From e4f3cf8950106bd420e09f463f11c4e607462126 Mon Sep 17 00:00:00 2001
From: "Maxin B. John" <maxin.john@enea.com>
Date: Mon, 27 Apr 2015 15:24:46 +0100
Subject: curl: several security fixes

Fixes below listed bugs:
1. CVE-2015-3143
2. CVE-2015-3144
3. CVE-2015-3145
4. CVE-2015-3148

(From OE-Core rev: cd3da9c95f48899e134a5b7ed1754fd18985df4f)

Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-support/curl/curl/CVE-2015-3143.patch | 38 ++++++++++++
 meta/recipes-support/curl/curl/CVE-2015-3144.patch | 45 ++++++++++++++
 meta/recipes-support/curl/curl/CVE-2015-3145.patch | 70 ++++++++++++++++++++++
 meta/recipes-support/curl/curl/CVE-2015-3148.patch | 50 ++++++++++++++++
 meta/recipes-support/curl/curl_7.40.0.bb           |  4 ++
 5 files changed, 207 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2015-3143.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2015-3144.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2015-3145.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2015-3148.patch

(limited to 'meta/recipes-support/curl')

diff --git a/meta/recipes-support/curl/curl/CVE-2015-3143.patch b/meta/recipes-support/curl/curl/CVE-2015-3143.patch
new file mode 100644
index 0000000000..745e9456f3
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3143.patch
@@ -0,0 +1,38 @@
+From d7d1bc8f08eea1a85ab0d794bc1561659462d937 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 13:26:46 +0200
+Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to
+ match
+
+Upstream-Status: Backport
+
+CVE-2015-3143
+
+Bug: http://curl.haxx.se/docs/adv_20150422A.html
+Reported-by: Paras Sethia
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 018bb88..ee3d176 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3207,11 +3207,11 @@ ConnectionExists(struct SessionHandle *data,
+            strcmp(check->localdev, needle->localdev))
+           continue;
+       }
+ 
+       if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+-         wantNTLMhttp) {
++         (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
+         /* This protocol requires credentials per connection or is HTTP+NTLM,
+            so verify that we're using the same name and password as well */
+         if(!strequal(needle->user, check->user) ||
+            !strequal(needle->passwd, check->passwd)) {
+           /* one of them was different */
+-- 
+2.1.4
+
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3144.patch b/meta/recipes-support/curl/curl/CVE-2015-3144.patch
new file mode 100644
index 0000000000..ca6d7448a1
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3144.patch
@@ -0,0 +1,45 @@
+From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 23:52:04 +0200
+Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Backport
+
+If a URL is given with a zero-length host name, like in "http://:80" or
+just ":80", `fix_hostname()` will index the host name pointer with a -1
+offset (as it blindly assumes a non-zero length) and both read and
+assign that address.
+
+CVE-2015-3144
+
+Bug: http://curl.haxx.se/docs/adv_20150422D.html
+Reported-by: Hanno Böck
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index ee3d176..f033dbc 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3625,11 +3625,11 @@ static void fix_hostname(struct SessionHandle *data,
+ 
+   /* set the name we use to display the host name */
+   host->dispname = host->name;
+ 
+   len = strlen(host->name);
+-  if(host->name[len-1] == '.')
++  if(len && (host->name[len-1] == '.'))
+     /* strip off a single trailing dot if present, primarily for SNI but
+        there's no use for it */
+     host->name[len-1]=0;
+ 
+   if(!is_ASCII_name(host->name)) {
+-- 
+2.1.4
+
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3145.patch b/meta/recipes-support/curl/curl/CVE-2015-3145.patch
new file mode 100644
index 0000000000..15a998289e
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3145.patch
@@ -0,0 +1,70 @@
+From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 16:37:40 +0200
+Subject: [PATCH] cookie: cookie parser out of boundary memory access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Backport
+
+The internal libcurl function called sanitize_cookie_path() that cleans
