curl: CVE-2023-27533 TELNET option IAC injection

Upstream-Status: Backport from https://github.com/curl/curl/commit/0c28ba2faae2d7da780a66d2446045a560192cdc && https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684 (From OE-Core rev: ff795872530975a014ae23001a4b014449783a0e) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-04-11 16:46:11 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-04-19 04:44:59 -1000
commit: 7fdc49e7aee9620204eee7008661cd041b345f7e (patch)
tree: 1c0138e1741438d034cfadb96bc4813658fa6f6d /meta/recipes-support
parent: dea0c1e1f5e0d256ee7dce61fb3edb6bfcfa70f8 (diff)
download: poky-7fdc49e7aee9620204eee7008661cd041b345f7e.tar.gz
2 files changed, 209 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27533.patch b/meta/recipes-support/curl/curl/CVE-2023-27533.patch
new file mode 100644
index 0000000000..b69b20c85a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27533.patch
@@ -0,0 +1,208 @@
+From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Mar 2023 12:07:33 +0100
+Subject: [PATCH] telnet: parse telnet options without sscanf & only accept option arguments in ascii
+To avoid embedded telnet negotiation commands etc.
+Reported-by: Harry Sintonen
+Closes #10728
+CVE: CVE-2023-27533
+Upstream-Status: Backport [https://github.com/curl/curl/commit/0c28ba2faae2d7da780a66d2446045a560192cdc && https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/telnet.c | 149 +++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 91 insertions(+), 58 deletions(-)
+diff --git a/lib/telnet.c b/lib/telnet.c
+index e709973..3ecd680 100644
+--- a/lib/telnet.c
+++ b/lib/telnet.c
+@@ -768,22 +768,32 @@ static void printsub(struct Curl_easy *data,
+   }
+ }
+ 
+static bool str_is_nonascii(const char *str)
+{
+  size_t len = strlen(str);
+  while(len--) {
+    if(*str & 0x80)
+      return TRUE;
+    str++;
+  }
+  return FALSE;
+}
+
+ static CURLcode check_telnet_options(struct Curl_easy *data)
+ {
+   struct curl_slist *head;
+   struct curl_slist *beg;
+-  char option_keyword[128] = "";
+-  char option_arg[256] = "";
+   struct TELNET *tn = data->req.p.telnet;
+-  struct connectdata *conn = data->conn;
+   CURLcode result = CURLE_OK;
+-  int binary_option;
+ 
+   /* Add the user name as an environment variable if it
+      was given on the command line */
+   if(data->state.aptr.user) {
+-    msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
+-    beg = curl_slist_append(tn->telnet_vars, option_arg);
+    char buffer[256];
+    if(str_is_nonascii(data->conn->user))
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+    msnprintf(buffer, sizeof(buffer), "USER,%s", data->conn->user);
+    beg = curl_slist_append(tn->telnet_vars, buffer);
+     if(!beg) {
+       curl_slist_free_all(tn->telnet_vars);
+       tn->telnet_vars = NULL;
+@@ -793,68 +803,91 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+     tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES;
+   }
+ 
+-  for(head = data->set.telnet_options; head; head = head->next) {
+-    if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
+-              option_keyword, option_arg) == 2) {
+-
+-      /* Terminal type */
+-      if(strcasecompare(option_keyword, "TTYPE")) {
+-        strncpy(tn->subopt_ttype, option_arg, 31);
+-        tn->subopt_ttype[31] = 0; /* String termination */
+-        tn->us_preferred[CURL_TELOPT_TTYPE] = CURL_YES;
+  for(head = data->set.telnet_options; head && !result; head = head->next) {
+    size_t olen;
+    char *option = head->data;
+    char *arg;
+    char *sep = strchr(option, '=');
+    if(sep) {
+      olen = sep - option;
+      arg = ++sep;
+      if(str_is_nonascii(arg))
+         continue;
+-      }
+      switch(olen) {
+      case 5:
+        /* Terminal type */
+        if(strncasecompare(option, "TTYPE", 5)) {
+          strncpy(tn->subopt_ttype, arg, 31);
+          tn->subopt_ttype[31] = 0; /* String termination */
+          tn->us_preferred[CURL_TELOPT_TTYPE] = CURL_YES;
+        }
+        else
+          result = CURLE_UNKNOWN_OPTION;
+        break;
+ 
+-      /* Display variable */
+-      if(strcasecompare(option_keyword, "XDISPLOC")) {
+-        strncpy(tn->subopt_xdisploc, option_arg, 127);
+-        tn->subopt_xdisploc[127] = 0; /* String termination */
+-        tn->us_preferred[CURL_TELOPT_XDISPLOC] = CURL_YES;
+-        continue;
+-      }
+      case 8:
+        /* Display variable */
