curl: Security Advisory - curl - CVE-2017-1000254

Porting patch from <https://github.com/curl/curl/commit/ 5ff2c5ff25750aba1a8f64fbcad8e5b891512584> to solve CVE-2017-1000254. (From OE-Core rev: 4e22302603c6a1fc56ef77cdc10e1b1f631a274e) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 08f8d5db06647b94f96d655100c358047682dd2f) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Li Zhou <li.zhou@windriver.com> 2017-10-23 15:44:53 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-12-04 17:23:55 +0000
commit: 24c97084921bde233ff4e745df0dd3bcc999faa4 (patch)
tree: fd7dcf432e2def613aadd215285019ffba36d86a /meta/recipes-support
parent: 221c4877f1ea920627196e716a6327a3e398aa27 (diff)
download: poky-24c97084921bde233ff4e745df0dd3bcc999faa4.tar.gz
2 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2017-1000254.patch b/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
new file mode 100644
index 0000000000..2b0798b929
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
@@ -0,0 +1,138 @@
+From 1b2eba6f9745c064f7283e0ada8f46df9d9d6e42 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 23 Oct 2017 00:26:50 -0700
+Subject: [PATCH] FTP: zero terminate the entry path even on bad input
+... a single double quote could leave the entry path buffer without a zero
+terminating byte. CVE-2017-1000254
+Test 1152 added to verify.
+Reported-by: Max Dymond
+Bug: https://curl.haxx.se/docs/adv_20171004.html
+Upstream-Status: Backport
+CVE: CVE-2017-1000254
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ lib/ftp.c               |  7 ++++--
+ tests/data/Makefile.inc |  2 ++
+ tests/data/test1152     | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 68 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1152
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 5edec37..493dbf9 100644
+--- a/lib/ftp.c
+++ b/lib/ftp.c
+@@ -2826,6 +2826,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+         const size_t buf_size = data->set.buffer_size;
+         char *dir;
+         char *store;
+        bool entry_extracted = FALSE;
+ 
+         dir = malloc(nread + 1);
+         if(!dir)
+@@ -2857,7 +2858,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+               }
+               else {
+                 /* end of path */
+-                *store = '\0'; /* zero terminate */
+                entry_extracted = TRUE;
+                 break; /* get out of this loop */
+               }
+             }
+@@ -2866,7 +2867,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+             store++;
+             ptr++;
+           }
+-
+          *store = '\0'; /* zero terminate */
+        }
+        if(entry_extracted) {
+           /* If the path name does not look like an absolute path (i.e.: it
+              does not start with a '/'), we probably need some server-dependent
+              adjustments. For example, this is the case when connecting to
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 7adbee6..5284654 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -121,6 +121,8 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
+ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 \
+test1152 \
+\
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1152 b/tests/data/test1152
+new file mode 100644
+index 0000000..aa8c0a7
+--- /dev/null
+++ b/tests/data/test1152
+@@ -0,0 +1,61 @@
+<testcase>
+<info>
+<keywords>
+FTP
+PASV
+LIST
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY PWD 257 "just one
+</servercmd>
+
+# When doing LIST, we get the default list output hard-coded in the test
+# FTP server
+<data mode="text">
+total 20
+drwxr-xr-x   8 98       98           512 Oct 22 13:06 .
+drwxr-xr-x   8 98       98           512 Oct 22 13:06 ..
+drwxr-xr-x   2 98       98           512 May  2  1996 curl-releases
+-r--r--r--   1 0        1             35 Jul 16  1996 README
+lrwxrwxrwx   1 0        1              7 Dec  9  1999 bin -> usr/bin
+dr-xr-xr-x   2 0        1            512 Oct  1  1997 dev
+drwxrwxrwx   2 98       98           512 May 29 16:04 download.html
+dr-xr-xr-x   2 0        1            512 Nov 30  1995 etc
+drwxrwxrwx   2 98       1            512 Oct 30 14:33 pub
+dr-xr-xr-x   5 0        1            512 Oct  1  1997 usr
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+ftp
+</server>
+ <name>
+FTP with uneven quote in PWD response
+ </name>
+ <command>
+ftp://%HOSTIP:%FTPPORT/test-1152/
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+CWD test-1152
+EPSV
+TYPE A
+LIST
+QUIT
+</protocol>
+</verify>
+</testcase>
+-- 
+2.11.0
diff --git a/meta/recipes-support/curl/curl_7.54.1.bb b/meta/recipes-support/curl/curl_7.54.1.bb
index cf230ed0d4..9870657ca4 100644
--- a/meta/recipes-support/curl/curl_7.54.1.bb
+++ b/meta/recipes-support/curl/curl_7.54.1.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://CVE-2017-1000099.patch \
           file://CVE-2017-1000100.patch \
           file://CVE-2017-1000101.patch \
+           file://CVE-2017-1000254.patch \
 "
 # curl likes to set -g0 in CFLAGS, so we stop it
author	Li Zhou <li.zhou@windriver.com>	2017-10-23 15:44:53 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-12-04 17:23:55 +0000
commit	24c97084921bde233ff4e745df0dd3bcc999faa4 (patch)
tree	fd7dcf432e2def613aadd215285019ffba36d86a /meta/recipes-support
parent	221c4877f1ea920627196e716a6327a3e398aa27 (diff)
download	poky-24c97084921bde233ff4e745df0dd3bcc999faa4.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2017-1000254.patch b/meta/recipes-support/curl/curl/CVE-2017-1000254.patch new file mode 100644 index 0000000000..2b0798b929 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
