ||
51 | } | ||
52 | else if((secnum == -1) && | ||
53 | - (2 == sscanf(date, "%02d:%02d", &hournum, &minnum))) { | ||
54 | + (2 == sscanf(date, "%02d:%02d%n", &hournum, &minnum, &len))) { | ||
55 | /* time stamp without seconds */ | ||
56 | - date += 5; | ||
57 | + date += len; | ||
58 | secnum = 0; | ||
59 | } | ||
60 | else { | ||
61 | long lval; | ||
62 | int error; | ||
63 | diff --git a/tests/data/test517 b/tests/data/test517 | ||
64 | index c81a45e..513634f 100644 | ||
65 | --- a/tests/data/test517 | ||
66 | +++ b/tests/data/test517 | ||
67 | @@ -114,10 +114,16 @@ nothing | ||
68 | 79: 20110632 12:34:56 => -1 | ||
69 | 80: 20110623 56:34:56 => -1 | ||
70 | 81: 20111323 12:34:56 => -1 | ||
71 | 82: 20110623 12:34:79 => -1 | ||
72 | 83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000 | ||
73 | +84: 20110623 12:3 => 1308830580 | ||
74 | +85: 20110623 1:3 => 1308790980 | ||
75 | +86: 20110623 1:30 => 1308792600 | ||
76 | +87: 20110623 12:12:3 => 1308831123 | ||
77 | +88: 20110623 01:12:3 => 1308791523 | ||
78 | +89: 20110623 01:99:30 => -1 | ||
79 | </stdout> | ||
80 | |||
81 | # This test case previously tested an overflow case ("2094 Nov 6 => | ||
82 | # 2147483647") for 32bit time_t, but since some systems have 64bit time_t and | ||
83 | # handles this (returning 3939840000), and some 64bit-time_t systems don't | ||
84 | diff --git a/tests/libtest/lib517.c b/tests/libtest/lib517.c | ||
85 | index 2f68ebd..22162ff 100644 | ||
86 | --- a/tests/libtest/lib517.c | ||
87 | +++ b/tests/libtest/lib517.c | ||
88 | @@ -3,11 +3,11 @@ | ||
89 | * Project ___| | | | _ \| | | ||
90 | * / __| | | | |_) | | | ||
91 | * | (__| |_| | _ <| |___ | ||
92 | * \___|\___/|_| \_\_____| | ||
93 | * | ||
94 | - * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
95 | + * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
96 | * | ||
97 | * This software is licensed as described in the file COPYING, which | ||
98 | * you should have received as part of this distribution. The terms | ||
99 | * are also available at https://curl.haxx.se/docs/copyright.html. | ||
100 | * | ||
101 | @@ -114,10 +114,16 @@ static const char * const dates[]={ | ||
102 | "20110632 12:34:56", | ||
103 | "20110623 56:34:56", | ||
104 | "20111323 12:34:56", | ||
105 | "20110623 12:34:79", | ||
106 | "Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */ | ||
107 | + "20110623 12:3", | ||
108 | + "20110623 1:3", | ||
109 | + "20110623 1:30", | ||
110 | + "20110623 12:12:3", | ||
111 | + "20110623 01:12:3", | ||
112 | + "20110623 01:99:30", | ||
113 | NULL | ||
114 | }; | ||
115 | |||
116 | int test(char *URL) | ||
117 | { | ||
118 | -- | ||
119 | 2.9.3 | ||
120 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8622.patch b/meta/recipes-support/curl/curl/CVE-2016-8622.patch deleted file mode 100644 index 8edad0184e..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-8622.patch +++ /dev/null | |||
@@ -1,94 +0,0 @@ | |||
1 | From 53e71e47d6b81650d26ec33a58d0dca24c7ffb2c Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 4 Oct 2016 18:56:45 +0200 | ||
4 | Subject: [PATCH] unescape: avoid integer overflow | ||
5 | |||
6 | CVE: CVE-2016-8622 | ||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Bug: https://curl.haxx.se/docs/adv_20161102H.html | ||
10 | Reported-by: Cure53 | ||
11 | |||
12 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
13 | |||
14 | diff -ruN a/docs/libcurl/curl_easy_unescape.3 b/docs/libcurl/curl_easy_unescape.3 | ||
15 | --- a/docs/libcurl/curl_easy_unescape.3 2016-02-03 00:08:02.000000000 +0100 | ||
16 | +++ b/docs/libcurl/curl_easy_unescape.3 2016-11-07 09:25:45.999933275 +0100 | ||
17 | @@ -5,7 +5,7 @@ | ||
18 | .\" * | (__| |_| | _ <| |___ | ||
19 | .\" * \___|\___/|_| \_\_____| | ||
20 | .\" * | ||
21 | -.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
22 | +.\" * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
23 | .\" * | ||
24 | .\" * This software is licensed as described in the file COPYING, which | ||
25 | .\" * you should have received as part of this distribution. The terms | ||
26 | @@ -40,7 +40,10 @@ | ||
27 | |||
28 | If \fBoutlength\fP is non-NULL, the function will write the length of the | ||
29 | returned string in the integer it points to. This allows an escaped string | ||
30 | -containing %00 to still get used properly after unescaping. | ||
31 | +containing %00 to still get used properly after unescaping. Since this is a | ||
32 | +pointer to an \fIint\fP type, it can only return a value up to INT_MAX so no | ||
33 | +longer string can be unescaped if the string length is returned in this | ||
34 | +parameter. | ||
35 | |||
36 | You must \fIcurl_free(3)\fP the returned string when you're done with it. | ||
37 | .SH AVAILABILITY | ||
38 | diff -ruN a/lib/dict.c b/lib/dict.c | ||
39 | --- a/lib/dict.c 2016-02-03 00:02:44.000000000 +0100 | ||
40 | +++ b/lib/dict.c 2016-11-07 09:25:45.999933275 +0100 | ||
41 | @@ -5,7 +5,7 @@ | ||
42 | * | (__| |_| | _ <| |___ | ||
43 | * \___|\___/|_| \_\_____| | ||
44 | * | ||
45 | - * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
46 | + * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
47 | * | ||
48 | * This software is licensed as described in the file COPYING, which | ||
49 | * you should have received as part of this distribution. The terms | ||
50 | @@ -52,7 +52,7 @@ | ||
51 | #include <curl/curl.h> | ||
52 | #include "transfer.h" | ||
53 | #include "sendf.h" | ||
54 | - | ||
55 | +#include "escape.h" | ||
56 | #include "progress.h" | ||
57 | #include "strequal.h" | ||
58 | #include "dict.h" | ||
59 | @@ -96,12 +96,12 @@ | ||
60 | char *newp; | ||
61 | char *dictp; | ||
62 | char *ptr; | ||
63 | - int len; | ||
