diff options
Diffstat (limited to 'meta/recipes-support')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2019-5435.patch | 266 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2019-5436.patch | 30 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.64.1.bb | 2 |
3 files changed, 298 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2019-5435.patch b/meta/recipes-support/curl/curl/CVE-2019-5435.patch new file mode 100644 index 0000000000..f72435f608 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2019-5435.patch | |||
@@ -0,0 +1,266 @@ | |||
1 | From 756380f74d58d5a877b26dc21be7b1316b617213 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 29 Apr 2019 08:00:49 +0200 | ||
4 | Subject: [PATCH] CURL_MAX_INPUT_LENGTH: largest acceptable string input size | ||
5 | |||
6 | This limits all accepted input strings passed to libcurl to be less than | ||
7 | CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: | ||
8 | curl_easy_setopt() and curl_url_set(). | ||
9 | |||
10 | The 8000000 number is arbitrary picked and is meant to detect mistakes | ||
11 | or abuse, not to limit actual practical use cases. By limiting the | ||
12 | acceptable string lengths we also reduce the risk of integer overflows | ||
13 | all over. | ||
14 | |||
15 | NOTE: This does not apply to `CURLOPT_POSTFIELDS`. | ||
16 | |||
17 | Test 1559 verifies. | ||
18 | |||
19 | Closes #3805 | ||
20 | |||
21 | Upstream-Status: Backport | ||
22 | CVE: CVE-2019-5435 | ||
23 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
24 | |||
25 | --- | ||
26 | lib/setopt.c | 7 +++++ | ||
27 | lib/urlapi.c | 8 +++++ | ||
28 | lib/urldata.h | 4 +++ | ||
29 | tests/data/Makefile.inc | 2 +- | ||
30 | tests/data/test1559 | 44 ++++++++++++++++++++++++++ | ||
31 | tests/libtest/Makefile.inc | 6 ++-- | ||
32 | tests/libtest/lib1559.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++ | ||
33 | 7 files changed, 146 insertions(+), 3 deletions(-) | ||
34 | create mode 100644 tests/data/test1559 | ||
35 | create mode 100644 tests/libtest/lib1559.c | ||
36 | |||
37 | diff --git a/lib/setopt.c b/lib/setopt.c | ||
38 | index b5f74a9..edf7165 100644 | ||
39 | --- a/lib/setopt.c | ||
40 | +++ b/lib/setopt.c | ||
41 | @@ -61,6 +61,13 @@ CURLcode Curl_setstropt(char **charp, const char *s) | ||
42 | if(s) { | ||
43 | char *str = strdup(s); | ||
44 | |||
45 | + if(str) { | ||
46 | + size_t len = strlen(str); | ||
47 | + if(len > CURL_MAX_INPUT_LENGTH) { | ||
48 | + free(str); | ||
49 | + return CURLE_BAD_FUNCTION_ARGUMENT; | ||
50 | + } | ||
51 | + } | ||
52 | if(!str) | ||
53 | return CURLE_OUT_OF_MEMORY; | ||
54 | |||
55 | diff --git a/lib/urlapi.c b/lib/urlapi.c | ||
56 | index a19867e..822e4b3 100644 | ||
57 | --- a/lib/urlapi.c | ||
58 | +++ b/lib/urlapi.c | ||
59 | @@ -642,6 +642,10 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags) | ||
60 | ************************************************************/ | ||
61 | /* allocate scratch area */ | ||
62 | urllen = strlen(url); | ||
63 | + if(urllen > CURL_MAX_INPUT_LENGTH) | ||
64 | + /* excessive input length */ | ||
65 | + return CURLUE_MALFORMED_INPUT; | ||
66 | + | ||
67 | path = u->scratch = malloc(urllen * 2 + 2); | ||
