3 files changed, 68 insertions, 106 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
new file mode 100644
index 0000000000..46c57afb73
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
@@ -0,0 +1,51 @@
+From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
+From: Eric Vigeant <evigeant@gmail.com>
+Date: Wed, 2 Nov 2022 11:47:09 -0400
+Subject: [PATCH] cur_path: do not add '/' if homedir ends with one
+When using SFTP and a path relative to the user home, do not add a
+trailing '/' to the user home dir if it already ends with one.
+Closes #9844
+CVE: CVE-2023-27534
+Note:
+- The upstream patch for CVE-2023-27534 does three things:
+1) creates new path with dynbuf(dynamic buffer)
+2) solves the tilde error which causes CVE-2023-27534
+3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.
+- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
+- This patch completes the 3rd task of the patch which was implemented without using dynbuf
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ lib/curl_path.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index f429634..40b92ee 100644
+--- a/lib/curl_path.c
+++ b/lib/curl_path.c
+@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+       /* It is referenced to the home directory, so strip the
+          leading '/' */
+       memcpy(real_path, homedir, homelen);
+-      real_path[homelen] = '/';
+-      real_path[homelen + 1] = '\0';
+      /* Only add a trailing '/' if homedir does not end with one */
+      if(homelen == 0 || real_path[homelen - 1] != '/') {
+        real_path[homelen] = '/';
+        homelen++;
+        real_path[homelen] = '\0';
+      }
+       if(working_path_len > 3) {
+-        memcpy(real_path + homelen + 1, working_path + 3,
+        memcpy(real_path + homelen, working_path + 3,
+                1 + working_path_len -3);
+       }
+     }
+-- 
+2.24.4
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
index aeeffd5fea..3ecd181290 100644
--- a/meta/recipes-support/curl/curl/CVE-2023-27534.patch
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
@@ -3,121 +3,31 @@ From: Daniel Stenberg <daniel@haxx.se>
 Date: Thu, 9 Mar 2023 16:22:11 +0100
 Subject: [PATCH] curl_path: create the new path with dynbuf
+Closes #10729
 CVE: CVE-2023-27534
-Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
+Note: This patch is needed to backport CVE-2023-27534
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
 ---
- lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
+ lib/curl_path.c | 2 +-
- 1 file changed, 35 insertions(+), 36 deletions(-)
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/curl_path.c b/lib/curl_path.c
-index f429634..e17db4b 100644
+index 40b92ee..598c5dd 100644
 --- a/lib/curl_path.c
 +++ b/lib/curl_path.c
-@@ -30,6 +30,8 @@
+@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
- #include "escape.h"
+       memcpy(real_path, working_path, 1 + working_path_len);
- #include "memdebug.h"
- 
-+#define MAX_SSHPATH_LEN 100000 /* arbitrary */
-+
- /* figure out the path to work with in this particular request */
- CURLcode Curl_getworkingpath(struct connectdata *conn,
-                              char *homedir,  /* when SFTP is used */
-@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
-                                              real path to work with */
- {
-   struct Curl_easy *data = conn->data;
-  char *real_path = NULL;
-   char *working_path;
-   size_t working_path_len;
-+  struct dynbuf npath;
-   CURLcode result =
-     Curl_urldecode(data, data->state.up.path, 0, &working_path,
-                    &working_path_len, FALSE);
-   if(result)
-     return result;
- 
-+  /* new path to switch to in case we need to */
-+  Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
-+
-   /* Check for /~/, indicating relative to the user's home directory */
-  if(conn->handler->protocol & CURLPROTO_SCP) {
-    real_path = malloc(working_path_len + 1);
-    if(real_path == NULL) {
-+  if((data->conn->handler->protocol & CURLPROTO_SCP) &&
-+     (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
-+    /* It is referenced to the home directory, so strip the leading '/~/' */
-+    if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
-       free(working_path);
-       return CURLE_OUT_OF_MEMORY;
-     }
-    if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
-      /* It is referenced to the home directory, so strip the leading '/~/' */
-      memcpy(real_path, working_path + 3, working_path_len - 2);
-    else
-      memcpy(real_path, working_path, 1 + working_path_len);
   }
