curl: Security fix for CVE-2016-8624

Affected versions: curl 7.1 to and including 7.50.3 Not affected versions: curl >= 7.51.0 (From OE-Core rev: 26e464767ab53cb78e4ede10c77fe12907a7daad) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-11-04 08:08:25 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-11-21 14:43:54 +0000
commit: c4339c0e748ca78580ff97a4b1b64840ae6ab12c (patch)
tree: db20afe275323f5b8ed7c0d50e18a66e7146e52f /meta/recipes-support
parent: 5affd0af1ffca0ceca95482c6cbfcac0096b424d (diff)
download: poky-c4339c0e748ca78580ff97a4b1b64840ae6ab12c.tar.gz
2 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8624.patch b/meta/recipes-support/curl/curl/CVE-2016-8624.patch
new file mode 100644
index 0000000000..b9e000ecb5
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8624.patch
@@ -0,0 +1,68 @@
+From 44ab42e55bbe329777ee05d50aea1ee059221652 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 11 Oct 2016 00:48:35 +0200
+Subject: [PATCH] urlparse: accept '#' as end of host name
+'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
+for the '/' document with the rest of the URL being a fragment.
+Upstream-Status: Backport
+CVE: CVE-2016-8624
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+---
+ lib/url.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+diff --git a/lib/url.c b/lib/url.c
+index 74e9bf5..ce94281 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -4159,11 +4159,11 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+     /* clear path */
+     char slashbuf[4];
+     path[0]=0;
+ 
+     rc = sscanf(data->change.url,
+-                "%15[^\n:]:%3[/]%[^\n/?]%[^\n]",
+                "%15[^\n:]:%3[/]%[^\n/?#]%[^\n]",
+                 protobuf, slashbuf, conn->host.name, path);
+     if(2 == rc) {
+       failf(data, "Bad URL");
+       return CURLE_URL_MALFORMAT;
+     }
+@@ -4171,11 +4171,11 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+ 
+       /*
+        * The URL was badly formatted, let's try the browser-style _without_
+        * protocol specified like 'http://'.
+        */
+-      rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path);
+      rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path);
+       if(1 > rc) {
+         /*
+          * We couldn't even get this format.
+          * djgpp 2.04 has a sscanf() bug where 'conn->host.name' is
+          * assigned, but the return value is EOF!
+@@ -4276,14 +4276,14 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+     strcpy(path, "/");
+     rebuild_url = TRUE;
+   }
+ 
+   /* If the URL is malformatted (missing a '/' after hostname before path) we
+-   * insert a slash here. The only letter except '/' we accept to start a path
+-   * is '?'.
+   * insert a slash here. The only letters except '/' that can start a path is
+   * '?' and '#' - as controlled by the two sscanf() patterns above.
+    */
+-  if(path[0] == '?') {
+  if(path[0] != '/') {
+     /* We need this function to deal with overlapping memory areas. We know
+        that the memory area 'path' points to is 'urllen' bytes big and that
+        is bigger than the path. Use +1 to move the zero byte too. */
+     memmove(&path[1], path, strlen(path)+1);
+     path[0] = '/';
+-- 
+2.9.3
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb
index ad7d83dac7..bdf5d73b31 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -20,6 +20,7 @@ SRC_URI += " file://configure_ac.patch \
             file://CVE-2016-8621.patch \
             file://CVE-2016-8623.patch \
             file://CVE-2016-8617.patch \
+             file://CVE-2016-8624.patch \
           "
 SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-11-04 08:08:25 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-11-21 14:43:54 +0000
commit	c4339c0e748ca78580ff97a4b1b64840ae6ab12c (patch)
tree	db20afe275323f5b8ed7c0d50e18a66e7146e52f /meta/recipes-support
parent	5affd0af1ffca0ceca95482c6cbfcac0096b424d (diff)
download	poky-c4339c0e748ca78580ff97a4b1b64840ae6ab12c.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8624.patch b/meta/recipes-support/curl/curl/CVE-2016-8624.patch new file mode 100644 index 0000000000..b9e000ecb5 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-8624.patch
@@ -0,0 +1,68 @@
		1	From 44ab42e55bbe329777ee05d50aea1ee059221652 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Tue, 11 Oct 2016 00:48:35 +0200
		4	Subject: [PATCH] urlparse: accept '#' as end of host name
		5
		6	'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
		7	for the '/' document with the rest of the URL being a fragment.
		8
		9	Upstream-Status: Backport
		10
		11	CVE: CVE-2016-8624
		12	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		13
		14	---
		15	lib/url.c \| 10 +++++-----
		16	1 file changed, 5 insertions(+), 5 deletions(-)
		17
		18	diff --git a/lib/url.c b/lib/url.c
		19	index 74e9bf5..ce94281 100644
		20	--- a/lib/url.c
		21	+++ b/lib/url.c
		22	@@ -4159,11 +4159,11 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
		23	/* clear path */
		24	char slashbuf[4];
		25	path[0]=0;
		26
		27	rc = sscanf(data->change.url,
		28	- "%15[^\n:]:%3[/]%[^\n/?]%[^\n]",
		29	+ "%15[^\n:]:%3[/]%[^\n/?#]%[^\n]",
		30	protobuf, slashbuf, conn->host.name, path);
		31	if(2 == rc) {
		32	failf(data, "Bad URL");
		33	return CURLE_URL_MALFORMAT;
		34	}
		35	@@ -4171,11 +4171,11 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
		36
		37	/*
		38	* The URL was badly formatted, let's try the browser-style _without_
		39	* protocol specified like 'http://'.
		40	*/
		41	- rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path);
		42	+ rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path);
		43	if(1 > rc) {
		44	/*
		45	* We couldn't even get this format.
		46	* djgpp 2.04 has a sscanf() bug where 'conn->host.name' is
		47	* assigned, but the return value is EOF!
		48	@@ -4276,14 +4276,14 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
		49	strcpy(path, "/");
		50	rebuild_url = TRUE;
		51	}
		52
		53	/* If the URL is malformatted (missing a '/' after hostname before path) we
		54	- * insert a slash here. The only letter except '/' we accept to start a path
		55	- * is '?'.
		56	+ * insert a slash here. The only letters except '/' that can start a path is
		57	+ * '?' and '#' - as controlled by the two sscanf() patterns above.
		58	*/
		59	- if(path[0] == '?') {
		60	+ if(path[0] != '/') {
		61	/* We need this function to deal with overlapping memory areas. We know
		62	that the memory area 'path' points to is 'urllen' bytes big and that
		63	is bigger than the path. Use +1 to move the zero byte too. */
		64	memmove(&path[1], path, strlen(path)+1);
		65	path[0] = '/';
		66	--
		67	2.9.3
		68


diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb index ad7d83dac7..bdf5d73b31 100644 --- a/meta/recipes-support/curl/curl_7.50.1.bb +++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -20,6 +20,7 @@ SRC_URI += " file://configure_ac.patch \
20	file://CVE-2016-8621.patch \	20	file://CVE-2016-8621.patch \
21	file://CVE-2016-8623.patch \	21	file://CVE-2016-8623.patch \
22	file://CVE-2016-8617.patch \	22	file://CVE-2016-8617.patch \
		23	file://CVE-2016-8624.patch \
23	"	24	"
24		25
25	SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"	26	SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"