diff options
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-32221.patch | 27 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-35260.patch | 73 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-42915.patch | 53 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-42916.patch | 134 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.85.0.bb | 4 |
5 files changed, 291 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32221.patch b/meta/recipes-support/curl/curl/CVE-2022-32221.patch new file mode 100644 index 0000000000..03a7ac513b --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32221.patch | |||
@@ -0,0 +1,27 @@ | |||
1 | From dd31455d46dcf9e3a1b8bd37e671af1a6af52807 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 15 Sep 2022 09:22:45 +0200 | ||
4 | Subject: [PATCH] setopt: when POST is set, reset the 'upload' field | ||
5 | |||
6 | Reported-by: RobBotic1 on github | ||
7 | Fixes #9507 | ||
8 | Closes #9511 | ||
9 | |||
10 | Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d6] | ||
11 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
12 | --- | ||
13 | lib/setopt.c | 1 + | ||
14 | 1 file changed, 1 insertion(+) | ||
15 | |||
16 | diff --git a/lib/setopt.c b/lib/setopt.c | ||
17 | index d5e3b50..b8793b4 100644 | ||
18 | --- a/lib/setopt.c | ||
19 | +++ b/lib/setopt.c | ||
20 | @@ -696,6 +696,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) | ||
21 | } | ||
22 | else | ||
23 | data->set.method = HTTPREQ_GET; | ||
24 | + data->set.upload = FALSE; | ||
25 | break; | ||
26 | |||
27 | case CURLOPT_HTTPPOST: | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-35260.patch b/meta/recipes-support/curl/curl/CVE-2022-35260.patch new file mode 100644 index 0000000000..a4aae69fd0 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-35260.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | From 9169e54444bdca7b5e7b44034c463fe5fc801e88 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 4 Oct 2022 14:37:24 +0200 | ||
4 | Subject: [PATCH] netrc: replace fgets with Curl_get_line | ||
5 | |||
6 | Make the parser only accept complete lines and avoid problems with | ||
7 | overly long lines. | ||
8 | |||
9 | Reported-by: Hiroki Kurosawa | ||
10 | |||
11 | Closes #9789 | ||
12 | |||
13 | Upstream-Status: Backport [https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa86] | ||
14 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
15 | --- | ||
16 | lib/curl_get_line.c | 6 +++--- | ||
17 | lib/netrc.c | 5 +++-- | ||
18 | 2 files changed, 6 insertions(+), 5 deletions(-) | ||
19 | |||
20 | diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c | ||
21 | index 6a26bb2..22e3705 100644 | ||
22 | --- a/lib/curl_get_line.c | ||
23 | +++ b/lib/curl_get_line.c | ||
24 | @@ -25,7 +25,7 @@ | ||
25 | #include "curl_setup.h" | ||
26 | |||
27 | #if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ | ||
28 | - !defined(CURL_DISABLE_HSTS) | ||
29 | + !defined(CURL_DISABLE_HSTS) || !defined(CURL_DISABLE_NETRC) | ||
30 | |||
31 | #include "curl_get_line.h" | ||
32 | #include "curl_memory.h" | ||
33 | @@ -33,8 +33,8 @@ | ||
34 | #include "memdebug.h" | ||
35 | |||
36 | /* | ||
37 | - * get_line() makes sure to only return complete whole lines that fit in 'len' | ||
38 | - * bytes and end with a newline. | ||
39 | + * Curl_get_line() makes sure to only return complete whole lines that fit in | ||
