From 094a36886f2ac3e8e67220ffc938973879b3762a Mon Sep 17 00:00:00 2001
From: "Maxin B. John"
Date: Mon, 22 Aug 2016 14:15:39 +0300
Subject: curl: security fix for CVE-2016-5419

Affected versions: libcurl 7.1 to and including 7.50.0

(From OE-Core rev: 0b56a2f6174a44495f8a58dc0864c161ffd37b80)

Signed-off-by: Maxin B. John
Signed-off-by: Richard Purdie
---
 meta/recipes-support/curl/curl/CVE-2016-5419.patch | 76 ++++++++++++++++++++++
 meta/recipes-support/curl/curl_7.47.1.bb | 4 +-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-5419.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-5419.patch b/meta/recipes-support/curl/curl/CVE-2016-5419.patch
new file mode 100644
index 0000000000..2bea362c87
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-5419.patch
@@ -0,0 +1,76 @@
+From 247d890da88f9ee817079e246c59f3d7d12fde5f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 1 Jul 2016 13:32:31 +0200
+Subject: [PATCH] TLS: switch off SSL session id when client cert is used
+
+
+Bug: https://curl.haxx.se/docs/adv_20160803A.html
+Reported-by: Bru Rom
+Contributions-by: Eric Rescorla and Ray Satiro
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-5419.patch
+
+CVE: CVE-2016-5419
+Signed-off-by: Maxin B. John
+---
+ lib/url.c | 1 +
+ lib/urldata.h | 1 +
+ lib/vtls/vtls.c | 10 ++++++++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index 258a286..e547e5c 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -6123,6 +6123,7 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.ssl.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+ data->set.ssl.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+ data->set.ssl.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
++ data->set.ssl.clientcert = data->set.str[STRING_CERT];
+ #ifdef USE_TLS_SRP
+ data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
+ data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 611c5a7..3cf7ed9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -351,6 +351,7 @@ struct ssl_config_data {
+ char *CAfile; /* certificate to verify peer against */
+ const char *CRLfile; /* CRL to check certificate revocation */
+ const char *issuercert;/* optional issuer certificate filename */
++ char *clientcert;
+ char *random_file; /* path to file containing "random" data */
+ char *egdsocket; /* path to file containing the EGD daemon socket */
+ char *cipher_list; /* list of ciphers to use */
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index d3e41cd..33e209d 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -156,6 +156,15 @@ Curl_clone_ssl_config(struct ssl_config_data *source,
+ else
+ dest->random_file = NULL;
+
++ if(source->clientcert) {
++ dest->clientcert = strdup(source->clientcert);
++ if(!dest->clientcert)
++ return FALSE;
++ dest->sessionid = FALSE;
++ }
++ else
++ dest->clientcert = NULL;
++
+ return TRUE;
+ }
+
+@@ -166,6 +175,7 @@ void Curl_free_ssl_config(struct ssl_config_data* sslc)
+ Curl_safefree(sslc->cipher_list);
+ Curl_safefree(sslc->egdsocket);
+ Curl_safefree(sslc->random_file);
++ Curl_safefree(sslc->clientcert);
+ }
+
+
+-- 
+2.4.0
+
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb
index c2173d8a06..945840b1a9 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -10,7 +10,9 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2"
 # curl likes to set -g0 in CFLAGS, so we stop it
 # from mucking around with debug options
 #
-SRC_URI += " file://configure_ac.patch"
+SRC_URI += " file://configure_ac.patch \
+ file://CVE-2016-5419.patch \
+ "
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
 SRC_URI[sha256sum] = "ddc643ab9382e24bbe4747d43df189a0a6ce38fcb33df041b9cb0b3cd47ae98f"
-- 
cgit v1.2.3-54-g00ecf
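Review bot: The backport closes the session-resumption hole only by forcing `dest->sessionid = FALSE` in `Curl_clone_ssl_config` when a client certificate is configured; the new `clientcert` field is not added to `Curl_ssl_config_matches` (outside this hunk), so if that comparison is also what url.c uses to decide whether an already-established TLS connection can be reused, a request with a different or no client certificate could still be matched to an authenticated connection — worth confirming against `ConnectionExists` before treating this patch as the complete fix. Separately, `char *clientcert;` is the only member in the visible part of `ssl_config_data` without a trailing comment; `char *clientcert; /* client cert (CURLOPT_SSLCERT); when set, TLS session id reuse is disabled */` would record why the field exists and why clone turns sessionid off. The bodies of `create_conn`, `Curl_clone_ssl_config` and `Curl_free_ssl_config` continue outside the hunks shown.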