curl: Fix CVEs

CVE: CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 CVE-2018-1000301 Curl in the upstream pyro is 7.53.1. CVE-2018-1000120 affected versions are 7.12.3 to and including 7.58.0 CVE-2018-1000121 affected versions are 7.21.0 to and including 7.58.0 CVE-2018-1000122 affected versions are 7.20.0 to and including 7.58.0 CVE-2018-1000301 affected versions are 7.20.0 to and including 7.59.0 Reference: CVE-2018-1000120 https://curl.haxx.se/CVE-2018-1000120.patch CVE-2018-1000121 https://curl.haxx.se/CVE-2018-1000121.patch CVE-2018-1000122 https://curl.haxx.se/CVE-2018-1000122.patch CVE-2018-1000301 https://curl.haxx.se/CVE-2018-1000301.patch Change-Id: I0b7269c83e1662ed16a1b216853c3b4408889954 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> Signed-off-by: Adrian Mangeac <adrian.mangeac@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-09-13 12:57:35 +0200
committer: Dan Andresan <Dan.Andresan@enea.com> 2018-10-25 15:26:08 +0200
commit: 5b1da299fd7359849d2c4ffda796bba999bf8f7e (patch)
tree: 75153e425abad170dbc3fe0e9d5bb1a224588c39
parent: 5b8928cd5f01d83ae27824bb5d411723cabc3108 (diff)
download: meta-el-common-5b1da299fd7359849d2c4ffda796bba999bf8f7e.tar.gz
6 files changed, 274 insertions, 12 deletions
diff --git a/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch
new file mode 100644
index 0000000..cd44efb
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch
@@ -0,0 +1,119 @@
+From 257f0d14893a491786bccb34ecc847f74edd47c6 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 13:01:11 +0200
+Subject: [PATCH] FTP: reject path components with control codes
+Refuse to operate when given path components featuring byte values lower
+than 32.
+Previously, inserting a %00 sequence early in the directory part when
+using the 'singlecwd' ftp method could make curl write a zero byte
+outside of the allocated buffer.
+Test case 340 verifies.
+CVE-2018-1000120
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000120.patch]
+Reported-by: Duy Phan Thanh
+Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ lib/ftp.c               |  6 +++---
+ tests/data/Makefile.inc |  1 +
+ tests/data/test340      | 40 ++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 44 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test340
+diff --git a/lib/ftp.c b/lib/ftp.c
+index cab3699..0e28059 100644
+--- a/lib/ftp.c
+++ b/lib/ftp.c
+@@ -3236,7 +3236,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
+ 
+   if(!result)
+     /* get the "raw" path */
+-    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
+    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
+   if(result) {
+     /* We can limp along anyway (and should try to since we may already be in
+      * the error path) */
+@@ -4242,7 +4242,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+       result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
+                               slash_pos ? dirlen : 1,
+                               &ftpc->dirs[0], NULL,
+-                              FALSE);
+                              TRUE);
+       if(result) {
+         freedirs(ftpc);
+         return result;
+@@ -4350,7 +4350,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+     size_t dlen;
+     char *path;
+     CURLcode result =
+-      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
+      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
+     if(result) {
+       freedirs(ftpc);
+       return result;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 135ba06..31e026f 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -57,6 +57,7 @@ test298 test299 test300 test301 test302 test303 test304 test305 test306 \
+ test307 test308 test309 test310 test311 test312 test313                 \
+                                 test320 test321 test322 test323 test324 \
+ test325 \
+test340 \
+ test350 test351 test352 test353 test354 \
+ \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+diff --git a/tests/data/test340 b/tests/data/test340
+new file mode 100644
+index 0000000..d834d76
