author | Armin Kuster <akuster@mvista.com> | 2019-06-05 20:41:51 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-27 18:05:18 +0100 |
commit | a43499cf8e91188e11616cff8f3c70ed033bfa86 (patch) | |
tree | 241958f63f1d512c6b42753b63a65415f00e1204 /meta | |
parent | 21188466bc0d40bcca0ac74363177e2e3632d457 (diff) | |
download | poky-a43499cf8e91188e11616cff8f3c70ed033bfa86.tar.gz |
Curl: Security fix CVE-2019-5435 CVE-2019-5436
Source: CUrl.org
MR: 98455
Type: Security Fix
Disposition: Backport from https://curl.haxx.se/
ChangeID: 86b094a440ea473b114764e8d64df8142d561609
Description:
Fixes CVE-2019-5435 CVE-2019-5436
(From OE-Core rev: 9d5a7dd654a17b67f5cd8a73145e5f5299bfebcc)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2019-5435.patch | 200 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2019-5436.patch | 32 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.61.0.bb | 2 |
3 files changed, 234 insertions, 0 deletions
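--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2019-5435.patch
@@ -0,0 +1,200 @@
+From 5fc28510a4664f46459d9a40187d81cc08571e60 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Apr 2019 08:00:49 +0200
+Subject: [PATCH] CURL_MAX_INPUT_LENGTH: largest acceptable string input size
+
+This limits all accepted input strings passed to libcurl to be less than
+CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
+curl_easy_setopt() and curl_url_set().
+
+The 8000000 number is arbitrary picked and is meant to detect mistakes
+or abuse, not to limit actual practical use cases. By limiting the
+acceptable string lengths we also reduce the risk of integer overflows
+all over.
+
+NOTE: This does not apply to `CURLOPT_POSTFIELDS`.
+
+Test 1559 verifies.
+
+Closes #3805
+
+Upstream-Status: Backport
+Dropped a few changes to apply against this version
+https://github.com/curl/curl/commit/5fc28510a4664f4
+
+CVE: CVE-2019-5435
+affects: libcurl 7.19.4 to and including 7.64.1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+lib/setopt.c | 7 +++++
+lib/urldata.h | 4 +++
+7 files changed, 146 insertions(+), 3 deletions(-)
+create mode 100644 tests/data/test1559
+create mode 100644 tests/libtest/lib1559.c
+
+Index: curl-7.61.0/lib/setopt.c
+===================================================================
+--- curl-7.61.0.orig/lib/setopt.c
++++ curl-7.61.0/lib/setopt.c
+@@ -60,6 +60,13 @@ CURLcode Curl_setstropt(char **charp, co
+if(s) {
+char *str = strdup(s);
+
++ if(str) {
++ size_t len = strlen(str);
++ if(len > CURL_MAX_INPUT_LENGTH) {
++ free(str);
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ }
++ }
+if(!str)
+return CURLE_OUT_OF_MEMORY;
+
+Index: curl-7.61.0/lib/urldata.h
+===================================================================
+--- curl-7.61.0.orig/lib/urldata.h
++++ curl-7.61.0/lib/urldata.h
+@@ -79,6 +79,10 @@
+*/
+#define RESP_TIMEOUT (1800*1000)
+
++/* Max string intput length is a precaution against abuse and to detect junk
++ input easier and better. */
++#define CURL_MAX_INPUT_LENGTH 8000000
++
+#include "cookie.h"
+#include "psl.h"
+#include "formdata.h"
+Index: curl-7.61.0/tests/data/test1559
+===================================================================
+--- /dev/null
++++ curl-7.61.0/tests/data/test1559
+@@ -0,0 +1,44 @@
++<testcase>
++<info>
++<keywords>
++CURLOPT_URL
++</keywords>
++</info>
++
++<reply>
++</reply>
++
++<client>
++<server>
++none
++</server>
++
++# require HTTP so that CURLOPT_POSTFIELDS works as assumed
++<features>
++http
++</features>
++<tool>
++lib1559
++</tool>
++
++<name>
++Set excessive URL lengths
++</name>
++</client>
++
++#
++# Verify that the test runs to completion without crashing
++<verify>
++<errorcode>
++0
++</errorcode>
++<stdout>
++CURLOPT_URL 10000000 bytes URL == 43
++CURLOPT_POSTFIELDS 10000000 bytes data == 0
++CURLUPART_URL 10000000 bytes URL == 3
++CURLUPART_SCHEME 10000000 bytes scheme == 3
++CURLUPART_USER 10000000 bytes user == 3
++</stdout>
++</verify>
++
++</testcase>
+Index: curl-7.61.0/tests/libtest/lib1559.c
+===================================================================
+--- /dev/null
++++ curl-7.61.0/tests/libtest/lib1559.c
+@@ -0,0 +1,78 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++#include "test.h"
++
++#include "testutil.h"
++#include "warnless.h"
++#include "memdebug.h"
++
++#define EXCESSIVE 10*1000*1000
++int test(char *URL)
++{
++ CURLcode res = 0;
++ CURL *curl = NULL;
++ char *longurl = malloc(EXCESSIVE);
++ CURLU *u;
++ (void)URL;
++
++ memset(longurl, 'a', EXCESSIVE);
++ longurl[EXCESSIVE-1] = 0;
++
++ global_init(CURL_GLOBAL_ALL);
++ easy_init(curl);
++
++ res = curl_easy_setopt(curl, CURLOPT_URL, longurl);
++ printf("CURLOPT_URL %d bytes URL == %d\n",
++ EXCESSIVE, (int)res);
++
++ res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, longurl);
++ printf("CURLOPT_POSTFIELDS %d bytes data == %d\n",
++ EXCESSIVE, (int)res);
++
++ u = curl_url();
++ if(u) {
++ CURLUcode uc = curl_url_set(u, CURLUPART_URL, longurl, 0);
++ printf("CURLUPART_URL %d bytes URL == %d\n",
++ EXCESSIVE, (int)uc);
++ uc = curl_url_set(u, CURLUPART_SCHEME, longurl, CURLU_NON_SUPPORT_SCHEME);
++ printf("CURLUPART_SCHEME %d bytes scheme == %d\n",
++ EXCESSIVE, (int)uc);
++ uc = curl_url_set(u, CURLUPART_USER, longurl, 0);
++ printf("CURLUPART_USER %d bytes user == %d\n",
++ EXCESSIVE, (int)uc);
++ curl_url_cleanup(u);
++ }
++
++ free(longurl);
++
++ curl_easy_cleanup(curl);
++ curl_global_cleanup();
++
++ return 0;
++
++test_cleanup:
++
++ curl_easy_cleanup(curl);
++ curl_global_cleanup();
++
++ return res; /* return the final return code */
++}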
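Review bot: The backported test and the patch header do not match the library code this patch changes: lib1559.c calls `curl_url()` and `curl_url_set()` and test1559 expects three `CURLUPART_*` result lines, but the only library hunks kept are in lib/setopt.c and lib/urldata.h, so nothing here limits `curl_url_set()` input. If curl 7.61.0 predates the URL API (I believe it arrived in a later release; please confirm against this tree), lib1559.c cannot build here, and the `affects:` line, which is identical to the one in CVE-2019-5436.patch, probably overstates the range for this CVE. I would cut the test down to the `CURLOPT_URL` and `CURLOPT_POSTFIELDS` cases and replace "Dropped a few changes to apply against this version" with a line that names what was dropped, for example `Dropped the curl_url_set() check and its test cases: not applicable to 7.61.0`. Separately, in the setopt.c hunk the length is checked only after `strdup(s)`, so an oversized string is copied in full before it is rejected; `if(strlen(s) > CURL_MAX_INPUT_LENGTH) return CURLE_BAD_FUNCTION_ARGUMENT;` placed before the `strdup` avoids that.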
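--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2019-5436.patch
@@ -0,0 +1,32 @@
+From 2576003415625d7b5f0e390902f8097830b82275 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 3 May 2019 22:20:37 +0200
+Subject: [PATCH] tftp: use the current blksize for recvfrom()
+
+bug: https://curl.haxx.se/docs/CVE-2019-5436.html
+Reported-by: l00p3r on hackerone
+CVE-2019-5436
+
+Upstream-Status: Backport
+https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
+CVE: CVE-2019-5436
+affects: libcurl 7.19.4 to and including 7.64.1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+lib/tftp.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: curl-7.61.0/lib/tftp.c
+===================================================================
+--- curl-7.61.0.orig/lib/tftp.c
++++ curl-7.61.0/lib/tftp.c
+@@ -1005,7 +1005,7 @@ static CURLcode tftp_connect(struct conn
+state->sockfd = state->conn->sock[FIRSTSOCKET];
+state->state = TFTP_STATE_START;
+state->error = TFTP_ERR_NONE;
+- state->blksize = TFTP_BLKSIZE_DEFAULT;
++ state->blksize = blksize;
+state->requested_blksize = blksize;
+
+((struct sockaddr *)&state->local_addr)->sa_family =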
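Review bot: The new assignment `state->blksize = blksize;` carries no comment explaining why the requested size, rather than `TFTP_BLKSIZE_DEFAULT`, is the correct starting value, even though the patch subject implies this field bounds the `recvfrom()` length. tftp_connect() starts and ends outside the hunk, so the buffer allocation is not visible here; it is worth confirming that the packet buffers are sized from the same `blksize` and that a block size negotiated with the server can never raise `state->blksize` above what was allocated. I would add above the line: `/* must equal the size the packet buffers were allocated with; recvfrom() reads up to this many bytes */`.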
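--- a/meta/recipes-support/curl/curl_7.61.0.bb
+++ b/meta/recipes-support/curl/curl_7.61.0.bb
@@ -11,6 +11,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
 file://CVE-2018-16839.patch \
 file://CVE-2018-16840.patch \
 file://CVE-2018-16842.patch \
+file://CVE-2019-5435.patch \
+file://CVE-2019-5436.patch \
 "
 
 SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a"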