Curl: Security fix for CVE-2019-5482

Source: curl.org MR: 99905 Type: Security Fix Disposition: Backport from https://github.com/curl/curl/commit/facb0e4662415b5f28163e853dc6742ac5fafb3d ChangeID: e0c807da8937f687a4b2e28eaa6b4b5a51845bc5 Description: Fixes CVE-2019-5482 - Affected versions: libcurl >= 7.19.4 to and including 7.65.3 - Not affected versions: libcurl < 7.19.4 (From OE-Core rev: d2e5558133f970a8a196c545dd00af9315c1a06a) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2019-09-13 16:14:16 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-09-30 16:44:42 +0100
commit: 1b9559de4b3d034e11debe57bfe595328e8ceff3 (patch)
tree: 4959ea9afd730e92e97e69b605ae906b30400bfc /meta/recipes-support
parent: c6720451a8d0cb672d8fe36a34b5283787edac55 (diff)
download: poky-1b9559de4b3d034e11debe57bfe595328e8ceff3.tar.gz
2 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2019-5482.patch b/meta/recipes-support/curl/curl/CVE-2019-5482.patch
new file mode 100644
index 0000000000..30122d1ae9
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2019-5482.patch
@@ -0,0 +1,65 @@
+From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
+ received
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+CVE-2019-5482
+Upstream-Status: Backport
+CVE: CVE-2019-5482
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+Index: curl-7.64.1/lib/tftp.c
+===================================================================
+--- curl-7.64.1.orig/lib/tftp.c
+++ curl-7.64.1/lib/tftp.c
+@@ -973,6 +973,7 @@ static CURLcode tftp_connect(struct conn
+ {
+   tftp_state_data_t *state;
+   int blksize;
+  int need_blksize;
+ 
+   blksize = TFTP_BLKSIZE_DEFAULT;
+ 
+@@ -987,15 +988,20 @@ static CURLcode tftp_connect(struct conn
+       return CURLE_TFTP_ILLEGAL;
+   }
+ 
+  need_blksize = blksize;
+  /* default size is the fallback when no OACK is received */
+  if(need_blksize < TFTP_BLKSIZE_DEFAULT)
+    need_blksize = TFTP_BLKSIZE_DEFAULT;
+
+   if(!state->rpacket.data) {
+-    state->rpacket.data = calloc(1, blksize + 2 + 2);
+    state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+     if(!state->rpacket.data)
+       return CURLE_OUT_OF_MEMORY;
+   }
+ 
+   if(!state->spacket.data) {
+-    state->spacket.data = calloc(1, blksize + 2 + 2);
+    state->spacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+     if(!state->spacket.data)
+       return CURLE_OUT_OF_MEMORY;
+@@ -1009,7 +1015,7 @@ static CURLcode tftp_connect(struct conn
+   state->sockfd = state->conn->sock[FIRSTSOCKET];
+   state->state = TFTP_STATE_START;
+   state->error = TFTP_ERR_NONE;
+-  state->blksize = blksize;
+  state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
+   state->requested_blksize = blksize;
+ 
+   ((struct sockaddr *)&state->local_addr)->sa_family =
diff --git a/meta/recipes-support/curl/curl_7.64.1.bb b/meta/recipes-support/curl/curl_7.64.1.bb
index 00c8c5a826..151d74a236 100644
--- a/meta/recipes-support/curl/curl_7.64.1.bb
+++ b/meta/recipes-support/curl/curl_7.64.1.bb
@@ -9,6 +9,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://0001-replace-krb5-config-with-pkg-config.patch \
           file://CVE-2019-5435.patch \
           file://CVE-2019-5436.patch \
+           file://CVE-2019-5482.patch \
 "
 SRC_URI[md5sum] = "790c101927845208a9d7e8c429ddd1b2"
author	Armin Kuster <akuster@mvista.com>	2019-09-13 16:14:16 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-09-30 16:44:42 +0100
commit	1b9559de4b3d034e11debe57bfe595328e8ceff3 (patch)
tree	4959ea9afd730e92e97e69b605ae906b30400bfc /meta/recipes-support
parent	c6720451a8d0cb672d8fe36a34b5283787edac55 (diff)
download	poky-1b9559de4b3d034e11debe57bfe595328e8ceff3.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2019-5482.patch b/meta/recipes-support/curl/curl/CVE-2019-5482.patch new file mode 100644 index 0000000000..30122d1ae9 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2019-5482.patch
@@ -0,0 +1,65 @@
		1	From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
		2	From: Thomas Vegas <>
		3	Date: Sat, 31 Aug 2019 17:30:51 +0200
		4	Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
		5	received
		6
		7	Fixes potential buffer overflow from 'recvfrom()', should the server
		8	return an OACK without blksize.
