diff options
Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2022-35260.patch')
| -rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-35260.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-35260.patch b/meta/recipes-support/curl/curl/CVE-2022-35260.patch new file mode 100644 index 0000000000..476c996b0a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-35260.patch | |||
| @@ -0,0 +1,68 @@ | |||
| 1 | From 3ff3989ec53d9ddcf4bdd99f5d5788dd87486768 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Stenberg <daniel@haxx.se> | ||
| 3 | Date: Tue, 4 Oct 2022 14:37:24 +0200 | ||
| 4 | Subject: [PATCH] netrc: replace fgets with Curl_get_line | ||
| 5 | |||
| 6 | Upstream-Status: Backport | ||
| 7 | CVE: CVE-2022-35260 | ||
| 8 | Reference to upstream patch: https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa863e0476dffa377b184c | ||
| 9 | |||
| 10 | Make the parser only accept complete lines and avoid problems with | ||
| 11 | overly long lines. | ||
| 12 | |||
| 13 | Reported-by: Hiroki Kurosawa | ||
| 14 | |||
| 15 | Closes #9789 | ||
| 16 | --- | ||
| 17 | lib/curl_get_line.c | 4 ++-- | ||
| 18 | lib/netrc.c | 5 +++-- | ||
| 19 | 2 files changed, 5 insertions(+), 4 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c | ||
| 22 | index c4194851ae09..4b9eea9e631c 100644 | ||
| 23 | --- a/lib/curl_get_line.c | ||
| 24 | +++ b/lib/curl_get_line.c | ||
| 25 | @@ -28,8 +28,8 @@ | ||
| 26 | #include "memdebug.h" | ||
| 27 | |||
| 28 | /* | ||
| 29 | - * get_line() makes sure to only return complete whole lines that fit in 'len' | ||
| 30 | - * bytes and end with a newline. | ||
| 31 | + * Curl_get_line() makes sure to only return complete whole lines that fit in | ||
| 32 | + * 'len' bytes and end with a newline. | ||
| 33 | */ | ||
| 34 | char *Curl_get_line(char *buf, int len, FILE *input) | ||
| 35 | { | ||
| 36 | diff --git a/lib/netrc.c b/lib/netrc.c | ||
| 37 | index 1c9da31993c9..93239132c9d8 100644 | ||
| 38 | --- a/lib/netrc.c | ||
| 39 | +++ b/lib/netrc.c | ||
| 40 | @@ -31,6 +31,7 @@ | ||
| 41 | #include "netrc.h" | ||
| 42 | #include "strtok.h" | ||
| 43 | #include "strcase.h" | ||
| 44 | +#include "curl_get_line.h" | ||
| 45 | |||
| 46 | /* The last 3 #include files should be in this order */ | ||
| 47 | #include "curl_printf.h" | ||
| 48 | @@ -83,7 +84,7 @@ static int parsenetrc(const char *host, | ||
| 49 | char netrcbuffer[4096]; | ||
| 50 | int netrcbuffsize = (int)sizeof(netrcbuffer); | ||
| 51 | |||
| 52 | - while(!done && fgets(netrcbuffer, netrcbuffsize, file)) { | ||
| 53 | + while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) { | ||
| 54 | tok = strtok_r(netrcbuffer, " \t\n", &tok_buf); | ||
| 55 | if(tok && *tok == '#') | ||
| 56 | /* treat an initial hash as a comment line */ | ||
| 57 | @@ -169,7 +170,7 @@ static int parsenetrc(const char *host, | ||
| 58 | |||
| 59 | tok = strtok_r(NULL, " \t\n", &tok_buf); | ||
| 60 | } /* while(tok) */ | ||
| 61 | - } /* while fgets() */ | ||
| 62 | + } /* while Curl_get_line() */ | ||
| 63 | |||
| 64 | out: | ||
| 65 | if(!retcode) { | ||
| 66 | -- | ||
| 67 | 2.34.1 | ||
| 68 | |||