author | Tudor Florea <tudor.florea@enea.com> | 2015-07-07 00:26:20 +0200 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-07-07 00:26:20 +0200 |
commit | 430207c9cf87ca0a1e82fcb9915ad890a8e5720f (patch) | |
tree | f93b8269b7ccf0326c48b0b178e3d3583347aedb /meta | |
parent | 9631f6b1399b24433ef577e9f87c0320700f3460 (diff) | |
download | poky-430207c9cf87ca0a1e82fcb9915ad890a8e5720f.tar.gz |
curl: CVE-2014-3707
CVE-2014-3707, libcurl duphandle read out of bounds
libcurl's function curl_easy_duphandle() has a bug
that can lead to libcurl eventually sending off
sensitive data that was not intended for sending.
Reference
http://curl.haxx.se/docs/adv_20141105.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2014-3707.patch | 402 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.35.0.bb | 1 |
2 files changed, 403 insertions, 0 deletions
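--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2014-3707.patch
@@ -0,0 +1,402 @@
+curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of
+bounds
+
+When duplicating a handle, the data to post was duplicated using
+strdup() when it could be binary and contain zeroes and it was not even
+zero terminated! This caused read out of bounds crashes/segfaults.
+
+Since the lib/strdup.c file no longer is easily shared with the curl
+tool with this change, it now uses its own version instead.
+
+Bug: http://curl.haxx.se/docs/adv_20141105.html
+CVE: CVE-2014-3707
+
+Reported-By: Symeon Paraschoudis
+
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff -ruN a/lib/formdata.c b/lib/formdata.c
+--- a/lib/formdata.c 2014-01-05 23:07:54.000000000 +0100
++++ b/lib/formdata.c 2015-05-18 09:13:49.767861474 +0200
+@@ -36,6 +36,7 @@
+#include "strequal.h"
+#include "curl_memory.h"
+#include "sendf.h"
++#include "strdup.h"
+
+#define _MPRINTF_REPLACE /* use our functions only */
+#include <curl/mprintf.h>
+@@ -214,46 +215,6 @@
+
+/***************************************************************************
+*
+- * memdup()
+- *
+- * Copies the 'source' data to a newly allocated buffer buffer (that is
+- * returned). Uses buffer_length if not null, else uses strlen to determine
+- * the length of the buffer to be copied
+- *
+- * Returns the new pointer or NULL on failure.
+- *
+- ***************************************************************************/
+-static char *memdup(const char *src, size_t buffer_length)
+-{
+- size_t length;
+- bool add = FALSE;
+- char *buffer;
+-
+- if(buffer_length)
+- length = buffer_length;
+- else if(src) {
+- length = strlen(src);
+- add = TRUE;
+- }
+- else
+- /* no length and a NULL src pointer! */
+- return strdup("");
+-
+- buffer = malloc(length+add);
+- if(!buffer)
+- return NULL; /* fail */
+-
+- memcpy(buffer, src, length);
+-
+- /* if length unknown do null termination */
+- if(add)
+- buffer[length] = '\0';
+-
+- return buffer;
+-}
+-
+-/***************************************************************************
+- *
+* FormAdd()
+*
+* Stores a formpost parameter and builds the appropriate linked list.
+@@ -682,9 +643,13 @@
+(form == first_form) ) {
+/* Note that there's small risk that form->name is NULL here if the
+app passed in a bad combo, so we better check for that first. */
+- if(form->name)
++ if(form->name) {
+/* copy name (without strdup; possibly contains null characters) */
+- form->name = memdup(form->name, form->namelength);
++ form->name = Curl_memdup(form->name, form->namelength?
++ form->namelength:
++ strlen(form->name)+1);
++ }
++
+if(!form->name) {
+return_value = CURL_FORMADD_MEMORY;
+break;
+@@ -695,7 +660,9 @@
+HTTPPOST_PTRCONTENTS | HTTPPOST_PTRBUFFER |
+HTTPPOST_CALLBACK)) ) {
+/* copy value (without strdup; possibly contains null characters) */
+- form->value = memdup(form->value, form->contentslength);
++ form->value = Curl_memdup(form->value, form->contentslength?
++ form->contentslength:
++ strlen(form->value)+1);
+if(!form->value) {
+return_value = CURL_FORMADD_MEMORY;
+break;
+diff -ruN a/lib/strdup.c b/lib/strdup.c
+--- a/lib/strdup.c 2013-09-09 00:11:15.000000000 +0200
++++ b/lib/strdup.c 2015-05-18 09:05:27.641416906 +0200
+@@ -5,7 +5,7 @@
+* | (__| |_| | _ <| |___
+* \___|\___/|_| \_\_____|
+*
+- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+*
+* This software is licensed as described in the file COPYING, which
+* you should have received as part of this distribution. The terms
+@@ -19,12 +19,12 @@
+* KIND, either express or implied.
+*
+***************************************************************************/
+-/*
+- * This file is 'mem-include-scan' clean. See test 1132.
+- */
+#include "curl_setup.h"
+-
+#include "strdup.h"
++#include "curl_memory.h"
++
++/* The last #include file should be: */
++#include "memdebug.h"
+
+#ifndef HAVE_STRDUP
+char *curlx_strdup(const char *str)
+@@ -50,3 +50,25 @@
+
+}
+#endif
++
++/***************************************************************************
++ *
++ * Curl_memdup(source, length)
++ *
++ * Copies the 'source' data to a newly allocated buffer (that is
++ * returned). Copies 'length' bytes.
++ *
++ * Returns the new pointer or NULL on failure.
++ *
++ ***************************************************************************/
++char *Curl_memdup(const char *src, size_t length)
++{
++ char *buffer = malloc(length);
++ if(!buffer)
++ return NULL; /* fail */
++
++ memcpy(buffer, src, length);
++
++ /* if length unknown do null termination */
++ return buffer;
++}
+diff -ruN a/lib/strdup.h b/lib/strdup.h
+--- a/lib/strdup.h 2013-09-09 00:11:15.000000000 +0200
++++ b/lib/strdup.h 2015-05-18 09:05:27.645416733 +0200
+@@ -7,7 +7,7 @@
+* | (__| |_| | _ <| |___
+* \___|\___/|_| \_\_____|
+*
+- * Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+*
+* This software is licensed as described in the file COPYING, which
+* you should have received as part of this distribution. The terms
+@@ -26,5 +26,6 @@
+#ifndef HAVE_STRDUP
+extern char *curlx_strdup(const char *str);
+#endif
++char *Curl_memdup(const char *src, size_t buffer_length);
+
+#endif /* HEADER_CURL_STRDUP_H */
+diff -ruN a/lib/url.c b/lib/url.c
+--- a/lib/url.c 2014-01-29 07:54:29.000000000 +0100
++++ b/lib/url.c 2015-05-18 09:31:00.631682330 +0200
+@@ -125,6 +125,7 @@
+#include "multihandle.h"
+#include "pipeline.h"
+#include "dotdot.h"
++#include "strdup.h"
+
+#define _MPRINTF_REPLACE /* use our functions only */
+#include <curl/mprintf.h>
+@@ -270,8 +271,9 @@
+{
+/* Free all dynamic strings stored in the data->set substructure. */
+enum dupstring i;
+- for(i=(enum dupstring)0; i < STRING_LAST; i++)
++ for(i=(enum dupstring)0; i < STRING_LAST; i++) {
+Curl_safefree(data->set.str[i]);
++ }
+
+if(data->change.referer_alloc) {
+Curl_safefree(data->change.referer);
+@@ -340,7 +342,7 @@
+
+CURLcode Curl_dupset(struct SessionHandle *dst, struct SessionHandle *src)
+{
+- CURLcode r = CURLE_OK;
++ CURLcode result = CURLE_OK;
+enum dupstring i;
+
+/* Copy src->set into dst->set first, then deal with the strings
+@@ -351,14 +353,25 @@
+memset(dst->set.str, 0, STRING_LAST * sizeof(char *));
+
+/* duplicate all strings */
+- for(i=(enum dupstring)0; i< STRING_LAST; i++) {
+- r = setstropt(&dst->set.str[i], src->set.str[i]);
+- if(r != CURLE_OK)
+- break;
++ for(i=(enum dupstring)0; i< STRING_LASTZEROTERMINATED; i++) {
++ result = setstropt(&dst->set.str[i], src->set.str[i]);
++ if(result)
++ return result;
++ }
++
++ /* duplicate memory areas pointed to */
++ i = STRING_COPYPOSTFIELDS;
++ if(src->set.postfieldsize && src->set.str[i]) {
++ /* postfieldsize is curl_off_t, Curl_memdup() takes a size_t ... */
++ dst->set.str[i] = Curl_memdup(src->set.str[i],
++ curlx_sotouz(src->set.postfieldsize));
++ if(!dst->set.str[i])
++ return CURLE_OUT_OF_MEMORY;
++ /* point to the new copy */
++ dst->set.postfields = dst->set.str[i];
+}
+
+- /* If a failure occurred, freeing has to be performed externally. */
+- return r;
++ return CURLE_OK;
+}
+
+/*
+diff -ruN a/lib/urldata.h b/lib/urldata.h
+--- a/lib/urldata.h 2014-01-26 22:16:50.000000000 +0100
++++ b/lib/urldata.h 2015-05-18 09:05:27.649416562 +0200
+@@ -1332,7 +1332,6 @@
+STRING_KRB_LEVEL, /* krb security level */
+STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find
+$HOME/.netrc */
+- STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */
+STRING_PROXY, /* proxy to use */
+STRING_SET_RANGE, /* range, if used */
+STRING_SET_REFERER, /* custom string for the HTTP referer field */
+@@ -1374,7 +1373,15 @@
+
+STRING_BEARER, /* <bearer>, if used */
+
+- /* -- end of strings -- */
++ /* -- end of zero-terminated strings -- */
++
++ STRING_LASTZEROTERMINATED,
++
++ /* -- below this are pointers to binary data that cannot be strdup'ed.
++ Each such pointer must be added manually to Curl_dupset() --- */
++
++ STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */
++
+STRING_LAST /* not used, just an end-of-list marker */
+};
+
+diff -ruN a/src/Makefile.inc b/src/Makefile.inc
+--- a/src/Makefile.inc 2013-09-09 00:11:15.000000000 +0200
++++ b/src/Makefile.inc 2015-05-18 09:38:28.124528175 +0200
+@@ -11,7 +11,6 @@
+# the official API, but we re-use the code here to avoid duplication.
+CURLX_ONES = \
+../lib/strtoofft.c \
+- ../lib/strdup.c \
+../lib/rawstr.c \
+../lib/nonblock.c
+
+@@ -46,6 +45,7 @@
+tool_panykey.c \
+tool_paramhlp.c \
+tool_parsecfg.c \
++ tool_strdup.c \
+tool_setopt.c \
+tool_sleep.c \
+tool_urlglob.c \
+@@ -90,6 +90,7 @@
+tool_setopt.h \
+tool_setup.h \
+tool_sleep.h \
++ tool_strdup.h \
+tool_urlglob.h \
+tool_util.h \
+tool_version.h \
+diff -ruN a/src/tool_setup.h b/src/tool_setup.h
+--- a/src/tool_setup.h 2013-09-09 00:11:15.000000000 +0200
++++ b/src/tool_setup.h 2015-05-18 09:05:27.649416562 +0200
+@@ -7,7 +7,7 @@
+* | (__| |_| | _ <| |___
+* \___|\___/|_| \_\_____|
+*
+- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+*
+* This software is licensed as described in the file COPYING, which
+* you should have received as part of this distribution. The terms
+@@ -67,8 +67,7 @@
+#endif
+
+#ifndef HAVE_STRDUP
+-# include "strdup.h"
+-# define strdup(ptr) curlx_strdup(ptr)
++# include "tool_strdup.h"
+#endif
+
+#endif /* HEADER_CURL_TOOL_SETUP_H */
+diff -ruN a/src/tool_strdup.c b/src/tool_strdup.c
+--- a/src/tool_strdup.c 1970-01-01 01:00:00.000000000 +0100
++++ b/src/tool_strdup.c 2015-05-18 09:05:27.649416562 +0200
+@@ -0,0 +1,47 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at http://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++#include "strdup.h"
++
++#ifndef HAVE_STRDUP
++char *strdup(const char *str)
++{
++ size_t len;
++ char *newstr;
++
++ if(!str)
++ return (char *)NULL;
++
++ len = strlen(str);
++
++ if(len >= ((size_t)-1) / sizeof(char))
++ return (char *)NULL;
++
++ newstr = malloc((len+1)*sizeof(char));
++ if(!newstr)
++ return (char *)NULL;
++
++ memcpy(newstr,str,(len+1)*sizeof(char));
++
++ return newstr;
++
++}
++#endif
+diff -ruN a/src/tool_strdup.h b/src/tool_strdup.h
+--- a/src/tool_strdup.h 1970-01-01 01:00:00.000000000 +0100
++++ b/src/tool_strdup.h 2015-05-18 09:05:27.653416391 +0200
+@@ -0,0 +1,30 @@
++#ifndef HEADER_TOOL_STRDUP_H
++#define HEADER_TOOL_STRDUP_H
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at http://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++#include "tool_setup.h"
++
++#ifndef HAVE_STRDUP
++extern char *strdup(const char *str);
++#endif
++
++#endif /* HEADER_TOOL_STRDUP_H */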
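Review bot: In the lib/formdata.c part of the backported patch, the value copy evaluates `strlen(form->value)` whenever `form->contentslength` is zero, with no NULL test on `form->value`. The removed `memdup()` returned `strdup("")` for a NULL source with no length, and the name copy just above is wrapped in `if(form->name)`. Whether FormAdd() can reach this point with a NULL value is decided outside the hunk, so I would guard the call the same way as the name copy, or record the non-NULL precondition in a comment next to it. In the lib/url.c part, `src->set.postfieldsize` is a signed `curl_off_t` and is only tested for non-zero before `curlx_sotouz()`; if a negative "length unknown" value can be stored there (not visible on this page), the copy turns into a huge allocation request and the duplicate fails with `CURLE_OUT_OF_MEMORY`, so a `> 0` test with a separate string-copy branch deserves a look. The comment `/* if length unknown do null termination */` that survives in `Curl_memdup()` describes behaviour the function no longer has and should be dropped, since callers must not assume the copy is terminated.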
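--- a/meta/recipes-support/curl/curl_7.35.0.bb
+++ b/meta/recipes-support/curl/curl_7.35.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
 file://pkgconfig_fix.patch \
 file://CVE-2014-3613.patch \
 file://CVE-2014-3620.patch \
+file://CVE-2014-3707.patch \
 "
 
 # curl likes to set -g0 in CFLAGS, so we stop it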