curl: Fix CVE-2022-32221

POST following PUT confusion Link: https://ubuntu.com/security/CVE-2022-32221 (From OE-Core rev: 518bea85c9496d77c70d703b818e442eda841554) Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Bhabu Bindu <bhabu.bindu@kpit.com> 2022-11-29 09:27:17 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-07 15:02:45 +0000
commit: 17c2b23373127454fecbcb6162eb89c29d1cffa0 (patch)
tree: 7646f36c1b735ffcb1980f5adb14a2c99cf39922
parent: 6c79f0424b34a329f6421d9f7b1da820c931b59c (diff)
download: poky-17c2b23373127454fecbcb6162eb89c29d1cffa0.tar.gz
2 files changed, 29 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32221.patch b/meta/recipes-support/curl/curl/CVE-2022-32221.patch
new file mode 100644
index 0000000000..b78b2ce1a8
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32221.patch
@@ -0,0 +1,28 @@
+From a64e3e59938abd7d667e4470a18072a24d7e9de9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 15 Sep 2022 09:22:45 +0200
+Subject: [PATCH] setopt: when POST is set, reset the 'upload' field
+Reported-by: RobBotic1 on github
+Fixes #9507
+Closes #9511
+CVE: CVE-2022-32221
+Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9]
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 03c4efdbf1e58..7289a4e78bdd0 100644
+--- a/lib/setopt.c
+++ b/lib/setopt.c
+@@ -700,6 +700,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     }
+     else
+       data->set.method = HTTPREQ_GET;
+    data->set.upload = FALSE;
+     break;
+ 
+   case CURLOPT_HTTPPOST:
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 5368c91f5c..e0099f7453 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
           file://CVE-2022-32207.patch \
           file://CVE-2022-32208.patch \
           file://CVE-2022-35252.patch \
+           file://CVE-2022-32221.patch \
           "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
author	Bhabu Bindu <bhabu.bindu@kpit.com>	2022-11-29 09:27:17 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-07 15:02:45 +0000
commit	17c2b23373127454fecbcb6162eb89c29d1cffa0 (patch)
tree	7646f36c1b735ffcb1980f5adb14a2c99cf39922
parent	6c79f0424b34a329f6421d9f7b1da820c931b59c (diff)
download	poky-17c2b23373127454fecbcb6162eb89c29d1cffa0.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2022-32221.patch b/meta/recipes-support/curl/curl/CVE-2022-32221.patch new file mode 100644 index 0000000000..b78b2ce1a8 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32221.patch
@@ -0,0 +1,28 @@
		1	From a64e3e59938abd7d667e4470a18072a24d7e9de9 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Thu, 15 Sep 2022 09:22:45 +0200
		4	Subject: [PATCH] setopt: when POST is set, reset the 'upload' field
		5
		6	Reported-by: RobBotic1 on github
		7	Fixes #9507
		8	Closes #9511
		9
		10	CVE: CVE-2022-32221
		11	Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9]
		12	Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
		13	---
		14	lib/setopt.c \| 1 +
		15	1 file changed, 1 insertion(+)
		16
		17	diff --git a/lib/setopt.c b/lib/setopt.c
		18	index 03c4efdbf1e58..7289a4e78bdd0 100644
		19	--- a/lib/setopt.c
		20	+++ b/lib/setopt.c
		21	@@ -700,6 +700,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
		22	}
		23	else
		24	data->set.method = HTTPREQ_GET;
		25	+ data->set.upload = FALSE;
		26	break;
		27
		28	case CURLOPT_HTTPPOST:


diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 5368c91f5c..e0099f7453 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
29	file://CVE-2022-32207.patch \	29	file://CVE-2022-32207.patch \
30	file://CVE-2022-32208.patch \	30	file://CVE-2022-32208.patch \
31	file://CVE-2022-35252.patch \	31	file://CVE-2022-35252.patch \
		32	file://CVE-2022-32221.patch \
32	"	33	"
33	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"	34	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
34		35