From b0827cbb4bac7c0c74e46a7b26a5827e01fd4cb9 Mon Sep 17 00:00:00 2001 From: Thiruvadi Rajaraman Date: Sat, 4 Nov 2017 08:01:20 -0700 Subject: curl: Security fix for CVE-2016-8623 Affected versions: curl 7.10.7 to and including 7.50.3 Not affected versions: curl < 7.10.7 and curl >= 7.51.0 (From OE-Core rev: 2da99dc9f7f3d8373cc3108c18300723ad4a243a) Signed-off-by: Thiruvadi Rajaraman Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- meta/recipes-support/curl/curl/CVE-2016-8623.patch | 174 +++++++++++++++++++++ meta/recipes-support/curl/curl_7.50.1.bb | 1 + 2 files changed, 175 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8623.patch (limited to 'meta/recipes-support') diff --git a/meta/recipes-support/curl/curl/CVE-2016-8623.patch b/meta/recipes-support/curl/curl/CVE-2016-8623.patch new file mode 100644 index 0000000000..17eaf2b7ee --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-8623.patch @@ -0,0 +1,174 @@ +From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 4 Oct 2016 23:26:13 +0200 +Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies + +Previously it only held references to them, which was reckless as the +thread lock was released so the cookies could get modified by other +handles that share the same cookie jar over the share interface. + +CVE-2016-8623 + +Bug: https://curl.haxx.se/docs/adv_20161102I.html +Reported-by: Cure53 + +Upstream-Status: Backport +https://curl.haxx.se/CVE-2016-8623.patch +CVE: CVE-2016-8623 +Signed-off-by: Thiruvadi Rajaraman + +--- + lib/cookie.c | 61 +++++++++++++++++++++++++++++++++++++++--------------------- + lib/cookie.h | 4 ++-- + lib/http.c | 2 +- + 3 files changed, 43 insertions(+), 24 deletions(-) + +Index: curl-7.44.0/lib/cookie.c +=================================================================== +--- curl-7.44.0.orig/lib/cookie.c ++++ curl-7.44.0/lib/cookie.c +@@ -1019,6 +1019,40 @@ static int cookie_sort(const void *p1, c + return 0; + } + ++#define CLONE(field) \ ++ do { \ ++ if(src->field) { \ ++ dup->field = strdup(src->field); \ ++ if(!dup->field) \ ++ goto fail; \ ++ } \ ++ } while(0) ++ ++static struct Cookie *dup_cookie(struct Cookie *src) ++{ ++ struct Cookie *dup = calloc(sizeof(struct Cookie), 1); ++ if(dup) { ++ CLONE(expirestr); ++ CLONE(domain); ++ CLONE(path); ++ CLONE(spath); ++ CLONE(name); ++ CLONE(value); ++ CLONE(maxage); ++ CLONE(version); ++ dup->expires = src->expires; ++ dup->tailmatch = src->tailmatch; ++ dup->secure = src->secure; ++ dup->livecookie = src->livecookie; ++ dup->httponly = src->httponly; ++ } ++ return dup; ++ ++ fail: ++ freecookie(dup); ++ return NULL; ++} ++ + /***************************************************************************** + * + * Curl_cookie_getlist() +@@ -1074,11 +1108,8 @@ struct Cookie *Curl_cookie_getlist(struc + /* and now, we know this is a match and we should create an + entry for the return-linked-list */ + +- newco = malloc(sizeof(struct Cookie)); ++ newco = dup_cookie(co); + if(newco) { +- /* first, copy the whole source cookie: */ +- memcpy(newco, co, sizeof(struct Cookie)); +- + /* then modify our next */ + newco->next = mainco; + +@@ -1090,12 +1121,7 @@ struct Cookie *Curl_cookie_getlist(struc + else { + fail: + /* failure, clear up the allocated chain and return NULL */ +- while(mainco) { +- co = mainco->next; +- free(mainco); +- mainco = co; +- } +- ++ Curl_cookie_freelist(mainco); + return NULL; + } + } +@@ -1147,7 +1173,7 @@ struct Cookie *Curl_cookie_getlist(struc + void Curl_cookie_clearall(struct CookieInfo *cookies) + { + if(cookies) { +- Curl_cookie_freelist(cookies->cookies, TRUE); ++ Curl_cookie_freelist(cookies->cookies); + cookies->cookies = NULL; + cookies->numcookies = 0; + } +@@ -1159,21 +1185,14 @@ void Curl_cookie_clearall(struct CookieI + * + * Free a list of cookies previously returned by Curl_cookie_getlist(); + * +- * The 'cookiestoo' argument tells this function whether to just free the +- * list or actually also free all cookies within the list as well. +- * + ****************************************************************************/ + +-void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo) ++void Curl_cookie_freelist(struct Cookie *co) + { + struct Cookie *next; + while(co) { + next = co->next; +- if(cookiestoo) +- freecookie(co); +- else +- free(co); /* we only free the struct since the "members" are all just +- pointed out in the main cookie list! */ ++ freecookie(co); + co = next; + } + } +@@ -1228,7 +1247,7 @@ void Curl_cookie_cleanup(struct CookieIn + { + if(c) { + free(c->filename); +- Curl_cookie_freelist(c->cookies, TRUE); ++ Curl_cookie_freelist(c->cookies); + free(c); /* free the base struct as well */ + } + } +Index: curl-7.44.0/lib/cookie.h +=================================================================== +--- curl-7.44.0.orig/lib/cookie.h ++++ curl-7.44.0/lib/cookie.h +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -82,7 +82,7 @@ struct Cookie *Curl_cookie_add(struct Se + + struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *, + const char *, bool); +-void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo); ++void Curl_cookie_freelist(struct Cookie *cookies); + void Curl_cookie_clearall(struct CookieInfo *cookies); + void Curl_cookie_clearsess(struct CookieInfo *cookies); + +Index: curl-7.44.0/lib/http.c +=================================================================== +--- curl-7.44.0.orig/lib/http.c ++++ curl-7.44.0/lib/http.c +@@ -2371,7 +2371,7 @@ CURLcode Curl_http(struct connectdata *c + } + co = co->next; /* next cookie please */ + } +- Curl_cookie_freelist(store, FALSE); /* free the cookie list */ ++ Curl_cookie_freelist(store); + } + if(addcookies && !result) { + if(!count) diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb index 548bb46f95..9a9741dfe1 100644 --- a/meta/recipes-support/curl/curl_7.50.1.bb +++ b/meta/recipes-support/curl/curl_7.50.1.bb @@ -18,6 +18,7 @@ SRC_URI += " file://configure_ac.patch \ file://CVE-2016-8619.patch \ file://CVE-2016-8620.patch \ file://CVE-2016-8621.patch \ + file://CVE-2016-8623.patch \ " SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" -- cgit v1.2.3-54-g00ecf