1 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22925.patch b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
new file mode 100644
index 0000000000..13b55f76be
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
@@ -0,0 +1,43 @@
+Subject: [PATCH] telnet: fix option parser to not send uninitialized
+ contents CVE-2021-22925
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+CVE: CVE-2021-22925
+Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/telnet.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 4bf4c652c..3347ad6d1 100644
+--- a/lib/telnet.c
+++ b/lib/telnet.c
+@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
+         size_t tmplen = (strlen(v->data) + 1);
+         /* Add the variable only if it fits */
+         if(len + tmplen < (int)sizeof(temp)-6) {
+-          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+-            msnprintf((char *)&temp[len], sizeof(temp) - len,
+-                      "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+-                      CURL_NEW_ENV_VALUE, varval);
+-            len += tmplen;
+-          }
+          int rv;
+          char sep[2] = "";
+          varval[0] = 0;
+          rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
+          if(rv == 1)
+            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
+                             "%c%s", CURL_NEW_ENV_VAR, varname);
+          else if(rv >= 2)
+            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
+                             "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+                             CURL_NEW_ENV_VALUE, varval);
+         }
+       }
+       msnprintf((char *)&temp[len], sizeof(temp) - len,
+-- 
+2.30.2

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22925.patch b/meta/recipes-support/curl/curl/CVE-2021-22925.patch new file mode 100644 index 0000000000..13b55f76be --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
@@ -0,0 +1,43 @@
	1	Subject: [PATCH] telnet: fix option parser to not send uninitialized
	2	contents CVE-2021-22925
	3
	4	Reported-by: Red Hat Product Security
	5	Bug: https://curl.se/docs/CVE-2021-22925.html
	6	CVE: CVE-2021-22925
	7	Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
	8	Signed-off-by: Mike Crowe <mac@mcrowe.com>
	9	---
	10	lib/telnet.c \| 17 +++++++++++------
	11	1 file changed, 11 insertions(+), 6 deletions(-)
	12
	13	diff --git a/lib/telnet.c b/lib/telnet.c
	14	index 4bf4c652c..3347ad6d1 100644
	15	--- a/lib/telnet.c
	16	+++ b/lib/telnet.c
	17	@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
	18	size_t tmplen = (strlen(v->data) + 1);
	19	/* Add the variable only if it fits */
	20	if(len + tmplen < (int)sizeof(temp)-6) {
	21	- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
	22	- msnprintf((char *)&temp[len], sizeof(temp) - len,
	23	- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
	24	- CURL_NEW_ENV_VALUE, varval);
	25	- len += tmplen;
	26	- }
	27	+ int rv;
	28	+ char sep[2] = "";
	29	+ varval[0] = 0;
	30	+ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
	31	+ if(rv == 1)
	32	+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
	33	+ "%c%s", CURL_NEW_ENV_VAR, varname);
	34	+ else if(rv >= 2)
	35	+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
	36	+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
	37	+ CURL_NEW_ENV_VALUE, varval);
	38	}
	39	}
	40	msnprintf((char *)&temp[len], sizeof(temp) - len,
	41	--
	42	2.30.2
	43