+        if(strncasecompare(option, "XDISPLOC", 8)) {
+          strncpy(tn->subopt_xdisploc, arg, 127);
+          tn->subopt_xdisploc[127] = 0; /* String termination */
+          tn->us_preferred[CURL_TELOPT_XDISPLOC] = CURL_YES;
+        }
+        else
+          result = CURLE_UNKNOWN_OPTION;
+        break;
+ 
+-      /* Environment variable */
+-      if(strcasecompare(option_keyword, "NEW_ENV")) {
+-        beg = curl_slist_append(tn->telnet_vars, option_arg);
+-        if(!beg) {
+-          result = CURLE_OUT_OF_MEMORY;
+-          break;
+      case 7:
+        /* Environment variable */
+        if(strncasecompare(option, "NEW_ENV", 7)) {
+          beg = curl_slist_append(tn->telnet_vars, arg);
+          if(!beg) {
+            result = CURLE_OUT_OF_MEMORY;
+            break;
+          }
+          tn->telnet_vars = beg;
+          tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES;
+         }
+-        tn->telnet_vars = beg;
+-        tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES;
+-        continue;
+-      }
+        else
+          result = CURLE_UNKNOWN_OPTION;
+        break;
+ 
+-      /* Window Size */
+-      if(strcasecompare(option_keyword, "WS")) {
+-        if(sscanf(option_arg, "%hu%*[xX]%hu",
+-                  &tn->subopt_wsx, &tn->subopt_wsy) == 2)
+-          tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES;
+-        else {
+-          failf(data, "Syntax error in telnet option: %s", head->data);
+-          result = CURLE_SETOPT_OPTION_SYNTAX;
+-          break;
+      case 2:
+        /* Window Size */
+        if(strncasecompare(option, "WS", 2)) {
+          if(sscanf(arg, "%hu%*[xX]%hu",
+                    &tn->subopt_wsx, &tn->subopt_wsy) == 2)
+            tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES;
+          else {
+            failf(data, "Syntax error in telnet option: %s", head->data);
+            result = CURLE_SETOPT_OPTION_SYNTAX;
+          }
+         }
+-        continue;
+-      }
+        else
+          result = CURLE_UNKNOWN_OPTION;
+        break;
+ 
+-      /* To take care or not of the 8th bit in data exchange */
+-      if(strcasecompare(option_keyword, "BINARY")) {
+-        binary_option = atoi(option_arg);
+-        if(binary_option != 1) {
+-          tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO;
+-          tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO;
+      case 6:
+        /* To take care or not of the 8th bit in data exchange */
+        if(strncasecompare(option, "BINARY", 6)) {
+          int binary_option = atoi(arg);
+          if(binary_option != 1) {
+            tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO;
+            tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO;
+          }
+         }
+-        continue;
+        else
+          result = CURLE_UNKNOWN_OPTION;
+        break;
+      default:
+        failf(data, "Unknown telnet option %s", head->data);
+        result = CURLE_UNKNOWN_OPTION;
+        break;
+       }
+-
+-      failf(data, "Unknown telnet option %s", head->data);
+-      result = CURLE_UNKNOWN_OPTION;
+-      break;
+     }
+-    failf(data, "Syntax error in telnet option: %s", head->data);
+-    result = CURLE_SETOPT_OPTION_SYNTAX;
+-    break;
+    else {
+      failf(data, "Syntax error in telnet option: %s", head->data);
+      result = CURLE_SETOPT_OPTION_SYNTAX;
+    }
+   }
+ 
+   if(result) {
+-- 
+2.25.1
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 945745cdde..7efec07e61 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -40,6 +40,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
           file://CVE-2023-23914_5-4.patch \
           file://CVE-2023-23914_5-5.patch \
           file://CVE-2023-23916.patch \
+           file://CVE-2023-27533.patch \
           "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-04-11 16:46:11 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-04-19 04:44:59 -1000
commit	7fdc49e7aee9620204eee7008661cd041b345f7e (patch)
tree	1c0138e1741438d034cfadb96bc4813658fa6f6d /meta/recipes-support
parent	dea0c1e1f5e0d256ee7dce61fb3edb6bfcfa70f8 (diff)
download	poky-7fdc49e7aee9620204eee7008661cd041b345f7e.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27533.patch b/meta/recipes-support/curl/curl/CVE-2023-27533.patch new file mode 100644 index 0000000000..b69b20c85a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27533.patch
