diff options
author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-04-12 11:02:45 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-04-19 04:44:59 -1000 |
commit | 762c35a04953fcfcae7795b23a016b3d71a6c643 (patch) | |
tree | cde673659c890f634bd62f231c1c5119de423ff5 /meta | |
parent | 7fdc49e7aee9620204eee7008661cd041b345f7e (diff) | |
download | poky-762c35a04953fcfcae7795b23a016b3d71a6c643.tar.gz |
curl: CVE-2023-27534 SFTP path resolving discrepancy
Upstream-Status: Backport from https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6
(From OE-Core rev: 7919a5a5eaa2689db9f0e8110b923bbfe0a610ab)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2023-27534.patch | 122 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.82.0.bb | 1 |
2 files changed, 123 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch new file mode 100644 index 0000000000..9109faaf88 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch | |||
@@ -0,0 +1,122 @@ | |||
1 | From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 9 Mar 2023 16:22:11 +0100 | ||
4 | Subject: [PATCH] curl_path: create the new path with dynbuf | ||
5 | |||
6 | CVE: CVE-2023-27534 | ||
7 | Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] | ||
8 | |||
9 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
10 | --- | ||
11 | lib/curl_path.c | 71 ++++++++++++++++++++++++------------------------- | ||
12 | 1 file changed, 35 insertions(+), 36 deletions(-) | ||
13 | |||
14 | diff --git a/lib/curl_path.c b/lib/curl_path.c | ||
15 | index a1669d1..b9c470f 100644 | ||
16 | --- a/lib/curl_path.c | ||
17 | +++ b/lib/curl_path.c | ||
18 | @@ -30,66 +30,65 @@ | ||
19 | #include "escape.h" | ||
20 | #include "memdebug.h" | ||
21 | |||
22 | +#define MAX_SSHPATH_LEN 100000 /* arbitrary */ | ||
23 | + | ||
24 | /* figure out the path to work with in this particular request */ | ||
25 | CURLcode Curl_getworkingpath(struct Curl_easy *data, | ||
26 | char *homedir, /* when SFTP is used */ | ||
27 | char **path) /* returns the allocated | ||
28 | real path to work with */ | ||
29 | { | ||
30 | - char *real_path = NULL; | ||
31 | char *working_path; | ||
32 | size_t working_path_len; | ||
33 | + struct dynbuf npath; | ||
34 | CURLcode result = | ||
35 | Curl_urldecode(data->state.up.path, 0, &working_path, | ||
36 | &working_path_len, REJECT_ZERO); | ||
37 | if(result) | ||
38 | return result; | ||
39 | |||
40 | + /* new path to switch to in case we need to */ | ||
41 | + Curl_dyn_init(&npath, MAX_SSHPATH_LEN); | ||
42 | + | ||
43 | /* Check for /~/, indicating relative to the user's home directory */ | ||
44 | - if(data->conn->handler->protocol & CURLPROTO_SCP) { | ||
45 | - real_path = malloc(working_path_len + 1); | ||
46 | - if(!real_path) { | ||
47 | + if((data->conn->handler->protocol & CURLPROTO_SCP) && | ||
48 | + (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { | ||
49 | + /* It is referenced to the home directory, so strip the leading '/~/' */ | ||
50 | + if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { | ||
51 | free(working_path); | ||
52 | return CURLE_OUT_OF_MEMORY; | ||
53 | } | ||
54 | - if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) | ||
55 | - /* It is referenced to the home directory, so strip the leading '/~/' */ | ||
56 | - memcpy(real_path, working_path + 3, working_path_len - 2); | ||
57 | - else | ||
58 | - memcpy(real_path, working_path, 1 + working_path_len); | ||
59 | } | ||
60 | - else if(data->conn->handler->protocol & CURLPROTO_SFTP) { | ||
61 | - if((working_path_len > 1) && (working_path[1] == '~')) { | ||
62 | - size_t homelen = strlen(homedir); | ||
63 | - real_path = malloc(homelen + working_path_len + 1); | ||
64 | - if(!real_path) { | ||
65 | - free(working_path); | ||
66 | - return CURLE_OUT_OF_MEMORY; | ||
67 | - } | ||
68 | - /* It is referenced to the home directory, so strip the | ||
69 | - leading '/' */ | ||
70 | - memcpy(real_path, homedir, homelen); | ||
71 | - real_path[homelen] = '/'; | ||
72 | - real_path[homelen + 1] = '\0'; | ||
73 | - if(working_path_len > 3) { | ||
74 | - memcpy(real_path + homelen + 1, working_path + 3, | ||
75 | - 1 + working_path_len -3); | ||
76 | - } | ||
77 | + else if((data->conn->handler->protocol & CURLPROTO_SFTP) && | ||
78 | + (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { | ||
79 | + size_t len; | ||
80 | + const char *p; | ||
81 | + int copyfrom = 3; | ||
82 | + if(Curl_dyn_add(&npath, homedir)) { | ||
83 | + free(working_path); | ||
84 | + return CURLE_OUT_OF_MEMORY; | ||
85 | } | ||
86 | - else { | ||
87 | - real_path = malloc(working_path_len + 1); | ||
88 | - if(!real_path) { | ||
89 | - free(working_path); | ||
90 | - return CURLE_OUT_OF_MEMORY; | ||
91 | - } | ||
92 | - memcpy(real_path, working_path, 1 + working_path_len); | ||
93 | + /* Copy a separating '/' if homedir does not end with one */ | ||
94 | + len = Curl_dyn_len(&npath); | ||
95 | + p = Curl_dyn_ptr(&npath); | ||
96 | + if(len && (p[len-1] != '/')) | ||
97 | + copyfrom = 2; | ||
98 | + | ||
99 | + if(Curl_dyn_addn(&npath, | ||
100 | + &working_path[copyfrom], working_path_len - copyfrom)) { | ||
101 | + free(working_path); | ||
102 | + return CURLE_OUT_OF_MEMORY; | ||
103 | } | ||
104 | } | ||
105 | |||
106 | - free(working_path); | ||
107 | + if(Curl_dyn_len(&npath)) { | ||
108 | + free(working_path); | ||
109 | |||
110 | - /* store the pointer for the caller to receive */ | ||
111 | - *path = real_path; | ||
112 | + /* store the pointer for the caller to receive */ | ||
113 | + *path = Curl_dyn_ptr(&npath); | ||
114 | + } | ||
115 | + else | ||
116 | + *path = working_path; | ||
117 | |||
118 | return CURLE_OK; | ||
119 | } | ||
120 | -- | ||
121 | 2.25.1 | ||
122 | |||
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 7efec07e61..4c18afe293 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb | |||
@@ -41,6 +41,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ | |||
41 | file://CVE-2023-23914_5-5.patch \ | 41 | file://CVE-2023-23914_5-5.patch \ |
42 | file://CVE-2023-23916.patch \ | 42 | file://CVE-2023-23916.patch \ |
43 | file://CVE-2023-27533.patch \ | 43 | file://CVE-2023-27533.patch \ |
44 | file://CVE-2023-27534.patch \ | ||
44 | " | 45 | " |
45 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" | 46 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" |
46 | 47 | ||