+--- /dev/null
+++ b/tests/data/test340
+@@ -0,0 +1,40 @@
+<testcase>
+<info>
+<keywords>
+FTP
+PASV
+CWD
+--ftp-method
+singlecwd
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+ <name>
+FTP using %00 in path with singlecwd
+ </name>
+ <command>
+--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+</protocol>
+<errorcode>
+3
+</errorcode>
+</verify>
+</testcase>
diff --git a/recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch b/recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch
new file mode 100644
index 0000000..488d457
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch
@@ -0,0 +1,47 @@
+From 9889db043393092e9d4b5a42720bba0b3d58deba Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 6 Mar 2018 23:02:16 +0100
+Subject: [PATCH] openldap: check ldap_get_attribute_ber() results for NULL
+ before using
+CVE-2018-1000121
+Reported-by: Dario Weisser
+Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
+CVE: CVE-2018-1000121
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000121.patch]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ lib/openldap.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/lib/openldap.c b/lib/openldap.c
+index f2ffdfe..6927275 100644
+--- a/lib/openldap.c
+++ b/lib/openldap.c
+@@ -473,7 +473,7 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf,
+ 
+   for(ent = ldap_first_message(li->ld, msg); ent;
+     ent = ldap_next_message(li->ld, ent)) {
+-    struct berval bv, *bvals, **bvp = &bvals;
+    struct berval bv, *bvals;
+     int binary = 0, msgtype;
+     CURLcode writeerr;
+ 
+@@ -535,9 +535,9 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf,
+     }
+     data->req.bytecount += bv.bv_len + 5;
+ 
+-    for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp);
+-      rc == LDAP_SUCCESS;
+-      rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp)) {
+    for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals);
+        (rc == LDAP_SUCCESS) && bvals;
+        rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals)) {
+       int i;
+ 
+       if(bv.bv_val == NULL) break;
+-- 
+2.7.4
diff --git a/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch b/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch
new file mode 100644
index 0000000..488d2fb
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch
@@ -0,0 +1,43 @@
+From d52dc4760f6d9ca1937eefa2093058a952465128 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 8 Mar 2018 10:33:16 +0100
+Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end
+CVE-2018-1000122
+Bug: https://curl.haxx.se/docs/adv_2018-b047.html
+Detected by OSS-fuzz
+CVE: CVE-2018-1000122
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000122.patch]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ lib/transfer.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+diff --git a/lib/transfer.c b/lib/transfer.c
+index c46ac25..fd9af31 100644
+--- a/lib/transfer.c
+++ b/lib/transfer.c
+@@ -808,10 +808,15 @@ static CURLcode readwrite_data(struct Curl_easy *data,
+ 
+     } /* if(!header and data to read) */
+ 
+-    if(conn->handler->readwrite &&
+-       (excess > 0 && !conn->bits.stream_was_rewound)) {
+    if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
+       /* Parse the excess data */
+       k->str += nread;
+
+      if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
+        /* the excess amount was too excessive(!), make sure
+           it doesn't read out of buffer */
+        excess = &k->buf[data->set.buffer_size] - k->str;
+      }
+       nread = (ssize_t)excess;
+ 
+       result = conn->handler->readwrite(data, conn, &nread, &readmore);
+-- 
+2.7.4
diff --git a/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch b/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch
new file mode 100644
index 0000000..cf5a596
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch
@@ -0,0 +1,48 @@
+From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed
+... leaving the k->str could lead to buffer over-reads later on.
