diff options
author | Thiruvadi Rajaraman <trajaraman@mvista.com> | 2017-11-04 07:44:32 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-11-21 14:43:54 +0000 |
commit | b29b1bc1d7f0fa599bf164ae8e2c2ca10751203f (patch) | |
tree | 008908aa538177655104ebfe2169524a5cbb5cd6 /meta/recipes-support | |
parent | c8ebaaaf8d869bf5839368ec20e2f8ad6669bfdd (diff) | |
download | poky-b29b1bc1d7f0fa599bf164ae8e2c2ca10751203f.tar.gz |
curl: Security fix for CVE-2016-8618
Affected versions: curl 7.1 to and including 7.50.3
Not affected versions: curl >= 7.51.0
(From OE-Core rev: 1fc1c9a11eee2f5ba727b18300a92949b166b035)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2016-8618.patch | 49 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.50.1.bb | 1 |
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8618.patch b/meta/recipes-support/curl/curl/CVE-2016-8618.patch new file mode 100644 index 0000000000..73be6754e1 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-8618.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 31106a073882656a2a5ab56c4ce2847e9a334c3c Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Wed, 28 Sep 2016 10:15:34 +0200 | ||
4 | Subject: [PATCH] aprintf: detect wrap-around when growing allocation | ||
5 | |||
6 | On 32bit systems we could otherwise wrap around after 2GB and allocate 0 | ||
7 | bytes and crash. | ||
8 | |||
9 | CVE-2016-8618 | ||
10 | |||
11 | Bug: https://curl.haxx.se/docs/adv_20161102D.html | ||
12 | Reported-by: Cure53 | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | https://curl.haxx.se/CVE-2016-8618.patch | ||
16 | CVE: CVE-2016-8618 | ||
17 | Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> | ||
18 | |||
19 | --- | ||
20 | lib/mprintf.c | 9 ++++++--- | ||
21 | 1 file changed, 6 insertions(+), 3 deletions(-) | ||
22 | |||
23 | Index: curl-7.44.0/lib/mprintf.c | ||
24 | =================================================================== | ||
25 | --- curl-7.44.0.orig/lib/mprintf.c | ||
26 | +++ curl-7.44.0/lib/mprintf.c | ||
27 | @@ -1011,16 +1011,19 @@ static int alloc_addbyter(int output, FI | ||
28 | infop->len =0; | ||
29 | } | ||
30 | else if(infop->len+1 >= infop->alloc) { | ||
31 | - char *newptr; | ||
32 | + char *newptr = NULL; | ||
33 | + size_t newsize = infop->alloc*2; | ||
34 | |||
35 | - newptr = realloc(infop->buffer, infop->alloc*2); | ||
36 | + /* detect wrap-around or other overflow problems */ | ||
37 | + if(newsize > infop->alloc) | ||
38 | + newptr = realloc(infop->buffer, newsize); | ||
39 | |||
40 | if(!newptr) { | ||
41 | infop->fail = 1; | ||
42 | return -1; /* fail */ | ||
43 | } | ||
44 | infop->buffer = newptr; | ||
45 | - infop->alloc *= 2; | ||
46 | + infop->alloc = newsize; | ||
47 | } | ||
48 | |||
49 | infop->buffer[ infop->len ] = outc; | ||
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb index c11eb0c246..5c63996df1 100644 --- a/meta/recipes-support/curl/curl_7.50.1.bb +++ b/meta/recipes-support/curl/curl_7.50.1.bb | |||
@@ -14,6 +14,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ | |||
14 | # | 14 | # |
15 | SRC_URI += " file://configure_ac.patch \ | 15 | SRC_URI += " file://configure_ac.patch \ |
16 | file://CVE-2016-8615.patch \ | 16 | file://CVE-2016-8615.patch \ |
17 | file://CVE-2016-8618.patch \ | ||
17 | " | 18 | " |
18 | 19 | ||
19 | SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" | 20 | SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" |