curl: Fix CVE-2023-46218

Add patch to fix CVE-2023-46218 Link: https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.88.1-8ubuntu2.4/curl_7.88.1-8ubuntu2.4.debian.tar.xz https://github.com/curl/curl/commit/2b0994c29a721c91c57 (From OE-Core rev: f27a93299f554e0bde610f70e6a042b4a24abf20) Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Poonam Jadhav <ppjadhav456@gmail.com> 2023-12-14 15:30:07 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-12-22 16:36:54 -1000
commit: 7008d999c51c5e72269e5997f19b77321e2e1336 (patch)
tree: 56312187d0bb946635ea3c1c7775a84e72535bcb
parent: a7f86b0e7881d6241d1e9a147ae59f3ae7ea724e (diff)
download: poky-7008d999c51c5e72269e5997f19b77321e2e1336.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-46218.patch b/meta/recipes-support/curl/curl/CVE-2023-46218.patch
new file mode 100644
index 0000000000..d7d7908ea0
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-46218.patch
@@ -0,0 +1,52 @@
+Backport of:
+From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 23 Nov 2023 08:15:47 +0100
+Subject: [PATCH] cookie: lowercase the domain names before PSL checks
+Reported-by: Harry Sintonen
+Closes #12387
+CVE: CVE-2023-46218
+Upstream-Status: Backport [https://github.com/curl/curl/commit/2b0994c29a721c91c57]
+Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
+---
+ lib/cookie.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -1044,15 +1044,23 @@ Curl_cookie_add(struct Curl_easy *data,
+    * dereference it.
+    */
+   if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
+-    const psl_ctx_t *psl = Curl_psl_use(data);
+-    int acceptable;
+-
+-    if(psl) {
+-      acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
+-      Curl_psl_release(data);
+    bool acceptable = FALSE;
+    char lcase[256];
+    char lcookie[256];
+    size_t dlen = strlen(domain);
+    size_t clen = strlen(co->domain);
+    if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
+      const psl_ctx_t *psl = Curl_psl_use(data);
+      if(psl) {
+        /* the PSL check requires lowercase domain name and pattern */
+        Curl_strntolower(lcase, domain, dlen + 1);
+        Curl_strntolower(lcookie, co->domain, clen + 1);
+        acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
+        Curl_psl_release(data);
+      }
+      else
+        acceptable = !bad_domain(domain);
+     }
+-    else
+-      acceptable = !bad_domain(domain);
+ 
+     if(!acceptable) {
+       infof(data, "cookie '%s' dropped, domain '%s' must not "
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 471bc47f34..a36d03f668 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -54,6 +54,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
           file://CVE-2023-32001.patch \
           file://CVE-2023-38545.patch \
           file://CVE-2023-38546.patch \
+           file://CVE-2023-46218.patch \
           "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
author	Poonam Jadhav <ppjadhav456@gmail.com>	2023-12-14 15:30:07 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-12-22 16:36:54 -1000
commit	7008d999c51c5e72269e5997f19b77321e2e1336 (patch)
tree	56312187d0bb946635ea3c1c7775a84e72535bcb
parent	a7f86b0e7881d6241d1e9a147ae59f3ae7ea724e (diff)
download	poky-7008d999c51c5e72269e5997f19b77321e2e1336.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2023-46218.patch b/meta/recipes-support/curl/curl/CVE-2023-46218.patch new file mode 100644 index 0000000000..d7d7908ea0 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-46218.patch
@@ -0,0 +1,52 @@
		1	Backport of:
		2
		3	From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
		4	From: Daniel Stenberg <daniel@haxx.se>
		5	Date: Thu, 23 Nov 2023 08:15:47 +0100
		6	Subject: [PATCH] cookie: lowercase the domain names before PSL checks
		7
		8	Reported-by: Harry Sintonen
		9
		10	Closes #12387
		11
		12	CVE: CVE-2023-46218
		13	Upstream-Status: Backport [https://github.com/curl/curl/commit/2b0994c29a721c91c57]
		14	Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
		15	---
		16	lib/cookie.c \| 24 ++++++++++++++++--------
		17	1 file changed, 16 insertions(+), 8 deletions(-)
		18
		19	--- a/lib/cookie.c
		20	+++ b/lib/cookie.c
		21	@@ -1044,15 +1044,23 @@ Curl_cookie_add(struct Curl_easy *data,
		22	* dereference it.
		23	*/
		24	if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
		25	- const psl_ctx_t *psl = Curl_psl_use(data);
		26	- int acceptable;
		27	-
		28	- if(psl) {
		29	- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
		30	- Curl_psl_release(data);
		31	+ bool acceptable = FALSE;
		32	+ char lcase[256];
		33	+ char lcookie[256];
		34	+ size_t dlen = strlen(domain);
		35	+ size_t clen = strlen(co->domain);
		36	+ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
		37	+ const psl_ctx_t *psl = Curl_psl_use(data);
		38	+ if(psl) {
		39	+ /* the PSL check requires lowercase domain name and pattern */
		40	+ Curl_strntolower(lcase, domain, dlen + 1);
		41	+ Curl_strntolower(lcookie, co->domain, clen + 1);
		42	+ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
		43	+ Curl_psl_release(data);
		44	+ }
		45	+ else
		46	+ acceptable = !bad_domain(domain);
		47	}
		48	- else
		49	- acceptable = !bad_domain(domain);
		50
		51	if(!acceptable) {
		52	infof(data, "cookie '%s' dropped, domain '%s' must not "


diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 471bc47f34..a36d03f668 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -54,6 +54,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
54	file://CVE-2023-32001.patch \	54	file://CVE-2023-32001.patch \
55	file://CVE-2023-38545.patch \	55	file://CVE-2023-38545.patch \
56	file://CVE-2023-38546.patch \	56	file://CVE-2023-38546.patch \
		57	file://CVE-2023-46218.patch \
57	"	58	"
58	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"	59	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
59		60