68 | if(!path) | ||
69 | return CURLUE_OUT_OF_MEMORY; | ||
70 | @@ -1272,6 +1276,10 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what, | ||
71 | const char *newp = part; | ||
72 | size_t nalloc = strlen(part); | ||
73 | |||
74 | + if(nalloc > CURL_MAX_INPUT_LENGTH) | ||
75 | + /* excessive input length */ | ||
76 | + return CURLUE_MALFORMED_INPUT; | ||
77 | + | ||
78 | if(urlencode) { | ||
79 | const char *i; | ||
80 | char *o; | ||
81 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
82 | index 24187a4..049a34d 100644 | ||
83 | --- a/lib/urldata.h | ||
84 | +++ b/lib/urldata.h | ||
85 | @@ -79,6 +79,10 @@ | ||
86 | */ | ||
87 | #define RESP_TIMEOUT (120*1000) | ||
88 | |||
89 | +/* Max string intput length is a precaution against abuse and to detect junk | ||
90 | + input easier and better. */ | ||
91 | +#define CURL_MAX_INPUT_LENGTH 8000000 | ||
92 | + | ||
93 | #include "cookie.h" | ||
94 | #include "psl.h" | ||
95 | #include "formdata.h" | ||
96 | diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
97 | index 2eca9c6..3dd234f 100644 | ||
98 | --- a/tests/data/Makefile.inc | ||
99 | +++ b/tests/data/Makefile.inc | ||
100 | @@ -176,7 +176,7 @@ test1525 test1526 test1527 test1528 test1529 test1530 test1531 test1532 \ | ||
101 | test1533 test1534 test1535 test1536 test1537 test1538 \ | ||
102 | test1540 test1541 \ | ||
103 | test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \ | ||
104 | -test1558 test1560 test1561 test1562 \ | ||
105 | +test1558 test1559 test1560 test1561 test1562 \ | ||
106 | \ | ||
107 | test1590 test1591 test1592 \ | ||
108 | \ | ||
109 | diff --git a/tests/data/test1559 b/tests/data/test1559 | ||
110 | new file mode 100644 | ||
111 | index 0000000..cbed6fb | ||
112 | --- /dev/null | ||
113 | +++ b/tests/data/test1559 | ||
114 | @@ -0,0 +1,44 @@ | ||
115 | +<testcase> | ||
116 | +<info> | ||
117 | +<keywords> | ||
118 | +CURLOPT_URL | ||
119 | +</keywords> | ||
120 | +</info> | ||
121 | + | ||
122 | +<reply> | ||
123 | +</reply> | ||
124 | + | ||
125 | +<client> | ||
126 | +<server> | ||
127 | +none | ||
128 | +</server> | ||
129 | + | ||
130 | +# require HTTP so that CURLOPT_POSTFIELDS works as assumed | ||
131 | +<features> | ||
132 | +http | ||
133 | +</features> | ||
134 | +<tool> | ||
135 | +lib1559 | ||
136 | +</tool> | ||
137 | + | ||
138 | +<name> | ||
139 | +Set excessive URL lengths | ||
140 | +</name> | ||
141 | +</client> | ||
142 | + | ||
143 | +# | ||
144 | +# Verify that the test runs to completion without crashing | ||
145 | +<verify> | ||
146 | +<errorcode> | ||
147 | +0 | ||
148 | +</errorcode> | ||
149 | +<stdout> | ||
150 | +CURLOPT_URL 10000000 bytes URL == 43 | ||
151 | +CURLOPT_POSTFIELDS 10000000 bytes data == 0 | ||
152 | +CURLUPART_URL 10000000 bytes URL == 3 | ||
153 | +CURLUPART_SCHEME 10000000 bytes scheme == 3 | ||
154 | +CURLUPART_USER 10000000 bytes user == 3 | ||
155 | +</stdout> | ||
156 | +</verify> | ||
157 | + | ||
158 | +</testcase> | ||
159 | diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc | ||
160 | index e38f481..52b51c5 100644 | ||
161 | --- a/tests/libtest/Makefile.inc | ||
162 | +++ b/tests/libtest/Makefile.inc | ||
