diff options
author | Tudor Florea <tudor.florea@enea.com> | 2015-10-09 22:59:03 +0200 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-10-09 22:59:03 +0200 |
commit | 972dcfcdbfe75dcfeb777150c136576cf1a71e99 (patch) | |
tree | 97a61cd7e293d7ae9d56ef7ed0f81253365bb026 /meta/recipes-support/curl | |
download | poky-972dcfcdbfe75dcfeb777150c136576cf1a71e99.tar.gz |
initial commit for Enea Linux 5.0 arm
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta/recipes-support/curl')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2014-3613.patch | 269 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2014-3620.patch | 69 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2014-3707.patch | 416 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2014-8150.patch | 29 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2015-3143.patch | 38 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2015-3144.patch | 45 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2015-3145.patch | 70 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2015-3153.patch | 90 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/configure_ac.patch | 13 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/pkgconfig_fix.patch | 32 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.37.1.bb | 66 |
11 files changed, 1137 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2014-3613.patch b/meta/recipes-support/curl/curl/CVE-2014-3613.patch new file mode 100644 index 0000000000..3e2fee0413 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2014-3613.patch | |||
@@ -0,0 +1,269 @@ | |||
1 | From 545e322cc8c383ccdfb4ad85a1634c2b719a1adf Mon Sep 17 00:00:00 2001 | ||
2 | From: Tim Ruehsen <tim.ruehsen@gmx.de> | ||
3 | Date: Tue, 19 Aug 2014 21:01:28 +0200 | ||
4 | Subject: [PATCH] cookies: only use full host matches for hosts used as IP | ||
5 | address | ||
6 | |||
7 | By not detecting and rejecting domain names for partial literal IP | ||
8 | addresses properly when parsing received HTTP cookies, libcurl can be | ||
9 | fooled to both send cookies to wrong sites and to allow arbitrary sites | ||
10 | to set cookies for others. | ||
11 | |||
12 | CVE-2014-3613 | ||
13 | |||
14 | Bug: http://curl.haxx.se/docs/adv_20140910A.html | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | |||
18 | Signed-off-by: Chong Lu <Chong.Lu@windriver.com> | ||
19 | --- | ||
20 | lib/cookie.c | 50 ++++++++++++++++++++++++++++++++++++++---------- | ||
21 | tests/data/test1105 | 3 +-- | ||
22 | tests/data/test31 | 55 +++++++++++++++++++++++++++-------------------------- | ||
23 | tests/data/test8 | 3 ++- | ||
24 | 4 files changed, 71 insertions(+), 40 deletions(-) | ||
25 | |||
26 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
27 | index 0590643..46904ac 100644 | ||
28 | --- a/lib/cookie.c | ||
29 | +++ b/lib/cookie.c | ||
30 | @@ -93,10 +93,11 @@ Example set of cookies: | ||
31 | #include "curl_memory.h" | ||
32 | #include "share.h" | ||
33 | #include "strtoofft.h" | ||
34 | #include "rawstr.h" | ||
35 | #include "curl_memrchr.h" | ||
36 | +#include "inet_pton.h" | ||
37 | |||
38 | /* The last #include file should be: */ | ||
39 | #include "memdebug.h" | ||
40 | |||
41 | static void freecookie(struct Cookie *co) | ||
42 | @@ -317,10 +318,32 @@ static void remove_expired(struct CookieInfo *cookies) | ||
43 | } | ||
44 | co = nx; | ||
45 | } | ||
46 | } | ||
47 | |||
48 | +/* | ||
49 | + * Return true if the given string is an IP(v4|v6) address. | ||
50 | + */ | ||
51 | +static bool isip(const char *domain) | ||
52 | +{ | ||
53 | + struct in_addr addr; | ||
54 | +#ifdef ENABLE_IPV6 | ||
55 | + struct in6_addr addr6; | ||
56 | +#endif | ||
57 | + | ||
58 | + if(Curl_inet_pton(AF_INET, domain, &addr) | ||
59 | +#ifdef ENABLE_IPV6 | ||
60 | + || Curl_inet_pton(AF_INET6, domain, &addr6) | ||
61 | +#endif | ||
62 | + ) { | ||
63 | + /* domain name given as IP address */ | ||
64 | + return TRUE; | ||
65 | + } | ||
66 | + | ||
67 | + return FALSE; | ||
68 | +} | ||
69 | + | ||
70 | /**************************************************************************** | ||
71 | * | ||
72 | * Curl_cookie_add() | ||
73 | * | ||
74 | * Add a single cookie line to the cookie keeping object. | ||
75 | @@ -437,28 +460,31 @@ Curl_cookie_add(struct SessionHandle *data, | ||
76 | badcookie = TRUE; /* out of memory bad */ | ||
77 | break; | ||
78 | } | ||
79 | } | ||
80 | else if(Curl_raw_equal("domain", name)) { | ||
81 | + bool is_ip; | ||
82 | + | ||
83 | /* Now, we make sure that our host is within the given domain, | ||
84 | or the given domain is not valid and thus cannot be set. */ | ||
85 | |||
86 | if('.' == whatptr[0]) | ||
87 | whatptr++; /* ignore preceding dot */ | ||
88 | |||
89 | - if(!domain || tailmatch(whatptr, domain)) { | ||
90 | - const char *tailptr=whatptr; | ||
91 | - if(tailptr[0] == '.') | ||
92 | - tailptr++; | ||
93 | - strstore(&co->domain, tailptr); /* don't prefix w/dots | ||
94 | - internally */ | ||
95 | + is_ip = isip(domain ? domain : whatptr); | ||
96 | + | ||
97 | + if(!domain | ||
98 | + || (is_ip && !strcmp(whatptr, domain)) | ||
99 | + || (!is_ip && tailmatch(whatptr, domain))) { | ||
100 | + strstore(&co->domain, whatptr); | ||
101 | if(!co->domain) { | ||
102 | badcookie = TRUE; | ||
103 | break; | ||
104 | } | ||
105 | - co->tailmatch=TRUE; /* we always do that if the domain name was | ||
106 | - given */ | ||
107 | + if(!is_ip) | ||
108 | + co->tailmatch=TRUE; /* we always do that if the domain name was | ||
109 | + given */ | ||
110 | } | ||
111 | else { | ||
112 | /* we did not get a tailmatch and then the attempted set domain | ||
113 | is not a domain to which the current host belongs. Mark as | ||
114 | bad. */ | ||
115 | @@ -966,17 +992,21 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, | ||
116 | struct Cookie *newco; | ||
117 | struct Cookie *co; | ||
118 | time_t now = time(NULL); | ||
119 | struct Cookie *mainco=NULL; | ||
120 | size_t matches = 0; | ||
121 | + bool is_ip; | ||
122 | |||
123 | if(!c || !c->cookies) | ||
124 | return NULL; /* no cookie struct or no cookies in the struct */ | ||
125 | |||
126 | /* at first, remove expired cookies */ | ||
127 | remove_expired(c); | ||
128 | |||
129 | + /* check if host is an IP(v4|v6) address */ | ||
130 | + is_ip = isip(host); | ||
131 | + | ||
132 | co = c->cookies; | ||
133 | |||
134 | while(co) { | ||
