1 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
new file mode 100644
index 0000000000..46c57afb73
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
@@ -0,0 +1,51 @@
+From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
+From: Eric Vigeant <evigeant@gmail.com>
+Date: Wed, 2 Nov 2022 11:47:09 -0400
+Subject: [PATCH] cur_path: do not add '/' if homedir ends with one
+When using SFTP and a path relative to the user home, do not add a
+trailing '/' to the user home dir if it already ends with one.
+Closes #9844
+CVE: CVE-2023-27534
+Note:
+- The upstream patch for CVE-2023-27534 does three things:
+1) creates new path with dynbuf(dynamic buffer)
+2) solves the tilde error which causes CVE-2023-27534
+3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.
+- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
+- This patch completes the 3rd task of the patch which was implemented without using dynbuf
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ lib/curl_path.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index f429634..40b92ee 100644
+--- a/lib/curl_path.c
+++ b/lib/curl_path.c
+@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+       /* It is referenced to the home directory, so strip the
+          leading '/' */
+       memcpy(real_path, homedir, homelen);
+-      real_path[homelen] = '/';
+-      real_path[homelen + 1] = '\0';
+      /* Only add a trailing '/' if homedir does not end with one */
+      if(homelen == 0 || real_path[homelen - 1] != '/') {
+        real_path[homelen] = '/';
+        homelen++;
+        real_path[homelen] = '\0';
+      }
+       if(working_path_len > 3) {
+-        memcpy(real_path + homelen + 1, working_path + 3,
+        memcpy(real_path + homelen, working_path + 3,
+                1 + working_path_len -3);
+       }
+     }
+-- 
+2.24.4

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch new file mode 100644 index 0000000000..46c57afb73 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
@@ -0,0 +1,51 @@
	1	From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
	2	From: Eric Vigeant <evigeant@gmail.com>
	3	Date: Wed, 2 Nov 2022 11:47:09 -0400
	4	Subject: [PATCH] cur_path: do not add '/' if homedir ends with one
	5
	6	When using SFTP and a path relative to the user home, do not add a
	7	trailing '/' to the user home dir if it already ends with one.
	8
	9	Closes #9844
	10
	11	CVE: CVE-2023-27534
	12	Note:
	13	- The upstream patch for CVE-2023-27534 does three things:
	14	1) creates new path with dynbuf(dynamic buffer)
	15	2) solves the tilde error which causes CVE-2023-27534
	16	3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.
	17	- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
	18	- This patch completes the 3rd task of the patch which was implemented without using dynbuf
	19	Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]
	20
	21	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	22	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
	23	---
	24	lib/curl_path.c \| 10 +++++++---
	25	1 file changed, 7 insertions(+), 3 deletions(-)
	26
	27	diff --git a/lib/curl_path.c b/lib/curl_path.c
	28	index f429634..40b92ee 100644
	29	--- a/lib/curl_path.c
	30	+++ b/lib/curl_path.c
	31	@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
	32	/* It is referenced to the home directory, so strip the
	33	leading '/' */
	34	memcpy(real_path, homedir, homelen);
	35	- real_path[homelen] = '/';
	36	- real_path[homelen + 1] = '\0';
	37	+ /* Only add a trailing '/' if homedir does not end with one */
	38	+ if(homelen == 0 \|\| real_path[homelen - 1] != '/') {
	39	+ real_path[homelen] = '/';
	40	+ homelen++;
	41	+ real_path[homelen] = '\0';
	42	+ }
	43	if(working_path_len > 3) {
	44	- memcpy(real_path + homelen + 1, working_path + 3,
	45	+ memcpy(real_path + homelen, working_path + 3,
	46	1 + working_path_len -3);
	47	}
	48	}
	49	--
	50	2.24.4
	51