curl: Security fixes for CVE-2020-{8169/8177}

Source: https://curl.haxx.se/ MR: 104472, 104458 Type: Security Fix Disposition: Backport from https://github.com/curl/curl/commit/{600a8cded447cd/8236aba58542c5f} ChangeID: 1300924f7a64b22375b4326daeef0b686481e30c Description: - Affected versions: curl 7.20.0 to and including 7.70.0 - Not affected versions: curl < 7.20.0 and curl >= 7.71.0 Fixes both CVE-2020-8169 and CVE-2020-8177 (From OE-Core rev: f42702baee57ab3d1b7ab7833e72c7d56ad4ee94) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2020-06-25 19:26:01 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-07-02 16:12:36 +0100
commit: abde5f4cab763c308ef3144055afebc6c87877d1 (patch)
tree: ae4b2022402b71cc951fad0d52526a452798e384 /meta/recipes-support
parent: 57b40bdd5431e10e46c255080e507fa02c838690 (diff)
download: poky-abde5f4cab763c308ef3144055afebc6c87877d1.tar.gz
3 files changed, 209 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2020-8169.patch b/meta/recipes-support/curl/curl/CVE-2020-8169.patch
new file mode 100644
index 0000000000..7d1be24a0a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8169.patch
@@ -0,0 +1,140 @@
+From 600a8cded447cd7118ed50142c576567c0cf5158 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 14 May 2020 14:37:12 +0200
+Subject: [PATCH] url: make the updated credentials URL-encoded in the URL
+Found-by: Gregory Jefferis
+Reported-by: Jeroen Ooms
+Added test 1168 to verify. Bug spotted when doing a redirect.
+Bug: https://github.com/jeroen/curl/issues/224
+Closes #5400
+Upstream-Status: Backport
+https://github.com/curl/curl/commit/600a8cded447cd
+CVE: CVE-2020-8169
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ lib/url.c               |  6 ++--
+ tests/data/Makefile.inc |  1 +
+ tests/data/test1168     | 78 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 83 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1168
+Index: curl-7.69.1/lib/url.c
+===================================================================
+--- curl-7.69.1.orig/lib/url.c
+++ curl-7.69.1/lib/url.c
+@@ -2776,12 +2776,14 @@ static CURLcode override_login(struct Cu
+ 
+   /* for updated strings, we update them in the URL */
+   if(user_changed) {
+-    uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0);
+    uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp,
+                      CURLU_URLENCODE);
+     if(uc)
+       return Curl_uc_to_curlcode(uc);
+   }
+   if(passwd_changed) {
+-    uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0);
+    uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp,
+                      CURLU_URLENCODE);
+     if(uc)
+       return Curl_uc_to_curlcode(uc);
+   }
+Index: curl-7.69.1/tests/data/Makefile.inc
+===================================================================
+--- curl-7.69.1.orig/tests/data/Makefile.inc
+++ curl-7.69.1/tests/data/Makefile.inc
+@@ -133,6 +133,7 @@ test1136 test1137 test1138 test1139 test
+ test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
+ test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \
+ test1160 test1161 test1162 test1163 test1164 test1165 test1166 test1167 \
+test1168 \
+ \
+ test1170 test1171 test1172 test1173 test1174 test1175 test1176 \
+ \
+Index: curl-7.69.1/tests/data/test1168
+===================================================================
+--- /dev/null
+++ curl-7.69.1/tests/data/test1168
+@@ -0,0 +1,78 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+followlocation
+</keywords>
+</info>
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 This is a weirdo text message swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Location: /data/11680002.txt
+Connection: close
+
+This server reply is for testing a simple Location: following
+
+</data>
+<data2>
+HTTP/1.1 200 Followed here fine swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 52
+
+If this is received, the location following worked
+
+</data2>
+<datacheck>
+HTTP/1.1 301 This is a weirdo text message swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Location: /data/11680002.txt
+Connection: close
+
+HTTP/1.1 200 Followed here fine swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 52
+
+If this is received, the location following worked
+