64 | + size_t len; | ||
65 | char ch; | ||
66 | int olen=0; | ||
67 | |||
68 | - newp = curl_easy_unescape(data, inputbuff, 0, &len); | ||
69 | - if(!newp) | ||
70 | + CURLcode result = Curl_urldecode(data, inputbuff, 0, &newp, &len, FALSE); | ||
71 | + if(!newp || result) | ||
72 | return NULL; | ||
73 | |||
74 | dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */ | ||
75 | diff -ruN a/lib/escape.c b/lib/escape.c | ||
76 | --- a/lib/escape.c 2016-02-05 10:02:03.000000000 +0100 | ||
77 | +++ b/lib/escape.c 2016-11-07 09:29:43.073671606 +0100 | ||
78 | @@ -217,8 +217,14 @@ | ||
79 | FALSE); | ||
80 | if(res) | ||
81 | return NULL; | ||
82 | - if(olen) | ||
83 | - *olen = curlx_uztosi(outputlen); | ||
84 | + | ||
85 | + if(olen) { | ||
86 | + if(outputlen <= (size_t) INT_MAX) | ||
87 | + *olen = curlx_uztosi(outputlen); | ||
88 | + else | ||
89 | + /* too large to return in an int, fail! */ | ||
90 | + Curl_safefree(str); | ||
91 | + } | ||
92 | return str; | ||
93 | } | ||
94 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8623.patch b/meta/recipes-support/curl/curl/CVE-2016-8623.patch deleted file mode 100644 index d9ddef6fa8..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-8623.patch +++ /dev/null | |||
@@ -1,209 +0,0 @@ | |||
1 | From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 4 Oct 2016 23:26:13 +0200 | ||
4 | Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies | ||
5 | |||
6 | Previously it only held references to them, which was reckless as the | ||
7 | thread lock was released so the cookies could get modified by other | ||
8 | handles that share the same cookie jar over the share interface. | ||
9 | |||
10 | CVE: CVE-2016-8623 | ||
11 | Upstream-Status: Backport | ||
12 | |||
13 | Bug: https://curl.haxx.se/docs/adv_20161102I.html | ||
14 | Reported-by: Cure53 | ||
15 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
16 | --- | ||
17 | lib/cookie.c | 61 +++++++++++++++++++++++++++++++++++++++--------------------- | ||
18 | lib/cookie.h | 4 ++-- | ||
19 | lib/http.c | 2 +- | ||
20 | 3 files changed, 43 insertions(+), 24 deletions(-) | ||
21 | |||
22 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
23 | index 0f05da2..8607ce3 100644 | ||
24 | --- a/lib/cookie.c | ||
25 | +++ b/lib/cookie.c | ||
26 | @@ -1022,10 +1022,44 @@ static int cookie_sort(const void *p1, const void *p2) | ||
27 | |||
28 | /* sorry, can't be more deterministic */ | ||
29 | return 0; | ||
30 | } | ||
31 | |||
32 | +#define CLONE(field) \ | ||
33 | + do { \ | ||
34 | + if(src->field) { \ | ||
35 | + dup->field = strdup(src->field); \ | ||
36 | + if(!dup->field) \ | ||
37 | + goto fail; \ | ||
38 | + } \ | ||
39 | + } while(0) | ||
40 | + | ||
41 | +static struct Cookie *dup_cookie(struct Cookie *src) | ||
42 | +{ | ||
43 | + struct Cookie *dup = calloc(sizeof(struct Cookie), 1); | ||
44 | + if(dup) { | ||
45 | + CLONE(expirestr); | ||
46 | + CLONE(domain); | ||
47 | + CLONE(path); | ||
48 | + CLONE(spath); | ||
49 | + CLONE(name); | ||
50 | + CLONE(value); | ||
51 | + CLONE(maxage); | ||
52 | + CLONE(version); | ||
53 | + dup->expires = src->expires; | ||
54 | + dup->tailmatch = src->tailmatch; | ||
55 | + dup->secure = src->secure; | ||
56 | + dup->livecookie = src->livecookie; | ||
57 | + dup->httponly = src->httponly; | ||
58 | + } | ||
59 | + return dup; | ||
60 | + | ||
61 | + fail: | ||
62 | + freecookie(dup); | ||
63 | + return NULL; | ||
64 | +} | ||
65 | + | ||
66 | /***************************************************************************** | ||
67 | * | ||
68 | * Curl_cookie_getlist() | ||
69 | * | ||
70 | * For a given host and path, return a linked list of cookies that the | ||
71 | @@ -1077,15 +1111,12 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, | ||
72 | if(!co->spath || pathmatch(co->spath, path) ) { | ||
73 | |||
74 | /* and now, we know this is a match and we should create an | ||
75 | entry for the return-linked-list */ | ||
76 | |||
77 | - newco = malloc(sizeof(struct Cookie)); | ||
78 | + newco = dup_cookie(co); | ||
79 | if(newco) { | ||
80 | - /* first, copy the whole source cookie: */ | ||
81 | - memcpy(newco, co, sizeof(struct Cookie)); | ||
82 | - | ||
83 | /* then modify our next */ | ||
84 | newco->next = mainco; | ||
85 | |||
86 | /* point the main to us */ | ||
87 | mainco = newco; | ||
88 | @@ -1093,16 +1124,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, | ||
89 | matches++; | ||
90 | } | ||
91 | else { | ||
92 | fail: | ||
93 | /* failure, clear up the allocated chain and return NULL */ | ||
94 | - while(mainco) { | ||
95 | - co = mainco->next; | ||
96 | - free(mainco); | ||
97 | - mainco = co; | ||
98 | - } | ||
99 | - | ||
100 | + Curl_cookie_freelist(mainco); | ||
101 | return NULL; | ||
102 | } | ||
103 | } | ||
104 | } | ||
105 | } | ||
106 | @@ -1150,11 +1176,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, | ||
107 | * | ||
108 | ****************************************************************************/ | ||
109 | void Curl_cookie_clearall(struct CookieInfo *cookies) | ||
110 | { | ||
111 | if(cookies) { | ||
112 | - Curl_cookie_freelist(cookies->cookies, TRUE); | ||
113 | + Curl_cookie_freelist(cookies->cookies); | ||
114 | cookies->cookies = NULL; | ||
115 | cookies->numcookies = 0; | ||
116 | } | ||
117 | } | ||
118 | |||
119 | @@ -1162,25 +1188,18 @@ void Curl_cookie_clearall(struct CookieInfo *cookies) | ||
120 | * | ||
121 | * Curl_cookie_freelist() | ||
122 | * | ||
123 | * Free a list of cookies previously returned by Curl_cookie_getlist(); | ||
124 | * | ||
125 | - * The 'cookiestoo' argument tells this function whether to just free the | ||
126 | - * list or actually also free all cookies within the list as well. | ||