@@ -0,0 +1,208 @@
		1	From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Mon, 6 Mar 2023 12:07:33 +0100
		4	Subject: [PATCH] telnet: parse telnet options without sscanf & only accept option arguments in ascii
		5
		6	To avoid embedded telnet negotiation commands etc.
		7
		8	Reported-by: Harry Sintonen
		9	Closes #10728
		10
		11	CVE: CVE-2023-27533
		12	Upstream-Status: Backport [https://github.com/curl/curl/commit/0c28ba2faae2d7da780a66d2446045a560192cdc && https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684]
		13
		14	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		15	---
		16	lib/telnet.c \| 149 +++++++++++++++++++++++++++++++--------------------
		17	1 file changed, 91 insertions(+), 58 deletions(-)
		18
		19	diff --git a/lib/telnet.c b/lib/telnet.c
		20	index e709973..3ecd680 100644
		21	--- a/lib/telnet.c
		22	+++ b/lib/telnet.c
		23	@@ -768,22 +768,32 @@ static void printsub(struct Curl_easy *data,
		24	}
		25	}
		26
		27	+static bool str_is_nonascii(const char *str)
		28	+{
		29	+ size_t len = strlen(str);
		30	+ while(len--) {
		31	+ if(*str & 0x80)
		32	+ return TRUE;
		33	+ str++;
		34	+ }
		35	+ return FALSE;
		36	+}
		37	+
		38	static CURLcode check_telnet_options(struct Curl_easy *data)
		39	{
		40	struct curl_slist *head;
		41	struct curl_slist *beg;
		42	- char option_keyword[128] = "";
		43	- char option_arg[256] = "";
		44	struct TELNET *tn = data->req.p.telnet;
		45	- struct connectdata *conn = data->conn;
		46	CURLcode result = CURLE_OK;
		47	- int binary_option;
		48
		49	/* Add the user name as an environment variable if it
		50	was given on the command line */
		51	if(data->state.aptr.user) {
		52	- msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
		53	- beg = curl_slist_append(tn->telnet_vars, option_arg);
		54	+ char buffer[256];
		55	+ if(str_is_nonascii(data->conn->user))
		56	+ return CURLE_BAD_FUNCTION_ARGUMENT;
		57	+ msnprintf(buffer, sizeof(buffer), "USER,%s", data->conn->user);
		58	+ beg = curl_slist_append(tn->telnet_vars, buffer);
		59	if(!beg) {
		60	curl_slist_free_all(tn->telnet_vars);
		61	tn->telnet_vars = NULL;
		62	@@ -793,68 +803,91 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
		63	tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES;
		64	}
		65
		66	- for(head = data->set.telnet_options; head; head = head->next) {
		67	- if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
		68	- option_keyword, option_arg) == 2) {
		69	-
		70	- /* Terminal type */
		71	- if(strcasecompare(option_keyword, "TTYPE")) {
		72	- strncpy(tn->subopt_ttype, option_arg, 31);
		73	- tn->subopt_ttype[31] = 0; /* String termination */
		74	- tn->us_preferred[CURL_TELOPT_TTYPE] = CURL_YES;
		75	+ for(head = data->set.telnet_options; head && !result; head = head->next) {
		76	+ size_t olen;
		77	+ char *option = head->data;
		78	+ char *arg;
		79	+ char *sep = strchr(option, '=');
		80	+ if(sep) {
		81	+ olen = sep - option;
		82	+ arg = ++sep;
		83	+ if(str_is_nonascii(arg))
		84	continue;
		85	- }
		86	+ switch(olen) {
		87	+ case 5:
		88	+ /* Terminal type */
		89	+ if(strncasecompare(option, "TTYPE", 5)) {
		90	+ strncpy(tn->subopt_ttype, arg, 31);
		91	+ tn->subopt_ttype[31] = 0; /* String termination */
		92	+ tn->us_preferred[CURL_TELOPT_TTYPE] = CURL_YES;
		93	+ }
		94	+ else
		95	+ result = CURLE_UNKNOWN_OPTION;
		96	+ break;
		97
		98	- /* Display variable */
		99	- if(strcasecompare(option_keyword, "XDISPLOC")) {
		100	- strncpy(tn->subopt_xdisploc, option_arg, 127);
		101	- tn->subopt_xdisploc[127] = 0; /* String termination */
		102	- tn->us_preferred[CURL_TELOPT_XDISPLOC] = CURL_YES;
		103	- continue;
		104	- }
		105	+ case 8:
		106	+ /* Display variable */
		107	+ if(strncasecompare(option, "XDISPLOC", 8)) {
		108	+ strncpy(tn->subopt_xdisploc, arg, 127);