@@ -0,0 +1,138 @@
		1	From 1b2eba6f9745c064f7283e0ada8f46df9d9d6e42 Mon Sep 17 00:00:00 2001
		2	From: Li Zhou <li.zhou@windriver.com>
		3	Date: Mon, 23 Oct 2017 00:26:50 -0700
		4	Subject: [PATCH] FTP: zero terminate the entry path even on bad input
		5
		6	... a single double quote could leave the entry path buffer without a zero
		7	terminating byte. CVE-2017-1000254
		8
		9	Test 1152 added to verify.
		10
		11	Reported-by: Max Dymond
		12	Bug: https://curl.haxx.se/docs/adv_20171004.html
		13
		14	Upstream-Status: Backport
		15	CVE: CVE-2017-1000254
		16	Signed-off-by: Li Zhou <li.zhou@windriver.com>
		17	---
		18	lib/ftp.c \| 7 ++++--
		19	tests/data/Makefile.inc \| 2 ++
		20	tests/data/test1152 \| 61 +++++++++++++++++++++++++++++++++++++++++++++++++
		21	3 files changed, 68 insertions(+), 2 deletions(-)
		22	create mode 100644 tests/data/test1152
		23
		24	diff --git a/lib/ftp.c b/lib/ftp.c
		25	index 5edec37..493dbf9 100644
		26	--- a/lib/ftp.c
		27	+++ b/lib/ftp.c
		28	@@ -2826,6 +2826,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
		29	const size_t buf_size = data->set.buffer_size;
		30	char *dir;
		31	char *store;
		32	+ bool entry_extracted = FALSE;
		33
		34	dir = malloc(nread + 1);
		35	if(!dir)
		36	@@ -2857,7 +2858,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
		37	}
		38	else {
		39	/* end of path */
		40	- store = '\0'; / zero terminate */
		41	+ entry_extracted = TRUE;
		42	break; /* get out of this loop */
		43	}
		44	}
		45	@@ -2866,7 +2867,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
		46	store++;
		47	ptr++;
		48	}
		49	-
		50	+ store = '\0'; / zero terminate */
		51	+ }
		52	+ if(entry_extracted) {
		53	/* If the path name does not look like an absolute path (i.e.: it
		54	does not start with a '/'), we probably need some server-dependent
		55	adjustments. For example, this is the case when connecting to
		56	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
		57	index 7adbee6..5284654 100644
		58	--- a/tests/data/Makefile.inc
		59	+++ b/tests/data/Makefile.inc
		60	@@ -121,6 +121,8 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
		61	test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
		62	test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
		63	test1144 test1145 test1146 \
		64	+test1152 \
		65	+\
		66	test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
		67	test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
		68	test1216 test1217 test1218 test1219 \
		69	diff --git a/tests/data/test1152 b/tests/data/test1152
		70	new file mode 100644
		71	index 0000000..aa8c0a7
		72	--- /dev/null
		73	+++ b/tests/data/test1152
		74	@@ -0,0 +1,61 @@
		75	+<testcase>
		76	+<info>
		77	+<keywords>
		78	+FTP
		79	+PASV
		80	+LIST
		81	+</keywords>
		82	+</info>
		83	+#
		84	+# Server-side
		85	+<reply>
		86	+<servercmd>
		87	+REPLY PWD 257 "just one
		88	+</servercmd>
		89	+
		90	+# When doing LIST, we get the default list output hard-coded in the test
		91	+# FTP server
		92	+<data mode="text">
		93	+total 20
		94	+drwxr-xr-x 8 98 98 512 Oct 22 13:06 .
		95	+drwxr-xr-x 8 98 98 512 Oct 22 13:06 ..
		96	+drwxr-xr-x 2 98 98 512 May 2 1996 curl-releases
		97	+-r--r--r-- 1 0 1 35 Jul 16 1996 README
		98	+lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin
		99	+dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev
		100	+drwxrwxrwx 2 98 98 512 May 29 16:04 download.html
		101	+dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc
		102	+drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub
		103	+dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr
		104	+</data>
		105	+</reply>
		106	+
		107	+#
		108	+# Client-side
		109	+<client>
		110	+<server>
		111	+ftp
		112	+</server>
		113	+ <name>
		114	+FTP with uneven quote in PWD response
		115	+ </name>
		116	+ <command>
		117	+ftp://%HOSTIP:%FTPPORT/test-1152/
		118	+</command>
		119	+</client>
		120	+
		121	+#
		122	+# Verify data after the test has been "shot"
		123	+<verify>
		124	+<protocol>
		125	+USER anonymous
		126	+PASS ftp@example.com
		127	+PWD
		128	+CWD test-1152
		129	+EPSV
		130	+TYPE A
		131	+LIST
		132	+QUIT
		133	+</protocol>
		134	+</verify>
		135	+</testcase>
		136	--
		137	2.11.0
		138


diff --git a/meta/recipes-support/curl/curl_7.54.1.bb b/meta/recipes-support/curl/curl_7.54.1.bb index cf230ed0d4..9870657ca4 100644 --- a/meta/recipes-support/curl/curl_7.54.1.bb +++ b/meta/recipes-support/curl/curl_7.54.1.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
10	file://CVE-2017-1000099.patch \	10	file://CVE-2017-1000099.patch \
11	file://CVE-2017-1000100.patch \	11	file://CVE-2017-1000100.patch \
12	file://CVE-2017-1000101.patch \	12	file://CVE-2017-1000101.patch \
		13	file://CVE-2017-1000254.patch \
13	"	14	"
14		15
15	# curl likes to set -g0 in CFLAGS, so we stop it	16	# curl likes to set -g0 in CFLAGS, so we stop it