+  
+Assisted-by: Max Dymond
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+CVE: CVE-2018-1000301
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000301.patch]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ lib/http.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/lib/http.c b/lib/http.c
+index 1a313b4..e080ae5 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -3014,6 +3014,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ {
+   CURLcode result;
+   struct SingleRequest *k = &data->req;
+  ssize_t onread = *nread;
+  char *ostr = k->str;
+ 
+   /* header line within buffer loop */
+   do {
+@@ -3078,7 +3080,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+         else {
+           /* this was all we read so it's all a bad header */
+           k->badheader = HEADER_ALLBAD;
+-          *nread = (ssize_t)rest_length;
+          *nread = onread;
+          k->str = ostr;
+          return CURLE_OK;
+         }
+         break;
+       }
+-- 
+2.7.4
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
deleted file mode 100644
index 3727bea..0000000
--- a/recipes-support/curl/curl_%.bbappend
+++ /dev/null
@@ -1,12 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-SRC_URI += "file://CVE-2017-7407.patch \
-            file://CVE-2017-7468.patch \
-            file://CVE-2017-9502.patch \
-            file://CVE-2017-1000254.patch \
-            file://CVE-2017-1000257.patch \
-            file://CVE-2017-8816.patch \
-            file://CVE-2017-8817.patch \
-            file://CVE-2018-1000005.patch \
-           "
diff --git a/recipes-support/curl/curl_7.53.1.bbappend b/recipes-support/curl/curl_7.53.1.bbappend
new file mode 100644
index 0000000..ad7241c
--- /dev/null
+++ b/recipes-support/curl/curl_7.53.1.bbappend
@@ -0,0 +1,17 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += " \
+        file://CVE-2017-7407.patch \
+        file://CVE-2017-7468.patch \
+        file://CVE-2017-9502.patch \
+        file://CVE-2017-1000254.patch \
+        file://CVE-2017-1000257.patch \
+        file://CVE-2017-8816.patch \
+        file://CVE-2017-8817.patch \
+        file://CVE-2018-1000005.patch \
+        file://CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch \
+        file://CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch \
+        file://CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch \
+        file://CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch \
+        "
author	Andreas Wellving <andreas.wellving@enea.com>	2018-09-13 12:57:35 +0200
committer	Dan Andresan <Dan.Andresan@enea.com>	2018-10-25 15:26:08 +0200
commit	5b1da299fd7359849d2c4ffda796bba999bf8f7e (patch)
tree	75153e425abad170dbc3fe0e9d5bb1a224588c39
parent	5b8928cd5f01d83ae27824bb5d411723cabc3108 (diff)
download	meta-el-common-5b1da299fd7359849d2c4ffda796bba999bf8f7e.tar.gz

diff --git a/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch new file mode 100644 index 0000000..cd44efb --- /dev/null +++ b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch
@@ -0,0 +1,119 @@
		1	From 257f0d14893a491786bccb34ecc847f74edd47c6 Mon Sep 17 00:00:00 2001
		2	From: Andreas Wellving <andreas.wellving@enea.com>
		3	Date: Mon, 22 Oct 2018 13:01:11 +0200
		4	Subject: [PATCH] FTP: reject path components with control codes
		5
		6	Refuse to operate when given path components featuring byte values lower
		7	than 32.
		8
		9	Previously, inserting a %00 sequence early in the directory part when
		10	using the 'singlecwd' ftp method could make curl write a zero byte
		11	outside of the allocated buffer.
		12
		13	Test case 340 verifies.
		14
		15	CVE-2018-1000120
		16	Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000120.patch]
		17
		18	Reported-by: Duy Phan Thanh
		19	Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
		20
		21	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		22	---
		23	lib/ftp.c \| 6 +++---
		24	tests/data/Makefile.inc \| 1 +
		25	tests/data/test340 \| 40 ++++++++++++++++++++++++++++++++++++++++
		26	3 files changed, 44 insertions(+), 3 deletions(-)
		27	create mode 100644 tests/data/test340
		28
		29	diff --git a/lib/ftp.c b/lib/ftp.c
		30	index cab3699..0e28059 100644
		31	--- a/lib/ftp.c
		32	+++ b/lib/ftp.c
		33	@@ -3236,7 +3236,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
		34
		35	if(!result)
		36	/* get the "raw" path */
		37	- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
		38	+ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
		39	if(result) {
		40	/* We can limp along anyway (and should try to since we may already be in
		41	* the error path) */
		42	@@ -4242,7 +4242,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
		43	result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
		44	slash_pos ? dirlen : 1,
		45	&ftpc->dirs[0], NULL,
		46	- FALSE);
		47	+ TRUE);
		48	if(result) {
		49	freedirs(ftpc);
		50	return result;
		51	@@ -4350,7 +4350,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
		52	size_t dlen;
		53	char *path;
		54	CURLcode result =
		55	- Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
		56	+ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
		57	if(result) {
		58	freedirs(ftpc);
		59	return result;
		60	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
		61	index 135ba06..31e026f 100644
		62	--- a/tests/data/Makefile.inc
		63	+++ b/tests/data/Makefile.inc