		109	+ tn->subopt_xdisploc[127] = 0; /* String termination */
		110	+ tn->us_preferred[CURL_TELOPT_XDISPLOC] = CURL_YES;
		111	+ }
		112	+ else
		113	+ result = CURLE_UNKNOWN_OPTION;
		114	+ break;
		115
		116	- /* Environment variable */
		117	- if(strcasecompare(option_keyword, "NEW_ENV")) {
		118	- beg = curl_slist_append(tn->telnet_vars, option_arg);
		119	- if(!beg) {
		120	- result = CURLE_OUT_OF_MEMORY;
		121	- break;
		122	+ case 7:
		123	+ /* Environment variable */
		124	+ if(strncasecompare(option, "NEW_ENV", 7)) {
		125	+ beg = curl_slist_append(tn->telnet_vars, arg);
		126	+ if(!beg) {
		127	+ result = CURLE_OUT_OF_MEMORY;
		128	+ break;
		129	+ }
		130	+ tn->telnet_vars = beg;
		131	+ tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES;
		132	}
		133	- tn->telnet_vars = beg;
		134	- tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES;
		135	- continue;
		136	- }
		137	+ else
		138	+ result = CURLE_UNKNOWN_OPTION;
		139	+ break;
		140
		141	- /* Window Size */
		142	- if(strcasecompare(option_keyword, "WS")) {
		143	- if(sscanf(option_arg, "%hu%*[xX]%hu",
		144	- &tn->subopt_wsx, &tn->subopt_wsy) == 2)
		145	- tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES;
		146	- else {
		147	- failf(data, "Syntax error in telnet option: %s", head->data);
		148	- result = CURLE_SETOPT_OPTION_SYNTAX;
		149	- break;
		150	+ case 2:
		151	+ /* Window Size */
		152	+ if(strncasecompare(option, "WS", 2)) {
		153	+ if(sscanf(arg, "%hu%*[xX]%hu",
		154	+ &tn->subopt_wsx, &tn->subopt_wsy) == 2)
		155	+ tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES;
		156	+ else {
		157	+ failf(data, "Syntax error in telnet option: %s", head->data);
		158	+ result = CURLE_SETOPT_OPTION_SYNTAX;
		159	+ }
		160	}
		161	- continue;
		162	- }
		163	+ else
		164	+ result = CURLE_UNKNOWN_OPTION;
		165	+ break;
		166
		167	- /* To take care or not of the 8th bit in data exchange */
		168	- if(strcasecompare(option_keyword, "BINARY")) {
		169	- binary_option = atoi(option_arg);
		170	- if(binary_option != 1) {
		171	- tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO;
		172	- tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO;
		173	+ case 6:
		174	+ /* To take care or not of the 8th bit in data exchange */
		175	+ if(strncasecompare(option, "BINARY", 6)) {
		176	+ int binary_option = atoi(arg);
		177	+ if(binary_option != 1) {
		178	+ tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO;
		179	+ tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO;
		180	+ }
		181	}
		182	- continue;
		183	+ else
		184	+ result = CURLE_UNKNOWN_OPTION;
		185	+ break;
		186	+ default:
		187	+ failf(data, "Unknown telnet option %s", head->data);
		188	+ result = CURLE_UNKNOWN_OPTION;
		189	+ break;
		190	}
		191	-
		192	- failf(data, "Unknown telnet option %s", head->data);
		193	- result = CURLE_UNKNOWN_OPTION;
		194	- break;
		195	}
		196	- failf(data, "Syntax error in telnet option: %s", head->data);
		197	- result = CURLE_SETOPT_OPTION_SYNTAX;
		198	- break;
		199	+ else {
		200	+ failf(data, "Syntax error in telnet option: %s", head->data);
		201	+ result = CURLE_SETOPT_OPTION_SYNTAX;
		202	+ }
		203	}
		204
		205	if(result) {
		206	--
		207	2.25.1
		208


diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 945745cdde..7efec07e61 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -40,6 +40,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
40	file://CVE-2023-23914_5-4.patch \	40	file://CVE-2023-23914_5-4.patch \
41	file://CVE-2023-23914_5-5.patch \	41	file://CVE-2023-23914_5-5.patch \
42	file://CVE-2023-23916.patch \	42	file://CVE-2023-23916.patch \
		43	file://CVE-2023-27533.patch \
43	"	44	"
44	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"	45	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
45		46