+</datacheck>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP redirect with credentials using # in user and password
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY"
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /want/1168 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
+Accept: */*
+
+GET /data/11680002.txt HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
+Accept: */*
+
+</protocol>
+</verify>
+</testcase>
diff --git a/meta/recipes-support/curl/curl/CVE-2020-8177.patch b/meta/recipes-support/curl/curl/CVE-2020-8177.patch
new file mode 100644
index 0000000000..4f14fa2306
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8177.patch
@@ -0,0 +1,67 @@
+From 8236aba58542c5f89f1d41ca09d84579efb05e22 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 31 May 2020 23:09:59 +0200
+Subject: [PATCH] tool_getparam: -i is not OK if -J is used
+Reported-by: sn on hackerone
+Bug: https://curl.haxx.se/docs/CVE-2020-8177.html
+Upstream-Status: Backport
+CVE:CVE-2020-8177
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/tool_cb_hdr.c   | 22 ++++------------------
+ src/tool_getparam.c |  5 +++++
+ 2 files changed, 9 insertions(+), 18 deletions(-)
+Index: curl-7.69.1/src/tool_cb_hdr.c
+===================================================================
+--- curl-7.69.1.orig/src/tool_cb_hdr.c
+++ curl-7.69.1/src/tool_cb_hdr.c
+@@ -186,25 +186,11 @@ size_t tool_header_cb(char *ptr, size_t
+       filename = parse_filename(p, len);
+       if(filename) {
+         if(outs->stream) {
+-          int rc;
+-          /* already opened and possibly written to */
+-          if(outs->fopened)
+-            fclose(outs->stream);
+-          outs->stream = NULL;
+-
+-          /* rename the initial file name to the new file name */
+-          rc = rename(outs->filename, filename);
+-          if(rc != 0) {
+-            warnf(per->config->global, "Failed to rename %s -> %s: %s\n",
+-                  outs->filename, filename, strerror(errno));
+-          }
+-          if(outs->alloc_filename)
+-            Curl_safefree(outs->filename);
+-          if(rc != 0) {
+-            free(filename);
+-            return failure;
+-          }
+          /* indication of problem, get out! */
+          free(filename);
+          return failure;
+         }
+
+         outs->is_cd_filename = TRUE;
+         outs->s_isreg = TRUE;
+         outs->fopened = FALSE;
+Index: curl-7.69.1/src/tool_getparam.c
+===================================================================
+--- curl-7.69.1.orig/src/tool_getparam.c
+++ curl-7.69.1/src/tool_getparam.c
+@@ -1807,6 +1807,11 @@ ParameterError getparameter(const char *
+       }
+       break;
+     case 'i':
+      if(config->content_disposition) {
+        warnf(global,
+              "--include and --remote-header-name cannot be combined.\n");
+        return PARAM_BAD_USE;
+      }
+       config->show_headers = toggle; /* show the headers as well in the
+                                         general output stream */
+       break;
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index e854e8d4bd..8b5170f021 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -7,6 +7,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2e9fb35867314fe31c6a4977ef7dd531"
 SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://0001-replace-krb5-config-with-pkg-config.patch \
+           file://CVE-2020-8169.patch \
+           file://CVE-2020-8177.patch \
 "
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
author	Armin Kuster <akuster@mvista.com>	2020-06-25 19:26:01 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-07-02 16:12:36 +0100
commit	abde5f4cab763c308ef3144055afebc6c87877d1 (patch)
tree	ae4b2022402b71cc951fad0d52526a452798e384 /meta/recipes-support
parent	57b40bdd5431e10e46c255080e507fa02c838690 (diff)
download	poky-abde5f4cab763c308ef3144055afebc6c87877d1.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2020-8169.patch b/meta/recipes-support/curl/curl/CVE-2020-8169.patch new file mode 100644 index 0000000000..7d1be24a0a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2020-8169.patch
@@ -0,0 +1,140 @@
		1	From 600a8cded447cd7118ed50142c576567c0cf5158 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Thu, 14 May 2020 14:37:12 +0200