		64	@@ -57,6 +57,7 @@ test298 test299 test300 test301 test302 test303 test304 test305 test306 \
		65	test307 test308 test309 test310 test311 test312 test313 \
		66	test320 test321 test322 test323 test324 \
		67	test325 \
		68	+test340 \
		69	test350 test351 test352 test353 test354 \
		70	\
		71	test400 test401 test402 test403 test404 test405 test406 test407 test408 \
		72	diff --git a/tests/data/test340 b/tests/data/test340
		73	new file mode 100644
		74	index 0000000..d834d76
		75	--- /dev/null
		76	+++ b/tests/data/test340
		77	@@ -0,0 +1,40 @@
		78	+<testcase>
		79	+<info>
		80	+<keywords>
		81	+FTP
		82	+PASV
		83	+CWD
		84	+--ftp-method
		85	+singlecwd
		86	+</keywords>
		87	+</info>
		88	+#
		89	+# Server-side
		90	+<reply>
		91	+</reply>
		92	+
		93	+# Client-side
		94	+<client>
		95	+<server>
		96	+ftp
		97	+</server>
		98	+ <name>
		99	+FTP using %00 in path with singlecwd
		100	+ </name>
		101	+ <command>
		102	+--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340
		103	+</command>
		104	+</client>
		105	+
		106	+# Verify data after the test has been "shot"
		107	+<verify>
		108	+<protocol>
		109	+USER anonymous
		110	+PASS ftp@example.com
		111	+PWD
		112	+</protocol>
		113	+<errorcode>
		114	+3
		115	+</errorcode>
		116	+</verify>
		117	+</testcase>
		118
		119


diff --git a/recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch b/recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch new file mode 100644 index 0000000..488d457 --- /dev/null +++ b/recipes-support/curl/curl/CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch
@@ -0,0 +1,47 @@
		1	From 9889db043393092e9d4b5a42720bba0b3d58deba Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Tue, 6 Mar 2018 23:02:16 +0100
		4	Subject: [PATCH] openldap: check ldap_get_attribute_ber() results for NULL
		5	before using
		6
		7	CVE-2018-1000121
		8	Reported-by: Dario Weisser
		9	Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
		10
		11	CVE: CVE-2018-1000121
		12	Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000121.patch]
		13
		14	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		15	---
		16	lib/openldap.c \| 8 ++++----
		17	1 file changed, 4 insertions(+), 4 deletions(-)
		18
		19	diff --git a/lib/openldap.c b/lib/openldap.c
		20	index f2ffdfe..6927275 100644
		21	--- a/lib/openldap.c
		22	+++ b/lib/openldap.c
		23	@@ -473,7 +473,7 @@ static ssize_t ldap_recv(struct connectdata conn, int sockindex, char buf,
		24
		25	for(ent = ldap_first_message(li->ld, msg); ent;
		26	ent = ldap_next_message(li->ld, ent)) {
		27	- struct berval bv, bvals, *bvp = &bvals;
		28	+ struct berval bv, *bvals;
		29	int binary = 0, msgtype;
		30	CURLcode writeerr;
		31
		32	@@ -535,9 +535,9 @@ static ssize_t ldap_recv(struct connectdata conn, int sockindex, char buf,
		33	}
		34	data->req.bytecount += bv.bv_len + 5;
		35
		36	- for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp);
		37	- rc == LDAP_SUCCESS;
		38	- rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp)) {
		39	+ for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals);
		40	+ (rc == LDAP_SUCCESS) && bvals;
		41	+ rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals)) {
		42	int i;
		43
		44	if(bv.bv_val == NULL) break;
		45	--
		46	2.7.4
		47


diff --git a/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch b/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch new file mode 100644 index 0000000..488d2fb --- /dev/null +++ b/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch
@@ -0,0 +1,43 @@
		1	From d52dc4760f6d9ca1937eefa2093058a952465128 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Thu, 8 Mar 2018 10:33:16 +0100
		4	Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end
		5
		6	CVE-2018-1000122
		7	Bug: https://curl.haxx.se/docs/adv_2018-b047.html
		8
		9	Detected by OSS-fuzz
		10
		11	CVE: CVE-2018-1000122
		12	Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000122.patch]
		13
		14	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		15	---
		16	lib/transfer.c \| 9 +++++++--
		17	1 file changed, 7 insertions(+), 2 deletions(-)
		18
		19	diff --git a/lib/transfer.c b/lib/transfer.c
		20	index c46ac25..fd9af31 100644
		21	--- a/lib/transfer.c
		22	+++ b/lib/transfer.c
		23	@@ -808,10 +808,15 @@ static CURLcode readwrite_data(struct Curl_easy *data,
		24
		25	} /* if(!header and data to read) */
		26
		27	- if(conn->handler->readwrite &&
		28	- (excess > 0 && !conn->bits.stream_was_rewound)) {
		29	+ if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
		30	/* Parse the excess data */
		31	k->str += nread;
		32	+
		33	+ if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
		34	+ /* the excess amount was too excessive(!), make sure
		35	+ it doesn't read out of buffer */
		36	+ excess = &k->buf[data->set.buffer_size] - k->str;
		37	+ }
		38	nread = (ssize_t)excess;
		39
		40	result = conn->handler->readwrite(data, conn, &nread, &readmore);
		41	--
		42	2.7.4
		43


diff --git a/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch b/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch new file mode 100644 index 0000000..cf5a596 --- /dev/null +++ b/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch
@@ -0,0 +1,48 @@
		1	From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Sat, 24 Mar 2018 23:47:41 +0100
		4	Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed
		5
		6	... leaving the k->str could lead to buffer over-reads later on.
