curl: several security fixes

Fixes below listed bugs: 1. CVE-2015-3143 2. CVE-2015-3144 3. CVE-2015-3145 4. CVE-2015-3148 (From OE-Core rev: cd3da9c95f48899e134a5b7ed1754fd18985df4f) Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Maxin B. John <maxin.john@enea.com> 2015-04-27 15:24:46 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-04-27 15:25:43 +0100
commit: e4f3cf8950106bd420e09f463f11c4e607462126 (patch)
tree: 5338685c0a17b5a40da4c8da728d173027bc8a27
parent: 2a9486875d65bd7423b7a6f99bc817debe1242db (diff)
download: poky-e4f3cf8950106bd420e09f463f11c4e607462126.tar.gz
5 files changed, 207 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3143.patch b/meta/recipes-support/curl/curl/CVE-2015-3143.patch
new file mode 100644
index 0000000000..745e9456f3
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3143.patch
@@ -0,0 +1,38 @@
+From d7d1bc8f08eea1a85ab0d794bc1561659462d937 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 13:26:46 +0200
+Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to
+ match
+Upstream-Status: Backport
+CVE-2015-3143
+Bug: http://curl.haxx.se/docs/adv_20150422A.html
+Reported-by: Paras Sethia
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/url.c b/lib/url.c
+index 018bb88..ee3d176 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -3207,11 +3207,11 @@ ConnectionExists(struct SessionHandle *data,
+            strcmp(check->localdev, needle->localdev))
+           continue;
+       }
+ 
+       if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+-         wantNTLMhttp) {
+         (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
+         /* This protocol requires credentials per connection or is HTTP+NTLM,
+            so verify that we're using the same name and password as well */
+         if(!strequal(needle->user, check->user) ||
+            !strequal(needle->passwd, check->passwd)) {
+           /* one of them was different */
+-- 
+2.1.4
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3144.patch b/meta/recipes-support/curl/curl/CVE-2015-3144.patch
new file mode 100644
index 0000000000..ca6d7448a1
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3144.patch
@@ -0,0 +1,45 @@
+From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 23:52:04 +0200
+Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Upstream-Status: Backport
+If a URL is given with a zero-length host name, like in "http://:80" or
+just ":80", `fix_hostname()` will index the host name pointer with a -1
+offset (as it blindly assumes a non-zero length) and both read and
+assign that address.
+CVE-2015-3144
+Bug: http://curl.haxx.se/docs/adv_20150422D.html
+Reported-by: Hanno Böck
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/url.c b/lib/url.c
+index ee3d176..f033dbc 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -3625,11 +3625,11 @@ static void fix_hostname(struct SessionHandle *data,
+ 
+   /* set the name we use to display the host name */
+   host->dispname = host->name;
+ 
+   len = strlen(host->name);
+-  if(host->name[len-1] == '.')
+  if(len && (host->name[len-1] == '.'))
+     /* strip off a single trailing dot if present, primarily for SNI but
+        there's no use for it */
+     host->name[len-1]=0;
+ 
+   if(!is_ASCII_name(host->name)) {
+-- 
+2.1.4
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3145.patch b/meta/recipes-support/curl/curl/CVE-2015-3145.patch
new file mode 100644
index 0000000000..15a998289e
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3145.patch
@@ -0,0 +1,70 @@
+From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 16:37:40 +0200
+Subject: [PATCH] cookie: cookie parser out of boundary memory access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Upstream-Status: Backport
+The internal libcurl function called sanitize_cookie_path() that cleans
+up the path element as given to it from a remote site or when read from
+a file, did not properly validate the input. If given a path that
+consisted of a single double-quote, libcurl would index a newly
+allocated memory area with index -1 and assign a zero to it, thus
+destroying heap memory it wasn't supposed to.