127 | - * | ||
128 | ****************************************************************************/ | ||
129 | |||
130 | -void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo) | ||
131 | +void Curl_cookie_freelist(struct Cookie *co) | ||
132 | { | ||
133 | struct Cookie *next; | ||
134 | while(co) { | ||
135 | next = co->next; | ||
136 | - if(cookiestoo) | ||
137 | - freecookie(co); | ||
138 | - else | ||
139 | - free(co); /* we only free the struct since the "members" are all just | ||
140 | - pointed out in the main cookie list! */ | ||
141 | + freecookie(co); | ||
142 | co = next; | ||
143 | } | ||
144 | } | ||
145 | |||
146 | |||
147 | @@ -1231,11 +1250,11 @@ void Curl_cookie_clearsess(struct CookieInfo *cookies) | ||
148 | ****************************************************************************/ | ||
149 | void Curl_cookie_cleanup(struct CookieInfo *c) | ||
150 | { | ||
151 | if(c) { | ||
152 | free(c->filename); | ||
153 | - Curl_cookie_freelist(c->cookies, TRUE); | ||
154 | + Curl_cookie_freelist(c->cookies); | ||
155 | free(c); /* free the base struct as well */ | ||
156 | } | ||
157 | } | ||
158 | |||
159 | /* get_netscape_format() | ||
160 | diff --git a/lib/cookie.h b/lib/cookie.h | ||
161 | index cd7c54a..a9a4578 100644 | ||
162 | --- a/lib/cookie.h | ||
163 | +++ b/lib/cookie.h | ||
164 | @@ -5,11 +5,11 @@ | ||
165 | * Project ___| | | | _ \| | | ||
166 | * / __| | | | |_) | | | ||
167 | * | (__| |_| | _ <| |___ | ||
168 | * \___|\___/|_| \_\_____| | ||
169 | * | ||
170 | - * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
171 | + * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
172 | * | ||
173 | * This software is licensed as described in the file COPYING, which | ||
174 | * you should have received as part of this distribution. The terms | ||
175 | * are also available at https://curl.haxx.se/docs/copyright.html. | ||
176 | * | ||
177 | @@ -80,11 +80,11 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data, | ||
178 | struct CookieInfo *, bool header, char *lineptr, | ||
179 | const char *domain, const char *path); | ||
180 | |||
181 | struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *, | ||
182 | const char *, bool); | ||
183 | -void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo); | ||
184 | +void Curl_cookie_freelist(struct Cookie *cookies); | ||
185 | void Curl_cookie_clearall(struct CookieInfo *cookies); | ||
186 | void Curl_cookie_clearsess(struct CookieInfo *cookies); | ||
187 | |||
188 | #if defined(CURL_DISABLE_HTTP) || defined(CURL_DISABLE_COOKIES) | ||
189 | #define Curl_cookie_list(x) NULL | ||
190 | diff --git a/lib/http.c b/lib/http.c | ||
191 | index 65c145a..e6e7d37 100644 | ||
192 | --- a/lib/http.c | ||
193 | +++ b/lib/http.c | ||
194 | @@ -2382,11 +2382,11 @@ CURLcode Curl_http(struct connectdata *conn, bool *done) | ||
195 | break; | ||
196 | count++; | ||
197 | } | ||
198 | co = co->next; /* next cookie please */ | ||
199 | } | ||
200 | - Curl_cookie_freelist(store, FALSE); /* free the cookie list */ | ||
201 | + Curl_cookie_freelist(store); | ||
202 | } | ||
203 | if(addcookies && !result) { | ||
204 | if(!count) | ||
205 | result = Curl_add_bufferf(req_buffer, "Cookie: "); | ||
206 | if(!result) { | ||
207 | -- | ||
208 | 2.9.3 | ||
209 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8624.patch b/meta/recipes-support/curl/curl/CVE-2016-8624.patch deleted file mode 100644 index 009f7d0601..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-8624.patch +++ /dev/null | |||
@@ -1,51 +0,0 @@ | |||
1 | From 3bb273db7e40ebc284cff45f3ce3f0475c8339c2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 11 Oct 2016 00:48:35 +0200 | ||
4 | Subject: [PATCH] urlparse: accept '#' as end of host name | ||
5 | |||
6 | 'http://example.com#@127.0.0.1/x.txt' equals a request to example.com | ||
7 | for the '/' document with the rest of the URL being a fragment. | ||
8 | |||
9 | CVE: CVE-2016-8624 | ||
10 | Upstream-Status: Backport | ||
11 | |||
12 | Bug: https://curl.haxx.se/docs/adv_20161102J.html | ||
13 | Reported-by: Fernando Muñoz | ||
14 | |||
15 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
16 | |||
17 | diff -ruN a/lib/url.c b/lib/url.c | ||
18 | --- a/lib/url.c 2016-11-07 08:50:23.030126833 +0100 | ||
19 | +++ b/lib/url.c 2016-11-07 10:16:13.562089428 +0100 | ||
20 | @@ -4086,7 +4086,7 @@ | ||
21 | path[0]=0; | ||
22 | |||
23 | if(2 > sscanf(data->change.url, | ||
24 | - "%15[^\n:]://%[^\n/?]%[^\n]", | ||
25 | + "%15[^\n:]://%[^\n/?#]%[^\n]", | ||
26 | protobuf, | ||
27 | conn->host.name, path)) { | ||
28 | |||
29 | @@ -4094,7 +4094,7 @@ | ||
30 | * The URL was badly formatted, let's try the browser-style _without_ | ||
31 | * protocol specified like 'http://'. | ||
32 | */ | ||
33 | - rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path); | ||
34 | + rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path); | ||
35 | if(1 > rc) { | ||
36 | /* | ||
37 | * We couldn't even get this format. | ||
38 | @@ -4184,10 +4184,10 @@ | ||
39 | } | ||
40 | |||
41 | /* If the URL is malformatted (missing a '/' after hostname before path) we | ||
42 | - * insert a slash here. The only letter except '/' we accept to start a path | ||
43 | - * is '?'. | ||
44 | + * insert a slash here. The only letters except '/' that can start a path is | ||
45 | + * '?' and '#' - as controlled by the two sscanf() patterns above. | ||
46 | */ | ||
47 | - if(path[0] == '?') { | ||
48 | + if(path[0] != '/') { | ||
49 | /* We need this function to deal with overlapping memory areas. We know | ||
50 | that the memory area 'path' points to is 'urllen' bytes big and that | ||