163 | @@ -31,8 +31,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \ | ||
164 | lib1534 lib1535 lib1536 lib1537 lib1538 \ | ||
165 | lib1540 lib1541 \ | ||
166 | lib1550 lib1551 lib1552 lib1553 lib1554 lib1555 lib1556 lib1557 \ | ||
167 | - lib1558 \ | ||
168 | - lib1560 \ | ||
169 | + lib1558 lib1559 lib1560 \ | ||
170 | lib1591 lib1592 \ | ||
171 | lib1900 lib1905 \ | ||
172 | lib2033 | ||
173 | @@ -529,6 +528,9 @@ lib1557_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1557 | ||
174 | lib1558_SOURCES = lib1558.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) | ||
175 | lib1558_LDADD = $(TESTUTIL_LIBS) | ||
176 | |||
177 | +lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) | ||
178 | +lib1559_LDADD = $(TESTUTIL_LIBS) | ||
179 | + | ||
180 | lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) | ||
181 | lib1560_LDADD = $(TESTUTIL_LIBS) | ||
182 | |||
183 | diff --git a/tests/libtest/lib1559.c b/tests/libtest/lib1559.c | ||
184 | new file mode 100644 | ||
185 | index 0000000..2aa3615 | ||
186 | --- /dev/null | ||
187 | +++ b/tests/libtest/lib1559.c | ||
188 | @@ -0,0 +1,78 @@ | ||
189 | +/*************************************************************************** | ||
190 | + * _ _ ____ _ | ||
191 | + * Project ___| | | | _ \| | | ||
192 | + * / __| | | | |_) | | | ||
193 | + * | (__| |_| | _ <| |___ | ||
194 | + * \___|\___/|_| \_\_____| | ||
195 | + * | ||
196 | + * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
197 | + * | ||
198 | + * This software is licensed as described in the file COPYING, which | ||
199 | + * you should have received as part of this distribution. The terms | ||
200 | + * are also available at https://curl.haxx.se/docs/copyright.html. | ||
201 | + * | ||
202 | + * You may opt to use, copy, modify, merge, publish, distribute and/or sell | ||
203 | + * copies of the Software, and permit persons to whom the Software is | ||
204 | + * furnished to do so, under the terms of the COPYING file. | ||
205 | + * | ||
206 | + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY | ||
207 | + * KIND, either express or implied. | ||
208 | + * | ||
209 | + ***************************************************************************/ | ||
210 | +#include "test.h" | ||
211 | + | ||
212 | +#include "testutil.h" | ||
213 | +#include "warnless.h" | ||
214 | +#include "memdebug.h" | ||
215 | + | ||
216 | +#define EXCESSIVE 10*1000*1000 | ||
217 | +int test(char *URL) | ||
218 | +{ | ||
219 | + CURLcode res = 0; | ||
220 | + CURL *curl = NULL; | ||
221 | + char *longurl = malloc(EXCESSIVE); | ||
222 | + CURLU *u; | ||
223 | + (void)URL; | ||
224 | + | ||
225 | + memset(longurl, 'a', EXCESSIVE); | ||
226 | + longurl[EXCESSIVE-1] = 0; | ||
227 | + | ||
228 | + global_init(CURL_GLOBAL_ALL); | ||
229 | + easy_init(curl); | ||
230 | + | ||
231 | + res = curl_easy_setopt(curl, CURLOPT_URL, longurl); | ||
232 | + printf("CURLOPT_URL %d bytes URL == %d\n", | ||
233 | + EXCESSIVE, (int)res); | ||
234 | + | ||
235 | + res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, longurl); | ||
236 | + printf("CURLOPT_POSTFIELDS %d bytes data == %d\n", | ||
237 | + EXCESSIVE, (int)res); | ||
238 | + | ||
239 | + u = curl_url(); | ||