135 | /* only process this cookie if it is not expired or had no expire | ||
136 | date AND that if the cookie requires we're secure we must only | ||
137 | @@ -984,12 +1014,12 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, | ||
138 | if((!co->expires || (co->expires > now)) && | ||
139 | (co->secure?secure:TRUE)) { | ||
140 | |||
141 | /* now check if the domain is correct */ | ||
142 | if(!co->domain || | ||
143 | - (co->tailmatch && tailmatch(co->domain, host)) || | ||
144 | - (!co->tailmatch && Curl_raw_equal(host, co->domain)) ) { | ||
145 | + (co->tailmatch && !is_ip && tailmatch(co->domain, host)) || | ||
146 | + ((!co->tailmatch || is_ip) && Curl_raw_equal(host, co->domain)) ) { | ||
147 | /* the right part of the host matches the domain stuff in the | ||
148 | cookie data */ | ||
149 | |||
150 | /* now check the left part of the path with the cookies path | ||
151 | requirement */ | ||
152 | diff --git a/tests/data/test1105 b/tests/data/test1105 | ||
153 | index 25f194c..9564775 100644 | ||
154 | --- a/tests/data/test1105 | ||
155 | +++ b/tests/data/test1105 | ||
156 | @@ -57,10 +57,9 @@ userid=myname&password=mypassword | ||
157 | # Netscape HTTP Cookie File | ||
158 | # http://curl.haxx.se/docs/http-cookies.html | ||
159 | # This file was generated by libcurl! Edit at your own risk. | ||
160 | |||
161 | 127.0.0.1 FALSE /we/want/ FALSE 0 foobar name | ||
162 | -.127.0.0.1 TRUE "/silly/" FALSE 0 mismatch this | ||
163 | -.0.0.1 TRUE / FALSE 0 partmatch present | ||
164 | +127.0.0.1 FALSE "/silly/" FALSE 0 mismatch this | ||
165 | </file> | ||
166 | </verify> | ||
167 | </testcase> | ||
168 | diff --git a/tests/data/test31 b/tests/data/test31 | ||
169 | index 38af83b..dfcac04 100644 | ||
170 | --- a/tests/data/test31 | ||
171 | +++ b/tests/data/test31 | ||
172 | @@ -49,11 +49,12 @@ Set-Cookie: nodomainnovalue | ||
173 | Set-Cookie: nodomain=value; expires=Fri Feb 2 11:56:27 GMT 2035 | ||
174 | Set-Cookie: novalue; domain=reallysilly | ||
175 | Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030 | ||
176 | Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030 | ||
177 | Set-Cookie: magic=yessir; path=/silly/; HttpOnly | ||
178 | -Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad; | ||
179 | +Set-Cookie: blexp=yesyes; domain=127.0.0.1; domain=127.0.0.1; expiry=totally bad; | ||
180 | +Set-Cookie: partialip=nono; domain=.0.0.1; | ||
181 | |||
182 | boo | ||
183 | </data> | ||
184 | </reply> | ||
185 | |||
186 | @@ -93,36 +94,36 @@ Accept: */* | ||
187 | <file name="log/jar31.txt" mode="text"> | ||
188 | # Netscape HTTP Cookie File | ||
189 | # http://curl.haxx.se/docs/http-cookies.html | ||
190 | # This file was generated by libcurl! Edit at your own risk. | ||
191 | |||
192 | -.127.0.0.1 TRUE /silly/ FALSE 0 ismatch this | ||
193 | -.127.0.0.1 TRUE /overwrite FALSE 0 overwrite this2 | ||
194 | -.127.0.0.1 TRUE /secure1/ TRUE 0 sec1value secure1 | ||
195 | -.127.0.0.1 TRUE /secure2/ TRUE 0 sec2value secure2 | ||
196 | -.127.0.0.1 TRUE /secure3/ TRUE 0 sec3value secure3 | ||
197 | -.127.0.0.1 TRUE /secure4/ TRUE 0 sec4value secure4 | ||
198 | -.127.0.0.1 TRUE /secure5/ TRUE 0 sec5value secure5 | ||
199 | -.127.0.0.1 TRUE /secure6/ TRUE 0 sec6value secure6 | ||
200 | -.127.0.0.1 TRUE /secure7/ TRUE 0 sec7value secure7 | ||
201 | -.127.0.0.1 TRUE /secure8/ TRUE 0 sec8value secure8 | ||
202 | -.127.0.0.1 TRUE /secure9/ TRUE 0 secure very1 | ||
203 | -#HttpOnly_.127.0.0.1 TRUE /p1/ FALSE 0 httpo1 value1 | ||
204 | -#HttpOnly_.127.0.0.1 TRUE /p2/ FALSE 0 httpo2 value2 | ||
205 | -#HttpOnly_.127.0.0.1 TRUE /p3/ FALSE 0 httpo3 value3 | ||
206 | -#HttpOnly_.127.0.0.1 TRUE /p4/ FALSE 0 httpo4 value4 | ||
207 | -#HttpOnly_.127.0.0.1 TRUE /p4/ FALSE 0 httponly myvalue1 | ||
208 | -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec myvalue2 | ||
209 | -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec2 myvalue3 | ||
210 | -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec3 myvalue4 | ||
211 | -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec4 myvalue5 | ||
212 | -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec5 myvalue6 | ||
213 | -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec6 myvalue7 | ||
214 | -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec7 myvalue8 | ||
215 | -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec8 myvalue9 | ||
216 | -.127.0.0.1 TRUE / FALSE 0 partmatch present | ||
217 | +127.0.0.1 FALSE /silly/ FALSE 0 ismatch this | ||
218 | +127.0.0.1 FALSE /overwrite FALSE 0 overwrite this2 | ||
219 | +127.0.0.1 FALSE /secure1/ TRUE 0 sec1value secure1 | ||
220 | +127.0.0.1 FALSE /secure2/ TRUE 0 sec2value secure2 | ||
221 | +127.0.0.1 FALSE /secure3/ TRUE 0 sec3value secure3 | ||
222 | +127.0.0.1 FALSE /secure4/ TRUE 0 sec4value secure4 | ||
223 | +127.0.0.1 FALSE /secure5/ TRUE 0 sec5value secure5 | ||
224 | +127.0.0.1 FALSE /secure6/ TRUE 0 sec6value secure6 | ||
225 | +127.0.0.1 FALSE /secure7/ TRUE 0 sec7value secure7 | ||
226 | +127.0.0.1 FALSE /secure8/ TRUE 0 sec8value secure8 | ||
227 | +127.0.0.1 FALSE /secure9/ TRUE 0 secure very1 | ||
228 | +#HttpOnly_127.0.0.1 FALSE /p1/ FALSE 0 httpo1 value1 | ||
229 | +#HttpOnly_127.0.0.1 FALSE /p2/ FALSE 0 httpo2 value2 | ||
230 | +#HttpOnly_127.0.0.1 FALSE /p3/ FALSE 0 httpo3 value3 | ||
231 | +#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httpo4 value4 | ||
232 | +#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httponly myvalue1 | ||
233 | +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec myvalue2 | ||
234 | +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec2 myvalue3 | ||
235 | +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec3 myvalue4 | ||
236 | +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec4 myvalue5 | ||
237 | +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec5 myvalue6 | ||
238 | +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec6 myvalue7 | ||
239 | +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec7 myvalue8 | ||
240 | +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec8 myvalue9 | ||
241 | +127.0.0.1 FALSE / FALSE 0 partmatch present | ||
242 | 127.0.0.1 FALSE /we/want/ FALSE 2054030187 nodomain value | ||
243 | #HttpOnly_127.0.0.1 FALSE /silly/ FALSE 0 magic yessir | ||
244 | -.0.0.1 TRUE /we/want/ FALSE 0 blexp yesyes | ||
245 | +127.0.0.1 FALSE /we/want/ FALSE 0 blexp yesyes | ||
246 | </file> | ||