		7
		8	Assisted-by: Max Dymond
		9
		10	Detected by OSS-Fuzz.
		11	Bug: https://curl.haxx.se/docs/adv_2018-b138.html
		12	Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
		13
		14	CVE: CVE-2018-1000301
		15	Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000301.patch]
		16
		17	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		18	---
		19	lib/http.c \| 6 +++++-
		20	1 file changed, 5 insertions(+), 1 deletion(-)
		21
		22	diff --git a/lib/http.c b/lib/http.c
		23	index 1a313b4..e080ae5 100644
		24	--- a/lib/http.c
		25	+++ b/lib/http.c
		26	@@ -3014,6 +3014,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
		27	{
		28	CURLcode result;
		29	struct SingleRequest *k = &data->req;
		30	+ ssize_t onread = *nread;
		31	+ char *ostr = k->str;
		32
		33	/* header line within buffer loop */
		34	do {
		35	@@ -3078,7 +3080,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
		36	else {
		37	/* this was all we read so it's all a bad header */
		38	k->badheader = HEADER_ALLBAD;
		39	- *nread = (ssize_t)rest_length;
		40	+ *nread = onread;
		41	+ k->str = ostr;
		42	+ return CURLE_OK;
		43	}
		44	break;
		45	}
		46	--
		47	2.7.4
		48


diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend deleted file mode 100644 index 3727bea..0000000 --- a/recipes-support/curl/curl_%.bbappend +++ /dev/null
@@ -1,12 +0,0 @@
1	# look for files in the layer first
2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
3
4	SRC_URI += "file://CVE-2017-7407.patch \
5	file://CVE-2017-7468.patch \
6	file://CVE-2017-9502.patch \
7	file://CVE-2017-1000254.patch \
8	file://CVE-2017-1000257.patch \
9	file://CVE-2017-8816.patch \
10	file://CVE-2017-8817.patch \
11	file://CVE-2018-1000005.patch \
12	"


diff --git a/recipes-support/curl/curl_7.53.1.bbappend b/recipes-support/curl/curl_7.53.1.bbappend new file mode 100644 index 0000000..ad7241c --- /dev/null +++ b/recipes-support/curl/curl_7.53.1.bbappend
@@ -0,0 +1,17 @@
		1	# look for files in the layer first
		2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
		3
		4	SRC_URI += " \
		5	file://CVE-2017-7407.patch \
		6	file://CVE-2017-7468.patch \
		7	file://CVE-2017-9502.patch \
		8	file://CVE-2017-1000254.patch \
		9	file://CVE-2017-1000257.patch \
		10	file://CVE-2017-8816.patch \
		11	file://CVE-2017-8817.patch \
		12	file://CVE-2018-1000005.patch \
		13	file://CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch \
		14	file://CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch \
		15	file://CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch \
		16	file://CVE-2018-1000121-openldap-check-ldap_get_attribute_ber-results-for-NU.patch \
		17	"