1 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32208.patch b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
new file mode 100644
index 0000000000..2939314d09
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
@@ -0,0 +1,72 @@
+From 3b90f0b2a7a84645acce151c86b40d25b5de6615 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/krb5.c     |  5 +----
+ lib/security.c | 13 ++++++++++---
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+diff --git a/lib/krb5.c b/lib/krb5.c
+index f50287a..5b77e35 100644
+--- a/lib/krb5.c
+++ b/lib/krb5.c
+@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len,
+   enc.value = buf;
+   enc.length = len;
+   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+-  if(maj != GSS_S_COMPLETE) {
+-    if(len >= 4)
+-      strcpy(buf, "599 ");
+  if(maj != GSS_S_COMPLETE)
+     return -1;
+-  }
+ 
+   memcpy(buf, dec.value, dec.length);
+   len = curlx_uztosi(dec.length);
+diff --git a/lib/security.c b/lib/security.c
+index fbfa707..3542210 100644
+--- a/lib/security.c
+++ b/lib/security.c
+@@ -192,6 +192,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+   int len;
+   CURLcode result;
+  int nread;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+   if(result)
+@@ -200,7 +201,10 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    buf->data = Curl_saferealloc(buf->data, len);
+    if(len > CURL_MAX_INPUT_LENGTH)
+      len = 0;
+    else
+      buf->data = Curl_saferealloc(buf->data, len);
+   }
+   if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
+@@ -208,8 +212,11 @@ static CURLcode read_data(struct connectdata *conn,
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;
+-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+-                                 conn->data_prot, conn);
+  nread = buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+                                         conn->data_prot, conn);
+  if(nread < 0)
+    return CURLE_RECV_ERROR;
+  buf->size = (size_t)nread;
+   buf->index = 0;
+   return CURLE_OK;
+ }

diff --git a/meta/recipes-support/curl/curl/CVE-2022-32208.patch b/meta/recipes-support/curl/curl/CVE-2022-32208.patch new file mode 100644 index 0000000000..2939314d09 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
@@ -0,0 +1,72 @@
	1	From 3b90f0b2a7a84645acce151c86b40d25b5de6615 Mon Sep 17 00:00:00 2001
	2	From: Daniel Stenberg <daniel@haxx.se>
	3	Date: Thu, 9 Jun 2022 09:27:24 +0200
	4	Subject: [PATCH] krb5: return error properly on decode errors
	5
	6	Bug: https://curl.se/docs/CVE-2022-32208.html
	7	CVE-2022-32208
	8	Reported-by: Harry Sintonen
	9	Closes #9051
	10
	11	Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
	12	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
	13	---
	14	lib/krb5.c \| 5 +----
	15	lib/security.c \| 13 ++++++++++---
	16	2 files changed, 11 insertions(+), 7 deletions(-)
	17
	18	diff --git a/lib/krb5.c b/lib/krb5.c
	19	index f50287a..5b77e35 100644
	20	--- a/lib/krb5.c
	21	+++ b/lib/krb5.c
	22	@@ -86,11 +86,8 @@ krb5_decode(void app_data, void buf, int len,
	23	enc.value = buf;
	24	enc.length = len;
	25	maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
	26	- if(maj != GSS_S_COMPLETE) {
	27	- if(len >= 4)
	28	- strcpy(buf, "599 ");
	29	+ if(maj != GSS_S_COMPLETE)
	30	return -1;
	31	- }
	32
	33	memcpy(buf, dec.value, dec.length);
	34	len = curlx_uztosi(dec.length);
	35	diff --git a/lib/security.c b/lib/security.c
	36	index fbfa707..3542210 100644
	37	--- a/lib/security.c
	38	+++ b/lib/security.c
	39	@@ -192,6 +192,7 @@ static CURLcode read_data(struct connectdata *conn,
	40	{
	41	int len;
	42	CURLcode result;
	43	+ int nread;
	44
	45	result = socket_read(fd, &len, sizeof(len));
	46	if(result)
	47	@@ -200,7 +201,10 @@ static CURLcode read_data(struct connectdata *conn,
	48	if(len) {
	49	/* only realloc if there was a length */
	50	len = ntohl(len);
	51	- buf->data = Curl_saferealloc(buf->data, len);
	52	+ if(len > CURL_MAX_INPUT_LENGTH)
	53	+ len = 0;
	54	+ else
	55	+ buf->data = Curl_saferealloc(buf->data, len);
	56	}
	57	if(!len \|\| !buf->data)
	58	return CURLE_OUT_OF_MEMORY;
	59	@@ -208,8 +212,11 @@ static CURLcode read_data(struct connectdata *conn,
	60	result = socket_read(fd, buf->data, len);
	61	if(result)
	62	return result;
	63	- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
	64	- conn->data_prot, conn);
	65	+ nread = buf->size = conn->mech->decode(conn->app_data, buf->data, len,
	66	+ conn->data_prot, conn);
	67	+ if(nread < 0)
	68	+ return CURLE_RECV_ERROR;
	69	+ buf->size = (size_t)nread;
	70	buf->index = 0;
	71	return CURLE_OK;
	72	}