diff options
author | Muminul Islam <muislam@microsoft.com> | 2019-10-13 09:10:35 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-10-15 15:54:01 +0100 |
commit | ebf1cc65a96ba01edccb56f0a50235dedfca8478 (patch) | |
tree | ce40e0ba2b959f80e3a3b982e2baa9a8964dbb34 /meta/recipes-support | |
parent | 507434199d6ba699045692cef441931fa384b6dc (diff) | |
download | poky-ebf1cc65a96ba01edccb56f0a50235dedfca8478.tar.gz |
curl: Security fix for CVE-2019-5482
(From OE-Core rev: 57d30f26c3dbba720079e98d429dfcb53d527d54)
Signed-off-by: Muminul Islam <muislam@microsoft.com>
[Fixup for thud context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2019-5482.patch | 68 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.61.0.bb | 1 |
2 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2019-5482.patch b/meta/recipes-support/curl/curl/CVE-2019-5482.patch new file mode 100644 index 0000000000..91b186699d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2019-5482.patch | |||
@@ -0,0 +1,68 @@ | |||
1 | From 38319e0717844c32464a6c7630de9be226f1c6f4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Thomas Vegas <> | ||
3 | Date: Sat, 31 Aug 2019 17:30:51 +0200 | ||
4 | Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is | ||
5 | received | ||
6 | Reply-To: muislam@microsoft.com | ||
7 | |||
8 | Fixes potential buffer overflow from 'recvfrom()', should the server | ||
9 | return an OACK without blksize. | ||
10 | |||
11 | Bug: https://curl.haxx.se/docs/CVE-2019-5482.html | ||
12 | |||
13 | CVE: CVE-2019-5482 | ||
14 | |||
15 | Upstream-Status: Backport | ||
16 | |||
17 | Signed-off-by: Muminul Islam <muislam@microsoft.com> | ||
18 | --- | ||
19 | lib/tftp.c | 12 +++++++++--- | ||
20 | 1 file changed, 9 insertions(+), 3 deletions(-) | ||
21 | |||
22 | diff --git a/lib/tftp.c b/lib/tftp.c | ||
23 | index 064eef318..2c148e3e1 100644 | ||
24 | --- a/lib/tftp.c | ||
25 | +++ b/lib/tftp.c | ||
26 | @@ -969,6 +969,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) | ||
27 | { | ||
28 | tftp_state_data_t *state; | ||
29 | int blksize; | ||
30 | + int need_blksize; | ||
31 | |||
32 | blksize = TFTP_BLKSIZE_DEFAULT; | ||
33 | |||
34 | @@ -983,15 +984,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) | ||
35 | return CURLE_TFTP_ILLEGAL; | ||
36 | } | ||
37 | |||
38 | + need_blksize = blksize; | ||
39 | + /* default size is the fallback when no OACK is received */ | ||
40 | + if(need_blksize < TFTP_BLKSIZE_DEFAULT) | ||
41 | + need_blksize = TFTP_BLKSIZE_DEFAULT; | ||
42 | + | ||
43 | if(!state->rpacket.data) { | ||
44 | - state->rpacket.data = calloc(1, blksize + 2 + 2); | ||
45 | + state->rpacket.data = calloc(1, need_blksize + 2 + 2); | ||
46 | |||
47 | if(!state->rpacket.data) | ||
48 | return CURLE_OUT_OF_MEMORY; | ||
49 | } | ||
50 | |||
51 | if(!state->spacket.data) { | ||
52 | - state->spacket.data = calloc(1, blksize + 2 + 2); | ||
53 | + state->spacket.data = calloc(1, need_blksize + 2 + 2); | ||
54 | |||
55 | if(!state->spacket.data) | ||
56 | return CURLE_OUT_OF_MEMORY; | ||
57 | @@ -1005,7 +1011,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) | ||
58 | state->sockfd = state->conn->sock[FIRSTSOCKET]; | ||
59 | state->state = TFTP_STATE_START; | ||
60 | state->error = TFTP_ERR_NONE; | ||
61 | - state->blksize = blksize; | ||
62 | + state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */ | ||
63 | state->requested_blksize = blksize; | ||
64 | |||
65 | ((struct sockaddr *)&state->local_addr)->sa_family = | ||
66 | -- | ||
67 | 2.23.0 | ||
68 | |||
diff --git a/meta/recipes-support/curl/curl_7.61.0.bb b/meta/recipes-support/curl/curl_7.61.0.bb index c1e4342df5..cd880f9e22 100644 --- a/meta/recipes-support/curl/curl_7.61.0.bb +++ b/meta/recipes-support/curl/curl_7.61.0.bb | |||
@@ -16,6 +16,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ | |||
16 | file://CVE-2018-16890.patch \ | 16 | file://CVE-2018-16890.patch \ |
17 | file://CVE-2019-3822.patch \ | 17 | file://CVE-2019-3822.patch \ |
18 | file://CVE-2019-3823.patch \ | 18 | file://CVE-2019-3823.patch \ |
19 | file://CVE-2019-5482.patch \ | ||
19 | " | 20 | " |
20 | 21 | ||
21 | SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a" | 22 | SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a" |