40 | + * 'len' bytes and end with a newline. | ||
41 | */ | ||
42 | char *Curl_get_line(char *buf, int len, FILE *input) | ||
43 | { | ||
44 | diff --git a/lib/netrc.c b/lib/netrc.c | ||
45 | index 62a6a10..5d17482 100644 | ||
46 | --- a/lib/netrc.c | ||
47 | +++ b/lib/netrc.c | ||
48 | @@ -33,6 +33,7 @@ | ||
49 | #include "netrc.h" | ||
50 | #include "strtok.h" | ||
51 | #include "strcase.h" | ||
52 | +#include "curl_get_line.h" | ||
53 | |||
54 | /* The last 3 #include files should be in this order */ | ||
55 | #include "curl_printf.h" | ||
56 | @@ -84,7 +85,7 @@ static int parsenetrc(const char *host, | ||
57 | char netrcbuffer[4096]; | ||
58 | int netrcbuffsize = (int)sizeof(netrcbuffer); | ||
59 | |||
60 | - while(!done && fgets(netrcbuffer, netrcbuffsize, file)) { | ||
61 | + while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) { | ||
62 | char *tok; | ||
63 | char *tok_end; | ||
64 | bool quoted; | ||
65 | @@ -243,7 +244,7 @@ static int parsenetrc(const char *host, | ||
66 | } /* switch (state) */ | ||
67 | tok = ++tok_end; | ||
68 | } | ||
69 | - } /* while fgets() */ | ||
70 | + } /* while Curl_get_line() */ | ||
71 | |||
72 | out: | ||
73 | if(!retcode) { | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-42915.patch b/meta/recipes-support/curl/curl/CVE-2022-42915.patch new file mode 100644 index 0000000000..43de6e62eb --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-42915.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From 3ede0e72aaad6447d2a5ab07dac43e1b9d7e617b Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 6 Oct 2022 14:13:36 +0200 | ||
4 | Subject: [PATCH] http_proxy: restore the protocol pointer on error | ||
5 | |||
6 | Reported-by: Trail of Bits | ||
7 | |||
8 | Closes #9790 | ||
9 | |||
10 | Upstream-Status: Backport [https://github.com/curl/curl/commit/55e1875729f9d9fc7315ce] | ||
11 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
12 | --- | ||
13 | lib/http_proxy.c | 6 ++---- | ||
14 | lib/url.c | 9 --------- | ||
15 | 2 files changed, 2 insertions(+), 13 deletions(-) | ||
16 | |||
17 | diff --git a/lib/http_proxy.c b/lib/http_proxy.c | ||
18 | index 1f87f6c..cc20b3a 100644 | ||
19 | --- a/lib/http_proxy.c | ||
20 | +++ b/lib/http_proxy.c | ||
21 | @@ -212,10 +212,8 @@ void Curl_connect_done(struct Curl_easy *data) | ||
22 | Curl_dyn_free(&s->rcvbuf); | ||
23 | Curl_dyn_free(&s->req); | ||
24 | |||
25 | - /* restore the protocol pointer, if not already done */ | ||
26 | - if(s->prot_save) | ||
27 | - data->req.p.http = s->prot_save; | ||
28 | - s->prot_save = NULL; | ||
29 | + /* restore the protocol pointer */ | ||
30 | + data->req.p.http = s->prot_save; | ||
31 | data->info.httpcode = 0; /* clear it as it might've been used for the | ||
32 | proxy */ | ||
33 | data->req.ignorebody = FALSE; | ||
34 | diff --git a/lib/url.c b/lib/url.c | ||
35 | index bfc784f..61c99d2 100644 | ||
36 | --- a/lib/url.c | ||
37 | +++ b/lib/url.c | ||
38 | @@ -746,15 +746,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn) | ||
39 | DEBUGASSERT(data); | ||
40 | infof(data, "Closing connection %ld", conn->connection_id); | ||
41 | |||
42 | -#ifndef USE_HYPER | ||
43 | - if(conn->connect_state && conn->connect_state->prot_save) { | ||
44 | - /* If this was closed with a CONNECT in progress, cleanup this temporary | ||
45 | - struct arrangement */ | ||