+CVE-2015-3145
+Bug: http://curl.haxx.se/docs/adv_20150422C.html
+Reported-by: Hanno Böck
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/cookie.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0864f6b..0127926 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -223,15 +223,18 @@ static char *sanitize_cookie_path(const char *cookie_path)
+   char *new_path = strdup(cookie_path);
+   if(!new_path)
+     return NULL;
+ 
+   /* some stupid site sends path attribute with '"'. */
+  len = strlen(new_path);
+   if(new_path[0] == '\"') {
+-    memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
+    memmove((void *)new_path, (const void *)(new_path + 1), len);
+    len--;
+   }
+-  if(new_path[strlen(new_path) - 1] == '\"') {
+-    new_path[strlen(new_path) - 1] = 0x0;
+  if(len && (new_path[len - 1] == '\"')) {
+    new_path[len - 1] = 0x0;
+    len--;
+   }
+ 
+   /* RFC6265 5.2.4 The Path Attribute */
+   if(new_path[0] != '/') {
+     /* Let cookie-path be the default-path. */
+@@ -239,12 +242,11 @@ static char *sanitize_cookie_path(const char *cookie_path)
+     new_path = strdup("/");
+     return new_path;
+   }
+ 
+   /* convert /hoge/ to /hoge */
+-  len = strlen(new_path);
+-  if(1 < len && new_path[len - 1] == '/') {
+  if(len && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
+ 
+   return new_path;
+ }
+-- 
+2.1.4
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3148.patch b/meta/recipes-support/curl/curl/CVE-2015-3148.patch
new file mode 100644
index 0000000000..13df14e5c4
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3148.patch
@@ -0,0 +1,50 @@
+From 6abfb512ed22c2de891a4398616d81a2a0690b5a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 18 Apr 2015 23:50:16 +0200
+Subject: [PATCH] http_done: close Negotiate connections when done
+Upstream-Status: Backport
+When doing HTTP requests Negotiate authenticated, the entire connnection
+may become authenticated and not just the specific HTTP request which is
+otherwise how HTTP works, as Negotiate can basically use NTLM under the
+hood. curl was not adhering to this fact but would assume that such
+requests would also be authenticated per request.
+CVE-2015-3148
+Bug: http://curl.haxx.se/docs/adv_20150422B.html
+Reported-by: Isaac Boukris
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/http.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/lib/http.c b/lib/http.c
+index 4c1cfc5..2a226fb 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -1433,12 +1433,18 @@ CURLcode Curl_http_done(struct connectdata *conn,
+ 
+   Curl_unencode_cleanup(conn);
+ 
+ #ifdef USE_SPNEGO
+   if(data->state.proxyneg.state == GSS_AUTHSENT ||
+-      data->state.negotiate.state == GSS_AUTHSENT)
+      data->state.negotiate.state == GSS_AUTHSENT) {
+    /* add forbid re-use if http-code != 401 as a WA
+     * only needed for 401 that failed handling
+     * otherwie state will be RECV with current code */
+    if((data->req.httpcode != 401) && (data->req.httpcode != 407))
+      connclose(conn, "Negotiate transfer completed");
+     Curl_cleanup_negotiate(data);
+  }
+ #endif
+ 
+   /* set the proper values (possibly modified on POST) */
+   conn->fread_func = data->set.fread_func; /* restore */
+   conn->fread_in = data->set.in; /* restore */
+-- 
+2.1.4
diff --git a/meta/recipes-support/curl/curl_7.40.0.bb b/meta/recipes-support/curl/curl_7.40.0.bb
index 4cde9c6baa..2b39d11411 100644
--- a/meta/recipes-support/curl/curl_7.40.0.bb
+++ b/meta/recipes-support/curl/curl_7.40.0.bb
@@ -7,6 +7,10 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=7;md5=3a34942f4ae3fbf1a303160714e66
 SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://pkgconfig_fix.patch \
+           file://CVE-2015-3143.patch \
+           file://CVE-2015-3144.patch \
+           file://CVE-2015-3145.patch \
+           file://CVE-2015-3148.patch \
          "
 # curl likes to set -g0 in CFLAGS, so we stop it
author	Maxin B. John <maxin.john@enea.com>	2015-04-27 15:24:46 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-04-27 15:25:43 +0100
commit	e4f3cf8950106bd420e09f463f11c4e607462126 (patch)
tree	5338685c0a17b5a40da4c8da728d173027bc8a27
