authorLi Zhou <li.zhou@windriver.com>2017-10-23 15:44:53 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-11-05 22:33:22 +0000
commit1ffaaa2c482badb593ed12dcd9f9e43e19487c49 (patch)
tree1a470d35aa26a0aa03d6c275de97e9291158010f /meta
parent533d1541b08f640ac5b35cb16445c4c9acefbb64 (diff)
curl: Security Advisory - curl - CVE-2017-1000254
Porting patch from <https://github.com/curl/curl/commit/5ff2c5ff25750aba1a8f64fbcad8e5b891512584> to solve CVE-2017-1000254. (From OE-Core rev: 08f8d5db06647b94f96d655100c358047682dd2f) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-support/curl/curl/CVE-2017-1000254.patch138
-rw-r--r--meta/recipes-support/curl/curl_7.54.1.bb1
2 files changed, 139 insertions, 0 deletions
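diff --git a/meta/recipes-support/curl/curl/CVE-2017-1000254.patch b/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
new file mode 100644
index 0000000000..2b0798b929
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
@@ -0,0 +1,138 @@
+From 1b2eba6f9745c064f7283e0ada8f46df9d9d6e42 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 23 Oct 2017 00:26:50 -0700
+Subject: [PATCH] FTP: zero terminate the entry path even on bad input
+
+... a single double quote could leave the entry path buffer without a zero
+terminating byte. CVE-2017-1000254
+
+Test 1152 added to verify.
+
+Reported-by: Max Dymond
+Bug: https://curl.haxx.se/docs/adv_20171004.html
+
+Upstream-Status: Backport
+CVE: CVE-2017-1000254
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ lib/ftp.c | 7 ++++--
+ tests/data/Makefile.inc | 2 ++
+ tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 68 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1152
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 5edec37..493dbf9 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2826,6 +2826,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ const size_t buf_size = data->set.buffer_size;
+ char *dir;
+ char *store;
++ bool entry_extracted = FALSE;
+
+ dir = malloc(nread + 1);
+ if(!dir)
+@@ -2857,7 +2858,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ }
+ else {
+ /* end of path */
+- *store = '\0'; /* zero terminate */
++ entry_extracted = TRUE;
+ break; /* get out of this loop */
+ }
+ }
+@@ -2866,7 +2867,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ store++;
+ ptr++;
+ }
+-
++ *store = '\0'; /* zero terminate */
++ }
++ if(entry_extracted) {
+ /* If the path name does not look like an absolute path (i.e.: it
+ does not start with a '/'), we probably need some server-dependent
+ adjustments. For example, this is the case when connecting to
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 7adbee6..5284654 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -121,6 +121,8 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
+ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 \
++test1152 \
++\
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1152 b/tests/data/test1152
+new file mode 100644
+index 0000000..aa8c0a7
+--- /dev/null
++++ b/tests/data/test1152
+@@ -0,0 +1,61 @@
++<testcase>
++<info>
++<keywords>
++FTP
++PASV
++LIST
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY PWD 257 "just one
++</servercmd>
++
++# When doing LIST, we get the default list output hard-coded in the test
++# FTP server
++<data mode="text">
++total 20
++drwxr-xr-x 8 98 98 512 Oct 22 13:06 .
++drwxr-xr-x 8 98 98 512 Oct 22 13:06 ..
++drwxr-xr-x 2 98 98 512 May 2 1996 curl-releases
++-r--r--r-- 1 0 1 35 Jul 16 1996 README
++lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin
++dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev
++drwxrwxrwx 2 98 98 512 May 29 16:04 download.html
++dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc
++drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub
++dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++ftp
++</server>
++ <name>
++FTP with uneven quote in PWD response
++ </name>
++ <command>
++ftp://%HOSTIP:%FTPPORT/test-1152/
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD test-1152
++EPSV
++TYPE A
++LIST
++QUIT
++</protocol>
++</verify>
++</testcase>
+--
+2.11.0
+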
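Review bot: The lib/ftp.c hunks do not show where `dir` is released when `entry_extracted` stays FALSE, so before merging confirm in the 7.54.1 tree that the existing failure branch (presumably an `else` that frees `dir`) now pairs with the new `if(entry_extracted) {` rather than with the quote check. ftp_statemach_act starts and ends outside these hunks, so this cannot be checked from the page. The patch header also records `Upstream-Status: Backport` without naming the upstream change; carrying the commit from the description, `Upstream-Status: Backport [https://github.com/curl/curl/commit/5ff2c5ff25750aba1a8f64fbcad8e5b891512584]`, keeps the fix traceable in later CVE audits.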
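diff --git a/meta/recipes-support/curl/curl_7.54.1.bb b/meta/recipes-support/curl/curl_7.54.1.bb
index cf230ed0d4..9870657ca4 100644
--- a/meta/recipes-support/curl/curl_7.54.1.bb
+++ b/meta/recipes-support/curl/curl_7.54.1.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
  file://CVE-2017-1000099.patch \
  file://CVE-2017-1000100.patch \
  file://CVE-2017-1000101.patch \
+ file://CVE-2017-1000254.patch \
 "
 
 # curl likes to set -g0 in CFLAGS, so we stop it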