diff options
| author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-02-21 10:55:21 +0530 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-03-14 14:59:10 +0000 |
| commit | 9fa2eba749289f49c7118d5c485257f820b705f3 (patch) | |
| tree | 6915e65840e1995cdf510507e046d0c6a00fb3a8 /meta/recipes-support | |
| parent | f1dbb005c8a8decccef2e8feac8e911c468bd65d (diff) | |
| download | poky-9fa2eba749289f49c7118d5c485257f820b705f3.tar.gz | |
curl: fix CVE-2022-43552 Use-after-free triggered by an HTTP proxy deny response
Upstream-Status: Backport from https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2
(From OE-Core rev: e172a9d7dc92561e26b8ec7ff11d4c598dcaf5c8)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
| -rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-43552.patch | 82 | ||||
| -rw-r--r-- | meta/recipes-support/curl/curl_7.69.1.bb | 1 |
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-43552.patch b/meta/recipes-support/curl/curl/CVE-2022-43552.patch new file mode 100644 index 0000000000..d729441454 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-43552.patch | |||
| @@ -0,0 +1,82 @@ | |||
| 1 | rom 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Stenberg <daniel@haxx.se> | ||
| 3 | Date: Mon, 19 Dec 2022 08:38:37 +0100 | ||
| 4 | Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done() | ||
| 5 | |||
| 6 | It is managed by the generic layer. | ||
| 7 | |||
| 8 | Reported-by: Trail of Bits | ||
| 9 | |||
| 10 | Closes #10112 | ||
| 11 | |||
| 12 | CVE: CVE-2022-43552 | ||
| 13 | Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2] | ||
| 14 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 15 | --- | ||
| 16 | lib/smb.c | 14 ++------------ | ||
| 17 | lib/telnet.c | 3 --- | ||
| 18 | 2 files changed, 2 insertions(+), 15 deletions(-) | ||
| 19 | |||
| 20 | diff --git a/lib/smb.c b/lib/smb.c | ||
| 21 | index 12f9925..8db3b27 100644 | ||
| 22 | --- a/lib/smb.c | ||
| 23 | +++ b/lib/smb.c | ||
| 24 | @@ -61,8 +61,6 @@ static CURLcode smb_connect(struct connectdata *conn, bool *done); | ||
| 25 | static CURLcode smb_connection_state(struct connectdata *conn, bool *done); | ||
| 26 | static CURLcode smb_do(struct connectdata *conn, bool *done); | ||
| 27 | static CURLcode smb_request_state(struct connectdata *conn, bool *done); | ||
| 28 | -static CURLcode smb_done(struct connectdata *conn, CURLcode status, | ||
| 29 | - bool premature); | ||
| 30 | static CURLcode smb_disconnect(struct connectdata *conn, bool dead); | ||
| 31 | static int smb_getsock(struct connectdata *conn, curl_socket_t *socks); | ||
| 32 | static CURLcode smb_parse_url_path(struct connectdata *conn); | ||
| 33 | @@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = { | ||
| 34 | "SMB", /* scheme */ | ||
| 35 | smb_setup_connection, /* setup_connection */ | ||
| 36 | smb_do, /* do_it */ | ||
| 37 | - smb_done, /* done */ | ||
| 38 | + ZERO_NULL, /* done */ | ||
| 39 | ZERO_NULL, /* do_more */ | ||
| 40 | smb_connect, /* connect_it */ | ||
| 41 | smb_connection_state, /* connecting */ | ||
| 42 | @@ -99,7 +97,7 @@ const struct Curl_handler Curl_handler_smbs = { | ||
| 43 | "SMBS", /* scheme */ | ||
| 44 | smb_setup_connection, /* setup_connection */ | ||
| 45 | smb_do, /* do_it */ | ||
| 46 | - smb_done, /* done */ | ||
| 47 | + ZERO_NULL, /* done */ | ||
| 48 | ZERO_NULL, /* do_more */ | ||
| 49 | smb_connect, /* connect_it */ | ||
| 50 | smb_connection_state, /* connecting */ | ||
| 51 | @@ -919,14 +917,6 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done) | ||
| 52 | return CURLE_OK; | ||
| 53 | } | ||
| 54 | |||
| 55 | -static CURLcode smb_done(struct connectdata *conn, CURLcode status, | ||
| 56 | - bool premature) | ||
| 57 | -{ | ||
| 58 | - (void) premature; | ||
| 59 | - Curl_safefree(conn->data->req.protop); | ||
| 60 | - return status; | ||
| 61 | -} | ||
| 62 | - | ||
| 63 | static CURLcode smb_disconnect(struct connectdata *conn, bool dead) | ||
| 64 | { | ||
| 65 | struct smb_conn *smbc = &conn->proto.smbc; | ||
| 66 | diff --git a/lib/telnet.c b/lib/telnet.c | ||
| 67 | index 3347ad6..e3b9208 100644 | ||
| 68 | --- a/lib/telnet.c | ||
| 69 | +++ b/lib/telnet.c | ||
| 70 | @@ -1294,9 +1294,6 @@ static CURLcode telnet_done(struct connectdata *conn, | ||
| 71 | |||
| 72 | curl_slist_free_all(tn->telnet_vars); | ||
| 73 | tn->telnet_vars = NULL; | ||
| 74 | - | ||
| 75 | - Curl_safefree(conn->data->req.protop); | ||
| 76 | - | ||
| 77 | return CURLE_OK; | ||
| 78 | } | ||
| 79 | |||
| 80 | -- | ||
| 81 | 2.25.1 | ||
| 82 | |||
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 63faae6296..899daf8eac 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb | |||
| @@ -41,6 +41,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ | |||
| 41 | file://CVE-2022-35252.patch \ | 41 | file://CVE-2022-35252.patch \ |
| 42 | file://CVE-2022-32221.patch \ | 42 | file://CVE-2022-32221.patch \ |
| 43 | file://CVE-2022-35260.patch \ | 43 | file://CVE-2022-35260.patch \ |
| 44 | file://CVE-2022-43552.patch \ | ||
| 44 | " | 45 | " |
| 45 | 46 | ||
| 46 | SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" | 47 | SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" |