parent	2a9486875d65bd7423b7a6f99bc817debe1242db (diff)
download	poky-e4f3cf8950106bd420e09f463f11c4e607462126.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2015-3143.patch b/meta/recipes-support/curl/curl/CVE-2015-3143.patch new file mode 100644 index 0000000000..745e9456f3 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3143.patch
@@ -0,0 +1,38 @@
		1	From d7d1bc8f08eea1a85ab0d794bc1561659462d937 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Thu, 16 Apr 2015 13:26:46 +0200
		4	Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to
		5	match
		6
		7	Upstream-Status: Backport
		8
		9	CVE-2015-3143
		10
		11	Bug: http://curl.haxx.se/docs/adv_20150422A.html
		12	Reported-by: Paras Sethia
		13	Signed-off-by: Daniel Stenberg <daniel@haxx.se>
		14	Signed-off-by: Maxin B. John <maxin.john@enea.com>
		15	---
		16	lib/url.c \| 2 +-
		17	1 file changed, 1 insertion(+), 1 deletion(-)
		18
		19	diff --git a/lib/url.c b/lib/url.c
		20	index 018bb88..ee3d176 100644
		21	--- a/lib/url.c
		22	+++ b/lib/url.c
		23	@@ -3207,11 +3207,11 @@ ConnectionExists(struct SessionHandle *data,
		24	strcmp(check->localdev, needle->localdev))
		25	continue;
		26	}
		27
		28	if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) \|\|
		29	- wantNTLMhttp) {
		30	+ (wantNTLMhttp \|\| check->ntlm.state != NTLMSTATE_NONE)) {
		31	/* This protocol requires credentials per connection or is HTTP+NTLM,
		32	so verify that we're using the same name and password as well */
		33	if(!strequal(needle->user, check->user) \|\|
		34	!strequal(needle->passwd, check->passwd)) {
		35	/* one of them was different */
		36	--
		37	2.1.4
		38


diff --git a/meta/recipes-support/curl/curl/CVE-2015-3144.patch b/meta/recipes-support/curl/curl/CVE-2015-3144.patch new file mode 100644 index 0000000000..ca6d7448a1 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3144.patch
@@ -0,0 +1,45 @@
		1	From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Thu, 16 Apr 2015 23:52:04 +0200
		4	Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Upstream-Status: Backport
		10
		11	If a URL is given with a zero-length host name, like in "http://:80" or
		12	just ":80", `fix_hostname()` will index the host name pointer with a -1
		13	offset (as it blindly assumes a non-zero length) and both read and
		14	assign that address.
		15
		16	CVE-2015-3144
		17
		18	Bug: http://curl.haxx.se/docs/adv_20150422D.html
		19	Reported-by: Hanno Böck
		20	Signed-off-by: Daniel Stenberg <daniel@haxx.se>
		21	Signed-off-by: Maxin B. John <maxin.john@enea.com>
		22	---
		23	lib/url.c \| 2 +-
		24	1 file changed, 1 insertion(+), 1 deletion(-)
		25
		26	diff --git a/lib/url.c b/lib/url.c
		27	index ee3d176..f033dbc 100644
		28	--- a/lib/url.c
		29	+++ b/lib/url.c
		30	@@ -3625,11 +3625,11 @@ static void fix_hostname(struct SessionHandle *data,
		31
		32	/* set the name we use to display the host name */
		33	host->dispname = host->name;
		34
		35	len = strlen(host->name);
		36	- if(host->name[len-1] == '.')
		37	+ if(len && (host->name[len-1] == '.'))
		38	/* strip off a single trailing dot if present, primarily for SNI but
		39	there's no use for it */
		40	host->name[len-1]=0;
		41
		42	if(!is_ASCII_name(host->name)) {
		43	--
		44	2.1.4
		45


diff --git a/meta/recipes-support/curl/curl/CVE-2015-3145.patch b/meta/recipes-support/curl/curl/CVE-2015-3145.patch new file mode 100644 index 0000000000..15a998289e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3145.patch
@@ -0,0 +1,70 @@
		1	From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Thu, 16 Apr 2015 16:37:40 +0200
		4	Subject: [PATCH] cookie: cookie parser out of boundary memory access
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Upstream-Status: Backport
		10
		11	The internal libcurl function called sanitize_cookie_path() that cleans
		12	up the path element as given to it from a remote site or when read from
		13	a file, did not properly validate the input. If given a path that
		14	consisted of a single double-quote, libcurl would index a newly
		15	allocated memory area with index -1 and assign a zero to it, thus
		16	destroying heap memory it wasn't supposed to.
