2 files changed, 175 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8623.patch b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
new file mode 100644
index 0000000000..17eaf2b7ee
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
@@ -0,0 +1,174 @@
+From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2016 23:26:13 +0200
+Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies
+Previously it only held references to them, which was reckless as the
+thread lock was released so the cookies could get modified by other
+handles that share the same cookie jar over the share interface.
+CVE-2016-8623
+Bug: https://curl.haxx.se/docs/adv_20161102I.html
+Reported-by: Cure53
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-8623.patch
+CVE: CVE-2016-8623
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+---
+ lib/cookie.c | 61 +++++++++++++++++++++++++++++++++++++++---------------------
+ lib/cookie.h |  4 ++--
+ lib/http.c   |  2 +-
+ 3 files changed, 43 insertions(+), 24 deletions(-)
+Index: curl-7.44.0/lib/cookie.c
+===================================================================
+--- curl-7.44.0.orig/lib/cookie.c
+++ curl-7.44.0/lib/cookie.c
+@@ -1019,6 +1019,40 @@ static int cookie_sort(const void *p1, c
+   return 0;
+ }
+ 
+#define CLONE(field)                     \
+  do {                                   \
+    if(src->field) {                     \
+      dup->field = strdup(src->field);   \
+      if(!dup->field)                    \
+        goto fail;                       \
+    }                                    \
+  } while(0)
+
+static struct Cookie *dup_cookie(struct Cookie *src)
+{
+  struct Cookie *dup = calloc(sizeof(struct Cookie), 1);
+  if(dup) {
+    CLONE(expirestr);
+    CLONE(domain);
+    CLONE(path);
+    CLONE(spath);
+    CLONE(name);
+    CLONE(value);
+    CLONE(maxage);
+    CLONE(version);
+    dup->expires = src->expires;
+    dup->tailmatch = src->tailmatch;
+    dup->secure = src->secure;
+    dup->livecookie = src->livecookie;
+    dup->httponly = src->httponly;
+  }
+  return dup;
+
+  fail:
+  freecookie(dup);
+  return NULL;
+}
+
+ /*****************************************************************************
+  *
+  * Curl_cookie_getlist()
+@@ -1074,11 +1108,8 @@ struct Cookie *Curl_cookie_getlist(struc
+           /* and now, we know this is a match and we should create an
+              entry for the return-linked-list */
+ 
+-          newco = malloc(sizeof(struct Cookie));
+          newco = dup_cookie(co);
+           if(newco) {
+-            /* first, copy the whole source cookie: */
+-            memcpy(newco, co, sizeof(struct Cookie));
+-
+             /* then modify our next */
+             newco->next = mainco;
+ 
+@@ -1090,12 +1121,7 @@ struct Cookie *Curl_cookie_getlist(struc
+           else {
+             fail:
+             /* failure, clear up the allocated chain and return NULL */
+-            while(mainco) {
+-              co = mainco->next;
+-              free(mainco);
+-              mainco = co;
+-            }
+-
+            Curl_cookie_freelist(mainco);
+             return NULL;
+           }
+         }
+@@ -1147,7 +1173,7 @@ struct Cookie *Curl_cookie_getlist(struc
+ void Curl_cookie_clearall(struct CookieInfo *cookies)
+ {
+   if(cookies) {
+-    Curl_cookie_freelist(cookies->cookies, TRUE);
+    Curl_cookie_freelist(cookies->cookies);
+     cookies->cookies = NULL;
+     cookies->numcookies = 0;
+   }
+@@ -1159,21 +1185,14 @@ void Curl_cookie_clearall(struct CookieI
+  *
+  * Free a list of cookies previously returned by Curl_cookie_getlist();
+  *
+- * The 'cookiestoo' argument tells this function whether to just free the
+- * list or actually also free all cookies within the list as well.