247 | </verify> | ||
248 | </testcase> | ||
249 | diff --git a/tests/data/test8 b/tests/data/test8 | ||
250 | index 4d54541..030fd55 100644 | ||
251 | --- a/tests/data/test8 | ||
252 | +++ b/tests/data/test8 | ||
253 | @@ -40,11 +40,12 @@ Set-Cookie: mismatch=this; domain=%HOSTIP; path="/silly/"; | ||
254 | Set-Cookie: partmatch=present; domain=.0.0.1; path=/w; | ||
255 | Set-Cookie: duplicate=test; domain=.0.0.1; domain=.0.0.1; path=/donkey; | ||
256 | Set-Cookie: cookie=yes; path=/we; | ||
257 | Set-Cookie: cookie=perhaps; path=/we/want; | ||
258 | Set-Cookie: nocookie=yes; path=/WE; | ||
259 | -Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad; | ||
260 | +Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad; | ||
261 | +Set-Cookie: partialip=nono; domain=.0.0.1; | ||
262 | |||
263 | </file> | ||
264 | <precheck> | ||
265 | perl -e 'if ("%HOSTIP" !~ /\.0\.0\.1$/) {print "Test only works for HOSTIPs ending with .0.0.1"; exit(1)}' | ||
266 | </precheck> | ||
267 | -- | ||
268 | 2.1.0 | ||
269 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2014-3620.patch b/meta/recipes-support/curl/curl/CVE-2014-3620.patch new file mode 100644 index 0000000000..d11f1908af --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2014-3620.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From fd7ae600adf23a9a1ed619165c5058bdec216e9c Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 19 Aug 2014 21:11:20 +0200 | ||
4 | Subject: [PATCH] cookies: reject incoming cookies set for TLDs | ||
5 | |||
6 | Test 61 was modified to verify this. | ||
7 | |||
8 | CVE-2014-3620 | ||
9 | |||
10 | Reported-by: Tim Ruehsen | ||
11 | URL: http://curl.haxx.se/docs/adv_20140910B.html | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Chong Lu <Chong.Lu@windriver.com> | ||
16 | --- | ||
17 | lib/cookie.c | 6 ++++++ | ||
18 | tests/data/test61 | 1 + | ||
19 | 2 files changed, 7 insertions(+) | ||
20 | |||
21 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
22 | index 46904ac..375485f 100644 | ||
23 | --- a/lib/cookie.c | ||
24 | +++ b/lib/cookie.c | ||
25 | @@ -461,19 +461,25 @@ Curl_cookie_add(struct SessionHandle *data, | ||
26 | break; | ||
27 | } | ||
28 | } | ||
29 | else if(Curl_raw_equal("domain", name)) { | ||
30 | bool is_ip; | ||
31 | + const char *dotp; | ||
32 | |||
33 | /* Now, we make sure that our host is within the given domain, | ||
34 | or the given domain is not valid and thus cannot be set. */ | ||
35 | |||
36 | if('.' == whatptr[0]) | ||
37 | whatptr++; /* ignore preceding dot */ | ||
38 | |||
39 | is_ip = isip(domain ? domain : whatptr); | ||
40 | |||
41 | + /* check for more dots */ | ||
42 | + dotp = strchr(whatptr, '.'); | ||
43 | + if(!dotp) | ||
44 | + domain=":"; | ||
45 | + | ||
46 | if(!domain | ||
47 | || (is_ip && !strcmp(whatptr, domain)) | ||
48 | || (!is_ip && tailmatch(whatptr, domain))) { | ||
49 | strstore(&co->domain, whatptr); | ||
50 | if(!co->domain) { | ||
51 | diff --git a/tests/data/test61 b/tests/data/test61 | ||
52 | index d2de279..e6dbbb9 100644 | ||
53 | --- a/tests/data/test61 | ||
54 | +++ b/tests/data/test61 | ||
55 | @@ -21,10 +21,11 @@ Set-Cookie: test=yes; httponly; domain=foo.com; expires=Fri Feb 2 11:56:27 GMT 2 | ||
56 | SET-COOKIE: test2=yes; domain=host.foo.com; expires=Fri Feb 2 11:56:27 GMT 2035 | ||
57 | Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure | ||
58 | Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure | ||
59 | Set-Cookie: test5=name; domain=anything.com; path=/ ; secure | ||
60 | Set-Cookie: fake=fooledyou; domain=..com; path=/; | ||
61 | +Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M | ||
62 | Content-Length: 4 | ||
63 | |||
64 | boo | ||
65 | </data> | ||
66 | </reply> | ||
67 | -- | ||
68 | 2.1.0 | ||
69 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2014-3707.patch b/meta/recipes-support/curl/curl/CVE-2014-3707.patch new file mode 100644 index 0000000000..7ff38a65e8 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2014-3707.patch | |||
@@ -0,0 +1,416 @@ | |||
1 | From 3696fc1ba79d9b34660c44150be5e93ecf87dd9e Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Fri, 17 Oct 2014 12:59:32 +0200 | ||
4 | Subject: [PATCH] curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of | ||
5 | bounds | ||
6 | |||
7 | When duplicating a handle, the data to post was duplicated using | ||
8 | strdup() when it could be binary and contain zeroes and it was not even | ||
9 | zero terminated! This caused read out of bounds crashes/segfaults. | ||
10 | |||
11 | Since the lib/strdup.c file no longer is easily shared with the curl | ||
12 | tool with this change, it now uses its own version instead. | ||
13 | |||
14 | Bug: http://curl.haxx.se/docs/adv_20141105.html | ||
15 | CVE: CVE-2014-3707 | ||
16 | Reported-By: Symeon Paraschoudis | ||
17 | --- | ||
18 | lib/formdata.c | 52 +++++++++------------------------------------------- | ||
19 | lib/strdup.c | 32 +++++++++++++++++++++++++++----- | ||
20 | lib/strdup.h | 3 ++- | ||
21 | lib/url.c | 22 +++++++++++++++++----- | ||
22 | lib/urldata.h | 11 +++++++++-- | ||
23 | src/Makefile.inc | 4 ++-- | ||
24 | src/tool_setup.h | 5 ++--- | ||
25 | src/tool_strdup.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ | ||
26 | src/tool_strdup.h | 30 ++++++++++++++++++++++++++++++ | ||
27 | 9 files changed, 145 insertions(+), 61 deletions(-) | ||
28 | create mode 100644 src/tool_strdup.c | ||
29 | create mode 100644 src/tool_strdup.h | ||
30 | |||
31 | Index: curl-7.37.1/lib/formdata.c | ||
32 | =================================================================== | ||
33 | --- curl-7.37.1.orig/lib/formdata.c | ||
34 | +++ curl-7.37.1/lib/formdata.c | ||
35 | @@ -36,6 +36,7 @@ | ||
36 | #include "strequal.h" | ||
37 | #include "curl_memory.h" | ||
38 | #include "sendf.h" | ||
39 | +#include "strdup.h" | ||
40 | |||
41 | #define _MPRINTF_REPLACE /* use our functions only */ | ||
42 | #include <curl/mprintf.h> | ||
43 | @@ -214,46 +215,6 @@ static const char *ContentTypeForFilenam | ||
44 | |||
45 | /*************************************************************************** | ||
46 | * | ||
47 | - * memdup() | ||
48 | - * | ||
49 | - * Copies the 'source' data to a newly allocated buffer buffer (that is | ||
50 | - * returned). Uses buffer_length if not null, else uses strlen to determine | ||
51 | - * the length of the buffer to be copied | ||
52 | - * | ||
