diff options
| author | Archana Polampalli <archana.polampalli@windriver.com> | 2023-10-13 01:49:21 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-10-18 05:25:19 -1000 |
| commit | af8586bde2b8910ab7d0712aaf553720683cbd8e (patch) | |
| tree | 2d9cc1ca70ea77b799167c8a30c04e1eb80db8f5 | |
| parent | d1c80c5f4abbc064f23e01d8ce950b09f6a3c161 (diff) | |
| download | poky-af8586bde2b8910ab7d0712aaf553720683cbd8e.tar.gz | |
curl: fix CVE-2023-38546
A flaw was found in the Curl package. This flaw allows an attacker to insert
cookies into a running program using libcurl if the specific series of conditions are met.
(From OE-Core rev: a6c5931192a1315cfc5f708585d22bc7bed9f7fd)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-support/curl/curl/CVE-2023-38546.patch | 137 | ||||
| -rw-r--r-- | meta/recipes-support/curl/curl_8.0.1.bb | 1 |
2 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-38546.patch b/meta/recipes-support/curl/curl/CVE-2023-38546.patch new file mode 100644 index 0000000000..2c97c4d5a5 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-38546.patch | |||
| @@ -0,0 +1,137 @@ | |||
| 1 | From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Stenberg <daniel@haxx.se> | ||
| 3 | Date: Thu, 14 Sep 2023 23:28:32 +0200 | ||
| 4 | Subject: [PATCH] cookie: remove unnecessary struct fields | ||
| 5 | |||
| 6 | Plus: reduce the hash table size from 256 to 63. It seems unlikely to | ||
| 7 | make much of a speed difference for most use cases but saves 1.5KB of | ||
| 8 | data per instance. | ||
| 9 | |||
| 10 | Closes #11862 | ||
| 11 | |||
| 12 | Upstream-Status: Backport [https://github.com/curl/curl/commit/61275672b46d9abb32857404] | ||
| 13 | |||
| 14 | CVE: CVE-2023-38546 | ||
| 15 | |||
| 16 | Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> | ||
| 17 | --- | ||
| 18 | lib/cookie.c | 13 +------------ | ||
| 19 | lib/cookie.h | 14 ++++---------- | ||
| 20 | lib/easy.c | 4 +--- | ||
| 21 | 3 files changed, 6 insertions(+), 25 deletions(-) | ||
| 22 | |||
| 23 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
| 24 | index 0c6e0f7..d346203 100644 | ||
| 25 | --- a/lib/cookie.c | ||
| 26 | +++ b/lib/cookie.c | ||
| 27 | @@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co) | ||
| 28 | free(co->name); | ||
| 29 | free(co->value); | ||
| 30 | free(co->maxage); | ||
| 31 | - free(co->version); | ||
| 32 | free(co); | ||
| 33 | } | ||
| 34 | |||
| 35 | @@ -726,11 +725,7 @@ Curl_cookie_add(struct Curl_easy *data, | ||
| 36 | } | ||
| 37 | } | ||
| 38 | else if((nlen == 7) && strncasecompare("version", namep, 7)) { | ||
| 39 | - strstore(&co->version, valuep, vlen); | ||
| 40 | - if(!co->version) { | ||
| 41 | - badcookie = TRUE; | ||
| 42 | - break; | ||
| 43 | - } | ||
| 44 | + /* just ignore */ | ||
| 45 | } | ||
| 46 | else if((nlen == 7) && strncasecompare("max-age", namep, 7)) { | ||
| 47 | /* | ||
| 48 | @@ -1174,7 +1169,6 @@ Curl_cookie_add(struct Curl_easy *data, | ||
| 49 | free(clist->path); | ||
| 50 | free(clist->spath); | ||
| 51 | free(clist->expirestr); | ||
| 52 | - free(clist->version); | ||
| 53 | free(clist->maxage); | ||
| 54 | |||
| 55 | *clist = *co; /* then store all the new data */ | ||
| 56 | @@ -1238,9 +1232,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, | ||
| 57 | c = calloc(1, sizeof(struct CookieInfo)); | ||
| 58 | if(!c) | ||
| 59 | return NULL; /* failed to get memory */ | ||
| 60 | - c->filename = strdup(file?file:"none"); /* copy the name just in case */ | ||
| 61 | - if(!c->filename) | ||
| 62 | - goto fail; /* failed to get memory */ | ||
| 63 | /* | ||
| 64 | * Initialize the next_expiration time to signal that we don't have enough | ||
| 65 | * information yet. | ||
| 66 | @@ -1394,7 +1385,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) | ||
| 67 | CLONE(name); | ||
| 68 | CLONE(value); | ||
| 69 | CLONE(maxage); | ||
| 70 | - CLONE(version); | ||
| 71 | d->expires = src->expires; | ||
