Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2023-27533.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2023-27533.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27533.patch b/meta/recipes-support/curl/curl/CVE-2023-27533.patch
new file mode 100644
index 0000000000..64ba135056
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27533.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001 | ||
4 | From: Daniel Stenberg <daniel@haxx.se> | ||
5 | Date: Mon, 6 Mar 2023 12:07:33 +0100 | ||
6 | Subject: [PATCH] telnet: only accept option arguments in ascii | ||
7 | |||
8 | To avoid embedded telnet negotiation commands etc. | ||
9 | |||
10 | Reported-by: Harry Sintonen | ||
11 | Closes #10728 | ||
12 | |||
13 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27533.patch?h=ubuntu/focal-security | ||
14 | Upstream commit https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684] | ||
15 | CVE: CVE-2023-27533 | ||
16 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
17 | --- | ||
18 | lib/telnet.c | 15 +++++++++++++++ | ||
19 | 1 file changed, 15 insertions(+) | ||
20 | |||
21 | --- a/lib/telnet.c | ||
22 | +++ b/lib/telnet.c | ||
23 | @@ -815,6 +815,17 @@ static void printsub(struct Curl_easy *d | ||
24 | } | ||
25 | } | ||
26 | |||
27 | +static bool str_is_nonascii(const char *str) | ||
28 | +{ | ||
29 | + size_t len = strlen(str); | ||
30 | + while(len--) { | ||
31 | + if(*str & 0x80) | ||
32 | + return TRUE; | ||
33 | + str++; | ||
34 | + } | ||
35 | + return FALSE; | ||
36 | +} | ||
37 | + | ||
38 | static CURLcode check_telnet_options(struct connectdata *conn) | ||
39 | { | ||
40 | struct curl_slist *head; | ||
41 | @@ -829,6 +840,8 @@ static CURLcode check_telnet_options(str | ||
42 | /* Add the user name as an environment variable if it | ||
43 | was given on the command line */ | ||
44 | if(conn->bits.user_passwd) { | ||
45 | + if(str_is_nonascii(data->conn->user)) | ||
46 | + return CURLE_BAD_FUNCTION_ARGUMENT; | ||
47 | msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); | ||
48 | beg = curl_slist_append(tn->telnet_vars, option_arg); | ||
49 | if(!beg) { | ||
50 | @@ -844,6 +857,9 @@ static CURLcode check_telnet_options(str | ||
51 | if(sscanf(head->data, "%127[^= ]%*[ =]%255s", | ||
52 | option_keyword, option_arg) == 2) { | ||
53 | |||
54 | + if(str_is_nonascii(option_arg)) | ||
55 | + continue; | ||
56 | + | ||
57 | /* Terminal type */ | ||
58 | if(strcasecompare(option_keyword, "TTYPE")) { | ||
59 | strncpy(tn->subopt_ttype, option_arg, 31); | ||
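Review bot: The new user-name guard at inner line 45 tests `data->conn->user` while the very next line formats `conn->user`; the hunk header shows check_telnet_options() receives only `conn`, so `data` must be a local declared outside the hunk and the two presumably alias the same connection, but the check and the use should name the same object — `if(str_is_nonascii(conn->user))` — so they cannot diverge. Note also that str_is_nonascii() rejects only bytes with the high bit set, so IAC (0xFF) is caught, but bytes below 0x20 that `%255s` does not stop at (including the NEW-ENVIRON VAR/VALUE/ESC/USERVAR codes 0–3) still reach the sub-negotiation; whether that is exploitable depends on how the code outside this hunk encodes the values, so it is worth confirming rather than assuming this backport closes every injection path. Finally, a non-ASCII user name fails with CURLE_BAD_FUNCTION_ARGUMENT while a non-ASCII `-t` option is silently dropped by `continue`; either return the same error there or add a comment such as `/* deliberately skip, not fail: one bad option must not abort the connection */` so the asymmetry reads as intended. Both hunks cut through check_telnet_options(), which begins and ends outside this view.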