240 | + if(u) { | ||
241 | + CURLUcode uc = curl_url_set(u, CURLUPART_URL, longurl, 0); | ||
242 | + printf("CURLUPART_URL %d bytes URL == %d\n", | ||
243 | + EXCESSIVE, (int)uc); | ||
244 | + uc = curl_url_set(u, CURLUPART_SCHEME, longurl, CURLU_NON_SUPPORT_SCHEME); | ||
245 | + printf("CURLUPART_SCHEME %d bytes scheme == %d\n", | ||
246 | + EXCESSIVE, (int)uc); | ||
247 | + uc = curl_url_set(u, CURLUPART_USER, longurl, 0); | ||
248 | + printf("CURLUPART_USER %d bytes user == %d\n", | ||
249 | + EXCESSIVE, (int)uc); | ||
250 | + curl_url_cleanup(u); | ||
251 | + } | ||
252 | + | ||
253 | + free(longurl); | ||
254 | + | ||
255 | + curl_easy_cleanup(curl); | ||
256 | + curl_global_cleanup(); | ||
257 | + | ||
258 | + return 0; | ||
259 | + | ||
260 | +test_cleanup: | ||
261 | + | ||
262 | + curl_easy_cleanup(curl); | ||
263 | + curl_global_cleanup(); | ||
264 | + | ||
265 | + return res; /* return the final return code */ | ||
266 | +} | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2019-5436.patch b/meta/recipes-support/curl/curl/CVE-2019-5436.patch new file mode 100644 index 0000000000..eee26ce273 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2019-5436.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From 2da531b3068e22cf714f001b493a704b2e9b923f Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Fri, 3 May 2019 22:20:37 +0200 | ||
4 | Subject: [PATCH] tftp: use the current blksize for recvfrom() | ||
5 | |||
6 | bug: https://curl.haxx.se/docs/CVE-2019-5436.html | ||
7 | Reported-by: l00p3r on hackerone | ||
8 | CVE-2019-5436 | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | CVE: CVE-2019-5436 | ||
12 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
13 | |||
14 | --- | ||
15 | lib/tftp.c | 2 +- | ||
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/lib/tftp.c b/lib/tftp.c | ||
19 | index 8b92b7b..289cda2 100644 | ||
20 | --- a/lib/tftp.c | ||
21 | +++ b/lib/tftp.c | ||
22 | @@ -1009,7 +1009,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) | ||
23 | state->sockfd = state->conn->sock[FIRSTSOCKET]; | ||
24 | state->state = TFTP_STATE_START; | ||
25 | state->error = TFTP_ERR_NONE; | ||
26 | - state->blksize = TFTP_BLKSIZE_DEFAULT; | ||
27 | + state->blksize = blksize; | ||
28 | state->requested_blksize = blksize; | ||
29 | |||
30 | ((struct sockaddr *)&state->local_addr)->sa_family = | ||
diff --git a/meta/recipes-support/curl/curl_7.64.1.bb b/meta/recipes-support/curl/curl_7.64.1.bb index 47c28beff6..00c8c5a826 100644 --- a/meta/recipes-support/curl/curl_7.64.1.bb +++ b/meta/recipes-support/curl/curl_7.64.1.bb | |||
@@ -7,6 +7,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=be5d9e1419c4363f4b32037a2d3b7ffa" | |||
7 | 7 | ||
8 | SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ | 8 | SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ |
9 | file://0001-replace-krb5-config-with-pkg-config.patch \ | 9 | file://0001-replace-krb5-config-with-pkg-config.patch \ |
10 | file://CVE-2019-5435.patch \ | ||
11 | file://CVE-2019-5436.patch \ | ||
10 | " | 12 | " |
11 | 13 | ||
12 | SRC_URI[md5sum] = "790c101927845208a9d7e8c429ddd1b2" | 14 | SRC_URI[md5sum] = "790c101927845208a9d7e8c429ddd1b2" |