53 | - * Returns the new pointer or NULL on failure. | ||
54 | - * | ||
55 | - ***************************************************************************/ | ||
56 | -static char *memdup(const char *src, size_t buffer_length) | ||
57 | -{ | ||
58 | - size_t length; | ||
59 | - bool add = FALSE; | ||
60 | - char *buffer; | ||
61 | - | ||
62 | - if(buffer_length) | ||
63 | - length = buffer_length; | ||
64 | - else if(src) { | ||
65 | - length = strlen(src); | ||
66 | - add = TRUE; | ||
67 | - } | ||
68 | - else | ||
69 | - /* no length and a NULL src pointer! */ | ||
70 | - return strdup(""); | ||
71 | - | ||
72 | - buffer = malloc(length+add); | ||
73 | - if(!buffer) | ||
74 | - return NULL; /* fail */ | ||
75 | - | ||
76 | - memcpy(buffer, src, length); | ||
77 | - | ||
78 | - /* if length unknown do null termination */ | ||
79 | - if(add) | ||
80 | - buffer[length] = '\0'; | ||
81 | - | ||
82 | - return buffer; | ||
83 | -} | ||
84 | - | ||
85 | -/*************************************************************************** | ||
86 | - * | ||
87 | * FormAdd() | ||
88 | * | ||
89 | * Stores a formpost parameter and builds the appropriate linked list. | ||
90 | @@ -682,9 +643,12 @@ CURLFORMcode FormAdd(struct curl_httppos | ||
91 | (form == first_form) ) { | ||
92 | /* Note that there's small risk that form->name is NULL here if the | ||
93 | app passed in a bad combo, so we better check for that first. */ | ||
94 | - if(form->name) | ||
95 | + if(form->name) { | ||
96 | /* copy name (without strdup; possibly contains null characters) */ | ||
97 | - form->name = memdup(form->name, form->namelength); | ||
98 | + form->name = Curl_memdup(form->name, form->namelength? | ||
99 | + form->namelength: | ||
100 | + strlen(form->name)+1); | ||
101 | + } | ||
102 | if(!form->name) { | ||
103 | return_value = CURL_FORMADD_MEMORY; | ||
104 | break; | ||
105 | @@ -695,7 +659,7 @@ CURLFORMcode FormAdd(struct curl_httppos | ||
106 | HTTPPOST_PTRCONTENTS | HTTPPOST_PTRBUFFER | | ||
107 | HTTPPOST_CALLBACK)) ) { | ||
108 | /* copy value (without strdup; possibly contains null characters) */ | ||
109 | - form->value = memdup(form->value, form->contentslength); | ||
110 | + form->value = Curl_memdup(form->value, form->contentslength); | ||
111 | if(!form->value) { | ||
112 | return_value = CURL_FORMADD_MEMORY; | ||
113 | break; | ||
114 | Index: curl-7.37.1/lib/strdup.c | ||
115 | =================================================================== | ||
116 | --- curl-7.37.1.orig/lib/strdup.c | ||
117 | +++ curl-7.37.1/lib/strdup.c | ||
118 | @@ -5,7 +5,7 @@ | ||
119 | * | (__| |_| | _ <| |___ | ||
120 | * \___|\___/|_| \_\_____| | ||
121 | * | ||
122 | - * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
123 | + * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
124 | * | ||
125 | * This software is licensed as described in the file COPYING, which | ||
126 | * you should have received as part of this distribution. The terms | ||
127 | @@ -19,12 +19,12 @@ | ||
128 | * KIND, either express or implied. | ||
129 | * | ||
130 | ***************************************************************************/ | ||
131 | -/* | ||
132 | - * This file is 'mem-include-scan' clean. See test 1132. | ||
133 | - */ | ||
134 | #include "curl_setup.h" | ||
135 | - | ||
136 | #include "strdup.h" | ||
137 | +#include "curl_memory.h" | ||
138 | + | ||
139 | +/* The last #include file should be: */ | ||
140 | +#include "memdebug.h" | ||
141 | |||
142 | #ifndef HAVE_STRDUP | ||
143 | char *curlx_strdup(const char *str) | ||
144 | @@ -50,3 +50,25 @@ char *curlx_strdup(const char *str) | ||
145 | |||
146 | } | ||
147 | #endif | ||
148 | + | ||
149 | +/*************************************************************************** | ||
150 | + * | ||
151 | + * Curl_memdup(source, length) | ||
152 | + * | ||
153 | + * Copies the 'source' data to a newly allocated buffer (that is | ||
154 | + * returned). Copies 'length' bytes. | ||
155 | + * | ||
156 | + * Returns the new pointer or NULL on failure. | ||
157 | + * | ||
158 | + ***************************************************************************/ | ||
159 | +char *Curl_memdup(const char *src, size_t length) | ||
160 | +{ | ||
161 | + char *buffer = malloc(length); | ||
162 | + if(!buffer) | ||
163 | + return NULL; /* fail */ | ||
164 | + | ||
165 | + memcpy(buffer, src, length); | ||
166 | + | ||
167 | + /* if length unknown do null termination */ | ||
168 | + return buffer; | ||
169 | +} | ||
170 | Index: curl-7.37.1/lib/strdup.h | ||
171 | =================================================================== | ||
172 | --- curl-7.37.1.orig/lib/strdup.h | ||
173 | +++ curl-7.37.1/lib/strdup.h | ||
174 | @@ -7,7 +7,7 @@ | ||
175 | * | (__| |_| | _ <| |___ | ||
176 | * \___|\___/|_| \_\_____| | ||
177 | * | ||
178 | - * Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
179 | + * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
180 | * | ||
181 | * This software is licensed as described in the file COPYING, which | ||
182 | * you should have received as part of this distribution. The terms | ||
183 | @@ -26,5 +26,6 @@ | ||
184 | #ifndef HAVE_STRDUP | ||
185 | extern char *curlx_strdup(const char *str); | ||
186 | #endif | ||
187 | +char *Curl_memdup(const char *src, size_t buffer_length); | ||
188 | |||
189 | #endif /* HEADER_CURL_STRDUP_H */ | ||
190 | Index: curl-7.37.1/lib/url.c | ||
191 | =================================================================== | ||
192 | --- curl-7.37.1.orig/lib/url.c | ||
193 | +++ curl-7.37.1/lib/url.c | ||
194 | @@ -125,6 +125,7 @@ int curl_win32_idn_to_ascii(const char * | ||
195 | #include "multihandle.h" | ||
196 | #include "pipeline.h" | ||
197 | #include "dotdot.h" | ||
198 | +#include "strdup.h" | ||
199 | |||
200 | #define _MPRINTF_REPLACE /* use our functions only */ | ||
201 | #include <curl/mprintf.h> | ||
202 | @@ -270,8 +271,9 @@ void Curl_freeset(struct SessionHandle * | ||
203 | { | ||
204 | /* Free all dynamic strings stored in the data->set substructure. */ | ||
205 | enum dupstring i; | ||
206 | - for(i=(enum dupstring)0; i < STRING_LAST; i++) | ||
207 | + for(i=(enum dupstring)0; i < STRING_LAST; i++) { | ||
208 | Curl_safefree(data->set.str[i]); | ||
209 | + } | ||
210 | |||
211 | if(data->change.referer_alloc) { | ||
212 | Curl_safefree(data->change.referer); | ||
213 | @@ -356,14 +358,24 @@ CURLcode Curl_dupset(struct SessionHandl | ||