+- *
+  ****************************************************************************/
+ 
+-void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo)
+void Curl_cookie_freelist(struct Cookie *co)
+ {
+   struct Cookie *next;
+   while(co) {
+     next = co->next;
+-    if(cookiestoo)
+-      freecookie(co);
+-    else
+-      free(co); /* we only free the struct since the "members" are all just
+-                   pointed out in the main cookie list! */
+    freecookie(co);
+     co = next;
+   }
+ }
+@@ -1228,7 +1247,7 @@ void Curl_cookie_cleanup(struct CookieIn
+ {
+   if(c) {
+     free(c->filename);
+-    Curl_cookie_freelist(c->cookies, TRUE);
+    Curl_cookie_freelist(c->cookies);
+     free(c); /* free the base struct as well */
+   }
+ }
+Index: curl-7.44.0/lib/cookie.h
+===================================================================
+--- curl-7.44.0.orig/lib/cookie.h
+++ curl-7.44.0/lib/cookie.h
+@@ -7,7 +7,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -82,7 +82,7 @@ struct Cookie *Curl_cookie_add(struct Se
+ 
+ struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *,
+                                    const char *, bool);
+-void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo);
+void Curl_cookie_freelist(struct Cookie *cookies);
+ void Curl_cookie_clearall(struct CookieInfo *cookies);
+ void Curl_cookie_clearsess(struct CookieInfo *cookies);
+ 
+Index: curl-7.44.0/lib/http.c
+===================================================================
+--- curl-7.44.0.orig/lib/http.c
+++ curl-7.44.0/lib/http.c
+@@ -2371,7 +2371,7 @@ CURLcode Curl_http(struct connectdata *c
+         }
+         co = co->next; /* next cookie please */
+       }
+-      Curl_cookie_freelist(store, FALSE); /* free the cookie list */
+      Curl_cookie_freelist(store);
+     }
+     if(addcookies && !result) {
+       if(!count)
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb
index 548bb46f95..9a9741dfe1 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -18,6 +18,7 @@ SRC_URI += " file://configure_ac.patch \
             file://CVE-2016-8619.patch \ 
             file://CVE-2016-8620.patch \
             file://CVE-2016-8621.patch \
+             file://CVE-2016-8623.patch \
           "
 SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8623.patch b/meta/recipes-support/curl/curl/CVE-2016-8623.patch new file mode 100644 index 0000000000..17eaf2b7ee --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
@@ -0,0 +1,174 @@
		1	From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Tue, 4 Oct 2016 23:26:13 +0200
		4	Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies
		5
		6	Previously it only held references to them, which was reckless as the
		7	thread lock was released so the cookies could get modified by other
		8	handles that share the same cookie jar over the share interface.
		9
		10	CVE-2016-8623
		11
		12	Bug: https://curl.haxx.se/docs/adv_20161102I.html
		13	Reported-by: Cure53
		14
		15	Upstream-Status: Backport
		16	https://curl.haxx.se/CVE-2016-8623.patch
		17	CVE: CVE-2016-8623
		18	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		19
		20	---
		21	lib/cookie.c \| 61 +++++++++++++++++++++++++++++++++++++++---------------------
		22	lib/cookie.h \| 4 ++--
		23	lib/http.c \| 2 +-
		24	3 files changed, 43 insertions(+), 24 deletions(-)
		25
		26	Index: curl-7.44.0/lib/cookie.c
		27	===================================================================
		28	--- curl-7.44.0.orig/lib/cookie.c
		29	+++ curl-7.44.0/lib/cookie.c
		30	@@ -1019,6 +1019,40 @@ static int cookie_sort(const void *p1, c
		31	return 0;
		32	}
		33
		34	+#define CLONE(field) \
		35	+ do { \
		36	+ if(src->field) { \
		37	+ dup->field = strdup(src->field); \
		38	+ if(!dup->field) \
		39	+ goto fail; \
		40	+ } \
		41	+ } while(0)
		42	+
		43	+static struct Cookie dup_cookie(struct Cookie src)
		44	+{
		45	+ struct Cookie *dup = calloc(sizeof(struct Cookie), 1);
		46	+ if(dup) {
		47	+ CLONE(expirestr);
		48	+ CLONE(domain);
		49	+ CLONE(path);
		50	+ CLONE(spath);
		51	+ CLONE(name);
		52	+ CLONE(value);
		53	+ CLONE(maxage);
		54	+ CLONE(version);
		55	+ dup->expires = src->expires;
		56	+ dup->tailmatch = src->tailmatch;
		57	+ dup->secure = src->secure;
		58	+ dup->livecookie = src->livecookie;
		59	+ dup->httponly = src->httponly;
		60	+ }
		61	+ return dup;
		62	+
		63	+ fail:
		64	+ freecookie(dup);
		65	+ return NULL;
		66	+}
		67	+
