curl: Security fix for CVE-2016-9586

Affected versions: libcurl 7.1 to and including 7.51.0 Not affected versions: libcurl >= 7.52.0 (From OE-Core rev: 559ccc284987846c5b266cc2bc5ecd91c1c155f9) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-11-04 08:10:45 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-11-21 14:43:55 +0000
commit: 6131edc2c9de3d2fe03243a423e2441a6ec855ce (patch)
tree: a5d74dd678e35ac134e70f363f6536e17d9e94e5 /meta/recipes-support
parent: c4339c0e748ca78580ff97a4b1b64840ae6ab12c (diff)
download: poky-6131edc2c9de3d2fe03243a423e2441a6ec855ce.tar.gz
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-9586.patch b/meta/recipes-support/curl/curl/CVE-2016-9586.patch
new file mode 100644
index 0000000000..1103cb05d8
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-9586.patch
@@ -0,0 +1,66 @@
+commit 3ab3c16db6a5674f53cf23d56512a405fde0b2c9
+Author: Daniel Stenberg <daniel@haxx.se>
+Date:   Tue Nov 8 15:32:37 2016 +0100
+    printf: fix floating point buffer overflow issues
+    ... and add a bunch of floating point printf tests
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-9586.patch
+dropped the tests as they require more changes to work.
+CVE: CVE-2016-9586
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: curl-7.50.1/lib/mprintf.c
+===================================================================
+--- curl-7.50.1.orig/lib/mprintf.c      2017-06-15 18:24:08.934720707 +0530
+++ curl-7.50.1/lib/mprintf.c   2017-06-15 18:24:09.318720721 +0530
+@@ -92,7 +92,8 @@
+ #  define mp_uintmax_t unsigned long
+ #endif
+ 
+-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */
+#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should
+                        fit negative DBL_MAX (317 letters) */
+ #define MAX_PARAMETERS 128 /* lame static limit */
+ 
+ #ifdef __AMIGA__
+@@ -910,12 +911,25 @@
+         *fptr = 0;
+ 
+         if(width >= 0) {
+          if(width >= (long)sizeof(work))
+            width = sizeof(work)-1;
+           /* RECURSIVE USAGE */
+           len = curl_msnprintf(fptr, left, "%ld", width);
+           fptr += len;
+           left -= len;
+         }
+         if(prec >= 0) {
+          /* for each digit in the integer part, we can have one less
+             precision */
+          size_t maxprec = sizeof(work) - 2;
+          double val = p->data.dnum;
+          while(val >= 10.0) {
+            val /= 10;
+            maxprec--;
+          }
+
+          if(prec > (long)maxprec)
+            prec = maxprec-1;
+           /* RECURSIVE USAGE */
+           len = curl_msnprintf(fptr, left, ".%ld", prec);
+           fptr += len;
+@@ -935,7 +949,9 @@
+         /* NOTE NOTE NOTE!! Not all sprintf implementations return number of
+            output characters */
+         (sprintf)(work, formatbuf, p->data.dnum);
+-
+#ifdef CURLDEBUG
+        assert(strlen(work) <= sizeof(work));
+#endif
+         for(fptr=work; *fptr; fptr++)
+           OUTCHAR(*fptr);
+       }
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb
index bdf5d73b31..67bbdebfe7 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -21,6 +21,7 @@ SRC_URI += " file://configure_ac.patch \
             file://CVE-2016-8623.patch \
             file://CVE-2016-8617.patch \
             file://CVE-2016-8624.patch \
+             file://CVE-2016-9586.patch \
           "
 SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-11-04 08:10:45 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-11-21 14:43:55 +0000
commit	6131edc2c9de3d2fe03243a423e2441a6ec855ce (patch)
tree	a5d74dd678e35ac134e70f363f6536e17d9e94e5 /meta/recipes-support
parent	c4339c0e748ca78580ff97a4b1b64840ae6ab12c (diff)
download	poky-6131edc2c9de3d2fe03243a423e2441a6ec855ce.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2016-9586.patch b/meta/recipes-support/curl/curl/CVE-2016-9586.patch new file mode 100644 index 0000000000..1103cb05d8 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-9586.patch
@@ -0,0 +1,66 @@
		1	commit 3ab3c16db6a5674f53cf23d56512a405fde0b2c9
		2	Author: Daniel Stenberg <daniel@haxx.se>
		3	Date: Tue Nov 8 15:32:37 2016 +0100
		4
		5	printf: fix floating point buffer overflow issues
		6
		7	... and add a bunch of floating point printf tests
		8
		9	Upstream-Status: Backport
		10	https://curl.haxx.se/CVE-2016-9586.patch
		11	dropped the tests as they require more changes to work.
		12
		13	CVE: CVE-2016-9586
		14	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		15
		16	Index: curl-7.50.1/lib/mprintf.c
		17	===================================================================
		18	--- curl-7.50.1.orig/lib/mprintf.c 2017-06-15 18:24:08.934720707 +0530
		19	+++ curl-7.50.1/lib/mprintf.c 2017-06-15 18:24:09.318720721 +0530
		20	@@ -92,7 +92,8 @@
		21	# define mp_uintmax_t unsigned long
		22	#endif
		23
		24	-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */
		25	+#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should
		26	+ fit negative DBL_MAX (317 letters) */
		27	#define MAX_PARAMETERS 128 /* lame static limit */
		28
		29	#ifdef __AMIGA__
		30	@@ -910,12 +911,25 @@
		31	*fptr = 0;
		32
		33	if(width >= 0) {
		34	+ if(width >= (long)sizeof(work))
		35	+ width = sizeof(work)-1;
		36	/* RECURSIVE USAGE */
		37	len = curl_msnprintf(fptr, left, "%ld", width);
		38	fptr += len;
		39	left -= len;
		40	}
		41	if(prec >= 0) {
		42	+ /* for each digit in the integer part, we can have one less
		43	+ precision */
		44	+ size_t maxprec = sizeof(work) - 2;
		45	+ double val = p->data.dnum;
		46	+ while(val >= 10.0) {
		47	+ val /= 10;
		48	+ maxprec--;
		49	+ }
		50	+
		51	+ if(prec > (long)maxprec)
		52	+ prec = maxprec-1;
		53	/* RECURSIVE USAGE */
		54	len = curl_msnprintf(fptr, left, ".%ld", prec);
		55	fptr += len;
		56	@@ -935,7 +949,9 @@
		57	/* NOTE NOTE NOTE!! Not all sprintf implementations return number of
		58	output characters */
		59	(sprintf)(work, formatbuf, p->data.dnum);
		60	-
		61	+#ifdef CURLDEBUG
		62	+ assert(strlen(work) <= sizeof(work));
		63	+#endif
		64	for(fptr=work; *fptr; fptr++)
		65	OUTCHAR(*fptr);
		66	}


diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb index bdf5d73b31..67bbdebfe7 100644 --- a/meta/recipes-support/curl/curl_7.50.1.bb +++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -21,6 +21,7 @@ SRC_URI += " file://configure_ac.patch \
21	file://CVE-2016-8623.patch \	21	file://CVE-2016-8623.patch \
22	file://CVE-2016-8617.patch \	22	file://CVE-2016-8617.patch \
23	file://CVE-2016-8624.patch \	23	file://CVE-2016-8624.patch \
		24	file://CVE-2016-9586.patch \
24	"	25	"
25		26
26	SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"	27	SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"