summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorRobert Joslyn <robert.joslyn@redrectangle.org>2022-09-05 12:06:08 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-09-12 08:41:47 +0100
commit68dfce5f526164560e4ae32e9548a9e87c36c690 (patch)
tree7afaacd3961cba590134ceb8cf51ec8c00409dca /meta
parent2c42fa484a6df49cae9ff238bffd7d763d640a37 (diff)
downloadpoky-68dfce5f526164560e4ae32e9548a9e87c36c690.tar.gz
curl: Backport patch for CVE-2022-35252
https://curl.se/docs/CVE-2022-35252.html (From OE-Core rev: 40bbdb43b247ffc5dd1990f51fb824a089c0987f) Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-35252.patch72
-rw-r--r--meta/recipes-support/curl/curl_7.82.0.bb1
2 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-35252.patch b/meta/recipes-support/curl/curl/CVE-2022-35252.patch
new file mode 100644
index 0000000000..7b6f81bd02
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-35252.patch
@@ -0,0 +1,72 @@
1From 62c09239ac4e08239c8e363b06901fc80637d8c7 Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Mon, 29 Aug 2022 00:09:17 +0200
4Subject: [PATCH] cookie: reject cookies with "control bytes"
5
6Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
7
8Reported-by: Axel Chong
9
10Bug: https://curl.se/docs/CVE-2022-35252.html
11
12CVE-2022-35252
13
14Closes #9381
15
16Upstream-Status: Backport [https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb]
17
18Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
19---
20 lib/cookie.c | 29 +++++++++++++++++++++++++++++
21 1 file changed, 29 insertions(+)
22
23diff --git a/lib/cookie.c b/lib/cookie.c
24index cb0c03b..e0470a1 100644
25--- a/lib/cookie.c
26+++ b/lib/cookie.c
27@@ -438,6 +438,30 @@ static bool bad_domain(const char *domain)
28 return TRUE;
29 }
30
31+/*
32+ RFC 6265 section 4.1.1 says a server should accept this range:
33+
34+ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
35+
36+ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
37+ fine. The prime reason for filtering out control bytes is that some HTTP
38+ servers return 400 for requests that contain such.
39+*/
40+static int invalid_octets(const char *p)
41+{
42+ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
43+ static const char badoctets[] = {
44+ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
45+ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
46+ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
47+ };
48+ size_t vlen, len;
49+ /* scan for all the octets that are *not* in cookie-octet */
50+ len = strcspn(p, badoctets);
51+ vlen = strlen(p);
52+ return (len != vlen);
53+}
54+
55 /*
56 * Curl_cookie_add
57 *
58@@ -590,6 +614,11 @@ Curl_cookie_add(struct Curl_easy *data,
59 badcookie = TRUE;
60 break;
61 }
62+ if(invalid_octets(whatptr) || invalid_octets(name)) {
63+ infof(data, "invalid octets in name/value, cookie dropped");
64+ badcookie = TRUE;
65+ break;
66+ }
67 }
68 else if(!len) {
69 /*
70--
712.35.1
72
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 67de0220c6..5368c91f5c 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
28 file://CVE-2022-32206.patch \ 28 file://CVE-2022-32206.patch \
29 file://CVE-2022-32207.patch \ 29 file://CVE-2022-32207.patch \
30 file://CVE-2022-32208.patch \ 30 file://CVE-2022-32208.patch \
31 file://CVE-2022-35252.patch \
31 " 32 "
32SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" 33SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
33 34