		9
		10	Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
		11	CVE-2019-5482
		12
		13	Upstream-Status: Backport
		14	CVE: CVE-2019-5482
		15
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17
		18	---
		19	lib/tftp.c \| 12 +++++++++---
		20	1 file changed, 9 insertions(+), 3 deletions(-)
		21
		22	Index: curl-7.64.1/lib/tftp.c
		23	===================================================================
		24	--- curl-7.64.1.orig/lib/tftp.c
		25	+++ curl-7.64.1/lib/tftp.c
		26	@@ -973,6 +973,7 @@ static CURLcode tftp_connect(struct conn
		27	{
		28	tftp_state_data_t *state;
		29	int blksize;
		30	+ int need_blksize;
		31
		32	blksize = TFTP_BLKSIZE_DEFAULT;
		33
		34	@@ -987,15 +988,20 @@ static CURLcode tftp_connect(struct conn
		35	return CURLE_TFTP_ILLEGAL;
		36	}
		37
		38	+ need_blksize = blksize;
		39	+ /* default size is the fallback when no OACK is received */
		40	+ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
		41	+ need_blksize = TFTP_BLKSIZE_DEFAULT;
		42	+
		43	if(!state->rpacket.data) {
		44	- state->rpacket.data = calloc(1, blksize + 2 + 2);
		45	+ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
		46
		47	if(!state->rpacket.data)
		48	return CURLE_OUT_OF_MEMORY;
		49	}
		50
		51	if(!state->spacket.data) {
		52	- state->spacket.data = calloc(1, blksize + 2 + 2);
		53	+ state->spacket.data = calloc(1, need_blksize + 2 + 2);
		54
		55	if(!state->spacket.data)
		56	return CURLE_OUT_OF_MEMORY;
		57	@@ -1009,7 +1015,7 @@ static CURLcode tftp_connect(struct conn
		58	state->sockfd = state->conn->sock[FIRSTSOCKET];
		59	state->state = TFTP_STATE_START;
		60	state->error = TFTP_ERR_NONE;
		61	- state->blksize = blksize;
		62	+ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
		63	state->requested_blksize = blksize;
		64
		65	((struct sockaddr *)&state->local_addr)->sa_family =


diff --git a/meta/recipes-support/curl/curl_7.64.1.bb b/meta/recipes-support/curl/curl_7.64.1.bb index 00c8c5a826..151d74a236 100644 --- a/meta/recipes-support/curl/curl_7.64.1.bb +++ b/meta/recipes-support/curl/curl_7.64.1.bb
@@ -9,6 +9,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
9	file://0001-replace-krb5-config-with-pkg-config.patch \	9	file://0001-replace-krb5-config-with-pkg-config.patch \
10	file://CVE-2019-5435.patch \	10	file://CVE-2019-5435.patch \
11	file://CVE-2019-5436.patch \	11	file://CVE-2019-5436.patch \
		12	file://CVE-2019-5482.patch \
12	"	13	"
13		14
14	SRC_URI[md5sum] = "790c101927845208a9d7e8c429ddd1b2"	15	SRC_URI[md5sum] = "790c101927845208a9d7e8c429ddd1b2"