curl: fix CVE-2023-46218

(From OE-Core rev: 000b2a380021f2c7fd102b6523a986c2e7ad20ae) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2023-12-19 11:34:48 +0800
committer: Steve Sakoman <steve@sakoman.com> 2023-12-22 05:23:26 -1000
commit: 664c3401c57d4595bbd000a7d1dbf4427fcc1e88 (patch)
tree: 9f2e8e542d49e4de35ecde65c0275d258d7ac430
parent: 91bd70dbea333dcfedcb84db99b8298880a2cdd0 (diff)
download: poky-664c3401c57d4595bbd000a7d1dbf4427fcc1e88.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-46218.patch b/meta/recipes-support/curl/curl/CVE-2023-46218.patch
new file mode 100644
index 0000000000..de2f095664
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-46218.patch
@@ -0,0 +1,52 @@
+CVE: CVE-2023-46218 
+Upstream-Status: Backport [ https://github.com/curl/curl/commit/2b0994c29a721c91c57 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 23 Nov 2023 08:15:47 +0100
+Subject: [PATCH] cookie: lowercase the domain names before PSL checks
+Reported-by: Harry Sintonen
+Closes #12387
+---
+ lib/cookie.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 568cf537ad1b1f..9095cea3e97f22 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -1027,15 +1027,23 @@ Curl_cookie_add(struct Curl_easy *data,
+    * dereference it.
+    */
+   if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
+-    const psl_ctx_t *psl = Curl_psl_use(data);
+-    int acceptable;
+-
+-    if(psl) {
+-      acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
+-      Curl_psl_release(data);
+    bool acceptable = FALSE;
+    char lcase[256];
+    char lcookie[256];
+    size_t dlen = strlen(domain);
+    size_t clen = strlen(co->domain);
+    if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
+      const psl_ctx_t *psl = Curl_psl_use(data);
+      if(psl) {
+        /* the PSL check requires lowercase domain name and pattern */
+        Curl_strntolower(lcase, domain, dlen + 1);
+        Curl_strntolower(lcookie, co->domain, clen + 1);
+        acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
+        Curl_psl_release(data);
+      }
+      else
+        acceptable = !bad_domain(domain, strlen(domain));
+     }
+-    else
+-      acceptable = !bad_domain(domain, strlen(domain));
+ 
+     if(!acceptable) {
+       infof(data, "cookie '%s' dropped, domain '%s' must not "
diff --git a/meta/recipes-support/curl/curl_8.4.0.bb b/meta/recipes-support/curl/curl_8.4.0.bb
index 5f97730bf4..8f1ba52692 100644
--- a/meta/recipes-support/curl/curl_8.4.0.bb
+++ b/meta/recipes-support/curl/curl_8.4.0.bb
@@ -13,6 +13,7 @@ SRC_URI = " \
    https://curl.se/download/${BP}.tar.xz \
    file://run-ptest \
    file://disable-tests \
+    file://CVE-2023-46218.patch \
 "
 SRC_URI[sha256sum] = "16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2023-12-19 11:34:48 +0800
committer	Steve Sakoman <steve@sakoman.com>	2023-12-22 05:23:26 -1000
commit	664c3401c57d4595bbd000a7d1dbf4427fcc1e88 (patch)
tree	9f2e8e542d49e4de35ecde65c0275d258d7ac430
parent	91bd70dbea333dcfedcb84db99b8298880a2cdd0 (diff)
download	poky-664c3401c57d4595bbd000a7d1dbf4427fcc1e88.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2023-46218.patch b/meta/recipes-support/curl/curl/CVE-2023-46218.patch new file mode 100644 index 0000000000..de2f095664 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-46218.patch
@@ -0,0 +1,52 @@
		1	CVE: CVE-2023-46218
		2	Upstream-Status: Backport [ https://github.com/curl/curl/commit/2b0994c29a721c91c57 ]
		3	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		4
		5	From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
		6	From: Daniel Stenberg <daniel@haxx.se>
		7	Date: Thu, 23 Nov 2023 08:15:47 +0100
		8	Subject: [PATCH] cookie: lowercase the domain names before PSL checks
		9
		10	Reported-by: Harry Sintonen
		11
		12	Closes #12387
		13	---
		14	lib/cookie.c \| 24 ++++++++++++++++--------
		15	1 file changed, 16 insertions(+), 8 deletions(-)
		16
		17	diff --git a/lib/cookie.c b/lib/cookie.c
		18	index 568cf537ad1b1f..9095cea3e97f22 100644
		19	--- a/lib/cookie.c
		20	+++ b/lib/cookie.c
		21	@@ -1027,15 +1027,23 @@ Curl_cookie_add(struct Curl_easy *data,
		22	* dereference it.
		23	*/
		24	if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
		25	- const psl_ctx_t *psl = Curl_psl_use(data);
		26	- int acceptable;
		27	-
		28	- if(psl) {
		29	- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
		30	- Curl_psl_release(data);
		31	+ bool acceptable = FALSE;
		32	+ char lcase[256];
		33	+ char lcookie[256];
		34	+ size_t dlen = strlen(domain);
		35	+ size_t clen = strlen(co->domain);
		36	+ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
		37	+ const psl_ctx_t *psl = Curl_psl_use(data);
		38	+ if(psl) {
		39	+ /* the PSL check requires lowercase domain name and pattern */
		40	+ Curl_strntolower(lcase, domain, dlen + 1);
		41	+ Curl_strntolower(lcookie, co->domain, clen + 1);
		42	+ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
		43	+ Curl_psl_release(data);
		44	+ }
		45	+ else
		46	+ acceptable = !bad_domain(domain, strlen(domain));
		47	}
		48	- else
		49	- acceptable = !bad_domain(domain, strlen(domain));
		50
		51	if(!acceptable) {
		52	infof(data, "cookie '%s' dropped, domain '%s' must not "


diff --git a/meta/recipes-support/curl/curl_8.4.0.bb b/meta/recipes-support/curl/curl_8.4.0.bb index 5f97730bf4..8f1ba52692 100644 --- a/meta/recipes-support/curl/curl_8.4.0.bb +++ b/meta/recipes-support/curl/curl_8.4.0.bb
@@ -13,6 +13,7 @@ SRC_URI = " \
13	https://curl.se/download/${BP}.tar.xz \	13	https://curl.se/download/${BP}.tar.xz \
14	file://run-ptest \	14	file://run-ptest \
15	file://disable-tests \	15	file://disable-tests \
		16	file://CVE-2023-46218.patch \
16	"	17	"
17	SRC_URI[sha256sum] = "16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d"	18	SRC_URI[sha256sum] = "16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d"
18		19