		17
		18	CVE-2015-3145
		19
		20	Bug: http://curl.haxx.se/docs/adv_20150422C.html
		21	Reported-by: Hanno Böck
		22	Signed-off-by: Daniel Stenberg <daniel@haxx.se>
		23	Signed-off-by: Maxin B. John <maxin.john@enea.com>
		24	---
		25	lib/cookie.c \| 12 +++++++-----
		26	1 file changed, 7 insertions(+), 5 deletions(-)
		27
		28	diff --git a/lib/cookie.c b/lib/cookie.c
		29	index 0864f6b..0127926 100644
		30	--- a/lib/cookie.c
		31	+++ b/lib/cookie.c
		32	@@ -223,15 +223,18 @@ static char sanitize_cookie_path(const char cookie_path)
		33	char *new_path = strdup(cookie_path);
		34	if(!new_path)
		35	return NULL;
		36
		37	/* some stupid site sends path attribute with '"'. */
		38	+ len = strlen(new_path);
		39	if(new_path[0] == '\"') {
		40	- memmove((void )new_path, (const void )(new_path + 1), strlen(new_path));
		41	+ memmove((void )new_path, (const void )(new_path + 1), len);
		42	+ len--;
		43	}
		44	- if(new_path[strlen(new_path) - 1] == '\"') {
		45	- new_path[strlen(new_path) - 1] = 0x0;
		46	+ if(len && (new_path[len - 1] == '\"')) {
		47	+ new_path[len - 1] = 0x0;
		48	+ len--;
		49	}
		50
		51	/* RFC6265 5.2.4 The Path Attribute */
		52	if(new_path[0] != '/') {
		53	/* Let cookie-path be the default-path. */
		54	@@ -239,12 +242,11 @@ static char sanitize_cookie_path(const char cookie_path)
		55	new_path = strdup("/");
		56	return new_path;
		57	}
		58
		59	/* convert /hoge/ to /hoge */
		60	- len = strlen(new_path);
		61	- if(1 < len && new_path[len - 1] == '/') {
		62	+ if(len && new_path[len - 1] == '/') {
		63	new_path[len - 1] = 0x0;
		64	}
		65
		66	return new_path;
		67	}
		68	--
		69	2.1.4
		70


diff --git a/meta/recipes-support/curl/curl/CVE-2015-3148.patch b/meta/recipes-support/curl/curl/CVE-2015-3148.patch new file mode 100644 index 0000000000..13df14e5c4 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3148.patch
@@ -0,0 +1,50 @@
		1	From 6abfb512ed22c2de891a4398616d81a2a0690b5a Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Sat, 18 Apr 2015 23:50:16 +0200
		4	Subject: [PATCH] http_done: close Negotiate connections when done
		5
		6	Upstream-Status: Backport
		7
		8	When doing HTTP requests Negotiate authenticated, the entire connnection
		9	may become authenticated and not just the specific HTTP request which is
		10	otherwise how HTTP works, as Negotiate can basically use NTLM under the
		11	hood. curl was not adhering to this fact but would assume that such
		12	requests would also be authenticated per request.
		13
		14	CVE-2015-3148
		15
		16	Bug: http://curl.haxx.se/docs/adv_20150422B.html
		17	Reported-by: Isaac Boukris
		18	Signed-off-by: Daniel Stenberg <daniel@haxx.se>
		19	Signed-off-by: Maxin B. John <maxin.john@enea.com>
		20	---
		21	lib/http.c \| 8 +++++++-
		22	1 file changed, 7 insertions(+), 1 deletion(-)
		23
		24	diff --git a/lib/http.c b/lib/http.c
		25	index 4c1cfc5..2a226fb 100644
		26	--- a/lib/http.c
		27	+++ b/lib/http.c
		28	@@ -1433,12 +1433,18 @@ CURLcode Curl_http_done(struct connectdata *conn,
		29
		30	Curl_unencode_cleanup(conn);
		31
		32	#ifdef USE_SPNEGO
		33	if(data->state.proxyneg.state == GSS_AUTHSENT \|\|
		34	- data->state.negotiate.state == GSS_AUTHSENT)
		35	+ data->state.negotiate.state == GSS_AUTHSENT) {
		36	+ /* add forbid re-use if http-code != 401 as a WA
		37	+ * only needed for 401 that failed handling
		38	+ * otherwie state will be RECV with current code */
		39	+ if((data->req.httpcode != 401) && (data->req.httpcode != 407))
		40	+ connclose(conn, "Negotiate transfer completed");
		41	Curl_cleanup_negotiate(data);
		42	+ }
		43	#endif
		44
		45	/* set the proper values (possibly modified on POST) */
		46	conn->fread_func = data->set.fread_func; /* restore */
		47	conn->fread_in = data->set.in; /* restore */
		48	--
		49	2.1.4
		50


diff --git a/meta/recipes-support/curl/curl_7.40.0.bb b/meta/recipes-support/curl/curl_7.40.0.bb index 4cde9c6baa..2b39d11411 100644 --- a/meta/recipes-support/curl/curl_7.40.0.bb +++ b/meta/recipes-support/curl/curl_7.40.0.bb
@@ -7,6 +7,10 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=7;md5=3a34942f4ae3fbf1a303160714e66
7		7
8	SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \	8	SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
9	file://pkgconfig_fix.patch \	9	file://pkgconfig_fix.patch \
		10	file://CVE-2015-3143.patch \
		11	file://CVE-2015-3144.patch \
		12	file://CVE-2015-3145.patch \
		13	file://CVE-2015-3148.patch \
10	"	14	"
11		15
12	# curl likes to set -g0 in CFLAGS, so we stop it	16	# curl likes to set -g0 in CFLAGS, so we stop it