214 | memset(dst->set.str, 0, STRING_LAST * sizeof(char *)); | ||
215 | |||
216 | /* duplicate all strings */ | ||
217 | - for(i=(enum dupstring)0; i< STRING_LAST; i++) { | ||
218 | + for(i=(enum dupstring)0; i< STRING_LASTZEROTERMINATED; i++) { | ||
219 | r = setstropt(&dst->set.str[i], src->set.str[i]); | ||
220 | if(r != CURLE_OK) | ||
221 | - break; | ||
222 | + return r; | ||
223 | } | ||
224 | |||
225 | - /* If a failure occurred, freeing has to be performed externally. */ | ||
226 | - return r; | ||
227 | + /* duplicate memory areas pointed to */ | ||
228 | + i = STRING_COPYPOSTFIELDS; | ||
229 | + if(src->set.postfieldsize && src->set.str[i]) { | ||
230 | + /* postfieldsize is curl_off_t, Curl_memdup() takes a size_t ... */ | ||
231 | + dst->set.str[i] = Curl_memdup(src->set.str[i], src->set.postfieldsize); | ||
232 | + if(!dst->set.str[i]) | ||
233 | + return CURLE_OUT_OF_MEMORY; | ||
234 | + /* point to the new copy */ | ||
235 | + dst->set.postfields = dst->set.str[i]; | ||
236 | + } | ||
237 | + | ||
238 | + return CURLE_OK; | ||
239 | } | ||
240 | |||
241 | /* | ||
242 | Index: curl-7.37.1/lib/urldata.h | ||
243 | =================================================================== | ||
244 | --- curl-7.37.1.orig/lib/urldata.h | ||
245 | +++ curl-7.37.1/lib/urldata.h | ||
246 | @@ -1359,7 +1359,6 @@ enum dupstring { | ||
247 | STRING_KRB_LEVEL, /* krb security level */ | ||
248 | STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find | ||
249 | $HOME/.netrc */ | ||
250 | - STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */ | ||
251 | STRING_PROXY, /* proxy to use */ | ||
252 | STRING_SET_RANGE, /* range, if used */ | ||
253 | STRING_SET_REFERER, /* custom string for the HTTP referer field */ | ||
254 | @@ -1401,7 +1400,15 @@ enum dupstring { | ||
255 | |||
256 | STRING_BEARER, /* <bearer>, if used */ | ||
257 | |||
258 | - /* -- end of strings -- */ | ||
259 | + /* -- end of zero-terminated strings -- */ | ||
260 | + | ||
261 | + STRING_LASTZEROTERMINATED, | ||
262 | + | ||
263 | + /* -- below this are pointers to binary data that cannot be strdup'ed. | ||
264 | + Each such pointer must be added manually to Curl_dupset() --- */ | ||
265 | + | ||
266 | + STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */ | ||
267 | + | ||
268 | STRING_LAST /* not used, just an end-of-list marker */ | ||
269 | }; | ||
270 | |||
271 | Index: curl-7.37.1/src/Makefile.inc | ||
272 | =================================================================== | ||
273 | --- curl-7.37.1.orig/src/Makefile.inc | ||
274 | +++ curl-7.37.1/src/Makefile.inc | ||
275 | @@ -11,7 +11,6 @@ | ||
276 | # the official API, but we re-use the code here to avoid duplication. | ||
277 | CURLX_CFILES = \ | ||
278 | ../lib/strtoofft.c \ | ||
279 | - ../lib/strdup.c \ | ||
280 | ../lib/rawstr.c \ | ||
281 | ../lib/nonblock.c \ | ||
282 | ../lib/warnless.c | ||
283 | @@ -19,7 +18,6 @@ CURLX_CFILES = \ | ||
284 | CURLX_HFILES = \ | ||
285 | ../lib/curl_setup.h \ | ||
286 | ../lib/strtoofft.h \ | ||
287 | - ../lib/strdup.h \ | ||
288 | ../lib/rawstr.h \ | ||
289 | ../lib/nonblock.h \ | ||
290 | ../lib/warnless.h | ||
291 | @@ -55,6 +53,7 @@ CURL_CFILES = \ | ||
292 | tool_panykey.c \ | ||
293 | tool_paramhlp.c \ | ||
294 | tool_parsecfg.c \ | ||
295 | + tool_strdup.c \ | ||
296 | tool_setopt.c \ | ||
297 | tool_sleep.c \ | ||
298 | tool_urlglob.c \ | ||
299 | @@ -99,6 +98,7 @@ CURL_HFILES = \ | ||
300 | tool_setopt.h \ | ||
301 | tool_setup.h \ | ||
302 | tool_sleep.h \ | ||
303 | + tool_strdup.h \ | ||
304 | tool_urlglob.h \ | ||
305 | tool_util.h \ | ||
306 | tool_version.h \ | ||
307 | Index: curl-7.37.1/src/tool_setup.h | ||
308 | =================================================================== | ||
309 | --- curl-7.37.1.orig/src/tool_setup.h | ||
310 | +++ curl-7.37.1/src/tool_setup.h | ||
311 | @@ -7,7 +7,7 @@ | ||
312 | * | (__| |_| | _ <| |___ | ||
313 | * \___|\___/|_| \_\_____| | ||
314 | * | ||
315 | - * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
316 | + * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
317 | * | ||
318 | * This software is licensed as described in the file COPYING, which | ||
319 | * you should have received as part of this distribution. The terms | ||
320 | @@ -67,8 +67,7 @@ | ||
321 | #endif | ||
322 | |||
323 | #ifndef HAVE_STRDUP | ||
324 | -# include "strdup.h" | ||
325 | -# define strdup(ptr) curlx_strdup(ptr) | ||
326 | +# include "tool_strdup.h" | ||
327 | #endif | ||
328 | |||
329 | #endif /* HEADER_CURL_TOOL_SETUP_H */ | ||
330 | Index: curl-7.37.1/src/tool_strdup.c | ||
331 | =================================================================== | ||
332 | --- /dev/null | ||
333 | +++ curl-7.37.1/src/tool_strdup.c | ||
334 | @@ -0,0 +1,47 @@ | ||
335 | +/*************************************************************************** | ||
336 | + * _ _ ____ _ | ||
337 | + * Project ___| | | | _ \| | | ||
338 | + * / __| | | | |_) | | | ||
339 | + * | (__| |_| | _ <| |___ | ||
340 | + * \___|\___/|_| \_\_____| | ||
341 | + * | ||
342 | + * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
343 | + * | ||
344 | + * This software is licensed as described in the file COPYING, which | ||
345 | + * you should have received as part of this distribution. The terms | ||
346 | + * are also available at http://curl.haxx.se/docs/copyright.html. | ||
347 | + * | ||
348 | + * You may opt to use, copy, modify, merge, publish, distribute and/or sell | ||
349 | + * copies of the Software, and permit persons to whom the Software is | ||
350 | + * furnished to do so, under the terms of the COPYING file. | ||
351 | + * | ||
352 | + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY | ||
353 | + * KIND, either express or implied. | ||
354 | + * | ||
355 | + ***************************************************************************/ | ||
356 | +#include "strdup.h" | ||
357 | + | ||
358 | +#ifndef HAVE_STRDUP | ||
359 | +char *strdup(const char *str) | ||
360 | +{ | ||
361 | + size_t len; | ||
362 | + char *newstr; | ||
363 | + | ||
364 | + if(!str) | ||
365 | + return (char *)NULL; | ||
366 | + | ||
367 | + len = strlen(str); | ||
368 | + | ||
369 | + if(len >= ((size_t)-1) / sizeof(char)) | ||
370 | + return (char *)NULL; | ||
371 | + | ||
372 | + newstr = malloc((len+1)*sizeof(char)); | ||
373 | + if(!newstr) | ||
374 | + return (char *)NULL; | ||