51 | is bigger than the path. Use +1 to move the zero byte too. */ | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8625.patch b/meta/recipes-support/curl/curl/CVE-2016-8625.patch deleted file mode 100755 index b61827729a..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2016-8625.patch +++ /dev/null | |||
@@ -1,615 +0,0 @@ | |||
1 | commit 914aae739463ec72340130ea9ad42e04b02a5338 | ||
2 | Author: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Wed Oct 12 09:01:06 2016 +0200 | ||
4 | |||
5 | idn: switch to libidn2 use and IDNA2008 support | ||
6 | |||
7 | CVE: CVE-2016-8625 | ||
8 | Upstream-Status: Backport | ||
9 | |||
10 | Bug: https://curl.haxx.se/docs/adv_20161102K.html | ||
11 | Reported-by: Christian Heimes | ||
12 | |||
13 | Conflicts: | ||
14 | CMakeLists.txt | ||
15 | lib/url.c | ||
16 | |||
17 | Signed-off-by: Martin Borg <martin.borg@enea.com> | ||
18 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
19 | diff --git a/CMakeLists.txt b/CMakeLists.txt | ||
20 | index 06f18cf..c3e5c7c 100644 | ||
21 | --- a/CMakeLists.txt | ||
22 | +++ b/CMakeLists.txt | ||
23 | @@ -440,7 +440,7 @@ if(NOT CURL_DISABLE_LDAPS) | ||
24 | endif() | ||
25 | |||
26 | # Check for idn | ||
27 | -check_library_exists_concat("idn" idna_to_ascii_lz HAVE_LIBIDN) | ||
28 | +check_library_exists_concat("idn2" idn2_lookup_ul HAVE_LIBIDN2) | ||
29 | |||
30 | # Check for symbol dlopen (same as HAVE_LIBDL) | ||
31 | check_library_exists("${CURL_LIBS}" dlopen "" HAVE_DLOPEN) | ||
32 | @@ -608,7 +608,7 @@ check_include_file_concat("des.h" HAVE_DES_H) | ||
33 | check_include_file_concat("err.h" HAVE_ERR_H) | ||
34 | check_include_file_concat("errno.h" HAVE_ERRNO_H) | ||
35 | check_include_file_concat("fcntl.h" HAVE_FCNTL_H) | ||
36 | -check_include_file_concat("idn-free.h" HAVE_IDN_FREE_H) | ||
37 | +check_include_file_concat("idn2.h" HAVE_IDN2_H) | ||
38 | check_include_file_concat("ifaddrs.h" HAVE_IFADDRS_H) | ||
39 | check_include_file_concat("io.h" HAVE_IO_H) | ||
40 | check_include_file_concat("krb.h" HAVE_KRB_H) | ||
41 | @@ -638,7 +638,6 @@ check_include_file_concat("stropts.h" HAVE_STROPTS_H) | ||
42 | check_include_file_concat("termio.h" HAVE_TERMIO_H) | ||
43 | check_include_file_concat("termios.h" HAVE_TERMIOS_H) | ||
44 | check_include_file_concat("time.h" HAVE_TIME_H) | ||
45 | -check_include_file_concat("tld.h" HAVE_TLD_H) | ||
46 | check_include_file_concat("unistd.h" HAVE_UNISTD_H) | ||
47 | check_include_file_concat("utime.h" HAVE_UTIME_H) | ||
48 | check_include_file_concat("x509.h" HAVE_X509_H) | ||
49 | @@ -652,9 +651,6 @@ check_include_file_concat("netinet/if_ether.h" HAVE_NETINET_IF_ETHER_H) | ||
50 | check_include_file_concat("stdint.h" HAVE_STDINT_H) | ||
51 | check_include_file_concat("sockio.h" HAVE_SOCKIO_H) | ||
52 | check_include_file_concat("sys/utsname.h" HAVE_SYS_UTSNAME_H) | ||
53 | -check_include_file_concat("idna.h" HAVE_IDNA_H) | ||
54 | - | ||
55 | - | ||
56 | |||
57 | check_type_size(size_t SIZEOF_SIZE_T) | ||
58 | check_type_size(ssize_t SIZEOF_SSIZE_T) | ||
59 | @@ -802,9 +798,6 @@ check_symbol_exists(pipe "${CURL_INCLUDES}" HAVE_PIPE) | ||
60 | check_symbol_exists(ftruncate "${CURL_INCLUDES}" HAVE_FTRUNCATE) | ||
61 | check_symbol_exists(getprotobyname "${CURL_INCLUDES}" HAVE_GETPROTOBYNAME) | ||
62 | check_symbol_exists(getrlimit "${CURL_INCLUDES}" HAVE_GETRLIMIT) | ||
63 | -check_symbol_exists(idn_free "${CURL_INCLUDES}" HAVE_IDN_FREE) | ||
64 | -check_symbol_exists(idna_strerror "${CURL_INCLUDES}" HAVE_IDNA_STRERROR) | ||
65 | -check_symbol_exists(tld_strerror "${CURL_INCLUDES}" HAVE_TLD_STRERROR) | ||
66 | check_symbol_exists(setlocale "${CURL_INCLUDES}" HAVE_SETLOCALE) | ||
67 | check_symbol_exists(setrlimit "${CURL_INCLUDES}" HAVE_SETRLIMIT) | ||
68 | check_symbol_exists(fcntl "${CURL_INCLUDES}" HAVE_FCNTL) | ||
69 | @@ -1067,7 +1060,7 @@ _add_if("IPv6" ENABLE_IPV6) | ||
70 | _add_if("unix-sockets" USE_UNIX_SOCKETS) | ||
71 | _add_if("libz" HAVE_LIBZ) | ||
72 | _add_if("AsynchDNS" USE_ARES OR USE_THREADS_POSIX) | ||
73 | -_add_if("IDN" HAVE_LIBIDN) | ||
74 | +_add_if("IDN" HAVE_LIBIDN2) | ||
75 | # TODO SSP1 (WinSSL) check is missing | ||
76 | _add_if("SSPI" USE_WINDOWS_SSPI) | ||
77 | _add_if("GSS-API" HAVE_GSSAPI) | ||
78 | diff --git a/configure.ac b/configure.ac | ||
79 | index 4c9862f..c8e2721 100644 | ||
80 | --- a/configure.ac | ||
81 | +++ b/configure.ac | ||
82 | @@ -157,7 +157,7 @@ curl_tls_srp_msg="no (--enable-tls-srp)" | ||
83 | curl_res_msg="default (--enable-ares / --enable-threaded-resolver)" | ||
84 | curl_ipv6_msg="no (--enable-ipv6)" | ||
85 | curl_unix_sockets_msg="no (--enable-unix-sockets)" | ||
86 | - curl_idn_msg="no (--with-{libidn,winidn})" | ||
87 | + curl_idn_msg="no (--with-{libidn2,winidn})" | ||
88 | curl_manual_msg="no (--enable-manual)" | ||
89 | curl_libcurl_msg="enabled (--disable-libcurl-option)" | ||
90 | curl_verbose_msg="enabled (--disable-verbose)" | ||
91 | @@ -2825,15 +2825,15 @@ dnl ********************************************************************** | ||
92 | dnl Check for the presence of IDN libraries and headers | ||
93 | dnl ********************************************************************** | ||
94 | |||
95 | -AC_MSG_CHECKING([whether to build with libidn]) | ||
96 | +AC_MSG_CHECKING([whether to build with libidn2]) | ||
97 | OPT_IDN="default" | ||
98 | AC_ARG_WITH(libidn, | ||
99 | -AC_HELP_STRING([--with-libidn=PATH],[Enable libidn usage]) | ||
100 | -AC_HELP_STRING([--without-libidn],[Disable libidn usage]), | ||
101 | +AC_HELP_STRING([--with-libidn2=PATH],[Enable libidn2 usage]) | ||
102 | +AC_HELP_STRING([--without-libidn2],[Disable libidn2 usage]), | ||
103 | [OPT_IDN=$withval]) | ||
104 | case "$OPT_IDN" in | ||
