summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-support/curl/curl/CVE-2016-8619.patch52
-rw-r--r--meta/recipes-support/curl/curl_7.47.1.bb1
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8619.patch b/meta/recipes-support/curl/curl/CVE-2016-8619.patch
new file mode 100644
index 0000000000..fb21cf6b89
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8619.patch
@@ -0,0 +1,52 @@
1From 91239f7040b1f026d4d15765e7e3f58e92e93761 Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Wed, 28 Sep 2016 12:56:02 +0200
4Subject: [PATCH] krb5: avoid realloc(0)
5
6If the requested size is zero, bail out with error instead of doing a
7realloc() that would cause a double-free: realloc(0) acts as a free()
8and then there's a second free in the cleanup path.
9
10CVE: CVE-2016-8619
11Upstream-Status: Backport
12
13Bug: https://curl.haxx.se/docs/adv_20161102E.html
14Reported-by: Cure53
15Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
16---
17 lib/security.c | 9 ++++++---
18 1 file changed, 6 insertions(+), 3 deletions(-)
19
20diff --git a/lib/security.c b/lib/security.c
21index a268d4a..4cef8f8 100644
22--- a/lib/security.c
23+++ b/lib/security.c
24@@ -190,19 +190,22 @@ socket_write(struct connectdata *conn, curl_socket_t fd, const void *to,
25 static CURLcode read_data(struct connectdata *conn,
26 curl_socket_t fd,
27 struct krb5buffer *buf)
28 {
29 int len;
30- void* tmp;
31+ void *tmp = NULL;
32 CURLcode result;
33
34 result = socket_read(fd, &len, sizeof(len));
35 if(result)
36 return result;
37
38- len = ntohl(len);
39- tmp = realloc(buf->data, len);
40+ if(len) {
41+ /* only realloc if there was a length */
42+ len = ntohl(len);
43+ tmp = realloc(buf->data, len);
44+ }
45 if(tmp == NULL)
46 return CURLE_OUT_OF_MEMORY;
47
48 buf->data = tmp;
49 result = socket_read(fd, buf->data, len);
50--
512.9.3
52
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb
index 27a999ee97..9ef571834e 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -19,6 +19,7 @@ SRC_URI += " file://configure_ac.patch \
19 file://CVE-2016-8616.patch \ 19 file://CVE-2016-8616.patch \
20 file://CVE-2016-8617.patch \ 20 file://CVE-2016-8617.patch \
21 file://CVE-2016-8618.patch \ 21 file://CVE-2016-8618.patch \
22 file://CVE-2016-8619.patch \
22 " 23 "
23 24
24SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb" 25SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"