375 | + | ||
376 | + memcpy(newstr,str,(len+1)*sizeof(char)); | ||
377 | + | ||
378 | + return newstr; | ||
379 | + | ||
380 | +} | ||
381 | +#endif | ||
382 | Index: curl-7.37.1/src/tool_strdup.h | ||
383 | =================================================================== | ||
384 | --- /dev/null | ||
385 | +++ curl-7.37.1/src/tool_strdup.h | ||
386 | @@ -0,0 +1,30 @@ | ||
387 | +#ifndef HEADER_TOOL_STRDUP_H | ||
388 | +#define HEADER_TOOL_STRDUP_H | ||
389 | +/*************************************************************************** | ||
390 | + * _ _ ____ _ | ||
391 | + * Project ___| | | | _ \| | | ||
392 | + * / __| | | | |_) | | | ||
393 | + * | (__| |_| | _ <| |___ | ||
394 | + * \___|\___/|_| \_\_____| | ||
395 | + * | ||
396 | + * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
397 | + * | ||
398 | + * This software is licensed as described in the file COPYING, which | ||
399 | + * you should have received as part of this distribution. The terms | ||
400 | + * are also available at http://curl.haxx.se/docs/copyright.html. | ||
401 | + * | ||
402 | + * You may opt to use, copy, modify, merge, publish, distribute and/or sell | ||
403 | + * copies of the Software, and permit persons to whom the Software is | ||
404 | + * furnished to do so, under the terms of the COPYING file. | ||
405 | + * | ||
406 | + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY | ||
407 | + * KIND, either express or implied. | ||
408 | + * | ||
409 | + ***************************************************************************/ | ||
410 | +#include "tool_setup.h" | ||
411 | + | ||
412 | +#ifndef HAVE_STRDUP | ||
413 | +extern char *strdup(const char *str); | ||
414 | +#endif | ||
415 | + | ||
416 | +#endif /* HEADER_TOOL_STRDUP_H */ | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2014-8150.patch b/meta/recipes-support/curl/curl/CVE-2014-8150.patch new file mode 100644 index 0000000000..9a0828076c --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2014-8150.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | From 4e2ac2afa94f014a2a015c48c678e2367a63ae82 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 25 Dec 2014 23:55:03 +0100 | ||
4 | Subject: [PATCH] url-parsing: reject CRLFs within URLs | ||
5 | |||
6 | Bug: http://curl.haxx.se/docs/adv_20150108B.html | ||
7 | Reported-by: Andrey Labunets | ||
8 | --- | ||
9 | lib/url.c | 7 +++++++ | ||
10 | 1 file changed, 7 insertions(+) | ||
11 | |||
12 | Index: curl-7.37.1/lib/url.c | ||
13 | =================================================================== | ||
14 | --- curl-7.37.1.orig/lib/url.c | ||
15 | +++ curl-7.37.1/lib/url.c | ||
16 | @@ -3756,6 +3756,13 @@ static CURLcode parseurlandfillconn(stru | ||
17 | |||
18 | *prot_missing = FALSE; | ||
19 | |||
20 | + /* We might pass the entire URL into the request so we need to make sure | ||
21 | + * there are no bad characters in there.*/ | ||
22 | + if(strpbrk(data->change.url, "\r\n")) { | ||
23 | + failf(data, "Illegal characters found in URL"); | ||
24 | + return CURLE_URL_MALFORMAT; | ||
25 | + } | ||
26 | + | ||
27 | /************************************************************* | ||
28 | * Parse the URL. | ||
29 | * | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3143.patch b/meta/recipes-support/curl/curl/CVE-2015-3143.patch new file mode 100644 index 0000000000..745e9456f3 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3143.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From d7d1bc8f08eea1a85ab0d794bc1561659462d937 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 16 Apr 2015 13:26:46 +0200 | ||
4 | Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to | ||
5 | match | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | |||
9 | CVE-2015-3143 | ||
10 | |||
11 | Bug: http://curl.haxx.se/docs/adv_20150422A.html | ||
12 | Reported-by: Paras Sethia | ||
13 | Signed-off-by: Daniel Stenberg <daniel@haxx.se> | ||
14 | Signed-off-by: Maxin B. John <maxin.john@enea.com> | ||
15 | --- | ||
16 | lib/url.c | 2 +- | ||
17 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/lib/url.c b/lib/url.c | ||
20 | index 018bb88..ee3d176 100644 | ||
21 | --- a/lib/url.c | ||
22 | +++ b/lib/url.c | ||
23 | @@ -3207,11 +3207,11 @@ ConnectionExists(struct SessionHandle *data, | ||
24 | strcmp(check->localdev, needle->localdev)) | ||
25 | continue; | ||
26 | } | ||
27 | |||
28 | if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) || | ||
29 | - wantNTLMhttp) { | ||
30 | + (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) { | ||
31 | /* This protocol requires credentials per connection or is HTTP+NTLM, | ||
32 | so verify that we're using the same name and password as well */ | ||
33 | if(!strequal(needle->user, check->user) || | ||
34 | !strequal(needle->passwd, check->passwd)) { | ||
35 | /* one of them was different */ | ||
36 | -- | ||
37 | 2.1.4 | ||
38 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3144.patch b/meta/recipes-support/curl/curl/CVE-2015-3144.patch new file mode 100644 index 0000000000..ca6d7448a1 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3144.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 16 Apr 2015 23:52:04 +0200 | ||
4 | Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | |||
11 | If a URL is given with a zero-length host name, like in "http://:80" or | ||
12 | just ":80", `fix_hostname()` will index the host name pointer with a -1 | ||
13 | offset (as it blindly assumes a non-zero length) and both read and | ||
14 | assign that address. | ||
15 | |||
16 | CVE-2015-3144 | ||
17 | |||
18 | Bug: http://curl.haxx.se/docs/adv_20150422D.html | ||
19 | Reported-by: Hanno Böck | ||
20 | Signed-off-by: Daniel Stenberg <daniel@haxx.se> | ||
21 | Signed-off-by: Maxin B. John <maxin.john@enea.com> | ||
22 | --- | ||
23 | lib/url.c | 2 +- | ||
24 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
25 | |||
26 | diff --git a/lib/url.c b/lib/url.c | ||
27 | index ee3d176..f033dbc 100644 | ||
28 | --- a/lib/url.c | ||
29 | +++ b/lib/url.c | ||
30 | @@ -3625,11 +3625,11 @@ static void fix_hostname(struct SessionHandle *data, | ||
31 | |||
32 | /* set the name we use to display the host name */ | ||
33 | host->dispname = host->name; | ||
34 | |||
35 | len = strlen(host->name); | ||
36 | - if(host->name[len-1] == '.') | ||
37 | + if(len && (host->name[len-1] == '.')) | ||
38 | /* strip off a single trailing dot if present, primarily for SNI but | ||
