diff options
| author | Robert Joslyn <robert.joslyn@redrectangle.org> | 2022-09-05 12:06:08 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-09-12 08:41:47 +0100 |
| commit | 68dfce5f526164560e4ae32e9548a9e87c36c690 (patch) | |
| tree | 7afaacd3961cba590134ceb8cf51ec8c00409dca /meta | |
| parent | 2c42fa484a6df49cae9ff238bffd7d763d640a37 (diff) | |
| download | poky-68dfce5f526164560e4ae32e9548a9e87c36c690.tar.gz | |
curl: Backport patch for CVE-2022-35252
https://curl.se/docs/CVE-2022-35252.html
(From OE-Core rev: 40bbdb43b247ffc5dd1990f51fb824a089c0987f)
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-35252.patch | 72 | ||||
| -rw-r--r-- | meta/recipes-support/curl/curl_7.82.0.bb | 1 |
2 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-35252.patch b/meta/recipes-support/curl/curl/CVE-2022-35252.patch new file mode 100644 index 0000000000..7b6f81bd02 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-35252.patch | |||
| @@ -0,0 +1,72 @@ | |||
| 1 | From 62c09239ac4e08239c8e363b06901fc80637d8c7 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel Stenberg <daniel@haxx.se> | ||
| 3 | Date: Mon, 29 Aug 2022 00:09:17 +0200 | ||
| 4 | Subject: [PATCH] cookie: reject cookies with "control bytes" | ||
| 5 | |||
| 6 | Rejects 0x01 - 0x1f (except 0x09) plus 0x7f | ||
| 7 | |||
| 8 | Reported-by: Axel Chong | ||
| 9 | |||
| 10 | Bug: https://curl.se/docs/CVE-2022-35252.html | ||
| 11 | |||
| 12 | CVE-2022-35252 | ||
| 13 | |||
| 14 | Closes #9381 | ||
| 15 | |||
| 16 | Upstream-Status: Backport [https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb] | ||
| 17 | |||
| 18 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
| 19 | --- | ||
| 20 | lib/cookie.c | 29 +++++++++++++++++++++++++++++ | ||
| 21 | 1 file changed, 29 insertions(+) | ||
| 22 | |||
| 23 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
| 24 | index cb0c03b..e0470a1 100644 | ||
| 25 | --- a/lib/cookie.c | ||
| 26 | +++ b/lib/cookie.c | ||
| 27 | @@ -438,6 +438,30 @@ static bool bad_domain(const char *domain) | ||
| 28 | return TRUE; | ||
| 29 | } | ||
| 30 | |||
| 31 | +/* | ||
| 32 | + RFC 6265 section 4.1.1 says a server should accept this range: | ||
| 33 | + | ||
| 34 | + cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E | ||
| 35 | + | ||
| 36 | + But Firefox and Chrome as of June 2022 accept space, comma and double-quotes | ||
| 37 | + fine. The prime reason for filtering out control bytes is that some HTTP | ||
| 38 | + servers return 400 for requests that contain such. | ||
| 39 | +*/ | ||
| 40 | +static int invalid_octets(const char *p) | ||
| 41 | +{ | ||
| 42 | + /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ | ||
| 43 | + static const char badoctets[] = { | ||
| 44 | + "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" | ||
| 45 | + "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" | ||
| 46 | + "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" | ||
| 47 | + }; | ||
| 48 | + size_t vlen, len; | ||
| 49 | + /* scan for all the octets that are *not* in cookie-octet */ | ||
| 50 | + len = strcspn(p, badoctets); | ||
| 51 | + vlen = strlen(p); | ||
| 52 | + return (len != vlen); | ||
| 53 | +} | ||
| 54 | + | ||
| 55 | /* | ||
| 56 | * Curl_cookie_add | ||
| 57 | * | ||
| 58 | @@ -590,6 +614,11 @@ Curl_cookie_add(struct Curl_easy *data, | ||
| 59 | badcookie = TRUE; | ||
| 60 | break; | ||
| 61 | } | ||
| 62 | + if(invalid_octets(whatptr) || invalid_octets(name)) { | ||
| 63 | + infof(data, "invalid octets in name/value, cookie dropped"); | ||
| 64 | + badcookie = TRUE; | ||
| 65 | + break; | ||
| 66 | + } | ||
| 67 | } | ||
| 68 | else if(!len) { | ||
| 69 | /* | ||
| 70 | -- | ||
| 71 | 2.35.1 | ||
| 72 | |||
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 67de0220c6..5368c91f5c 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb | |||
| @@ -28,6 +28,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ | |||
| 28 | file://CVE-2022-32206.patch \ | 28 | file://CVE-2022-32206.patch \ |
| 29 | file://CVE-2022-32207.patch \ | 29 | file://CVE-2022-32207.patch \ |
| 30 | file://CVE-2022-32208.patch \ | 30 | file://CVE-2022-32208.patch \ |
| 31 | file://CVE-2022-35252.patch \ | ||
| 31 | " | 32 | " |
| 32 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" | 33 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" |
| 33 | 34 | ||
