author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-11-15 10:08:18 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-05-18 13:14:20 +0100 |
commit | cec5e508ec2f0862420c880dd8e63ec54e351e8c (patch) | |
tree | e05e87c60f07c9cc1611f36cca2d38d75a890f4e /meta | |
parent | ddc6a9f5cd8b8ff7c362c2cf08ddf8eb1da2dd6c (diff) | |
download | poky-cec5e508ec2f0862420c880dd8e63ec54e351e8c.tar.gz |
curl: CVE-2016-8623
Use-after-free via shared cookies
Affected versions: curl 7.10.7 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102I.html
(From OE-Core rev: 3bbd9634e6ae3ebaf998812a316e7a84025d0949)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2016-8623.patch | 209 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.47.1.bb | 1 |
2 files changed, 210 insertions, 0 deletions
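--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
@@ -0,0 +1,209 @@
+From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2016 23:26:13 +0200
+Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies
+
+Previously it only held references to them, which was reckless as the
+thread lock was released so the cookies could get modified by other
+handles that share the same cookie jar over the share interface.
+
+CVE: CVE-2016-8623
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102I.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+lib/cookie.c | 61 +++++++++++++++++++++++++++++++++++++++---------------------
+lib/cookie.h | 4 ++--
+lib/http.c | 2 +-
+3 files changed, 43 insertions(+), 24 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0f05da2..8607ce3 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -1022,10 +1022,44 @@ static int cookie_sort(const void *p1, const void *p2)
+
+/* sorry, can't be more deterministic */
+return 0;
+}
+
++#define CLONE(field) \
++ do { \
++ if(src->field) { \
++ dup->field = strdup(src->field); \
++ if(!dup->field) \
++ goto fail; \
++ } \
++ } while(0)
++
++static struct Cookie *dup_cookie(struct Cookie *src)
++{
++ struct Cookie *dup = calloc(sizeof(struct Cookie), 1);
++ if(dup) {
++ CLONE(expirestr);
++ CLONE(domain);
++ CLONE(path);
++ CLONE(spath);
++ CLONE(name);
++ CLONE(value);
++ CLONE(maxage);
++ CLONE(version);
++ dup->expires = src->expires;
++ dup->tailmatch = src->tailmatch;
++ dup->secure = src->secure;
++ dup->livecookie = src->livecookie;
++ dup->httponly = src->httponly;
++ }
++ return dup;
++
++ fail:
++ freecookie(dup);
++ return NULL;
++}
++
+/*****************************************************************************
+*
+* Curl_cookie_getlist()
+*
+* For a given host and path, return a linked list of cookies that the
+@@ -1077,15 +1111,12 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+if(!co->spath || pathmatch(co->spath, path) ) {
+
+/* and now, we know this is a match and we should create an
+entry for the return-linked-list */
+
+- newco = malloc(sizeof(struct Cookie));
++ newco = dup_cookie(co);
+if(newco) {
+- /* first, copy the whole source cookie: */
+- memcpy(newco, co, sizeof(struct Cookie));
+-
+/* then modify our next */
+newco->next = mainco;
+
+/* point the main to us */
+mainco = newco;
+@@ -1093,16 +1124,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+matches++;
+}
+else {
+fail:
+/* failure, clear up the allocated chain and return NULL */
+- while(mainco) {
+- co = mainco->next;
+- free(mainco);
+- mainco = co;
+- }
+-
++ Curl_cookie_freelist(mainco);
+return NULL;
+}
+}
+}
+}
+@@ -1150,11 +1176,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+*
+****************************************************************************/
+void Curl_cookie_clearall(struct CookieInfo *cookies)
+{
+if(cookies) {
+- Curl_cookie_freelist(cookies->cookies, TRUE);
++ Curl_cookie_freelist(cookies->cookies);
+cookies->cookies = NULL;
+cookies->numcookies = 0;
+}
+}
+
+@@ -1162,25 +1188,18 @@ void Curl_cookie_clearall(struct CookieInfo *cookies)
+*
+* Curl_cookie_freelist()
+*
+* Free a list of cookies previously returned by Curl_cookie_getlist();
+*
+- * The 'cookiestoo' argument tells this function whether to just free the
+- * list or actually also free all cookies within the list as well.
+- *
+****************************************************************************/
+
+-void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo)
++void Curl_cookie_freelist(struct Cookie *co)
+{
+struct Cookie *next;
+while(co) {
+next = co->next;
+- if(cookiestoo)
+- freecookie(co);
+- else
+- free(co); /* we only free the struct since the "members" are all just
+- pointed out in the main cookie list! */
++ freecookie(co);
+co = next;
+}
+}
+
+
+@@ -1231,11 +1250,11 @@ void Curl_cookie_clearsess(struct CookieInfo *cookies)
+****************************************************************************/
+void Curl_cookie_cleanup(struct CookieInfo *c)
+{
+if(c) {
+free(c->filename);
+- Curl_cookie_freelist(c->cookies, TRUE);
++ Curl_cookie_freelist(c->cookies);
+free(c); /* free the base struct as well */
+}
+}
+
+/* get_netscape_format()
+diff --git a/lib/cookie.h b/lib/cookie.h
+index cd7c54a..a9a4578 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -5,11 +5,11 @@
+* Project ___| | | | _ \| |
+* / __| | | | |_) | |
+* | (__| |_| | _ <| |___
+* \___|\___/|_| \_\_____|
+*
+- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+*
+* This software is licensed as described in the file COPYING, which
+* you should have received as part of this distribution. The terms
+* are also available at https://curl.haxx.se/docs/copyright.html.
+*
+@@ -80,11 +80,11 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data,
+struct CookieInfo *, bool header, char *lineptr,
+const char *domain, const char *path);
+
+struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *,
+const char *, bool);
+-void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo);
++void Curl_cookie_freelist(struct Cookie *cookies);
+void Curl_cookie_clearall(struct CookieInfo *cookies);
+void Curl_cookie_clearsess(struct CookieInfo *cookies);
+
+#if defined(CURL_DISABLE_HTTP) || defined(CURL_DISABLE_COOKIES)
+#define Curl_cookie_list(x) NULL
+diff --git a/lib/http.c b/lib/http.c
+index 65c145a..e6e7d37 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2382,11 +2382,11 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
+break;
+count++;
+}
+co = co->next; /* next cookie please */
+}
+- Curl_cookie_freelist(store, FALSE); /* free the cookie list */
++ Curl_cookie_freelist(store);
+}
+if(addcookies && !result) {
+if(!count)
+result = Curl_add_bufferf(req_buffer, "Cookie: ");
+if(!result) {
+--
+2.9.3
+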
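Review bot: The `fail:` path in the new `dup_cookie()` is only reached via the `CLONE` macro's `goto fail`, and its safety rests on `calloc` having zeroed every string pointer that was not yet duplicated, so that `freecookie(dup)` releases only what was actually `strdup`'d; that is worth stating above `freecookie(dup);`, e.g. `/* calloc zeroed all pointers, so freecookie() is safe on a partially built copy */`. The allocation `calloc(sizeof(struct Cookie), 1)` also has its arguments in the reverse of the conventional `calloc(nmemb, size)` order; it requests the same number of bytes, but `calloc(1, sizeof(struct Cookie))` reads as intended. Since `Curl_cookie_freelist()` now always deep-frees, any caller in 7.47.1 still passing the old `FALSE` flag would fail to compile rather than double-free, which is the right failure mode, but the backport's `@@` hints mention `struct Curl_easy`, which I believe postdates 7.47.1, so a build with cookies and the share interface enabled should confirm all three hunks applied to the intended functions. `Curl_cookie_getlist()` and `Curl_http()` start and end outside the hunks shown here.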
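--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -23,6 +23,7 @@ SRC_URI += " file://configure_ac.patch \
 file://CVE-2016-8620.patch \
 file://CVE-2016-8621.patch \
 file://CVE-2016-8622.patch \
+file://CVE-2016-8623.patch \
 "
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"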