diff options
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2016-8620.patch | 146 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.50.1.bb | 1 |
2 files changed, 147 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8620.patch b/meta/recipes-support/curl/curl/CVE-2016-8620.patch new file mode 100644 index 0000000000..db3da6f57a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-8620.patch | |||
@@ -0,0 +1,146 @@ | |||
1 | From 52f3e1d1092c81a4f574c9fc6cb3818b88434c8d Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 3 Oct 2016 17:27:16 +0200 | ||
4 | Subject: [PATCH 1/3] range: prevent negative end number in a glob range | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | CVE-2016-8620 | ||
10 | |||
11 | Bug: https://curl.haxx.se/docs/adv_20161102F.html | ||
12 | Reported-by: Luật Nguyễn | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | https://curl.haxx.se/CVE-2016-8620.patch | ||
16 | CVE: CVE-2016-8620 | ||
17 | Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> | ||
18 | |||
19 | --- | ||
20 | src/tool_urlglob.c | 7 +++++++ | ||
21 | 1 file changed, 7 insertions(+) | ||
22 | |||
23 | Index: curl-7.44.0/src/tool_urlglob.c | ||
24 | =================================================================== | ||
25 | --- curl-7.44.0.orig/src/tool_urlglob.c | ||
26 | +++ curl-7.44.0/src/tool_urlglob.c | ||
27 | @@ -186,32 +186,36 @@ static CURLcode glob_range(URLGlob *glob | ||
28 | /* character range detected */ | ||
29 | char min_c; | ||
30 | char max_c; | ||
31 | + char end_c; | ||
32 | int step=1; | ||
33 | |||
34 | pat->type = UPTCharRange; | ||
35 | |||
36 | - rc = sscanf(pattern, "%c-%c", &min_c, &max_c); | ||
37 | + rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c); | ||
38 | |||
39 | - if((rc == 2) && (pattern[3] == ':')) { | ||
40 | - char *endp; | ||
41 | - unsigned long lstep; | ||
42 | - errno = 0; | ||
43 | - lstep = strtoul(&pattern[4], &endp, 10); | ||
44 | - if(errno || (*endp != ']')) | ||
45 | - step = -1; | ||
46 | - else { | ||
47 | - pattern = endp+1; | ||
48 | - step = (int)lstep; | ||
49 | - if(step > (max_c - min_c)) | ||
50 | + if(rc == 3) { | ||
51 | + if(end_c == ':') { | ||
52 | + char *endp; | ||
53 | + unsigned long lstep; | ||
54 | + errno = 0; | ||
55 | + lstep = strtoul(&pattern[4], &endp, 10); | ||
56 | + if(errno || (*endp != ']')) | ||
57 | step = -1; | ||
58 | + else { | ||
59 | + pattern = endp+1; | ||
60 | + step = (int)lstep; | ||
61 | + if(step > (max_c - min_c)) | ||
62 | + step = -1; | ||
63 | + } | ||
64 | } | ||
65 | + else if(end_c != ']') | ||
66 | + /* then this is wrong */ | ||
67 | + rc = 0; | ||
68 | } | ||
69 | - else | ||
70 | - pattern += 4; | ||
71 | |||
72 | *posp += (pattern - *patternp); | ||
73 | |||
74 | - if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) || | ||
75 | + if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) || | ||
76 | (step <= 0) ) | ||
77 | /* the pattern is not well-formed */ | ||
78 | return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT); | ||
79 | @@ -255,6 +259,12 @@ static CURLcode glob_range(URLGlob *glob | ||
80 | endp = NULL; | ||
81 | else { | ||
82 | pattern = endp+1; | ||
83 | + while(*pattern && ISBLANK(*pattern)) | ||
84 | + pattern++; | ||
85 | + if(!ISDIGIT(*pattern)) { | ||
86 | + endp = NULL; | ||
87 | + goto fail; | ||
88 | + } | ||
89 | errno = 0; | ||
90 | max_n = strtoul(pattern, &endp, 10); | ||
91 | if(errno || (*endp == ':')) { | ||
92 | @@ -275,6 +285,7 @@ static CURLcode glob_range(URLGlob *glob | ||
93 | } | ||
94 | } | ||
95 | |||
96 | + fail: | ||
97 | *posp += (pattern - *patternp); | ||
98 | |||
99 | if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) || | ||
100 | @@ -423,6 +434,7 @@ CURLcode glob_url(URLGlob** glob, char* | ||
101 | glob_buffer = malloc(strlen(url) + 1); | ||
102 | if(!glob_buffer) | ||
103 | return CURLE_OUT_OF_MEMORY; | ||
104 | + glob_buffer[0]=0; | ||
105 | |||
106 | glob_expand = calloc(1, sizeof(URLGlob)); | ||
107 | if(!glob_expand) { | ||
108 | @@ -540,20 +552,25 @@ CURLcode glob_next_url(char **globbed, U | ||
109 | switch(pat->type) { | ||
110 | case UPTSet: | ||
111 | if(pat->content.Set.elements) { | ||
112 | - len = strlen(pat->content.Set.elements[pat->content.Set.ptr_s]); | ||
113 | snprintf(buf, buflen, "%s", | ||
114 | pat->content.Set.elements[pat->content.Set.ptr_s]); | ||
115 | + len = strlen(buf); | ||
116 | buf += len; | ||
117 | buflen -= len; | ||
118 | } | ||
119 | break; | ||
120 | case UPTCharRange: | ||
121 | - *buf++ = pat->content.CharRange.ptr_c; | ||
122 | + if(buflen) { | ||
123 | + *buf++ = pat->content.CharRange.ptr_c; | ||
124 | + *buf = '\0'; | ||
125 | + buflen--; | ||
126 | + } | ||
127 | break; | ||
128 | case UPTNumRange: | ||
129 | - len = snprintf(buf, buflen, "%0*ld", | ||
130 | - pat->content.NumRange.padlength, | ||
131 | - pat->content.NumRange.ptr_n); | ||
132 | + snprintf(buf, buflen, "%0*ld", | ||
133 | + pat->content.NumRange.padlength, | ||
134 | + pat->content.NumRange.ptr_n); | ||
135 | + len = strlen(buf); | ||
136 | buf += len; | ||
137 | buflen -= len; | ||
138 | break; | ||
139 | @@ -562,7 +579,6 @@ CURLcode glob_next_url(char **globbed, U | ||
140 | return CURLE_FAILED_INIT; | ||
141 | } | ||
142 | } | ||
143 | - *buf = '\0'; | ||
144 | |||
145 | *globbed = strdup(glob->glob_buffer); | ||
146 | if(!*globbed) | ||
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb index 544110134c..aa8ebebf01 100644 --- a/meta/recipes-support/curl/curl_7.50.1.bb +++ b/meta/recipes-support/curl/curl_7.50.1.bb | |||
@@ -16,6 +16,7 @@ SRC_URI += " file://configure_ac.patch \ | |||
16 | file://CVE-2016-8615.patch \ | 16 | file://CVE-2016-8615.patch \ |
17 | file://CVE-2016-8618.patch \ | 17 | file://CVE-2016-8618.patch \ |
18 | file://CVE-2016-8619.patch \ | 18 | file://CVE-2016-8619.patch \ |
19 | file://CVE-2016-8620.patch \ | ||
19 | " | 20 | " |
20 | 21 | ||
21 | SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" | 22 | SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" |