46 | - data->req.p.http = NULL; | ||
47 | - Curl_safefree(conn->connect_state->prot_save); | ||
48 | - } | ||
49 | -#endif | ||
50 | - | ||
51 | /* possible left-overs from the async name resolvers */ | ||
52 | Curl_resolver_cancel(data); | ||
53 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-42916.patch b/meta/recipes-support/curl/curl/CVE-2022-42916.patch new file mode 100644 index 0000000000..000af69885 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-42916.patch | |||
@@ -0,0 +1,134 @@ | |||
1 | From 401455229a5006bed0346fedc99791ccb53e146c Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Wed, 12 Oct 2022 10:47:59 +0200 | ||
4 | Subject: [PATCH] url: use IDN decoded names for HSTS checks | ||
5 | |||
6 | Reported-by: Hiroki Kurosawa | ||
7 | |||
8 | Closes #9791 | ||
9 | |||
10 | Upstream-Status: Backport [https://github.com/curl/curl/commit/53bcf55b4538067e6] | ||
11 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
12 | --- | ||
13 | lib/url.c | 91 ++++++++++++++++++++++++++++--------------------------- | ||
14 | 1 file changed, 47 insertions(+), 44 deletions(-) | ||
15 | |||
16 | diff --git a/lib/url.c b/lib/url.c | ||
17 | index 61c99d2..6426fa7 100644 | ||
18 | --- a/lib/url.c | ||
19 | +++ b/lib/url.c | ||
20 | @@ -2024,10 +2024,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, | ||
21 | failf(data, "Too long host name (maximum is %d)", MAX_URL_LEN); | ||
22 | return CURLE_URL_MALFORMAT; | ||
23 | } | ||
24 | + hostname = data->state.up.hostname; | ||
25 | + | ||
26 | + if(hostname && hostname[0] == '[') { | ||
27 | + /* This looks like an IPv6 address literal. See if there is an address | ||
28 | + scope. */ | ||
29 | + size_t hlen; | ||
30 | + conn->bits.ipv6_ip = TRUE; | ||
31 | + /* cut off the brackets! */ | ||
32 | + hostname++; | ||
33 | + hlen = strlen(hostname); | ||
34 | + hostname[hlen - 1] = 0; | ||
35 | + | ||
36 | + zonefrom_url(uh, data, conn); | ||
37 | + } | ||
38 | + | ||
39 | + /* make sure the connect struct gets its own copy of the host name */ | ||
40 | + conn->host.rawalloc = strdup(hostname ? hostname : ""); | ||
41 | + if(!conn->host.rawalloc) | ||
42 | + return CURLE_OUT_OF_MEMORY; | ||
43 | + conn->host.name = conn->host.rawalloc; | ||
44 | + | ||
45 | + /************************************************************* | ||
46 | + * IDN-convert the hostnames | ||
47 | + *************************************************************/ | ||
48 | + result = Curl_idnconvert_hostname(data, &conn->host); | ||
49 | + if(result) | ||
50 | + return result; | ||
51 | + if(conn->bits.conn_to_host) { | ||
52 | + result = Curl_idnconvert_hostname(data, &conn->conn_to_host); | ||
53 | + if(result) | ||
54 | + return result; | ||
55 | + } | ||
56 | +#ifndef CURL_DISABLE_PROXY | ||
57 | + if(conn->bits.httpproxy) { | ||
58 | + result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); | ||
59 | + if(result) | ||
60 | + return result; | ||
61 | + } | ||
62 | + if(conn->bits.socksproxy) { | ||
63 | + result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); | ||
64 | + if(result) | ||
65 | + return result; | ||
66 | + } | ||
67 | +#endif | ||
68 | |||
69 | #ifndef CURL_DISABLE_HSTS | ||
70 | + /* HSTS upgrade */ | ||
71 | if(data->hsts && strcasecompare("http", data->state.up.scheme)) { | ||
72 | - if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) { | ||
