diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2016-8622.patch | 94 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.47.1.bb | 1 |
2 files changed, 95 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8622.patch b/meta/recipes-support/curl/curl/CVE-2016-8622.patch new file mode 100644 index 0000000000..8edad0184e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-8622.patch | |||
@@ -0,0 +1,94 @@ | |||
1 | From 53e71e47d6b81650d26ec33a58d0dca24c7ffb2c Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 4 Oct 2016 18:56:45 +0200 | ||
4 | Subject: [PATCH] unescape: avoid integer overflow | ||
5 | |||
6 | CVE: CVE-2016-8622 | ||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Bug: https://curl.haxx.se/docs/adv_20161102H.html | ||
10 | Reported-by: Cure53 | ||
11 | |||
12 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
13 | |||
14 | diff -ruN a/docs/libcurl/curl_easy_unescape.3 b/docs/libcurl/curl_easy_unescape.3 | ||
15 | --- a/docs/libcurl/curl_easy_unescape.3 2016-02-03 00:08:02.000000000 +0100 | ||
16 | +++ b/docs/libcurl/curl_easy_unescape.3 2016-11-07 09:25:45.999933275 +0100 | ||
17 | @@ -5,7 +5,7 @@ | ||
18 | .\" * | (__| |_| | _ <| |___ | ||
19 | .\" * \___|\___/|_| \_\_____| | ||
20 | .\" * | ||
21 | -.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
22 | +.\" * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
23 | .\" * | ||
24 | .\" * This software is licensed as described in the file COPYING, which | ||
25 | .\" * you should have received as part of this distribution. The terms | ||
26 | @@ -40,7 +40,10 @@ | ||
27 | |||
28 | If \fBoutlength\fP is non-NULL, the function will write the length of the | ||
29 | returned string in the integer it points to. This allows an escaped string | ||
30 | -containing %00 to still get used properly after unescaping. | ||
31 | +containing %00 to still get used properly after unescaping. Since this is a | ||
32 | +pointer to an \fIint\fP type, it can only return a value up to INT_MAX so no | ||
33 | +longer string can be unescaped if the string length is returned in this | ||
34 | +parameter. | ||
35 | |||
36 | You must \fIcurl_free(3)\fP the returned string when you're done with it. | ||
37 | .SH AVAILABILITY | ||
38 | diff -ruN a/lib/dict.c b/lib/dict.c | ||
39 | --- a/lib/dict.c 2016-02-03 00:02:44.000000000 +0100 | ||
40 | +++ b/lib/dict.c 2016-11-07 09:25:45.999933275 +0100 | ||
41 | @@ -5,7 +5,7 @@ | ||
42 | * | (__| |_| | _ <| |___ | ||
43 | * \___|\___/|_| \_\_____| | ||
44 | * | ||
45 | - * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
46 | + * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
47 | * | ||
48 | * This software is licensed as described in the file COPYING, which | ||
49 | * you should have received as part of this distribution. The terms | ||
50 | @@ -52,7 +52,7 @@ | ||
51 | #include <curl/curl.h> | ||
52 | #include "transfer.h" | ||
53 | #include "sendf.h" | ||
54 | - | ||
55 | +#include "escape.h" | ||
56 | #include "progress.h" | ||
57 | #include "strequal.h" | ||
58 | #include "dict.h" | ||
59 | @@ -96,12 +96,12 @@ | ||
60 | char *newp; | ||
61 | char *dictp; | ||
62 | char *ptr; | ||
63 | - int len; | ||
64 | + size_t len; | ||
65 | char ch; | ||
66 | int olen=0; | ||
67 | |||
68 | - newp = curl_easy_unescape(data, inputbuff, 0, &len); | ||
69 | - if(!newp) | ||
70 | + CURLcode result = Curl_urldecode(data, inputbuff, 0, &newp, &len, FALSE); | ||
71 | + if(!newp || result) | ||
72 | return NULL; | ||
73 | |||
74 | dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */ | ||
75 | diff -ruN a/lib/escape.c b/lib/escape.c | ||
76 | --- a/lib/escape.c 2016-02-05 10:02:03.000000000 +0100 | ||
77 | +++ b/lib/escape.c 2016-11-07 09:29:43.073671606 +0100 | ||
78 | @@ -217,8 +217,14 @@ | ||
79 | FALSE); | ||
80 | if(res) | ||
81 | return NULL; | ||
82 | - if(olen) | ||
83 | - *olen = curlx_uztosi(outputlen); | ||
84 | + | ||
85 | + if(olen) { | ||
86 | + if(outputlen <= (size_t) INT_MAX) | ||
87 | + *olen = curlx_uztosi(outputlen); | ||
88 | + else | ||
89 | + /* too large to return in an int, fail! */ | ||
90 | + Curl_safefree(str); | ||
91 | + } | ||
92 | return str; | ||
93 | } | ||
94 | |||
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb index 67b07da8d8..4bff34e17e 100644 --- a/meta/recipes-support/curl/curl_7.47.1.bb +++ b/meta/recipes-support/curl/curl_7.47.1.bb | |||
@@ -22,6 +22,7 @@ SRC_URI += " file://configure_ac.patch \ | |||
22 | file://CVE-2016-8619.patch \ | 22 | file://CVE-2016-8619.patch \ |
23 | file://CVE-2016-8620.patch \ | 23 | file://CVE-2016-8620.patch \ |
24 | file://CVE-2016-8621.patch \ | 24 | file://CVE-2016-8621.patch \ |
25 | file://CVE-2016-8622.patch \ | ||
25 | " | 26 | " |
26 | 27 | ||
27 | SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb" | 28 | SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb" |