		4	Subject: [PATCH] url: make the updated credentials URL-encoded in the URL
		5
		6	Found-by: Gregory Jefferis
		7	Reported-by: Jeroen Ooms
		8	Added test 1168 to verify. Bug spotted when doing a redirect.
		9	Bug: https://github.com/jeroen/curl/issues/224
		10	Closes #5400
		11
		12	Upstream-Status: Backport
		13	https://github.com/curl/curl/commit/600a8cded447cd
		14
		15	CVE: CVE-2020-8169
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17
		18	---
		19	lib/url.c \| 6 ++--
		20	tests/data/Makefile.inc \| 1 +
		21	tests/data/test1168 \| 78 +++++++++++++++++++++++++++++++++++++++++
		22	3 files changed, 83 insertions(+), 2 deletions(-)
		23	create mode 100644 tests/data/test1168
		24
		25	Index: curl-7.69.1/lib/url.c
		26	===================================================================
		27	--- curl-7.69.1.orig/lib/url.c
		28	+++ curl-7.69.1/lib/url.c
		29	@@ -2776,12 +2776,14 @@ static CURLcode override_login(struct Cu
		30
		31	/* for updated strings, we update them in the URL */
		32	if(user_changed) {
		33	- uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0);
		34	+ uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp,
		35	+ CURLU_URLENCODE);
		36	if(uc)
		37	return Curl_uc_to_curlcode(uc);
		38	}
		39	if(passwd_changed) {
		40	- uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0);
		41	+ uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp,
		42	+ CURLU_URLENCODE);
		43	if(uc)
		44	return Curl_uc_to_curlcode(uc);
		45	}
		46	Index: curl-7.69.1/tests/data/Makefile.inc
		47	===================================================================
		48	--- curl-7.69.1.orig/tests/data/Makefile.inc
		49	+++ curl-7.69.1/tests/data/Makefile.inc
		50	@@ -133,6 +133,7 @@ test1136 test1137 test1138 test1139 test
		51	test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
		52	test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \
		53	test1160 test1161 test1162 test1163 test1164 test1165 test1166 test1167 \
		54	+test1168 \
		55	\
		56	test1170 test1171 test1172 test1173 test1174 test1175 test1176 \
		57	\
		58	Index: curl-7.69.1/tests/data/test1168
		59	===================================================================
		60	--- /dev/null
		61	+++ curl-7.69.1/tests/data/test1168
		62	@@ -0,0 +1,78 @@
		63	+<testcase>
		64	+<info>
		65	+<keywords>
		66	+HTTP
		67	+HTTP GET
		68	+followlocation
		69	+</keywords>
		70	+</info>
		71	+# Server-side
		72	+<reply>
		73	+<data>
		74	+HTTP/1.1 301 This is a weirdo text message swsclose
		75	+Date: Thu, 09 Nov 2010 14:49:00 GMT
		76	+Server: test-server/fake
		77	+Location: /data/11680002.txt
		78	+Connection: close
		79	+
		80	+This server reply is for testing a simple Location: following
		81	+
		82	+</data>
		83	+<data2>
		84	+HTTP/1.1 200 Followed here fine swsclose
		85	+Date: Thu, 09 Nov 2010 14:49:00 GMT
		86	+Server: test-server/fake
		87	+Content-Length: 52
		88	+
		89	+If this is received, the location following worked
		90	+
		91	+</data2>
		92	+<datacheck>
		93	+HTTP/1.1 301 This is a weirdo text message swsclose
		94	+Date: Thu, 09 Nov 2010 14:49:00 GMT
		95	+Server: test-server/fake
		96	+Location: /data/11680002.txt
		97	+Connection: close
		98	+
		99	+HTTP/1.1 200 Followed here fine swsclose
		100	+Date: Thu, 09 Nov 2010 14:49:00 GMT
		101	+Server: test-server/fake
		102	+Content-Length: 52
		103	+
		104	+If this is received, the location following worked
		105	+
		106	+</datacheck>
		107	+</reply>
		108	+
		109	+# Client-side
		110	+<client>
		111	+<server>
		112	+http
		113	+</server>
		114	+ <name>
		115	+HTTP redirect with credentials using # in user and password
		116	+ </name>
		117	+ <command>
		118	+http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY"