73 | + /* This MUST use the IDN decoded name */ | ||
74 | + if(Curl_hsts(data->hsts, conn->host.name, TRUE)) { | ||
75 | char *url; | ||
76 | Curl_safefree(data->state.up.scheme); | ||
77 | uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0); | ||
78 | @@ -2133,26 +2179,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, | ||
79 | |||
80 | (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0); | ||
81 | |||
82 | - hostname = data->state.up.hostname; | ||
83 | - if(hostname && hostname[0] == '[') { | ||
84 | - /* This looks like an IPv6 address literal. See if there is an address | ||
85 | - scope. */ | ||
86 | - size_t hlen; | ||
87 | - conn->bits.ipv6_ip = TRUE; | ||
88 | - /* cut off the brackets! */ | ||
89 | - hostname++; | ||
90 | - hlen = strlen(hostname); | ||
91 | - hostname[hlen - 1] = 0; | ||
92 | - | ||
93 | - zonefrom_url(uh, data, conn); | ||
94 | - } | ||
95 | - | ||
96 | - /* make sure the connect struct gets its own copy of the host name */ | ||
97 | - conn->host.rawalloc = strdup(hostname ? hostname : ""); | ||
98 | - if(!conn->host.rawalloc) | ||
99 | - return CURLE_OUT_OF_MEMORY; | ||
100 | - conn->host.name = conn->host.rawalloc; | ||
101 | - | ||
102 | #ifdef ENABLE_IPV6 | ||
103 | if(data->set.scope_id) | ||
104 | /* Override any scope that was set above. */ | ||
105 | @@ -3781,29 +3807,6 @@ static CURLcode create_conn(struct Curl_easy *data, | ||
106 | if(result) | ||
107 | goto out; | ||
108 | |||
109 | - /************************************************************* | ||
110 | - * IDN-convert the hostnames | ||
111 | - *************************************************************/ | ||
112 | - result = Curl_idnconvert_hostname(data, &conn->host); | ||
113 | - if(result) | ||
114 | - goto out; | ||
115 | - if(conn->bits.conn_to_host) { | ||
116 | - result = Curl_idnconvert_hostname(data, &conn->conn_to_host); | ||
117 | - if(result) | ||
118 | - goto out; | ||
119 | - } | ||
120 | -#ifndef CURL_DISABLE_PROXY | ||
121 | - if(conn->bits.httpproxy) { | ||
122 | - result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); | ||
123 | - if(result) | ||
124 | - goto out; | ||
125 | - } | ||
126 | - if(conn->bits.socksproxy) { | ||
127 | - result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); | ||
128 | - if(result) | ||
129 | - goto out; | ||
130 | - } | ||
131 | -#endif | ||
132 | |||
133 | /************************************************************* | ||
134 | * Check whether the host and the "connect to host" are equal. | ||
diff --git a/meta/recipes-support/curl/curl_7.85.0.bb b/meta/recipes-support/curl/curl_7.85.0.bb index ad6a5175bc..0386052bf4 100644 --- a/meta/recipes-support/curl/curl_7.85.0.bb +++ b/meta/recipes-support/curl/curl_7.85.0.bb | |||
@@ -13,6 +13,10 @@ SRC_URI = " \ | |||
13 | https://curl.se/download/${BP}.tar.xz \ | 13 | https://curl.se/download/${BP}.tar.xz \ |
14 | file://run-ptest \ | 14 | file://run-ptest \ |
15 | file://disable-tests \ | 15 | file://disable-tests \ |
16 | file://CVE-2022-32221.patch \ | ||
17 | file://CVE-2022-35260.patch \ | ||
18 | file://CVE-2022-42915.patch \ | ||
19 | file://CVE-2022-42916.patch \ | ||
16 | " | 20 | " |
17 | SRC_URI[sha256sum] = "88b54a6d4b9a48cb4d873c7056dcba997ddd5b7be5a2d537a4acb55c20b04be6" | 21 | SRC_URI[sha256sum] = "88b54a6d4b9a48cb4d873c7056dcba997ddd5b7be5a2d537a4acb55c20b04be6" |
18 | 22 | ||