diff options
author | Thiruvadi Rajaraman <trajaraman@mvista.com> | 2017-11-04 08:10:45 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-11-21 14:43:55 +0000 |
commit | 6131edc2c9de3d2fe03243a423e2441a6ec855ce (patch) | |
tree | a5d74dd678e35ac134e70f363f6536e17d9e94e5 /meta | |
parent | c4339c0e748ca78580ff97a4b1b64840ae6ab12c (diff) | |
download | poky-6131edc2c9de3d2fe03243a423e2441a6ec855ce.tar.gz |
curl: Security fix for CVE-2016-9586
Affected versions: libcurl 7.1 to and including 7.51.0
Not affected versions: libcurl >= 7.52.0
(From OE-Core rev: 559ccc284987846c5b266cc2bc5ecd91c1c155f9)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2016-9586.patch | 66 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.50.1.bb | 1 |
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-9586.patch b/meta/recipes-support/curl/curl/CVE-2016-9586.patch new file mode 100644 index 0000000000..1103cb05d8 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-9586.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | commit 3ab3c16db6a5674f53cf23d56512a405fde0b2c9 | ||
2 | Author: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue Nov 8 15:32:37 2016 +0100 | ||
4 | |||
5 | printf: fix floating point buffer overflow issues | ||
6 | |||
7 | ... and add a bunch of floating point printf tests | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | https://curl.haxx.se/CVE-2016-9586.patch | ||
11 | dropped the tests as they require more changes to work. | ||
12 | |||
13 | CVE: CVE-2016-9586 | ||
14 | Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> | ||
15 | |||
16 | Index: curl-7.50.1/lib/mprintf.c | ||
17 | =================================================================== | ||
18 | --- curl-7.50.1.orig/lib/mprintf.c 2017-06-15 18:24:08.934720707 +0530 | ||
19 | +++ curl-7.50.1/lib/mprintf.c 2017-06-15 18:24:09.318720721 +0530 | ||
20 | @@ -92,7 +92,8 @@ | ||
21 | # define mp_uintmax_t unsigned long | ||
22 | #endif | ||
23 | |||
24 | -#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */ | ||
25 | +#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should | ||
26 | + fit negative DBL_MAX (317 letters) */ | ||
27 | #define MAX_PARAMETERS 128 /* lame static limit */ | ||
28 | |||
29 | #ifdef __AMIGA__ | ||
30 | @@ -910,12 +911,25 @@ | ||
31 | *fptr = 0; | ||
32 | |||
33 | if(width >= 0) { | ||
34 | + if(width >= (long)sizeof(work)) | ||
35 | + width = sizeof(work)-1; | ||
36 | /* RECURSIVE USAGE */ | ||
37 | len = curl_msnprintf(fptr, left, "%ld", width); | ||
38 | fptr += len; | ||
39 | left -= len; | ||
40 | } | ||
41 | if(prec >= 0) { | ||
42 | + /* for each digit in the integer part, we can have one less | ||
43 | + precision */ | ||
44 | + size_t maxprec = sizeof(work) - 2; | ||
45 | + double val = p->data.dnum; | ||
46 | + while(val >= 10.0) { | ||
47 | + val /= 10; | ||
48 | + maxprec--; | ||
49 | + } | ||
50 | + | ||
51 | + if(prec > (long)maxprec) | ||
52 | + prec = maxprec-1; | ||
53 | /* RECURSIVE USAGE */ | ||
54 | len = curl_msnprintf(fptr, left, ".%ld", prec); | ||
55 | fptr += len; | ||
56 | @@ -935,7 +949,9 @@ | ||
57 | /* NOTE NOTE NOTE!! Not all sprintf implementations return number of | ||
58 | output characters */ | ||
59 | (sprintf)(work, formatbuf, p->data.dnum); | ||
60 | - | ||
61 | +#ifdef CURLDEBUG | ||
62 | + assert(strlen(work) <= sizeof(work)); | ||
63 | +#endif | ||
64 | for(fptr=work; *fptr; fptr++) | ||
65 | OUTCHAR(*fptr); | ||
66 | } | ||
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb index bdf5d73b31..67bbdebfe7 100644 --- a/meta/recipes-support/curl/curl_7.50.1.bb +++ b/meta/recipes-support/curl/curl_7.50.1.bb | |||
@@ -21,6 +21,7 @@ SRC_URI += " file://configure_ac.patch \ | |||
21 | file://CVE-2016-8623.patch \ | 21 | file://CVE-2016-8623.patch \ |
22 | file://CVE-2016-8617.patch \ | 22 | file://CVE-2016-8617.patch \ |
23 | file://CVE-2016-8624.patch \ | 23 | file://CVE-2016-8624.patch \ |
24 | file://CVE-2016-9586.patch \ | ||
24 | " | 25 | " |
25 | 26 | ||
26 | SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" | 27 | SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" |