-  else if(conn->handler->protocol & CURLPROTO_SFTP) {
+   else if(conn->handler->protocol & CURLPROTO_SFTP) {
 -    if((working_path_len > 1) && (working_path[1] == '~')) {
-      size_t homelen = strlen(homedir);
+    if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
-      real_path = malloc(homelen + working_path_len + 1);
+       size_t homelen = strlen(homedir);
-      if(real_path == NULL) {
+       real_path = malloc(homelen + working_path_len + 1);
-        free(working_path);
+       if(real_path == NULL) {
-        return CURLE_OUT_OF_MEMORY;
-      }
-      /* It is referenced to the home directory, so strip the
-         leading '/' */
-      memcpy(real_path, homedir, homelen);
-      real_path[homelen] = '/';
-      real_path[homelen + 1] = '\0';
-      if(working_path_len > 3) {
-        memcpy(real_path + homelen + 1, working_path + 3,
-               1 + working_path_len -3);
-      }
-+  else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
-+          (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
-+    size_t len;
-+    const char *p;
-+    int copyfrom = 3;
-+    if(Curl_dyn_add(&npath, homedir)) {
-+      free(working_path);
-+      return CURLE_OUT_OF_MEMORY;
-     }
-    else {
-      real_path = malloc(working_path_len + 1);
-      if(real_path == NULL) {
-        free(working_path);
-        return CURLE_OUT_OF_MEMORY;
-      }
-      memcpy(real_path, working_path, 1 + working_path_len);
-+    /* Copy a separating '/' if homedir does not end with one */
-+    len = Curl_dyn_len(&npath);
-+    p = Curl_dyn_ptr(&npath);
-+    if(len && (p[len-1] != '/'))
-+      copyfrom = 2;
-+
-+    if(Curl_dyn_addn(&npath,
-+                     &working_path[copyfrom], working_path_len - copyfrom)) {
-+      free(working_path);
-+      return CURLE_OUT_OF_MEMORY;
-     }
-   }
- 
-  free(working_path);
-+  if(Curl_dyn_len(&npath)) {
-+    free(working_path);
- 
-  /* store the pointer for the caller to receive */
-  *path = real_path;
-+    /* store the pointer for the caller to receive */
-+    *path = Curl_dyn_ptr(&npath);
-+  }
-+  else
-+    *path = working_path;
- 
-   return CURLE_OK;
- }
 -- 
-2.25.1
+2.24.4
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 32d18ddb3a..13ec117099 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -43,6 +43,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://CVE-2022-35260.patch \
           file://CVE-2022-43552.patch \
           file://CVE-2023-23916.patch \
+           file://CVE-2023-27534-pre1.patch \
           file://CVE-2023-27534.patch \
           file://CVE-2023-27538.patch \
           file://CVE-2023-27533.patch \

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch new file mode 100644 index 0000000000..46c57afb73 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
@@ -0,0 +1,51 @@
		1	From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
		2	From: Eric Vigeant <evigeant@gmail.com>
		3	Date: Wed, 2 Nov 2022 11:47:09 -0400
		4	Subject: [PATCH] cur_path: do not add '/' if homedir ends with one
		5
		6	When using SFTP and a path relative to the user home, do not add a
		7	trailing '/' to the user home dir if it already ends with one.
		8
		9	Closes #9844
		10
		11	CVE: CVE-2023-27534
		12	Note:
		13	- The upstream patch for CVE-2023-27534 does three things:
		14	1) creates new path with dynbuf(dynamic buffer)
		15	2) solves the tilde error which causes CVE-2023-27534
		16	3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.
		17	- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
		18	- This patch completes the 3rd task of the patch which was implemented without using dynbuf
		19	Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]
		20
		21	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		22	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		23	---
		24	lib/curl_path.c \| 10 +++++++---
		25	1 file changed, 7 insertions(+), 3 deletions(-)
		26
		27	diff --git a/lib/curl_path.c b/lib/curl_path.c
		28	index f429634..40b92ee 100644
		29	--- a/lib/curl_path.c
		30	+++ b/lib/curl_path.c
		31	@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
		32	/* It is referenced to the home directory, so strip the
		33	leading '/' */
		34	memcpy(real_path, homedir, homelen);
		35	- real_path[homelen] = '/';
		36	- real_path[homelen + 1] = '\0';
		37	+ /* Only add a trailing '/' if homedir does not end with one */
		38	+ if(homelen == 0 \|\| real_path[homelen - 1] != '/') {
		39	+ real_path[homelen] = '/';
		40	+ homelen++;
		41	+ real_path[homelen] = '\0';
		42	+ }
		43	if(working_path_len > 3) {
		44	- memcpy(real_path + homelen + 1, working_path + 3,