39 | there's no use for it */ | ||
40 | host->name[len-1]=0; | ||
41 | |||
42 | if(!is_ASCII_name(host->name)) { | ||
43 | -- | ||
44 | 2.1.4 | ||
45 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3145.patch b/meta/recipes-support/curl/curl/CVE-2015-3145.patch new file mode 100644 index 0000000000..15a998289e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3145.patch | |||
@@ -0,0 +1,70 @@ | |||
1 | From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 16 Apr 2015 16:37:40 +0200 | ||
4 | Subject: [PATCH] cookie: cookie parser out of boundary memory access | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | |||
11 | The internal libcurl function called sanitize_cookie_path() that cleans | ||
12 | up the path element as given to it from a remote site or when read from | ||
13 | a file, did not properly validate the input. If given a path that | ||
14 | consisted of a single double-quote, libcurl would index a newly | ||
15 | allocated memory area with index -1 and assign a zero to it, thus | ||
16 | destroying heap memory it wasn't supposed to. | ||
17 | |||
18 | CVE-2015-3145 | ||
19 | |||
20 | Bug: http://curl.haxx.se/docs/adv_20150422C.html | ||
21 | Reported-by: Hanno Böck | ||
22 | Signed-off-by: Daniel Stenberg <daniel@haxx.se> | ||
23 | Signed-off-by: Maxin B. John <maxin.john@enea.com> | ||
24 | --- | ||
25 | lib/cookie.c | 12 +++++++----- | ||
26 | 1 file changed, 7 insertions(+), 5 deletions(-) | ||
27 | |||
28 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
29 | index 0864f6b..0127926 100644 | ||
30 | --- a/lib/cookie.c | ||
31 | +++ b/lib/cookie.c | ||
32 | @@ -223,15 +223,18 @@ static char *sanitize_cookie_path(const char *cookie_path) | ||
33 | char *new_path = strdup(cookie_path); | ||
34 | if(!new_path) | ||
35 | return NULL; | ||
36 | |||
37 | /* some stupid site sends path attribute with '"'. */ | ||
38 | + len = strlen(new_path); | ||
39 | if(new_path[0] == '\"') { | ||
40 | - memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path)); | ||
41 | + memmove((void *)new_path, (const void *)(new_path + 1), len); | ||
42 | + len--; | ||
43 | } | ||
44 | - if(new_path[strlen(new_path) - 1] == '\"') { | ||
45 | - new_path[strlen(new_path) - 1] = 0x0; | ||
46 | + if(len && (new_path[len - 1] == '\"')) { | ||
47 | + new_path[len - 1] = 0x0; | ||
48 | + len--; | ||
49 | } | ||
50 | |||
51 | /* RFC6265 5.2.4 The Path Attribute */ | ||
52 | if(new_path[0] != '/') { | ||
53 | /* Let cookie-path be the default-path. */ | ||
54 | @@ -239,12 +242,11 @@ static char *sanitize_cookie_path(const char *cookie_path) | ||
55 | new_path = strdup("/"); | ||
56 | return new_path; | ||
57 | } | ||
58 | |||
59 | /* convert /hoge/ to /hoge */ | ||
60 | - len = strlen(new_path); | ||
61 | - if(1 < len && new_path[len - 1] == '/') { | ||
62 | + if(len && new_path[len - 1] == '/') { | ||
63 | new_path[len - 1] = 0x0; | ||
64 | } | ||
65 | |||
66 | return new_path; | ||
67 | } | ||
68 | -- | ||
69 | 2.1.4 | ||
70 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3153.patch b/meta/recipes-support/curl/curl/CVE-2015-3153.patch new file mode 100644 index 0000000000..089020a842 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3153.patch | |||
@@ -0,0 +1,90 @@ | |||
1 | From 69a2e8d7ec581695a62527cb2252e7350f314ffa Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 23 Apr 2015 15:58:21 +0200 | ||
4 | Subject: [PATCH] CURLOPT_HEADEROPT: default to separate | ||
5 | |||
6 | Make the HTTP headers separated by default for improved security and | ||
7 | reduced risk for information leakage. | ||
8 | |||
9 | Bug: http://curl.haxx.se/docs/adv_20150429.html | ||
10 | Reported-by: Yehezkel Horowitz, Oren Souroujon | ||
11 | --- | ||
12 | docs/libcurl/opts/CURLOPT_HEADEROPT.3 | 12 ++++++------ | ||
13 | lib/url.c | 1 + | ||
14 | tests/data/test1527 | 2 +- | ||
15 | tests/data/test287 | 2 +- | ||
16 | tests/libtest/lib1527.c | 1 + | ||
17 | 5 files changed, 10 insertions(+), 8 deletions(-) | ||
18 | |||
19 | Index: curl-7.37.1/docs/libcurl/opts/CURLOPT_HEADEROPT.3 | ||
20 | =================================================================== | ||
21 | --- curl-7.37.1.orig/docs/libcurl/opts/CURLOPT_HEADEROPT.3 | ||
22 | +++ curl-7.37.1/docs/libcurl/opts/CURLOPT_HEADEROPT.3 | ||
23 | @@ -5,7 +5,7 @@ | ||
24 | .\" * | (__| |_| | _ <| |___ | ||
25 | .\" * \___|\___/|_| \_\_____| | ||
26 | .\" * | ||
27 | -.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
28 | +.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
29 | .\" * | ||
30 | .\" * This software is licensed as described in the file COPYING, which | ||
31 | .\" * you should have received as part of this distribution. The terms | ||
32 | @@ -44,7 +44,7 @@ headers. When doing CONNECT, libcurl wil | ||
33 | headers only do the proxy and then \fICURLOPT_HTTPHEADER(3)\fP headers only to | ||
34 | the server. | ||
35 | .SH DEFAULT | ||
36 | -CURLHEADER_UNIFIED | ||
37 | +CURLHEADER_SEPARATE (changed in 7.42.1, ased CURLHEADER_UNIFIED before then) | ||
38 | .SH PROTOCOLS | ||
39 | HTTP | ||
40 | .SH EXAMPLE | ||
41 | Index: curl-7.37.1/tests/data/test1527 | ||
42 | =================================================================== | ||
43 | --- curl-7.37.1.orig/tests/data/test1527 | ||
44 | +++ curl-7.37.1/tests/data/test1527 | ||
45 | @@ -45,7 +45,7 @@ http-proxy | ||
46 | lib1527 | ||
47 | </tool> | ||
48 | <name> | ||
49 | -Check same headers are generated without CURLOPT_PROXYHEADER | ||
50 | +Check same headers are generated with CURLOPT_HEADEROPT == CURLHEADER_UNIFIED | ||
51 | </name> | ||
52 | <command> | ||
53 | http://the.old.moo.1527:%HTTPPORT/1527 %HOSTIP:%PROXYPORT | ||
54 | Index: curl-7.37.1/tests/data/test287 | ||
55 | =================================================================== | ||
56 | --- curl-7.37.1.orig/tests/data/test287 | ||
57 | +++ curl-7.37.1/tests/data/test287 | ||
58 | @@ -28,7 +28,7 @@ http | ||
59 | HTTP proxy CONNECT with custom User-Agent header | ||
60 | </name> | ||
61 | <command> | ||
62 | -http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2007" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel | ||
63 | +http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2015" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel --proxy-header "User-Agent: looser/2007" | ||
64 | </command> | ||
65 | </client> | ||
66 | |||
67 | Index: curl-7.37.1/tests/libtest/lib1527.c | ||
