diff options
author | Maxin B. John <maxin.john@enea.com> | 2015-04-23 15:11:00 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-07-20 20:54:31 +0100 |
commit | 0c1c0877e83cd893ffe37d9fdeb5317343da631a (patch) | |
tree | a4cd1c3071afcea5f980b67d4375b146a73d1f94 /meta | |
parent | c930052636b1a5f70434ca19b02554fd0f54747b (diff) | |
download | poky-0c1c0877e83cd893ffe37d9fdeb5317343da631a.tar.gz |
curl: several security fixes
Fixes below listed bugs:
1. CVE-2015-3143
2. CVE-2015-3144
3. CVE-2015-3145
Dropped: 4. CVE-2015-3148
SPNEGO was introduced in 7.39 so this version not affected
(From OE-Core rev: e525ef63ed2b4f3a250caf0748637b7f16b34d90)
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2015-3143.patch | 38 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2015-3144.patch | 45 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2015-3145.patch | 70 |
3 files changed, 153 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3143.patch b/meta/recipes-support/curl/curl/CVE-2015-3143.patch new file mode 100644 index 0000000000..745e9456f3 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3143.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From d7d1bc8f08eea1a85ab0d794bc1561659462d937 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 16 Apr 2015 13:26:46 +0200 | ||
4 | Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to | ||
5 | match | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | |||
9 | CVE-2015-3143 | ||
10 | |||
11 | Bug: http://curl.haxx.se/docs/adv_20150422A.html | ||
12 | Reported-by: Paras Sethia | ||
13 | Signed-off-by: Daniel Stenberg <daniel@haxx.se> | ||
14 | Signed-off-by: Maxin B. John <maxin.john@enea.com> | ||
15 | --- | ||
16 | lib/url.c | 2 +- | ||
17 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/lib/url.c b/lib/url.c | ||
20 | index 018bb88..ee3d176 100644 | ||
21 | --- a/lib/url.c | ||
22 | +++ b/lib/url.c | ||
23 | @@ -3207,11 +3207,11 @@ ConnectionExists(struct SessionHandle *data, | ||
24 | strcmp(check->localdev, needle->localdev)) | ||
25 | continue; | ||
26 | } | ||
27 | |||
28 | if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) || | ||
29 | - wantNTLMhttp) { | ||
30 | + (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) { | ||
31 | /* This protocol requires credentials per connection or is HTTP+NTLM, | ||
32 | so verify that we're using the same name and password as well */ | ||
33 | if(!strequal(needle->user, check->user) || | ||
34 | !strequal(needle->passwd, check->passwd)) { | ||
35 | /* one of them was different */ | ||
36 | -- | ||
37 | 2.1.4 | ||
38 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3144.patch b/meta/recipes-support/curl/curl/CVE-2015-3144.patch new file mode 100644 index 0000000000..ca6d7448a1 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3144.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 16 Apr 2015 23:52:04 +0200 | ||
4 | Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | |||
11 | If a URL is given with a zero-length host name, like in "http://:80" or | ||
12 | just ":80", `fix_hostname()` will index the host name pointer with a -1 | ||
13 | offset (as it blindly assumes a non-zero length) and both read and | ||
14 | assign that address. | ||
15 | |||
16 | CVE-2015-3144 | ||
17 | |||
18 | Bug: http://curl.haxx.se/docs/adv_20150422D.html | ||
19 | Reported-by: Hanno Böck | ||
20 | Signed-off-by: Daniel Stenberg <daniel@haxx.se> | ||
21 | Signed-off-by: Maxin B. John <maxin.john@enea.com> | ||
22 | --- | ||
23 | lib/url.c | 2 +- | ||
24 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
