curl: Security fix for CVE-2016-8620

Affected versions: curl 7.34.0 to and including 7.50.3
Not affected versions: curl < 7.34.0 and curl >= 7.51.0

(From OE-Core rev: daeb0f5369f7c9ff470c9db3ba6ae42ac5abea2c)

Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2 files changed, 147 insertions, 0 deletions

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8620.patch b/meta/recipes-support/curl/curl/CVE-2016-8620.patch
new file mode 100644
index 0000000000..db3da6f57a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8620.patch
@@ -0,0 +1,146 @@
+From 52f3e1d1092c81a4f574c9fc6cb3818b88434c8d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 3 Oct 2016 17:27:16 +0200
+Subject: [PATCH 1/3] range: prevent negative end number in a glob range
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2016-8620
+
+Bug: https://curl.haxx.se/docs/adv_20161102F.html
+Reported-by: Luật Nguyễn
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-8620.patch
+CVE: CVE-2016-8620
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+---
+ src/tool_urlglob.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+Index: curl-7.44.0/src/tool_urlglob.c
+===================================================================
+--- curl-7.44.0.orig/src/tool_urlglob.c
++++ curl-7.44.0/src/tool_urlglob.c
+@@ -186,32 +186,36 @@ static CURLcode glob_range(URLGlob *glob
+     /* character range detected */
+     char min_c;
+     char max_c;
++    char end_c;
+     int step=1;
+ 
+     pat->type = UPTCharRange;
+ 
+-    rc = sscanf(pattern, "%c-%c", &min_c, &max_c);
++    rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c);
+ 
+-    if((rc == 2) && (pattern[3] == ':')) {
+-      char *endp;
+-      unsigned long lstep;
+-      errno = 0;
+-      lstep = strtoul(&pattern[4], &endp, 10);
+-      if(errno || (*endp != ']'))
+-        step = -1;
+-      else {
+-        pattern = endp+1;
+-        step = (int)lstep;
+-        if(step > (max_c - min_c))
++    if(rc == 3) {
++      if(end_c == ':') {
++        char *endp;
++        unsigned long lstep;
++        errno = 0;
++        lstep = strtoul(&pattern[4], &endp, 10);
++        if(errno || (*endp != ']'))
+           step = -1;
++        else {
++          pattern = endp+1;
++          step = (int)lstep;
++          if(step > (max_c - min_c))
++            step = -1;
++        }
+       }
++      else if(end_c != ']')
++        /* then this is wrong */
++        rc = 0;
+     }
+-    else
+-      pattern += 4;
+ 
+     *posp += (pattern - *patternp);
+ 
+-    if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
++    if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
+        (step <= 0) )
+       /* the pattern is not well-formed */
+       return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);
+@@ -255,6 +259,12 @@ static CURLcode glob_range(URLGlob *glob
+         endp = NULL;
+       else {
+         pattern = endp+1;
++        while(*pattern && ISBLANK(*pattern))
++          pattern++;
++        if(!ISDIGIT(*pattern)) {
++          endp = NULL;
++          goto fail;
++        }
+         errno = 0;
+         max_n = strtoul(pattern, &endp, 10);
+         if(errno || (*endp == ':')) {
+@@ -275,6 +285,7 @@ static CURLcode glob_range(URLGlob *glob
+       }
+     }
+ 
++    fail:
+     *posp += (pattern - *patternp);
+ 
+     if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) ||
+@@ -423,6 +434,7 @@ CURLcode glob_url(URLGlob** glob, char*
+   glob_buffer = malloc(strlen(url) + 1);
+   if(!glob_buffer)
+     return CURLE_OUT_OF_MEMORY;
++  glob_buffer[0]=0;
+ 
+   glob_expand = calloc(1, sizeof(URLGlob));
+   if(!glob_expand) {
+@@ -540,20 +552,25 @@ CURLcode glob_next_url(char **globbed, U
+     switch(pat->type) {
+     case UPTSet:
+       if(pat->content.Set.elements) {
+-        len = strlen(pat->content.Set.elements[pat->content.Set.ptr_s]);
+         snprintf(buf, buflen, "%s",
+                  pat->content.Set.elements[pat->content.Set.ptr_s]);
++        len = strlen(buf);
+         buf += len;
+         buflen -= len;
+       }
+       break;
+     case UPTCharRange:
+-      *buf++ = pat->content.CharRange.ptr_c;
++      if(buflen) {
++        *buf++ = pat->content.CharRange.ptr_c;
++        *buf = '\0';
++        buflen--;
++      }
+       break;
+     case UPTNumRange:
+-      len = snprintf(buf, buflen, "%0*ld",
+-                     pat->content.NumRange.padlength,
+-                     pat->content.NumRange.ptr_n);
++      snprintf(buf, buflen, "%0*ld",
++               pat->content.NumRange.padlength,
++               pat->content.NumRange.ptr_n);
++      len = strlen(buf);
+       buf += len;
+       buflen -= len;
+       break;
+@@ -562,7 +579,6 @@ CURLcode glob_next_url(char **globbed, U
+       return CURLE_FAILED_INIT;
+     }
+   }
+-  *buf = '\0';
+ 
+   *globbed = strdup(glob->glob_buffer);
+   if(!*globbed)
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb
index 544110134c..aa8ebebf01 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -16,6 +16,7 @@ SRC_URI += " file://configure_ac.patch \
              file://CVE-2016-8615.patch \
              file://CVE-2016-8618.patch \
              file://CVE-2016-8619.patch \ 
+             file://CVE-2016-8620.patch \
            "
 
 SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"