+up the path element as given to it from a remote site or when read from
+a file, did not properly validate the input. If given a path that
+consisted of a single double-quote, libcurl would index a newly
+allocated memory area with index -1 and assign a zero to it, thus
+destroying heap memory it wasn't supposed to.
+
+CVE-2015-3145
+
+Bug: http://curl.haxx.se/docs/adv_20150422C.html
+Reported-by: Hanno Böck
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/cookie.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0864f6b..0127926 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -223,15 +223,18 @@ static char *sanitize_cookie_path(const char *cookie_path)
+   char *new_path = strdup(cookie_path);
+   if(!new_path)
+     return NULL;
+ 
+   /* some stupid site sends path attribute with '"'. */
++  len = strlen(new_path);
+   if(new_path[0] == '\"') {
+-    memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
++    memmove((void *)new_path, (const void *)(new_path + 1), len);
++    len--;
+   }
+-  if(new_path[strlen(new_path) - 1] == '\"') {
+-    new_path[strlen(new_path) - 1] = 0x0;
++  if(len && (new_path[len - 1] == '\"')) {
++    new_path[len - 1] = 0x0;
++    len--;
+   }
+ 
+   /* RFC6265 5.2.4 The Path Attribute */
+   if(new_path[0] != '/') {
+     /* Let cookie-path be the default-path. */
+@@ -239,12 +242,11 @@ static char *sanitize_cookie_path(const char *cookie_path)
+     new_path = strdup("/");
+     return new_path;
+   }
+ 
+   /* convert /hoge/ to /hoge */
+-  len = strlen(new_path);
+-  if(1 < len && new_path[len - 1] == '/') {
++  if(len && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
+ 
+   return new_path;
+ }
+-- 
+2.1.4
+
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3148.patch b/meta/recipes-support/curl/curl/CVE-2015-3148.patch
new file mode 100644
index 0000000000..13df14e5c4
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3148.patch
@@ -0,0 +1,50 @@
+From 6abfb512ed22c2de891a4398616d81a2a0690b5a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 18 Apr 2015 23:50:16 +0200
+Subject: [PATCH] http_done: close Negotiate connections when done
+
+Upstream-Status: Backport
+
+When doing HTTP requests Negotiate authenticated, the entire connnection
+may become authenticated and not just the specific HTTP request which is
+otherwise how HTTP works, as Negotiate can basically use NTLM under the
+hood. curl was not adhering to this fact but would assume that such
+requests would also be authenticated per request.
+
+CVE-2015-3148
+
+Bug: http://curl.haxx.se/docs/adv_20150422B.html
+Reported-by: Isaac Boukris
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/http.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 4c1cfc5..2a226fb 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -1433,12 +1433,18 @@ CURLcode Curl_http_done(struct connectdata *conn,
+ 
+   Curl_unencode_cleanup(conn);
+ 
+ #ifdef USE_SPNEGO
+   if(data->state.proxyneg.state == GSS_AUTHSENT ||
+-      data->state.negotiate.state == GSS_AUTHSENT)
++      data->state.negotiate.state == GSS_AUTHSENT) {
++    /* add forbid re-use if http-code != 401 as a WA
++     * only needed for 401 that failed handling
++     * otherwie state will be RECV with current code */
++    if((data->req.httpcode != 401) && (data->req.httpcode != 407))
++      connclose(conn, "Negotiate transfer completed");
+     Curl_cleanup_negotiate(data);
++  }
+ #endif
+ 
+   /* set the proper values (possibly modified on POST) */
+   conn->fread_func = data->set.fread_func; /* restore */
+   conn->fread_in = data->set.in; /* restore */
+-- 
+2.1.4
+
diff --git a/meta/recipes-support/curl/curl_7.40.0.bb b/meta/recipes-support/curl/curl_7.40.0.bb
index 4cde9c6baa..2b39d11411 100644
--- a/meta/recipes-support/curl/curl_7.40.0.bb
+++ b/meta/recipes-support/curl/curl_7.40.0.bb
@@ -7,6 +7,10 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=7;md5=3a34942f4ae3fbf1a303160714e66
 
 SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://pkgconfig_fix.patch \
+           file://CVE-2015-3143.patch \
+           file://CVE-2015-3144.patch \
+           file://CVE-2015-3145.patch \
+           file://CVE-2015-3148.patch \
           "
 
 # curl likes to set -g0 in CFLAGS, so we stop it
-- 
cgit v1.2.3-54-g00ecf