diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2024-04-01 12:58:01 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-04-05 06:34:42 -0700 |
commit | dbb4e8a5ccaa1d2f7c64f656fcce516da78d545c (patch) | |
tree | 6d39875803e5c2d813dfbc27cb0ef2018ac0b9bf /meta | |
parent | ea68e06fa2182e61768c90b7a72e7f2a2e8ea593 (diff) | |
download | poky-dbb4e8a5ccaa1d2f7c64f656fcce516da78d545c.tar.gz |
curl: backport Debian patch for CVE-2024-2398
import patch from ubuntu to fix
CVE-2024-2398
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Ffocal-security
Upstream commit
https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]
(From OE-Core rev: ce65f86c55ecf2c0e52564488e0237ba24429c45)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2024-2398.patch | 88 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.69.1.bb | 1 |
2 files changed, 89 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch b/meta/recipes-support/curl/curl/CVE-2024-2398.patch new file mode 100644 index 0000000000..a3840336f0 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch | |||
@@ -0,0 +1,88 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 | ||
4 | From: Stefan Eissing <stefan@eissing.org> | ||
5 | Date: Wed, 6 Mar 2024 09:36:08 +0100 | ||
6 | Subject: [PATCH] http2: push headers better cleanup | ||
7 | |||
8 | - provide common cleanup method for push headers | ||
9 | |||
10 | Closes #13054 | ||
11 | |||
12 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/focal-security | ||
13 | Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764] | ||
14 | CVE: CVE-2024-2398 | ||
15 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
16 | --- | ||
17 | lib/http2.c | 34 +++++++++++++++------------------- | ||
18 | 1 file changed, 15 insertions(+), 19 deletions(-) | ||
19 | |||
20 | --- a/lib/http2.c | ||
21 | +++ b/lib/http2.c | ||
22 | @@ -515,6 +515,15 @@ static struct Curl_easy *duphandle(struc | ||
23 | } | ||
24 | |||
25 | |||
26 | +static void free_push_headers(struct HTTP *stream) | ||
27 | +{ | ||
28 | + size_t i; | ||
29 | + for(i = 0; i<stream->push_headers_used; i++) | ||
30 | + free(stream->push_headers[i]); | ||
31 | + Curl_safefree(stream->push_headers); | ||
32 | + stream->push_headers_used = 0; | ||
33 | +} | ||
34 | + | ||
35 | static int push_promise(struct Curl_easy *data, | ||
36 | struct connectdata *conn, | ||
37 | const nghttp2_push_promise *frame) | ||
38 | @@ -528,7 +537,6 @@ static int push_promise(struct Curl_easy | ||
39 | struct curl_pushheaders heads; | ||
40 | CURLMcode rc; | ||
41 | struct http_conn *httpc; | ||
42 | - size_t i; | ||
43 | /* clone the parent */ | ||
44 | struct Curl_easy *newhandle = duphandle(data); | ||
45 | if(!newhandle) { | ||
46 | @@ -557,11 +565,7 @@ static int push_promise(struct Curl_easy | ||
47 | Curl_set_in_callback(data, false); | ||
48 | |||
49 | /* free the headers again */ | ||
50 | - for(i = 0; i<stream->push_headers_used; i++) | ||
51 | - free(stream->push_headers[i]); | ||
52 | - free(stream->push_headers); | ||
53 | - stream->push_headers = NULL; | ||
54 | - stream->push_headers_used = 0; | ||
55 | + free_push_headers(stream); | ||
56 | |||
57 | if(rv) { | ||
58 | /* denied, kill off the new handle again */ | ||
59 | @@ -995,10 +999,10 @@ static int on_header(nghttp2_session *se | ||
60 | stream->push_headers_alloc) { | ||
61 | char **headp; | ||
62 | stream->push_headers_alloc *= 2; | ||
63 | - headp = Curl_saferealloc(stream->push_headers, | ||
64 | - stream->push_headers_alloc * sizeof(char *)); | ||
65 | + headp = realloc(stream->push_headers, | ||
66 | + stream->push_headers_alloc * sizeof(char *)); | ||
67 | if(!headp) { | ||
68 | - stream->push_headers = NULL; | ||
69 | + free_push_headers(stream); | ||
70 | return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; | ||
71 | } | ||
72 | stream->push_headers = headp; | ||
73 | @@ -1179,14 +1183,7 @@ void Curl_http2_done(struct Curl_easy *d | ||
74 | if(http->header_recvbuf) { | ||
75 | Curl_add_buffer_free(&http->header_recvbuf); | ||
76 | Curl_add_buffer_free(&http->trailer_recvbuf); | ||
77 | - if(http->push_headers) { | ||
78 | - /* if they weren't used and then freed before */ | ||
79 | - for(; http->push_headers_used > 0; --http->push_headers_used) { | ||
80 | - free(http->push_headers[http->push_headers_used - 1]); | ||
81 | - } | ||
82 | - free(http->push_headers); | ||
83 | - http->push_headers = NULL; | ||
84 | - } | ||
85 | + free_push_headers(http); | ||
86 | } | ||
87 | |||
88 | if(!httpc->h2) /* not HTTP/2 ? */ | ||
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 980b4224a8..2f351d585a 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb | |||
@@ -58,6 +58,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ | |||
58 | file://CVE-2023-28321.patch \ | 58 | file://CVE-2023-28321.patch \ |
59 | file://CVE-2023-28322.patch \ | 59 | file://CVE-2023-28322.patch \ |
60 | file://CVE-2023-46218.patch \ | 60 | file://CVE-2023-46218.patch \ |
61 | file://CVE-2024-2398.patch \ | ||
61 | " | 62 | " |
62 | 63 | ||
63 | SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" | 64 | SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" |