curl: Fix CVE-2021-22898

CVE: CVE-2021-22898 (From OE-Core rev: 4d703dd86c6b27790e1e34d3127652657243d20d) Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> 2021-07-08 11:29:00 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-07-20 19:05:45 +0100
commit: 10e9be1d82befd62c4d6b0fbc421c250df6deda2 (patch)
tree: 15030b988afcc3ed4d6faf0d205252954bd86f99 /meta
parent: 94e947fcd2dc7cab7996140548c7a89ec3885b1e (diff)
download: poky-10e9be1d82befd62c4d6b0fbc421c250df6deda2.tar.gz
2 files changed, 33 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22898.patch b/meta/recipes-support/curl/curl/CVE-2021-22898.patch
new file mode 100644
index 0000000000..1a9cd7289e
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22898.patch
@@ -0,0 +1,32 @@
+From 39ce47f219b09c380b81f89fe54ac586c8db6bde Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Fri, 7 May 2021 13:09:57 +0200
+Subject: [PATCH] telnet: check sscanf() for correct number of matches
+CVE-2021-22898
+Bug: https://curl.se/docs/CVE-2021-22898.html
+Upstream-Status: Backport [https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde]
+CVE: CVE-2021-22898
+Signed-off-by: Harry Sintonen <sintonen@iki.fi>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ lib/telnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 26e0658ba9cc..fdd137fb0c04 100644
+--- a/lib/telnet.c
+++ b/lib/telnet.c
+@@ -922,7 +922,7 @@ static void suboption(struct Curl_easy *data)
+         size_t tmplen = (strlen(v->data) + 1);
+         /* Add the variable only if it fits */
+         if(len + tmplen < (int)sizeof(temp)-6) {
+-          if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
+          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+             msnprintf((char *)&temp[len], sizeof(temp) - len,
+                       "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+                       CURL_NEW_ENV_VALUE, varval);
diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb
index f7a8202bc9..433037f564 100644
--- a/meta/recipes-support/curl/curl_7.75.0.bb
+++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -15,6 +15,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://0002-transfer-strip-credentials-from-the-auto-referer-hea.patch \
           file://vtls-fix-addsessionid.patch \
           file://vtls-fix-warning.patch \
+           file://CVE-2021-22898.patch \
 "
 SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
author	Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>	2021-07-08 11:29:00 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-07-20 19:05:45 +0100
commit	10e9be1d82befd62c4d6b0fbc421c250df6deda2 (patch)
tree	15030b988afcc3ed4d6faf0d205252954bd86f99 /meta
parent	94e947fcd2dc7cab7996140548c7a89ec3885b1e (diff)
download	poky-10e9be1d82befd62c4d6b0fbc421c250df6deda2.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22898.patch b/meta/recipes-support/curl/curl/CVE-2021-22898.patch new file mode 100644 index 0000000000..1a9cd7289e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22898.patch
@@ -0,0 +1,32 @@
		1	From 39ce47f219b09c380b81f89fe54ac586c8db6bde Mon Sep 17 00:00:00 2001
		2	From: Harry Sintonen <sintonen@iki.fi>
		3	Date: Fri, 7 May 2021 13:09:57 +0200
		4	Subject: [PATCH] telnet: check sscanf() for correct number of matches
		5
		6	CVE-2021-22898
		7
		8	Bug: https://curl.se/docs/CVE-2021-22898.html
		9
		10	Upstream-Status: Backport [https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde]
		11
		12	CVE: CVE-2021-22898
		13
		14	Signed-off-by: Harry Sintonen <sintonen@iki.fi>
		15	Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
		16	---
		17	lib/telnet.c \| 2 +-
		18	1 file changed, 1 insertion(+), 1 deletion(-)
		19
		20	diff --git a/lib/telnet.c b/lib/telnet.c
		21	index 26e0658ba9cc..fdd137fb0c04 100644
		22	--- a/lib/telnet.c
		23	+++ b/lib/telnet.c
		24	@@ -922,7 +922,7 @@ static void suboption(struct Curl_easy *data)
		25	size_t tmplen = (strlen(v->data) + 1);
		26	/* Add the variable only if it fits */
		27	if(len + tmplen < (int)sizeof(temp)-6) {
		28	- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
		29	+ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
		30	msnprintf((char *)&temp[len], sizeof(temp) - len,
		31	"%c%s%c%s", CURL_NEW_ENV_VAR, varname,
		32	CURL_NEW_ENV_VALUE, varval);


diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb index f7a8202bc9..433037f564 100644 --- a/meta/recipes-support/curl/curl_7.75.0.bb +++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -15,6 +15,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
15	file://0002-transfer-strip-credentials-from-the-auto-referer-hea.patch \	15	file://0002-transfer-strip-credentials-from-the-auto-referer-hea.patch \
16	file://vtls-fix-addsessionid.patch \	16	file://vtls-fix-addsessionid.patch \
17	file://vtls-fix-warning.patch \	17	file://vtls-fix-warning.patch \
		18	file://CVE-2021-22898.patch \
18	"	19	"
19		20
20	SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"	21	SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"