| 72 | d->tailmatch = src->tailmatch; | ||
| 73 | d->secure = src->secure; | ||
| 74 | @@ -1611,7 +1601,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) | ||
| 75 | { | ||
| 76 | if(c) { | ||
| 77 | unsigned int i; | ||
| 78 | - free(c->filename); | ||
| 79 | for(i = 0; i < COOKIE_HASH_SIZE; i++) | ||
| 80 | Curl_cookie_freelist(c->cookies[i]); | ||
| 81 | free(c); /* free the base struct as well */ | ||
| 82 | diff --git a/lib/cookie.h b/lib/cookie.h | ||
| 83 | index 39bb08b..3a43bbf 100644 | ||
| 84 | --- a/lib/cookie.h | ||
| 85 | +++ b/lib/cookie.h | ||
| 86 | @@ -36,11 +36,7 @@ struct Cookie { | ||
| 87 | char *domain; /* domain = <this> */ | ||
| 88 | curl_off_t expires; /* expires = <this> */ | ||
| 89 | char *expirestr; /* the plain text version */ | ||
| 90 | - | ||
| 91 | - /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ | ||
| 92 | - char *version; /* Version = <value> */ | ||
| 93 | char *maxage; /* Max-Age = <value> */ | ||
| 94 | - | ||
| 95 | bool tailmatch; /* whether we do tail-matching of the domain name */ | ||
| 96 | bool secure; /* whether the 'secure' keyword was used */ | ||
| 97 | bool livecookie; /* updated from a server, not a stored file */ | ||
| 98 | @@ -56,18 +52,16 @@ struct Cookie { | ||
| 99 | #define COOKIE_PREFIX__SECURE (1<<0) | ||
| 100 | #define COOKIE_PREFIX__HOST (1<<1) | ||
| 101 | |||
| 102 | -#define COOKIE_HASH_SIZE 256 | ||
| 103 | +#define COOKIE_HASH_SIZE 63 | ||
| 104 | |||
| 105 | struct CookieInfo { | ||
| 106 | /* linked list of cookies we know of */ | ||
| 107 | struct Cookie *cookies[COOKIE_HASH_SIZE]; | ||
| 108 | - | ||
| 109 | - char *filename; /* file we read from/write to */ | ||
| 110 | - long numcookies; /* number of cookies in the "jar" */ | ||
| 111 | + curl_off_t next_expiration; /* the next time at which expiration happens */ | ||
| 112 | + int numcookies; /* number of cookies in the "jar" */ | ||
| 113 | + int lastct; /* last creation-time used in the jar */ | ||
| 114 | bool running; /* state info, for cookie adding information */ | ||
| 115 | bool newsession; /* new session, discard session cookies on load */ | ||
| 116 | - int lastct; /* last creation-time used in the jar */ | ||
| 117 | - curl_off_t next_expiration; /* the next time at which expiration happens */ | ||
| 118 | }; | ||
| 119 | |||
| 120 | /* This is the maximum line length we accept for a cookie line. RFC 2109 | ||
| 121 | diff --git a/lib/easy.c b/lib/easy.c | ||
| 122 | index 27124a7..fddf047 100644 | ||
| 123 | --- a/lib/easy.c | ||
| 124 | +++ b/lib/easy.c | ||
| 125 | @@ -911,9 +911,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) | ||
| 126 | if(data->cookies) { | ||
| 127 | /* If cookies are enabled in the parent handle, we enable them | ||
| 128 | in the clone as well! */ | ||
| 129 | - outcurl->cookies = Curl_cookie_init(data, | ||
| 130 | - data->cookies->filename, | ||
| 131 | - outcurl->cookies, | ||
| 132 | + outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, | ||
| 133 | data->set.cookiesession); | ||
| 134 | if(!outcurl->cookies) | ||
| 135 | goto fail; | ||
| 136 | -- | ||
| 137 | 2.40.0 | ||
diff --git a/meta/recipes-support/curl/curl_8.0.1.bb b/meta/recipes-support/curl/curl_8.0.1.bb index bdffe7be34..375b4d2f93 100644 --- a/meta/recipes-support/curl/curl_8.0.1.bb +++ b/meta/recipes-support/curl/curl_8.0.1.bb | |||
| @@ -20,6 +20,7 @@ SRC_URI = " \ | |||
| 20 | file://CVE-2023-32001.patch \ | 20 | file://CVE-2023-32001.patch \ |
| 21 | file://CVE-2023-28320-fol1.patch \ | 21 | file://CVE-2023-28320-fol1.patch \ |
| 22 | file://CVE-2023-38545.patch \ | 22 | file://CVE-2023-38545.patch \ |
| 23 | file://CVE-2023-38546.patch \ | ||
| 23 | " | 24 | " |
| 24 | SRC_URI[sha256sum] = "0a381cd82f4d00a9a334438b8ca239afea5bfefcfa9a1025f2bf118e79e0b5f0" | 25 | SRC_URI[sha256sum] = "0a381cd82f4d00a9a334438b8ca239afea5bfefcfa9a1025f2bf118e79e0b5f0" |
| 25 | 26 | ||