68 | =================================================================== | ||
69 | --- curl-7.37.1.orig/tests/libtest/lib1527.c | ||
70 | +++ curl-7.37.1/tests/libtest/lib1527.c | ||
71 | @@ -83,6 +83,7 @@ int test(char *URL) | ||
72 | test_setopt(curl, CURLOPT_READFUNCTION, read_callback); | ||
73 | test_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L); | ||
74 | test_setopt(curl, CURLOPT_INFILESIZE, strlen(data)); | ||
75 | + test_setopt(curl, CURLOPT_HEADEROPT, CURLHEADER_UNIFIED); | ||
76 | |||
77 | res = curl_easy_perform(curl); | ||
78 | |||
79 | Index: curl-7.37.1/lib/url.c | ||
80 | =================================================================== | ||
81 | --- curl-7.37.1.orig/lib/url.c | ||
82 | +++ curl-7.37.1/lib/url.c | ||
83 | @@ -584,6 +584,7 @@ CURLcode Curl_init_userdefined(struct Us | ||
84 | set->ssl_enable_alpn = TRUE; | ||
85 | |||
86 | set->expect_100_timeout = 1000L; /* Wait for a second by default. */ | ||
87 | + set->sep_headers = TRUE; /* separated header lists by default */ | ||
88 | return res; | ||
89 | } | ||
90 | |||
diff --git a/meta/recipes-support/curl/curl/configure_ac.patch b/meta/recipes-support/curl/curl/configure_ac.patch new file mode 100644 index 0000000000..b8bd304d71 --- /dev/null +++ b/meta/recipes-support/curl/curl/configure_ac.patch | |||
@@ -0,0 +1,13 @@ | |||
1 | Upstream-Status: Pending | ||
2 | |||
3 | --- a/configure.ac | ||
4 | +++ b/configure.ac | ||
5 | @@ -281,7 +281,7 @@ dnl ************************************ | ||
6 | |||
7 | CURL_CHECK_COMPILER | ||
8 | CURL_SET_COMPILER_BASIC_OPTS | ||
9 | -CURL_SET_COMPILER_DEBUG_OPTS | ||
10 | +dnl CURL_SET_COMPILER_DEBUG_OPTS | ||
11 | CURL_SET_COMPILER_OPTIMIZE_OPTS | ||
12 | CURL_SET_COMPILER_WARNING_OPTS | ||
13 | |||
diff --git a/meta/recipes-support/curl/curl/pkgconfig_fix.patch b/meta/recipes-support/curl/curl/pkgconfig_fix.patch new file mode 100644 index 0000000000..5d8769d522 --- /dev/null +++ b/meta/recipes-support/curl/curl/pkgconfig_fix.patch | |||
@@ -0,0 +1,32 @@ | |||
1 | Upstream-Status: Inappropriate [packaging] | ||
2 | |||
3 | diff -Nurd curl-7.29.0/configure.ac curl-7.29.0/configure.ac | ||
4 | --- curl-7.29.0/configure.ac 2013-02-06 11:47:19.000000000 +0200 | ||
5 | +++ curl-7.29.0/configure.ac 2013-02-16 12:32:22.132327764 +0200 | ||
6 | @@ -1883,6 +1883,7 @@ | ||
7 | AC_SUBST(USE_GNUTLS, [1]) | ||
8 | GNUTLS_ENABLED=1 | ||
9 | USE_GNUTLS="yes" | ||
10 | + GNUTLS_REQUIRED="gnutls" | ||
11 | curl_ssl_msg="enabled (GnuTLS)" | ||
12 | ], | ||
13 | [ | ||
14 | @@ -1953,6 +1954,8 @@ | ||
15 | ]) | ||
16 | fi | ||
17 | |||
18 | +AC_SUBST(GNUTLS_REQUIRED) | ||
19 | + | ||
20 | dnl ---------------------------------------------------- | ||
21 | dnl check for PolarSSL | ||
22 | dnl ---------------------------------------------------- | ||
23 | diff -Nurd curl-7.29.0/libcurl.pc.in curl-7.29.0/libcurl.pc.in | ||
24 | --- curl-7.29.0/libcurl.pc.in 2012-12-12 00:32:22.000000000 +0200 | ||
25 | +++ curl-7.29.0/libcurl.pc.in 2013-02-16 12:33:27.063844337 +0200 | ||
26 | @@ -35,5 +35,5 @@ | ||
27 | Description: Library to transfer files with ftp, http, etc. | ||
28 | Version: @CURLVERSION@ | ||
29 | Libs: -L${libdir} -lcurl | ||
30 | -Libs.private: @LIBCURL_LIBS@ | ||
31 | +Libs.private: -ldl -lz | ||
32 | Cflags: -I${includedir} @CPPFLAG_CURL_STATICLIB@ | ||
diff --git a/meta/recipes-support/curl/curl_7.37.1.bb b/meta/recipes-support/curl/curl_7.37.1.bb new file mode 100644 index 0000000000..2f4da9706c --- /dev/null +++ b/meta/recipes-support/curl/curl_7.37.1.bb | |||
@@ -0,0 +1,66 @@ | |||
1 | SUMMARY = "Command line tool and library for client-side URL transfers" | ||
2 | HOMEPAGE = "http://curl.haxx.se/" | ||
3 | BUGTRACKER = "http://curl.haxx.se/mail/list.cgi?list=curl-tracker" | ||
4 | SECTION = "console/network" | ||
5 | LICENSE = "MIT" | ||
6 | LIC_FILES_CHKSUM = "file://COPYING;beginline=7;md5=3a34942f4ae3fbf1a303160714e664ac" | ||
7 | |||
8 | SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ | ||
9 | file://pkgconfig_fix.patch \ | ||
10 | file://CVE-2014-3613.patch \ | ||
11 | file://CVE-2014-3620.patch \ | ||
12 | file://CVE-2015-3143.patch \ | ||
13 | file://CVE-2015-3144.patch \ | ||
14 | file://CVE-2015-3145.patch \ | ||
15 | file://CVE-2014-3707.patch \ | ||
16 | file://CVE-2014-8150.patch \ | ||
17 | file://CVE-2015-3153.patch \ | ||
18 | " | ||
19 | |||
20 | # curl likes to set -g0 in CFLAGS, so we stop it | ||
21 | # from mucking around with debug options | ||
22 | # | ||
23 | SRC_URI += " file://configure_ac.patch" | ||
24 | |||
25 | SRC_URI[md5sum] = "95c627abcf6494f5abe55effe7cd6a57" | ||
26 | SRC_URI[sha256sum] = "c3ef3cd148f3778ddbefb344117d7829db60656efe1031f9e3065fc0faa25136" | ||
27 | |||
28 | inherit autotools pkgconfig binconfig multilib_header | ||
29 | |||
30 | PACKAGECONFIG ??= "${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)} gnutls zlib" | ||
31 | PACKAGECONFIG_class-native = "ipv6 ssl zlib" | ||
32 | PACKAGECONFIG_class-nativesdk = "ipv6 ssl zlib" | ||
33 | |||
34 | PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," | ||
35 | PACKAGECONFIG[ssl] = "--with-ssl --with-random=/dev/urandom,--without-ssl,openssl" | ||
36 | PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls" | ||
37 | PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib" | ||
38 | PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump" | ||
39 | PACKAGECONFIG[libssh2] = "--with-libssh2,--without-libssh2,libssh2" | ||
40 | |||
41 | EXTRA_OECONF = "--without-libidn \ | ||
42 | --enable-crypto-auth \ | ||
43 | --disable-ldap \ | ||
44 | --disable-ldaps \ | ||
45 | --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \ | ||
46 | " | ||
47 | |||
48 | do_install_append() { | ||
49 | oe_multilib_header curl/curlbuild.h | ||
50 | } | ||
51 | |||
52 | PACKAGES =+ "lib${BPN} lib${BPN}-dev lib${BPN}-staticdev lib${BPN}-doc" | ||
53 | |||
54 | FILES_lib${BPN} = "${libdir}/lib*.so.*" | ||
55 | RRECOMMENDS_lib${BPN} += "ca-certificates" | ||
56 | FILES_lib${BPN}-dev = "${includedir} \ | ||
57 | ${libdir}/lib*.so \ | ||
58 | ${libdir}/lib*.la \ | ||
59 | ${libdir}/pkgconfig \ | ||
60 | ${datadir}/aclocal \ | ||
61 | ${bindir}/*-config" | ||
62 | FILES_lib${BPN}-staticdev = "${libdir}/lib*.a" | ||
63 | FILES_lib${BPN}-doc = "${mandir}/man3 \ | ||
64 | ${mandir}/man1/curl-config.1" | ||
65 | |||
66 | BBCLASSEXTEND = "native nativesdk" | ||