105 | no) | ||
106 | - dnl --without-libidn option used | ||
107 | + dnl --without-libidn2 option used | ||
108 | want_idn="no" | ||
109 | AC_MSG_RESULT([no]) | ||
110 | ;; | ||
111 | @@ -2844,13 +2844,13 @@ case "$OPT_IDN" in | ||
112 | AC_MSG_RESULT([(assumed) yes]) | ||
113 | ;; | ||
114 | yes) | ||
115 | - dnl --with-libidn option used without path | ||
116 | + dnl --with-libidn2 option used without path | ||
117 | want_idn="yes" | ||
118 | want_idn_path="default" | ||
119 | AC_MSG_RESULT([yes]) | ||
120 | ;; | ||
121 | *) | ||
122 | - dnl --with-libidn option used with path | ||
123 | + dnl --with-libidn2 option used with path | ||
124 | want_idn="yes" | ||
125 | want_idn_path="$withval" | ||
126 | AC_MSG_RESULT([yes ($withval)]) | ||
127 | @@ -2867,33 +2867,33 @@ if test "$want_idn" = "yes"; then | ||
128 | if test "$want_idn_path" != "default"; then | ||
129 | dnl path has been specified | ||
130 | IDN_PCDIR="$want_idn_path/lib$libsuff/pkgconfig" | ||
131 | - CURL_CHECK_PKGCONFIG(libidn, [$IDN_PCDIR]) | ||
132 | + CURL_CHECK_PKGCONFIG(libidn2, [$IDN_PCDIR]) | ||
133 | if test "$PKGCONFIG" != "no"; then | ||
134 | IDN_LIBS=`CURL_EXPORT_PCDIR([$IDN_PCDIR]) dnl | ||
135 | - $PKGCONFIG --libs-only-l libidn 2>/dev/null` | ||
136 | + $PKGCONFIG --libs-only-l libidn2 2>/dev/null` | ||
137 | IDN_LDFLAGS=`CURL_EXPORT_PCDIR([$IDN_PCDIR]) dnl | ||
138 | - $PKGCONFIG --libs-only-L libidn 2>/dev/null` | ||
139 | + $PKGCONFIG --libs-only-L libidn2 2>/dev/null` | ||
140 | IDN_CPPFLAGS=`CURL_EXPORT_PCDIR([$IDN_PCDIR]) dnl | ||
141 | - $PKGCONFIG --cflags-only-I libidn 2>/dev/null` | ||
142 | + $PKGCONFIG --cflags-only-I libidn2 2>/dev/null` | ||
143 | IDN_DIR=`echo $IDN_LDFLAGS | $SED -e 's/-L//'` | ||
144 | else | ||
145 | dnl pkg-config not available or provides no info | ||
146 | - IDN_LIBS="-lidn" | ||
147 | + IDN_LIBS="-lidn2" | ||
148 | IDN_LDFLAGS="-L$want_idn_path/lib$libsuff" | ||
149 | IDN_CPPFLAGS="-I$want_idn_path/include" | ||
150 | IDN_DIR="$want_idn_path/lib$libsuff" | ||
151 | fi | ||
152 | else | ||
153 | dnl path not specified | ||
154 | - CURL_CHECK_PKGCONFIG(libidn) | ||
155 | + CURL_CHECK_PKGCONFIG(libidn2) | ||
156 | if test "$PKGCONFIG" != "no"; then | ||
157 | - IDN_LIBS=`$PKGCONFIG --libs-only-l libidn 2>/dev/null` | ||
158 | - IDN_LDFLAGS=`$PKGCONFIG --libs-only-L libidn 2>/dev/null` | ||
159 | - IDN_CPPFLAGS=`$PKGCONFIG --cflags-only-I libidn 2>/dev/null` | ||
160 | + IDN_LIBS=`$PKGCONFIG --libs-only-l libidn2 2>/dev/null` | ||
161 | + IDN_LDFLAGS=`$PKGCONFIG --libs-only-L libidn2 2>/dev/null` | ||
162 | + IDN_CPPFLAGS=`$PKGCONFIG --cflags-only-I libidn2 2>/dev/null` | ||
163 | IDN_DIR=`echo $IDN_LDFLAGS | $SED -e 's/-L//'` | ||
164 | else | ||
165 | dnl pkg-config not available or provides no info | ||
166 | - IDN_LIBS="-lidn" | ||
167 | + IDN_LIBS="-lidn2" | ||
168 | fi | ||
169 | fi | ||
170 | # | ||
171 | @@ -2913,9 +2913,9 @@ if test "$want_idn" = "yes"; then | ||
172 | LDFLAGS="$IDN_LDFLAGS $LDFLAGS" | ||
173 | LIBS="$IDN_LIBS $LIBS" | ||
174 | # | ||
175 | - AC_MSG_CHECKING([if idna_to_ascii_4i can be linked]) | ||
176 | + AC_MSG_CHECKING([if idn2_lookup_ul can be linked]) | ||
177 | AC_LINK_IFELSE([ | ||
178 | - AC_LANG_FUNC_LINK_TRY([idna_to_ascii_4i]) | ||
179 | + AC_LANG_FUNC_LINK_TRY([idn2_lookup_ul]) | ||
180 | ],[ | ||
181 | AC_MSG_RESULT([yes]) | ||
182 | tst_links_libidn="yes" | ||
183 | @@ -2923,37 +2923,19 @@ if test "$want_idn" = "yes"; then | ||
184 | AC_MSG_RESULT([no]) | ||
185 | tst_links_libidn="no" | ||
186 | ]) | ||
187 | - if test "$tst_links_libidn" = "no"; then | ||
188 | - AC_MSG_CHECKING([if idna_to_ascii_lz can be linked]) | ||
189 | - AC_LINK_IFELSE([ | ||
190 | - AC_LANG_FUNC_LINK_TRY([idna_to_ascii_lz]) | ||
191 | - ],[ | ||
192 | - AC_MSG_RESULT([yes]) | ||
193 | - tst_links_libidn="yes" | ||
194 | - ],[ | ||
195 | - AC_MSG_RESULT([no]) | ||
196 | - tst_links_libidn="no" | ||
197 | - ]) | ||
198 | - fi | ||
199 | # | ||
200 | + AC_CHECK_HEADERS( idn2.h ) | ||
201 | + | ||
202 | if test "$tst_links_libidn" = "yes"; then | ||
203 | - AC_DEFINE(HAVE_LIBIDN, 1, [Define to 1 if you have the `idn' library (-lidn).]) | ||
204 | + AC_DEFINE(HAVE_LIBIDN2, 1, [Define to 1 if you have the `idn2' library (-lidn2).]) | ||
205 | dnl different versions of libidn have different setups of these: | ||
206 | - AC_CHECK_FUNCS( idn_free idna_strerror tld_strerror ) | ||
207 | - AC_CHECK_HEADERS( idn-free.h tld.h ) | ||
208 | - if test "x$ac_cv_header_tld_h" = "xyes"; then | ||
209 | - AC_SUBST([IDN_ENABLED], [1]) | ||
210 | - curl_idn_msg="enabled" | ||
211 | - if test -n "$IDN_DIR" -a "x$cross_compiling" != "xyes"; then | ||
212 | - LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$IDN_DIR" | ||
213 | - export LD_LIBRARY_PATH | ||
214 | - AC_MSG_NOTICE([Added $IDN_DIR to LD_LIBRARY_PATH]) | ||
215 | - fi | ||
216 | - else | ||
217 | - AC_MSG_WARN([Libraries for IDN support too old: IDN disabled]) | ||
218 | - CPPFLAGS="$clean_CPPFLAGS" | ||
219 | - LDFLAGS="$clean_LDFLAGS" | ||
220 | - LIBS="$clean_LIBS" | ||
221 | + | ||
222 | + AC_SUBST([IDN_ENABLED], [1]) | ||
223 | + curl_idn_msg="enabled (libidn2)" | ||
224 | + if test -n "$IDN_DIR" -a "x$cross_compiling" != "xyes"; then | ||
225 | + LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$IDN_DIR" | ||
226 | + export LD_LIBRARY_PATH | ||
227 | + AC_MSG_NOTICE([Added $IDN_DIR to LD_LIBRARY_PATH]) | ||
228 | fi | ||
229 | else | ||
230 | AC_MSG_WARN([Cannot find libraries for IDN support: IDN disabled]) | ||
231 | diff --git a/lib/curl_setup.h b/lib/curl_setup.h | ||
232 | index 33ad129..5fb241b 100644 | ||
233 | --- a/lib/curl_setup.h | ||
234 | +++ b/lib/curl_setup.h | ||