25 | |||
26 | diff --git a/lib/url.c b/lib/url.c | ||
27 | index ee3d176..f033dbc 100644 | ||
28 | --- a/lib/url.c | ||
29 | +++ b/lib/url.c | ||
30 | @@ -3625,11 +3625,11 @@ static void fix_hostname(struct SessionHandle *data, | ||
31 | |||
32 | /* set the name we use to display the host name */ | ||
33 | host->dispname = host->name; | ||
34 | |||
35 | len = strlen(host->name); | ||
36 | - if(host->name[len-1] == '.') | ||
37 | + if(len && (host->name[len-1] == '.')) | ||
38 | /* strip off a single trailing dot if present, primarily for SNI but | ||
39 | there's no use for it */ | ||
40 | host->name[len-1]=0; | ||
41 | |||
42 | if(!is_ASCII_name(host->name)) { | ||
43 | -- | ||
44 | 2.1.4 | ||
45 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3145.patch b/meta/recipes-support/curl/curl/CVE-2015-3145.patch new file mode 100644 index 0000000000..15a998289e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2015-3145.patch | |||
@@ -0,0 +1,70 @@ | |||
1 | From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 16 Apr 2015 16:37:40 +0200 | ||
4 | Subject: [PATCH] cookie: cookie parser out of boundary memory access | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | |||
11 | The internal libcurl function called sanitize_cookie_path() that cleans | ||
12 | up the path element as given to it from a remote site or when read from | ||
13 | a file, did not properly validate the input. If given a path that | ||
14 | consisted of a single double-quote, libcurl would index a newly | ||
15 | allocated memory area with index -1 and assign a zero to it, thus | ||
16 | destroying heap memory it wasn't supposed to. | ||
17 | |||
18 | CVE-2015-3145 | ||
19 | |||
20 | Bug: http://curl.haxx.se/docs/adv_20150422C.html | ||
21 | Reported-by: Hanno Böck | ||
22 | Signed-off-by: Daniel Stenberg <daniel@haxx.se> | ||
23 | Signed-off-by: Maxin B. John <maxin.john@enea.com> | ||
24 | --- | ||
25 | lib/cookie.c | 12 +++++++----- | ||
26 | 1 file changed, 7 insertions(+), 5 deletions(-) | ||
27 | |||
28 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
29 | index 0864f6b..0127926 100644 | ||
30 | --- a/lib/cookie.c | ||
31 | +++ b/lib/cookie.c | ||
32 | @@ -223,15 +223,18 @@ static char *sanitize_cookie_path(const char *cookie_path) | ||
33 | char *new_path = strdup(cookie_path); | ||
34 | if(!new_path) | ||
35 | return NULL; | ||
36 | |||
37 | /* some stupid site sends path attribute with '"'. */ | ||
38 | + len = strlen(new_path); | ||
39 | if(new_path[0] == '\"') { | ||
40 | - memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path)); | ||
41 | + memmove((void *)new_path, (const void *)(new_path + 1), len); | ||
42 | + len--; | ||
43 | } | ||
44 | - if(new_path[strlen(new_path) - 1] == '\"') { | ||
45 | - new_path[strlen(new_path) - 1] = 0x0; | ||
46 | + if(len && (new_path[len - 1] == '\"')) { | ||
47 | + new_path[len - 1] = 0x0; | ||
48 | + len--; | ||
49 | } | ||
50 | |||
51 | /* RFC6265 5.2.4 The Path Attribute */ | ||
52 | if(new_path[0] != '/') { | ||
53 | /* Let cookie-path be the default-path. */ | ||
54 | @@ -239,12 +242,11 @@ static char *sanitize_cookie_path(const char *cookie_path) | ||
55 | new_path = strdup("/"); | ||
56 | return new_path; | ||
57 | } | ||
58 | |||
59 | /* convert /hoge/ to /hoge */ | ||
60 | - len = strlen(new_path); | ||
61 | - if(1 < len && new_path[len - 1] == '/') { | ||
62 | + if(len && new_path[len - 1] == '/') { | ||
63 | new_path[len - 1] = 0x0; | ||
64 | } | ||
65 | |||
66 | return new_path; | ||
67 | } | ||
68 | -- | ||
69 | 2.1.4 | ||
70 | |||