diff options
| author | Rajkumar Veer <rveer@mvista.com> | 2017-11-04 08:13:14 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-11-21 14:43:55 +0000 |
| commit | dc96e5ae3f9dd73e5f000e637550b42fc630a021 (patch) | |
| tree | d8c605aa5e4ac921598d5626b11bf0fdf0c4823d | |
| parent | 6131edc2c9de3d2fe03243a423e2441a6ec855ce (diff) | |
| download | poky-dc96e5ae3f9dd73e5f000e637550b42fc630a021.tar.gz | |
curl: Security fix for CVE-2017-1000100
Affected versions: libcurl 7.15.0 to and including 7.54.1
Not affected versions: libcurl < 7.15.0 and >= 7.55.0
(From OE-Core rev: 2ad0d34313b30f3f18d2f15879294fab310aa874)
Signed-off-by: Rajkumar Veer <rveer@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-support/curl/curl/CVE-2017-1000100.patch | 47 | ||||
| -rw-r--r-- | meta/recipes-support/curl/curl_7.50.1.bb | 1 |
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2017-1000100.patch b/meta/recipes-support/curl/curl/CVE-2017-1000100.patch new file mode 100644 index 0000000000..b5f4d1014a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2017-1000100.patch | |||
| @@ -0,0 +1,47 @@ | |||
| 1 | From 4f58c108fa9a9a13b7dbbd2fd420c998dc92f851 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Stenberg <daniel@haxx.se> | ||
| 3 | Date: Tue, 1 Aug 2017 17:16:46 +0200 | ||
| 4 | Subject: [PATCH] tftp: reject file name lengths that don't fit | ||
| 5 | |||
| 6 | ...and thereby avoid telling send() to send off more bytes than the | ||
| 7 | size of the buffer! | ||
| 8 | |||
| 9 | Bug: https://curl.haxx.se/docs/adv_20170809B.html | ||
| 10 | Reported-by: Even Rouault | ||
| 11 | Credit to OSS-Fuzz for the discovery | ||
| 12 | |||
| 13 | Upstream-Status: Backport | ||
| 14 | CVE: CVE-2017-1000100 | ||
| 15 | Signed-off-by: Rajkumar Veer <rveer@mvista.com> | ||
| 16 | --- | ||
| 17 | lib/tftp.c | 7 ++++++- | ||
| 18 | 1 file changed, 6 insertions(+), 1 deletion(-) | ||
| 19 | |||
| 20 | diff --git a/lib/tftp.c b/lib/tftp.c | ||
| 21 | index d7ff94f..083b083 100644 | ||
| 22 | --- a/lib/tftp.c | ||
| 23 | +++ b/lib/tftp.c | ||
| 24 | @@ -5,7 +5,7 @@ | ||
| 25 | * | (__| |_| | _ <| |___ | ||
| 26 | * \___|\___/|_| \_\_____| | ||
| 27 | * | ||
| 28 | - * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
| 29 | + * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
| 30 | * | ||
| 31 | * This software is licensed as described in the file COPYING, which | ||
| 32 | * you should have received as part of this distribution. The terms | ||
| 33 | @@ -489,6 +489,11 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event) | ||
| 34 | if(!filename) | ||
| 35 | return CURLE_OUT_OF_MEMORY; | ||
| 36 | |||
| 37 | + if(strlen(filename) > (state->blksize - strlen(mode) - 4)) { | ||
| 38 | + failf(data, "TFTP file name too long\n"); | ||
| 39 | + return CURLE_TFTP_ILLEGAL; /* too long file name field */ | ||
| 40 | + } | ||
| 41 | + | ||
| 42 | snprintf((char *)state->spacket.data+2, | ||
| 43 | state->blksize, | ||
| 44 | "%s%c%s%c", filename, '\0', mode, '\0'); | ||
| 45 | -- | ||
| 46 | 1.9.1 | ||
| 47 | |||
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb index 67bbdebfe7..8a1b162bc0 100644 --- a/meta/recipes-support/curl/curl_7.50.1.bb +++ b/meta/recipes-support/curl/curl_7.50.1.bb | |||
| @@ -22,6 +22,7 @@ SRC_URI += " file://configure_ac.patch \ | |||
| 22 | file://CVE-2016-8617.patch \ | 22 | file://CVE-2016-8617.patch \ |
| 23 | file://CVE-2016-8624.patch \ | 23 | file://CVE-2016-8624.patch \ |
| 24 | file://CVE-2016-9586.patch \ | 24 | file://CVE-2016-9586.patch \ |
| 25 | file://CVE-2017-1000100.patch \ | ||
| 25 | " | 26 | " |
| 26 | 27 | ||
| 27 | SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" | 28 | SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" |