		68	/*****************************************************************************
		69	*
		70	* Curl_cookie_getlist()
		71	@@ -1074,11 +1108,8 @@ struct Cookie *Curl_cookie_getlist(struc
		72	/* and now, we know this is a match and we should create an
		73	entry for the return-linked-list */
		74
		75	- newco = malloc(sizeof(struct Cookie));
		76	+ newco = dup_cookie(co);
		77	if(newco) {
		78	- /* first, copy the whole source cookie: */
		79	- memcpy(newco, co, sizeof(struct Cookie));
		80	-
		81	/* then modify our next */
		82	newco->next = mainco;
		83
		84	@@ -1090,12 +1121,7 @@ struct Cookie *Curl_cookie_getlist(struc
		85	else {
		86	fail:
		87	/* failure, clear up the allocated chain and return NULL */
		88	- while(mainco) {
		89	- co = mainco->next;
		90	- free(mainco);
		91	- mainco = co;
		92	- }
		93	-
		94	+ Curl_cookie_freelist(mainco);
		95	return NULL;
		96	}
		97	}
		98	@@ -1147,7 +1173,7 @@ struct Cookie *Curl_cookie_getlist(struc
		99	void Curl_cookie_clearall(struct CookieInfo *cookies)
		100	{
		101	if(cookies) {
		102	- Curl_cookie_freelist(cookies->cookies, TRUE);
		103	+ Curl_cookie_freelist(cookies->cookies);
		104	cookies->cookies = NULL;
		105	cookies->numcookies = 0;
		106	}
		107	@@ -1159,21 +1185,14 @@ void Curl_cookie_clearall(struct CookieI
		108	*
		109	* Free a list of cookies previously returned by Curl_cookie_getlist();
		110	*
		111	- * The 'cookiestoo' argument tells this function whether to just free the
		112	- * list or actually also free all cookies within the list as well.
		113	- *
		114	****************************************************************************/
		115
		116	-void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo)
		117	+void Curl_cookie_freelist(struct Cookie *co)
		118	{
		119	struct Cookie *next;
		120	while(co) {
		121	next = co->next;
		122	- if(cookiestoo)
		123	- freecookie(co);
		124	- else
		125	- free(co); /* we only free the struct since the "members" are all just
		126	- pointed out in the main cookie list! */
		127	+ freecookie(co);
		128	co = next;
		129	}
		130	}
		131	@@ -1228,7 +1247,7 @@ void Curl_cookie_cleanup(struct CookieIn
		132	{
		133	if(c) {
		134	free(c->filename);
		135	- Curl_cookie_freelist(c->cookies, TRUE);
		136	+ Curl_cookie_freelist(c->cookies);
		137	free(c); /* free the base struct as well */
		138	}
		139	}
		140	Index: curl-7.44.0/lib/cookie.h
		141	===================================================================
		142	--- curl-7.44.0.orig/lib/cookie.h
		143	+++ curl-7.44.0/lib/cookie.h
		144	@@ -7,7 +7,7 @@
		145	* \| (__\| \|_\| \| _ <\| \|___
		146	* \___\|\___/\|_\| \_\_____\|
		147	*
		148	- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
		149	+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
		150	*
		151	* This software is licensed as described in the file COPYING, which
		152	* you should have received as part of this distribution. The terms
		153	@@ -82,7 +82,7 @@ struct Cookie *Curl_cookie_add(struct Se
		154
		155	struct Cookie Curl_cookie_getlist(struct CookieInfo , const char *,
		156	const char *, bool);
		157	-void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo);
		158	+void Curl_cookie_freelist(struct Cookie *cookies);
		159	void Curl_cookie_clearall(struct CookieInfo *cookies);
		160	void Curl_cookie_clearsess(struct CookieInfo *cookies);
		161
		162	Index: curl-7.44.0/lib/http.c
		163	===================================================================
		164	--- curl-7.44.0.orig/lib/http.c
		165	+++ curl-7.44.0/lib/http.c
		166	@@ -2371,7 +2371,7 @@ CURLcode Curl_http(struct connectdata *c
		167	}
		168	co = co->next; /* next cookie please */
		169	}
		170	- Curl_cookie_freelist(store, FALSE); /* free the cookie list */
		171	+ Curl_cookie_freelist(store);
		172	}
		173	if(addcookies && !result) {
		174	if(!count)


diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb index 548bb46f95..9a9741dfe1 100644 --- a/meta/recipes-support/curl/curl_7.50.1.bb +++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -18,6 +18,7 @@ SRC_URI += " file://configure_ac.patch \
18	file://CVE-2016-8619.patch \	18	file://CVE-2016-8619.patch \
19	file://CVE-2016-8620.patch \	19	file://CVE-2016-8620.patch \
20	file://CVE-2016-8621.patch \	20	file://CVE-2016-8621.patch \
		21	file://CVE-2016-8623.patch \
21	"	22	"
22		23
23	SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"	24	SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"