235 | @@ -590,10 +590,9 @@ int netware_init(void); | ||
236 | #endif | ||
237 | #endif | ||
238 | |||
239 | -#if defined(HAVE_LIBIDN) && defined(HAVE_TLD_H) | ||
240 | -/* The lib was present and the tld.h header (which is missing in libidn 0.3.X | ||
241 | - but we only work with libidn 0.4.1 or later) */ | ||
242 | -#define USE_LIBIDN | ||
243 | +#if defined(HAVE_LIBIDN2) && defined(HAVE_IDN2_H) | ||
244 | +/* The lib and header are present */ | ||
245 | +#define USE_LIBIDN2 | ||
246 | #endif | ||
247 | |||
248 | #ifndef SIZEOF_TIME_T | ||
249 | diff --git a/lib/easy.c b/lib/easy.c | ||
250 | index d529da8..51d57e3 100644 | ||
251 | --- a/lib/easy.c | ||
252 | +++ b/lib/easy.c | ||
253 | @@ -144,28 +144,6 @@ static CURLcode win32_init(void) | ||
254 | return CURLE_OK; | ||
255 | } | ||
256 | |||
257 | -#ifdef USE_LIBIDN | ||
258 | -/* | ||
259 | - * Initialise use of IDNA library. | ||
260 | - * It falls back to ASCII if $CHARSET isn't defined. This doesn't work for | ||
261 | - * idna_to_ascii_lz(). | ||
262 | - */ | ||
263 | -static void idna_init (void) | ||
264 | -{ | ||
265 | -#ifdef WIN32 | ||
266 | - char buf[60]; | ||
267 | - UINT cp = GetACP(); | ||
268 | - | ||
269 | - if(!getenv("CHARSET") && cp > 0) { | ||
270 | - snprintf(buf, sizeof(buf), "CHARSET=cp%u", cp); | ||
271 | - putenv(buf); | ||
272 | - } | ||
273 | -#else | ||
274 | - /* to do? */ | ||
275 | -#endif | ||
276 | -} | ||
277 | -#endif /* USE_LIBIDN */ | ||
278 | - | ||
279 | /* true globals -- for curl_global_init() and curl_global_cleanup() */ | ||
280 | static unsigned int initialized; | ||
281 | static long init_flags; | ||
282 | @@ -262,10 +240,6 @@ static CURLcode global_init(long flags, bool memoryfuncs) | ||
283 | } | ||
284 | #endif | ||
285 | |||
286 | -#ifdef USE_LIBIDN | ||
287 | - idna_init(); | ||
288 | -#endif | ||
289 | - | ||
290 | if(Curl_resolver_global_init()) { | ||
291 | DEBUGF(fprintf(stderr, "Error: resolver_global_init failed\n")); | ||
292 | return CURLE_FAILED_INIT; | ||
293 | diff --git a/lib/strerror.c b/lib/strerror.c | ||
294 | index d222a1f..bf4faae 100644 | ||
295 | --- a/lib/strerror.c | ||
296 | +++ b/lib/strerror.c | ||
297 | @@ -35,8 +35,8 @@ | ||
298 | |||
299 | #include <curl/curl.h> | ||
300 | |||
301 | -#ifdef USE_LIBIDN | ||
302 | -#include <idna.h> | ||
303 | +#ifdef USE_LIBIDN2 | ||
304 | +#include <idn2.h> | ||
305 | #endif | ||
306 | |||
307 | #ifdef USE_WINDOWS_SSPI | ||
308 | @@ -723,83 +723,6 @@ const char *Curl_strerror(struct connectdata *conn, int err) | ||
309 | return buf; | ||
310 | } | ||
311 | |||
312 | -#ifdef USE_LIBIDN | ||
313 | -/* | ||
314 | - * Return error-string for libidn status as returned from idna_to_ascii_lz(). | ||
315 | - */ | ||
316 | -const char *Curl_idn_strerror (struct connectdata *conn, int err) | ||
317 | -{ | ||
318 | -#ifdef HAVE_IDNA_STRERROR | ||
319 | - (void)conn; | ||
320 | - return idna_strerror((Idna_rc) err); | ||
321 | -#else | ||
322 | - const char *str; | ||
323 | - char *buf; | ||
324 | - size_t max; | ||
325 | - | ||
326 | - DEBUGASSERT(conn); | ||
327 | - | ||
328 | - buf = conn->syserr_buf; | ||
329 | - max = sizeof(conn->syserr_buf)-1; | ||
330 | - *buf = '\0'; | ||
331 | - | ||
332 | -#ifndef CURL_DISABLE_VERBOSE_STRINGS | ||
333 | - switch ((Idna_rc)err) { | ||
334 | - case IDNA_SUCCESS: | ||
335 | - str = "No error"; | ||
336 | - break; | ||
337 | - case IDNA_STRINGPREP_ERROR: | ||
338 | - str = "Error in string preparation"; | ||
339 | - break; | ||
340 | - case IDNA_PUNYCODE_ERROR: | ||
341 | - str = "Error in Punycode operation"; | ||
342 | - break; | ||
343 | - case IDNA_CONTAINS_NON_LDH: | ||
344 | - str = "Illegal ASCII characters"; | ||
345 | - break; | ||
346 | - case IDNA_CONTAINS_MINUS: | ||
347 | - str = "Contains minus"; | ||
348 | - break; | ||
349 | - case IDNA_INVALID_LENGTH: | ||
350 | - str = "Invalid output length"; | ||
351 | - break; | ||
352 | - case IDNA_NO_ACE_PREFIX: | ||
353 | - str = "No ACE prefix (\"xn--\")"; | ||
354 | - break; | ||
355 | - case IDNA_ROUNDTRIP_VERIFY_ERROR: | ||
356 | - str = "Round trip verify error"; | ||
357 | - break; | ||
358 | - case IDNA_CONTAINS_ACE_PREFIX: | ||
359 | - str = "Already have ACE prefix (\"xn--\")"; | ||
360 | - break; | ||
361 | - case IDNA_ICONV_ERROR: | ||
362 | - str = "Locale conversion failed"; | ||
363 | - break; | ||
364 | - case IDNA_MALLOC_ERROR: | ||
365 | - str = "Allocation failed"; | ||
366 | - break; | ||
367 | - case IDNA_DLOPEN_ERROR: | ||
368 | - str = "dlopen() error"; | ||
369 | - break; | ||
370 | - default: | ||
371 | - snprintf(buf, max, "error %d", err); | ||
372 | - str = NULL; | ||
373 | - break; | ||
374 | - } | ||
375 | -#else | ||
376 | - if((Idna_rc)err == IDNA_SUCCESS) | ||
377 | - str = "No error"; | ||
378 | - else | ||
379 | - str = "Error"; | ||
380 | -#endif | ||
381 | - if(str) | ||
382 | - strncpy(buf, str, max); | ||
383 | - buf[max] = '\0'; | ||
384 | - return (buf); | ||
385 | -#endif | ||
386 | -} | ||
387 | -#endif /* USE_LIBIDN */ | ||
388 | - | ||
389 | #ifdef USE_WINDOWS_SSPI | ||
390 | const char *Curl_sspi_strerror (struct connectdata *conn, int err) | ||
391 | { | ||
392 | diff --git a/lib/strerror.h b/lib/strerror.h | ||
393 | index ae8c96b..627273e 100644 | ||
394 | --- a/lib/strerror.h | ||
395 | +++ b/lib/strerror.h | ||
396 | @@ -7,7 +7,7 @@ | ||
397 | * | (__| |_| | _ <| |___ | ||
398 | * \___|\___/|_| \_\_____| | ||
399 | * | ||
400 | - * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
401 | + * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
402 | * | ||
403 | * This software is licensed as described in the file COPYING, which | ||
404 | * you should have received as part of this distribution. The terms | ||
