curl: fix for CVE-2018-16839/CVE-2018-16840/CVE-2018-16842

(From OE-Core rev: 0f0db9fc8512a0ecd0cdba3304a195cd925a5029) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Changqing Li <changqing.li@windriver.com> 2018-11-02 14:07:49 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-11-07 23:08:54 +0000
commit: c67e7d1eb3d26d04bfe426d93f56a8b3a85dae93 (patch)
tree: c3ba9ed640c2a5ddc8aca4ae49afe445f80ef47b
parent: faacc5048746c5bd0366881cdf46470bfeef4300 (diff)
download: poky-c67e7d1eb3d26d04bfe426d93f56a8b3a85dae93.tar.gz
3 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2018-16839.patch b/meta/recipes-support/curl/curl/CVE-2018-16839.patch
new file mode 100644
index 0000000000..bf972d2ed7
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2018-16839.patch
@@ -0,0 +1,35 @@
+From 55b90532f9190dce40a325b3312d014c66dc3ae1 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 1 Nov 2018 15:27:35 +0800
+Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check
+CVE-2018-16839
+Reported-by: Harry Sintonen
+Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
+Upstream-Status: Backport [https://github.com/curl/curl/commit
+/f3a24d7916b9173c69a3e0ee790102993833d6c5?diff=unified]
+CVE: CVE-2018-16839
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ lib/vauth/cleartext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
+index 5d61ce6..1367143 100644
+--- a/lib/vauth/cleartext.c
+++ b/lib/vauth/cleartext.c
+@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
+   plen = strlen(passwdp);
+ 
+   /* Compute binary message length. Check for overflows. */
+-  if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
+  if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
+     return CURLE_OUT_OF_MEMORY;
+   plainlen = 2 * ulen + plen + 2;
+ 
+-- 
+2.7.4
diff --git a/meta/recipes-support/curl/curl/CVE-2018-16840.patch b/meta/recipes-support/curl/curl/CVE-2018-16840.patch
new file mode 100644
index 0000000000..3d086c4d90
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2018-16840.patch
@@ -0,0 +1,43 @@
+From 3c2846bec008e03d456e181d9ab55686da83f140 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 1 Nov 2018 15:33:35 +0800
+Subject: [PATCH] Curl_close: clear data->multi_easy on free to avoid
+ use-after-free
+Regression from b46cfbc (7.59.0)
+CVE-2018-16840
+Reported-by: Brian Carpenter (Geeknik Labs)
+Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
+Upstream-Status: Backport [https://github.com/curl/curl/commit/
+81d135d67155c5295b1033679c606165d4e28f3f]
+CVE: CVE-2018-16840
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ lib/url.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/lib/url.c b/lib/url.c
+index 27b2c1e..7ef7c20 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -320,10 +320,12 @@ CURLcode Curl_close(struct Curl_easy *data)
+        and detach this handle from there. */
+     curl_multi_remove_handle(data->multi, data);
+ 
+-  if(data->multi_easy)
+  if(data->multi_easy) {
+     /* when curl_easy_perform() is used, it creates its own multi handle to
+        use and this is the one */
+     curl_multi_cleanup(data->multi_easy);
+    data->multi_easy = NULL;
+  }
+ 
+   /* Destroy the timeout list that is held in the easy handle. It is
+      /normally/ done by curl_multi_remove_handle() but this is "just in
+-- 
+2.7.4
diff --git a/meta/recipes-support/curl/curl/CVE-2018-16842.patch b/meta/recipes-support/curl/curl/CVE-2018-16842.patch
new file mode 100644
index 0000000000..82e7557063
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2018-16842.patch
@@ -0,0 +1,35 @@
+From 0e4a6058b130f07cfa52fde8a3cb6f2abfe4c700 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 1 Nov 2018 15:30:56 +0800
+Subject: [PATCH] voutf: fix bad arethmetic when outputting warnings to stderr
+CVE-2018-16842
+Reported-by: Brian Carpenter
+Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
+Upstream-Status: Backport [https://github.com/curl/curl/commit
+/d530e92f59ae9bb2d47066c3c460b25d2ffeb211]
+CVE: CVE-2018-16842
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/tool_msgs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/tool_msgs.c b/src/tool_msgs.c
+index 9cce806..05bec39 100644
+--- a/src/tool_msgs.c
+++ b/src/tool_msgs.c
+@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *config,
+         (void)fwrite(ptr, cut + 1, 1, config->errors);
+         fputs("\n", config->errors);
+         ptr += cut + 1; /* skip the space too */
+-        len -= cut;
+        len -= cut + 1;
+       }
+       else {
+         fputs(ptr, config->errors);
+-- 
+2.7.4
author	Changqing Li <changqing.li@windriver.com>	2018-11-02 14:07:49 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-11-07 23:08:54 +0000
commit	c67e7d1eb3d26d04bfe426d93f56a8b3a85dae93 (patch)
tree	c3ba9ed640c2a5ddc8aca4ae49afe445f80ef47b
parent	faacc5048746c5bd0366881cdf46470bfeef4300 (diff)
download	poky-c67e7d1eb3d26d04bfe426d93f56a8b3a85dae93.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2018-16839.patch b/meta/recipes-support/curl/curl/CVE-2018-16839.patch new file mode 100644 index 0000000000..bf972d2ed7 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2018-16839.patch
@@ -0,0 +1,35 @@
	1	From 55b90532f9190dce40a325b3312d014c66dc3ae1 Mon Sep 17 00:00:00 2001
	2	From: Changqing Li <changqing.li@windriver.com>
	3	Date: Thu, 1 Nov 2018 15:27:35 +0800
	4	Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check
	5
	6	CVE-2018-16839
	7	Reported-by: Harry Sintonen
	8	Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
	9
	10	Upstream-Status: Backport [https://github.com/curl/curl/commit
	11	/f3a24d7916b9173c69a3e0ee790102993833d6c5?diff=unified]
	12
	13	CVE: CVE-2018-16839
	14
	15	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	16	---
	17	lib/vauth/cleartext.c \| 2 +-
	18	1 file changed, 1 insertion(+), 1 deletion(-)
	19
	20	diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
	21	index 5d61ce6..1367143 100644
	22	--- a/lib/vauth/cleartext.c
	23	+++ b/lib/vauth/cleartext.c
	24	@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
	25	plen = strlen(passwdp);
	26
	27	/* Compute binary message length. Check for overflows. */
	28	- if((ulen > SIZE_T_MAX/2) \|\| (plen > (SIZE_T_MAX/2 - 2)))
	29	+ if((ulen > SIZE_T_MAX/4) \|\| (plen > (SIZE_T_MAX/2 - 2)))
	30	return CURLE_OUT_OF_MEMORY;
	31	plainlen = 2 * ulen + plen + 2;
	32
	33	--
	34	2.7.4
	35