		119	+</command>
		120	+</client>
		121	+
		122	+# Verify data after the test has been "shot"
		123	+<verify>
		124	+<strip>
		125	+^User-Agent:.*
		126	+</strip>
		127	+<protocol>
		128	+GET /want/1168 HTTP/1.1
		129	+Host: %HOSTIP:%HTTPPORT
		130	+Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
		131	+Accept: /
		132	+
		133	+GET /data/11680002.txt HTTP/1.1
		134	+Host: %HOSTIP:%HTTPPORT
		135	+Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
		136	+Accept: /
		137	+
		138	+</protocol>
		139	+</verify>
		140	+</testcase>


diff --git a/meta/recipes-support/curl/curl/CVE-2020-8177.patch b/meta/recipes-support/curl/curl/CVE-2020-8177.patch new file mode 100644 index 0000000000..4f14fa2306 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2020-8177.patch
@@ -0,0 +1,67 @@
		1	From 8236aba58542c5f89f1d41ca09d84579efb05e22 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Sun, 31 May 2020 23:09:59 +0200
		4	Subject: [PATCH] tool_getparam: -i is not OK if -J is used
		5
		6	Reported-by: sn on hackerone
		7	Bug: https://curl.haxx.se/docs/CVE-2020-8177.html
		8
		9	Upstream-Status: Backport
		10	CVE:CVE-2020-8177
		11	Signed-off-by: Armin Kuster <akuster@mvista.com>
		12
		13	---
		14	src/tool_cb_hdr.c \| 22 ++++------------------
		15	src/tool_getparam.c \| 5 +++++
		16	2 files changed, 9 insertions(+), 18 deletions(-)
		17
		18	Index: curl-7.69.1/src/tool_cb_hdr.c
		19	===================================================================
		20	--- curl-7.69.1.orig/src/tool_cb_hdr.c
		21	+++ curl-7.69.1/src/tool_cb_hdr.c
		22	@@ -186,25 +186,11 @@ size_t tool_header_cb(char *ptr, size_t
		23	filename = parse_filename(p, len);
		24	if(filename) {
		25	if(outs->stream) {
		26	- int rc;
		27	- /* already opened and possibly written to */
		28	- if(outs->fopened)
		29	- fclose(outs->stream);
		30	- outs->stream = NULL;
		31	-
		32	- /* rename the initial file name to the new file name */
		33	- rc = rename(outs->filename, filename);
		34	- if(rc != 0) {
		35	- warnf(per->config->global, "Failed to rename %s -> %s: %s\n",
		36	- outs->filename, filename, strerror(errno));
		37	- }
		38	- if(outs->alloc_filename)
		39	- Curl_safefree(outs->filename);
		40	- if(rc != 0) {
		41	- free(filename);
		42	- return failure;
		43	- }
		44	+ /* indication of problem, get out! */
		45	+ free(filename);
		46	+ return failure;
		47	}
		48	+
		49	outs->is_cd_filename = TRUE;
		50	outs->s_isreg = TRUE;
		51	outs->fopened = FALSE;
		52	Index: curl-7.69.1/src/tool_getparam.c
		53	===================================================================
		54	--- curl-7.69.1.orig/src/tool_getparam.c
		55	+++ curl-7.69.1/src/tool_getparam.c
		56	@@ -1807,6 +1807,11 @@ ParameterError getparameter(const char *
		57	}
		58	break;
		59	case 'i':
		60	+ if(config->content_disposition) {
		61	+ warnf(global,
		62	+ "--include and --remote-header-name cannot be combined.\n");
		63	+ return PARAM_BAD_USE;
		64	+ }
		65	config->show_headers = toggle; /* show the headers as well in the
		66	general output stream */
		67	break;


diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index e854e8d4bd..8b5170f021 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -7,6 +7,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2e9fb35867314fe31c6a4977ef7dd531"
7		7
8	SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \	8	SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
9	file://0001-replace-krb5-config-with-pkg-config.patch \	9	file://0001-replace-krb5-config-with-pkg-config.patch \
		10	file://CVE-2020-8169.patch \
		11	file://CVE-2020-8177.patch \
10	"	12	"
11		13
12	SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"	14	SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"