405 | @@ -26,7 +26,7 @@ | ||
406 | |||
407 | const char *Curl_strerror (struct connectdata *conn, int err); | ||
408 | |||
409 | -#ifdef USE_LIBIDN | ||
410 | +#ifdef USE_LIBIDN2 | ||
411 | const char *Curl_idn_strerror (struct connectdata *conn, int err); | ||
412 | #endif | ||
413 | |||
414 | diff --git a/lib/url.c b/lib/url.c | ||
415 | index 8832989..8d52152 100644 | ||
416 | --- a/lib/url.c | ||
417 | +++ b/lib/url.c | ||
418 | @@ -59,24 +59,15 @@ | ||
419 | #include <limits.h> | ||
420 | #endif | ||
421 | |||
422 | -#ifdef USE_LIBIDN | ||
423 | -#include <idna.h> | ||
424 | -#include <tld.h> | ||
425 | -#include <stringprep.h> | ||
426 | -#ifdef HAVE_IDN_FREE_H | ||
427 | -#include <idn-free.h> | ||
428 | -#else | ||
429 | -/* prototype from idn-free.h, not provided by libidn 0.4.5's make install! */ | ||
430 | -void idn_free (void *ptr); | ||
431 | -#endif | ||
432 | -#ifndef HAVE_IDN_FREE | ||
433 | -/* if idn_free() was not found in this version of libidn use free() instead */ | ||
434 | -#define idn_free(x) (free)(x) | ||
435 | -#endif | ||
436 | +#ifdef USE_LIBIDN2 | ||
437 | +#include <idn2.h> | ||
438 | + | ||
439 | #elif defined(USE_WIN32_IDN) | ||
440 | /* prototype for curl_win32_idn_to_ascii() */ | ||
441 | int curl_win32_idn_to_ascii(const char *in, char **out); | ||
442 | -#endif /* USE_LIBIDN */ | ||
443 | +#endif /* USE_LIBIDN2 */ | ||
444 | + | ||
445 | +#include <idn2.h> | ||
446 | |||
447 | #include "urldata.h" | ||
448 | #include "netrc.h" | ||
449 | @@ -3693,59 +3684,15 @@ static bool is_ASCII_name(const char *hostname) | ||
450 | return TRUE; | ||
451 | } | ||
452 | |||
453 | -#ifdef USE_LIBIDN | ||
454 | -/* | ||
455 | - * Check if characters in hostname is allowed in Top Level Domain. | ||
456 | - */ | ||
457 | -static bool tld_check_name(struct SessionHandle *data, | ||
458 | - const char *ace_hostname) | ||
459 | -{ | ||
460 | - size_t err_pos; | ||
461 | - char *uc_name = NULL; | ||
462 | - int rc; | ||
463 | -#ifndef CURL_DISABLE_VERBOSE_STRINGS | ||
464 | - const char *tld_errmsg = "<no msg>"; | ||
465 | -#else | ||
466 | - (void)data; | ||
467 | -#endif | ||
468 | - | ||
469 | - /* Convert (and downcase) ACE-name back into locale's character set */ | ||
470 | - rc = idna_to_unicode_lzlz(ace_hostname, &uc_name, 0); | ||
471 | - if(rc != IDNA_SUCCESS) | ||
472 | - return FALSE; | ||
473 | - | ||
474 | - rc = tld_check_lz(uc_name, &err_pos, NULL); | ||
475 | -#ifndef CURL_DISABLE_VERBOSE_STRINGS | ||
476 | -#ifdef HAVE_TLD_STRERROR | ||
477 | - if(rc != TLD_SUCCESS) | ||
478 | - tld_errmsg = tld_strerror((Tld_rc)rc); | ||
479 | -#endif | ||
480 | - if(rc == TLD_INVALID) | ||
481 | - infof(data, "WARNING: %s; pos %u = `%c'/0x%02X\n", | ||
482 | - tld_errmsg, err_pos, uc_name[err_pos], | ||
483 | - uc_name[err_pos] & 255); | ||
484 | - else if(rc != TLD_SUCCESS) | ||
485 | - infof(data, "WARNING: TLD check for %s failed; %s\n", | ||
486 | - uc_name, tld_errmsg); | ||
487 | -#endif /* CURL_DISABLE_VERBOSE_STRINGS */ | ||
488 | - if(uc_name) | ||
489 | - idn_free(uc_name); | ||
490 | - if(rc != TLD_SUCCESS) | ||
491 | - return FALSE; | ||
492 | - | ||
493 | - return TRUE; | ||
494 | -} | ||
495 | -#endif | ||
496 | - | ||
497 | /* | ||
498 | * Perform any necessary IDN conversion of hostname | ||
499 | */ | ||
500 | -static void fix_hostname(struct SessionHandle *data, | ||
501 | - struct connectdata *conn, struct hostname *host) | ||
502 | +static void fix_hostname(struct connectdata *conn, struct hostname *host) | ||
503 | { | ||
504 | size_t len; | ||
505 | + struct Curl_easy *data = conn->data; | ||
506 | |||
507 | -#ifndef USE_LIBIDN | ||
508 | +#ifndef USE_LIBIDN2 | ||
509 | (void)data; | ||
510 | (void)conn; | ||
511 | #elif defined(CURL_DISABLE_VERBOSE_STRINGS) | ||
512 | @@ -3762,26 +3709,18 @@ static void fix_hostname(struct SessionHandle *data, | ||
513 | host->name[len-1]=0; | ||
514 | |||
515 | if(!is_ASCII_name(host->name)) { | ||
516 | -#ifdef USE_LIBIDN | ||
517 | - /************************************************************* | ||
518 | - * Check name for non-ASCII and convert hostname to ACE form. | ||
519 | - *************************************************************/ | ||
520 | - if(stringprep_check_version(LIBIDN_REQUIRED_VERSION)) { | ||
521 | - char *ace_hostname = NULL; | ||
522 | - int rc = idna_to_ascii_lz(host->name, &ace_hostname, 0); | ||
523 | - infof (data, "Input domain encoded as `%s'\n", | ||
524 | - stringprep_locale_charset ()); | ||
525 | - if(rc != IDNA_SUCCESS) | ||
526 | - infof(data, "Failed to convert %s to ACE; %s\n", | ||
527 | - host->name, Curl_idn_strerror(conn, rc)); | ||
528 | - else { | ||
529 | - /* tld_check_name() displays a warning if the host name contains | ||
530 | - "illegal" characters for this TLD */ | ||
531 | - (void)tld_check_name(data, ace_hostname); | ||
532 | - | ||
533 | - host->encalloc = ace_hostname; | ||
534 | - /* change the name pointer to point to the encoded hostname */ | ||
535 | - host->name = host->encalloc; | ||
536 | +#ifdef USE_LIBIDN2 | ||
537 | + if(idn2_check_version(IDN2_VERSION)) { | ||
538 | + char *ace_hostname = NULL; | ||
539 | + int rc = idn2_lookup_ul((const char *)host->name, &ace_hostname, 0); | ||
540 | + if(rc == IDN2_OK) { | ||
541 | + host->encalloc = (char *)ace_hostname; | ||
542 | + /* change the name pointer to point to the encoded hostname */ | ||
543 | + host->name = host->encalloc; | ||
544 | + } | ||
545 | + else | ||
546 | + infof(data, "Failed to convert %s to ACE; %s\n", host->name, | ||
547 | + idn2_strerror(rc)); | ||
548 | } | ||
549 | } | ||
550 | #elif defined(USE_WIN32_IDN) | ||
551 | @@ -3809,9 +3748,9 @@ static void fix_hostname(struct SessionHandle *data, | ||