diff --git a/meta/recipes-support/curl/curl/CVE-2018-16840.patch b/meta/recipes-support/curl/curl/CVE-2018-16840.patch new file mode 100644 index 0000000000..3d086c4d90 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2018-16840.patch
@@ -0,0 +1,43 @@
	1	From 3c2846bec008e03d456e181d9ab55686da83f140 Mon Sep 17 00:00:00 2001
	2	From: Changqing Li <changqing.li@windriver.com>
	3	Date: Thu, 1 Nov 2018 15:33:35 +0800
	4	Subject: [PATCH] Curl_close: clear data->multi_easy on free to avoid
	5	use-after-free
	6
	7	Regression from b46cfbc (7.59.0)
	8	CVE-2018-16840
	9	Reported-by: Brian Carpenter (Geeknik Labs)
	10
	11	Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
	12
	13	Upstream-Status: Backport [https://github.com/curl/curl/commit/
	14	81d135d67155c5295b1033679c606165d4e28f3f]
	15
	16	CVE: CVE-2018-16840
	17
	18	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	19	---
	20	lib/url.c \| 4 +++-
	21	1 file changed, 3 insertions(+), 1 deletion(-)
	22
	23	diff --git a/lib/url.c b/lib/url.c
	24	index 27b2c1e..7ef7c20 100644
	25	--- a/lib/url.c
	26	+++ b/lib/url.c
	27	@@ -320,10 +320,12 @@ CURLcode Curl_close(struct Curl_easy *data)
	28	and detach this handle from there. */
	29	curl_multi_remove_handle(data->multi, data);
	30
	31	- if(data->multi_easy)
	32	+ if(data->multi_easy) {
	33	/* when curl_easy_perform() is used, it creates its own multi handle to
	34	use and this is the one */
	35	curl_multi_cleanup(data->multi_easy);
	36	+ data->multi_easy = NULL;
	37	+ }
	38
	39	/* Destroy the timeout list that is held in the easy handle. It is
	40	/normally/ done by curl_multi_remove_handle() but this is "just in
	41	--
	42	2.7.4
	43


diff --git a/meta/recipes-support/curl/curl/CVE-2018-16842.patch b/meta/recipes-support/curl/curl/CVE-2018-16842.patch new file mode 100644 index 0000000000..82e7557063 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2018-16842.patch
@@ -0,0 +1,35 @@
	1	From 0e4a6058b130f07cfa52fde8a3cb6f2abfe4c700 Mon Sep 17 00:00:00 2001
	2	From: Changqing Li <changqing.li@windriver.com>
	3	Date: Thu, 1 Nov 2018 15:30:56 +0800
	4	Subject: [PATCH] voutf: fix bad arethmetic when outputting warnings to stderr
	5
	6	CVE-2018-16842
	7	Reported-by: Brian Carpenter
	8	Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
	9
	10	Upstream-Status: Backport [https://github.com/curl/curl/commit
	11	/d530e92f59ae9bb2d47066c3c460b25d2ffeb211]
	12
	13	CVE: CVE-2018-16842
	14
	15	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	16	---
	17	src/tool_msgs.c \| 2 +-
	18	1 file changed, 1 insertion(+), 1 deletion(-)
	19
	20	diff --git a/src/tool_msgs.c b/src/tool_msgs.c
	21	index 9cce806..05bec39 100644
	22	--- a/src/tool_msgs.c
	23	+++ b/src/tool_msgs.c
	24	@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *config,
	25	(void)fwrite(ptr, cut + 1, 1, config->errors);
	26	fputs("\n", config->errors);
	27	ptr += cut + 1; /* skip the space too */
	28	- len -= cut;
	29	+ len -= cut + 1;
	30	}
	31	else {
	32	fputs(ptr, config->errors);
	33	--
	34	2.7.4
	35