-rw-r--r--meta/recipes-support/curl/curl/CVE-2016-8623.patch174
-rw-r--r--meta/recipes-support/curl/curl_7.50.1.bb1
2 files changed, 175 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8623.patch b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
new file mode 100644
index 0000000000..17eaf2b7ee
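--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
@@ -0,0 +1,174 @@
+From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2016 23:26:13 +0200
+Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies
+
+Previously it only held references to them, which was reckless as the
+thread lock was released so the cookies could get modified by other
+handles that share the same cookie jar over the share interface.
+
+CVE-2016-8623
+
+Bug: https://curl.haxx.se/docs/adv_20161102I.html
+Reported-by: Cure53
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-8623.patch
+CVE: CVE-2016-8623
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+---
+ lib/cookie.c | 61 +++++++++++++++++++++++++++++++++++++++---------------------
+ lib/cookie.h | 4 ++--
+ lib/http.c | 2 +-
+ 3 files changed, 43 insertions(+), 24 deletions(-)
+
+Index: curl-7.44.0/lib/cookie.c
+===================================================================
+--- curl-7.44.0.orig/lib/cookie.c
++++ curl-7.44.0/lib/cookie.c
+@@ -1019,6 +1019,40 @@ static int cookie_sort(const void *p1, c
+ return 0;
+ }
+
++#define CLONE(field) \
++ do { \
++ if(src->field) { \
++ dup->field = strdup(src->field); \
++ if(!dup->field) \
++ goto fail; \
++ } \
++ } while(0)
++
++static struct Cookie *dup_cookie(struct Cookie *src)
++{
++ struct Cookie *dup = calloc(sizeof(struct Cookie), 1);
++ if(dup) {
++ CLONE(expirestr);
++ CLONE(domain);
++ CLONE(path);
++ CLONE(spath);
++ CLONE(name);
++ CLONE(value);
++ CLONE(maxage);
++ CLONE(version);
++ dup->expires = src->expires;
++ dup->tailmatch = src->tailmatch;
++ dup->secure = src->secure;
++ dup->livecookie = src->livecookie;
++ dup->httponly = src->httponly;
++ }
++ return dup;
++
++ fail:
++ freecookie(dup);
++ return NULL;
++}
++
+ /*****************************************************************************
+ *
+ * Curl_cookie_getlist()
+@@ -1074,11 +1108,8 @@ struct Cookie *Curl_cookie_getlist(struc
+ /* and now, we know this is a match and we should create an
+ entry for the return-linked-list */
+
+- newco = malloc(sizeof(struct Cookie));
++ newco = dup_cookie(co);
+ if(newco) {
+- /* first, copy the whole source cookie: */
+- memcpy(newco, co, sizeof(struct Cookie));
+-
+ /* then modify our next */
+ newco->next = mainco;
+
+@@ -1090,12 +1121,7 @@ struct Cookie *Curl_cookie_getlist(struc
+ else {
+ fail:
+ /* failure, clear up the allocated chain and return NULL */
+- while(mainco) {
+- co = mainco->next;
+- free(mainco);
+- mainco = co;
+- }
+-
++ Curl_cookie_freelist(mainco);
+ return NULL;
+ }
+ }
+@@ -1147,7 +1173,7 @@ struct Cookie *Curl_cookie_getlist(struc
+ void Curl_cookie_clearall(struct CookieInfo *cookies)
+ {
+ if(cookies) {
+- Curl_cookie_freelist(cookies->cookies, TRUE);
++ Curl_cookie_freelist(cookies->cookies);
+ cookies->cookies = NULL;
+ cookies->numcookies = 0;
+ }
+@@ -1159,21 +1185,14 @@ void Curl_cookie_clearall(struct CookieI
+ *
+ * Free a list of cookies previously returned by Curl_cookie_getlist();
+ *
+- * The 'cookiestoo' argument tells this function whether to just free the
+- * list or actually also free all cookies within the list as well.
+- *
+ ****************************************************************************/
+
+-void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo)
++void Curl_cookie_freelist(struct Cookie *co)
+ {
+ struct Cookie *next;
+ while(co) {
+ next = co->next;
+- if(cookiestoo)
+- freecookie(co);
+- else
+- free(co); /* we only free the struct since the "members" are all just
+- pointed out in the main cookie list! */
++ freecookie(co);
+ co = next;
+ }
+ }
+@@ -1228,7 +1247,7 @@ void Curl_cookie_cleanup(struct CookieIn
+ {
+ if(c) {
+ free(c->filename);
+- Curl_cookie_freelist(c->cookies, TRUE);
++ Curl_cookie_freelist(c->cookies);
+ free(c); /* free the base struct as well */
+ }
+ }
+Index: curl-7.44.0/lib/cookie.h
+===================================================================
+--- curl-7.44.0.orig/lib/cookie.h
++++ curl-7.44.0/lib/cookie.h
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -82,7 +82,7 @@ struct Cookie *Curl_cookie_add(struct Se
+
+ struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *,
+ const char *, bool);
+-void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo);
++void Curl_cookie_freelist(struct Cookie *cookies);
+ void Curl_cookie_clearall(struct CookieInfo *cookies);
+ void Curl_cookie_clearsess(struct CookieInfo *cookies);
+
+Index: curl-7.44.0/lib/http.c
+===================================================================
+--- curl-7.44.0.orig/lib/http.c
++++ curl-7.44.0/lib/http.c
+@@ -2371,7 +2371,7 @@ CURLcode Curl_http(struct connectdata *c
+ }
+ co = co->next; /* next cookie please */
+ }
+- Curl_cookie_freelist(store, FALSE); /* free the cookie list */
++ Curl_cookie_freelist(store);
+ }
+ if(addcookies && !result) {
+ if(!count)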
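Review bot: The embedded patch carries `Index: curl-7.44.0/lib/cookie.c` headers and hunk offsets from a 7.44.0 tree, yet it is added to the curl_7.50.1 recipe, so it was not regenerated against the source it will actually patch. For a security backport it should apply with no fuzz, and `dup_cookie()` should be checked against the 7.50.1 `struct Cookie` so that every heap-allocated string member has a `CLONE()` line; a member left out would silently come back NULL in the copied list (inferred, as the struct definition is not part of this diff). Refreshing the patch against 7.50.1 and putting the source on the tag line, as in `Upstream-Status: Backport [https://curl.haxx.se/CVE-2016-8623.patch]`, would make that checkable.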
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb
index 548bb46f95..9a9741dfe1 100644
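--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -18,6 +18,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-8619.patch \
  file://CVE-2016-8620.patch \
  file://CVE-2016-8621.patch \
+ file://CVE-2016-8623.patch \
  "
 
 SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"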
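Review bot: The patch list in `SRC_URI` now runs from `CVE-2016-8621.patch` directly to `CVE-2016-8623.patch`, so the identifier in between has no corresponding patch in the lines visible here. If it is handled by another commit or does not apply to 7.50.1, the commit message should say so; otherwise the recipe's CVE coverage has a gap that a scanner keyed on patch file names will not explain. The start of `SRC_URI` lies outside this hunk, so this is inferred from the context lines only.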