552 | */ | ||
553 | static void free_fixed_hostname(struct hostname *host) | ||
554 | { | ||
555 | -#if defined(USE_LIBIDN) | ||
556 | +#if defined(USE_LIBIDN2) | ||
557 | if(host->encalloc) { | ||
558 | - idn_free(host->encalloc); /* must be freed with idn_free() since this was | ||
559 | + idn2_free(host->encalloc); /* must be freed with idn2_free() since this was | ||
560 | allocated by libidn */ | ||
561 | host->encalloc = NULL; | ||
562 | } | ||
563 | @@ -5707,9 +5646,9 @@ static CURLcode create_conn(struct SessionHandle *data, | ||
564 | /************************************************************* | ||
565 | * IDN-fix the hostnames | ||
566 | *************************************************************/ | ||
567 | - fix_hostname(data, conn, &conn->host); | ||
568 | + fix_hostname(conn, &conn->host); | ||
569 | if(conn->proxy.name && *conn->proxy.name) | ||
570 | - fix_hostname(data, conn, &conn->proxy); | ||
571 | + fix_hostname(conn, &conn->proxy); | ||
572 | |||
573 | /************************************************************* | ||
574 | * Setup internals depending on protocol. Needs to be done after | ||
575 | diff --git a/lib/version.c b/lib/version.c | ||
576 | index 7f14fa5..a5c9811 100644 | ||
577 | --- a/lib/version.c | ||
578 | +++ b/lib/version.c | ||
579 | @@ -36,8 +36,8 @@ | ||
580 | # include <ares.h> | ||
581 | #endif | ||
582 | |||
583 | -#ifdef USE_LIBIDN | ||
584 | -#include <stringprep.h> | ||
585 | +#ifdef USE_LIBIDN2 | ||
586 | +#include <idn2.h> | ||
587 | #endif | ||
588 | |||
589 | #ifdef USE_LIBPSL | ||
590 | @@ -97,9 +97,9 @@ char *curl_version(void) | ||
591 | left -= len; | ||
592 | ptr += len; | ||
593 | #endif | ||
594 | -#ifdef USE_LIBIDN | ||
595 | - if(stringprep_check_version(LIBIDN_REQUIRED_VERSION)) { | ||
596 | - len = snprintf(ptr, left, " libidn/%s", stringprep_check_version(NULL)); | ||
597 | +#ifdef USE_LIBIDN2 | ||
598 | + if(idn2_check_version(IDN2_VERSION)) { | ||
599 | + len = snprintf(ptr, left, " libidn2/%s", idn2_check_version(NULL)); | ||
600 | left -= len; | ||
601 | ptr += len; | ||
602 | } | ||
603 | @@ -344,10 +344,10 @@ curl_version_info_data *curl_version_info(CURLversion stamp) | ||
604 | version_info.ares_num = aresnum; | ||
605 | } | ||
606 | #endif | ||
607 | -#ifdef USE_LIBIDN | ||
608 | +#ifdef USE_LIBIDN2 | ||
609 | /* This returns a version string if we use the given version or later, | ||
610 | otherwise it returns NULL */ | ||
611 | - version_info.libidn = stringprep_check_version(LIBIDN_REQUIRED_VERSION); | ||
612 | + version_info.libidn = idn2_check_version(IDN2_VERSION); | ||
613 | if(version_info.libidn) | ||
614 | version_info.features |= CURL_VERSION_IDN; | ||
615 | #elif defined(USE_WIN32_IDN) | ||
diff --git a/meta/recipes-support/curl/curl/url-remove-unconditional-idn2.h-include.patch b/meta/recipes-support/curl/curl/url-remove-unconditional-idn2.h-include.patch deleted file mode 100644 index 3549101020..0000000000 --- a/meta/recipes-support/curl/curl/url-remove-unconditional-idn2.h-include.patch +++ /dev/null | |||
@@ -1,29 +0,0 @@ | |||
1 | From c27013c05d99d92370b57e1a7af1b854eef4e7c1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 31 Oct 2016 09:49:50 +0100 | ||
4 | Subject: [PATCH] url: remove unconditional idn2.h include | ||
5 | |||
6 | Mistake brought by 9c91ec778104a [fix to CVE-2016-8625] | ||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
10 | --- | ||
11 | lib/url.c | 2 -- | ||
12 | 1 file changed, 2 deletions(-) | ||
13 | |||
14 | diff --git a/lib/url.c b/lib/url.c | ||
15 | index c90a1c5..b997f41 100644 | ||
16 | --- a/lib/url.c | ||
17 | +++ b/lib/url.c | ||
18 | @@ -67,8 +67,6 @@ | ||
19 | bool curl_win32_idn_to_ascii(const char *in, char **out); | ||
20 | #endif /* USE_LIBIDN2 */ | ||
21 | |||
22 | -#include <idn2.h> | ||
23 | - | ||
24 | #include "urldata.h" | ||
25 | #include "netrc.h" | ||
26 | |||
27 | -- | ||
28 | 1.9.1 | ||
29 | |||
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.53.1.bb index 7fab7cf7e8..9eb9720b6d 100644 --- a/meta/recipes-support/curl/curl_7.47.1.bb +++ b/meta/recipes-support/curl/curl_7.53.1.bb | |||
@@ -10,27 +10,10 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2" | |||
10 | # curl likes to set -g0 in CFLAGS, so we stop it | 10 | # curl likes to set -g0 in CFLAGS, so we stop it |
11 | # from mucking around with debug options | 11 | # from mucking around with debug options |
12 | # | 12 | # |
13 | SRC_URI += " file://configure_ac.patch \ | 13 | SRC_URI += " file://configure_ac.patch" |
14 | file://CVE-2016-5419.patch \ | ||
15 | file://CVE-2016-5420.patch \ | ||
16 | file://CVE-2016-5421.patch \ | ||
17 | file://CVE-2016-7141.patch \ | ||
18 | file://CVE-2016-8615.patch \ | ||
19 | file://CVE-2016-8616.patch \ | ||
20 | file://CVE-2016-8617.patch \ | ||
21 | file://CVE-2016-8618.patch \ | ||
22 | file://CVE-2016-8619.patch \ | ||
23 | file://CVE-2016-8620.patch \ | ||
24 | file://CVE-2016-8621.patch \ | ||
25 | file://CVE-2016-8622.patch \ | ||
26 | file://CVE-2016-8623.patch \ | ||
27 | file://CVE-2016-8624.patch \ | ||
28 | file://CVE-2016-8625.patch \ | ||
29 | file://url-remove-unconditional-idn2.h-include.patch \ | ||
30 | " | ||
31 | 14 | ||
32 | SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb" | 15 | SRC_URI[md5sum] = "fb1f03a142236840c1a77c035fa4c542" |
33 | SRC_URI[sha256sum] = "ddc643ab9382e24bbe4747d43df189a0a6ce38fcb33df041b9cb0b3cd47ae98f" | 16 | SRC_URI[sha256sum] = "1c7207c06d75e9136a944a2e0528337ce76f15b9ec9ae4bb30d703b59bf530e8" |
34 | 17 | ||
35 | inherit autotools pkgconfig binconfig multilib_header | 18 | inherit autotools pkgconfig binconfig multilib_header |
36 | 19 | ||