Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2015-3145.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2015-3145.patch | 70 |
1 files changed, 70 insertions, 0 deletions
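--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3145.patch
@@ -0,0 +1,70 @@
+From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 16:37:40 +0200
+Subject: [PATCH] cookie: cookie parser out of boundary memory access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Backport
+
+The internal libcurl function called sanitize_cookie_path() that cleans
+up the path element as given to it from a remote site or when read from
+a file, did not properly validate the input. If given a path that
+consisted of a single double-quote, libcurl would index a newly
+allocated memory area with index -1 and assign a zero to it, thus
+destroying heap memory it wasn't supposed to.
+
+CVE-2015-3145
+
+Bug: http://curl.haxx.se/docs/adv_20150422C.html
+Reported-by: Hanno Böck
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+lib/cookie.c | 12 +++++++-----
+1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0864f6b..0127926 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -223,15 +223,18 @@ static char *sanitize_cookie_path(const char *cookie_path)
+char *new_path = strdup(cookie_path);
+if(!new_path)
+return NULL;
+
+/* some stupid site sends path attribute with '"'. */
++ len = strlen(new_path);
+if(new_path[0] == '\"') {
+- memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
++ memmove((void *)new_path, (const void *)(new_path + 1), len);
++ len--;
+}
+- if(new_path[strlen(new_path) - 1] == '\"') {
+- new_path[strlen(new_path) - 1] = 0x0;
++ if(len && (new_path[len - 1] == '\"')) {
++ new_path[len - 1] = 0x0;
++ len--;
+}
+
+/* RFC6265 5.2.4 The Path Attribute */
+if(new_path[0] != '/') {
+/* Let cookie-path be the default-path. */
+@@ -239,12 +242,11 @@ static char *sanitize_cookie_path(const char *cookie_path)
+new_path = strdup("/");
+return new_path;
+}
+
+/* convert /hoge/ to /hoge */
+- len = strlen(new_path);
+- if(1 < len && new_path[len - 1] == '/') {
++ if(len && new_path[len - 1] == '/') {
+new_path[len - 1] = 0x0;
+}
+
+return new_path;
+}
+--
+2.1.4
+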
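Review bot: In the second lib/cookie.c hunk, relaxing the trailing-slash guard from `1 < len` to `len` means a cookie path of exactly `/` (or a quoted `"/"`) now has its only character overwritten, so sanitize_cookie_path() returns an empty string where the old code returned `/`. The out-of-bounds write at index -1 described in the commit message is already closed by the `len &&` check added in the first hunk, so the slash-stripping step could keep `if(1 < len && new_path[len - 1] == '/') {` with the tracked `len` without reopening it. As this is a backport of the upstream line, confirm how the path-matching callers (not visible here) treat an empty cookie path before carrying it unchanged. A regression test covering a lone double-quote, `/` and `"/"` as inputs would pin both the memory-safety fix and the resulting path value. The function's opening lines and the declaration of `len` are outside the hunks shown.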