		45	+ memcpy(real_path + homelen, working_path + 3,
		46	1 + working_path_len -3);
		47	}
		48	}
		49	--
		50	2.24.4
		51


diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch index aeeffd5fea..3ecd181290 100644 --- a/meta/recipes-support/curl/curl/CVE-2023-27534.patch +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
@@ -3,121 +3,31 @@ From: Daniel Stenberg <daniel@haxx.se>
3	Date: Thu, 9 Mar 2023 16:22:11 +0100	3	Date: Thu, 9 Mar 2023 16:22:11 +0100
4	Subject: [PATCH] curl_path: create the new path with dynbuf	4	Subject: [PATCH] curl_path: create the new path with dynbuf
5		5
		6	Closes #10729
		7
6	CVE: CVE-2023-27534	8	CVE: CVE-2023-27534
7	Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]	9	Note: This patch is needed to backport CVE-2023-27534
		10	Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
8		11
9	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>	12	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		13	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
10	---	14	---
11	lib/curl_path.c \| 71 ++++++++++++++++++++++++-------------------------	15	lib/curl_path.c \| 2 +-
12	1 file changed, 35 insertions(+), 36 deletions(-)	16	1 file changed, 1 insertion(+), 1 deletion(-)
13		17
14	diff --git a/lib/curl_path.c b/lib/curl_path.c	18	diff --git a/lib/curl_path.c b/lib/curl_path.c
15	index f429634..e17db4b 100644	19	index 40b92ee..598c5dd 100644
16	--- a/lib/curl_path.c	20	--- a/lib/curl_path.c
17	+++ b/lib/curl_path.c	21	+++ b/lib/curl_path.c
18	@@ -30,6 +30,8 @@	22	@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
19	#include "escape.h"	23	memcpy(real_path, working_path, 1 + working_path_len);
20	#include "memdebug.h"
21
22	+#define MAX_SSHPATH_LEN 100000 /* arbitrary */
23	+
24	/* figure out the path to work with in this particular request */
25	CURLcode Curl_getworkingpath(struct connectdata *conn,
26	char homedir, / when SFTP is used */
27	@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
28	real path to work with */
29	{
30	struct Curl_easy *data = conn->data;
31	- char *real_path = NULL;
32	char *working_path;
33	size_t working_path_len;
34	+ struct dynbuf npath;
35	CURLcode result =
36	Curl_urldecode(data, data->state.up.path, 0, &working_path,
37	&working_path_len, FALSE);
38	if(result)
39	return result;
40
41	+ /* new path to switch to in case we need to */
42	+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
43	+
44	/* Check for /~/, indicating relative to the user's home directory */
45	- if(conn->handler->protocol & CURLPROTO_SCP) {
46	- real_path = malloc(working_path_len + 1);
47	- if(real_path == NULL) {
48	+ if((data->conn->handler->protocol & CURLPROTO_SCP) &&
49	+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
50	+ /* It is referenced to the home directory, so strip the leading '/~/' */
51	+ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
52	free(working_path);
53	return CURLE_OUT_OF_MEMORY;
54	}
55	- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
56	- /* It is referenced to the home directory, so strip the leading '/~/' */
57	- memcpy(real_path, working_path + 3, working_path_len - 2);
58	- else
59	- memcpy(real_path, working_path, 1 + working_path_len);
60	}	24	}
61	- else if(conn->handler->protocol & CURLPROTO_SFTP) {	25	else if(conn->handler->protocol & CURLPROTO_SFTP) {
62	- if((working_path_len > 1) && (working_path[1] == '~')) {	26	- if((working_path_len > 1) && (working_path[1] == '~')) {
63	- size_t homelen = strlen(homedir);	27	+ if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
64	- real_path = malloc(homelen + working_path_len + 1);	28	size_t homelen = strlen(homedir);
65	- if(real_path == NULL) {	29	real_path = malloc(homelen + working_path_len + 1);
66	- free(working_path);	30	if(real_path == NULL) {
67	- return CURLE_OUT_OF_MEMORY;
68	- }
69	- /* It is referenced to the home directory, so strip the
70	- leading '/' */
71	- memcpy(real_path, homedir, homelen);
72	- real_path[homelen] = '/';
73	- real_path[homelen + 1] = '\0';
74	- if(working_path_len > 3) {
75	- memcpy(real_path + homelen + 1, working_path + 3,
76	- 1 + working_path_len -3);
77	- }
78	+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
79	+ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
80	+ size_t len;
81	+ const char *p;
82	+ int copyfrom = 3;
83	+ if(Curl_dyn_add(&npath, homedir)) {
84	+ free(working_path);
85	+ return CURLE_OUT_OF_MEMORY;
86	}
87	- else {
88	- real_path = malloc(working_path_len + 1);
89	- if(real_path == NULL) {
90	- free(working_path);
91	- return CURLE_OUT_OF_MEMORY;
92	- }
93	- memcpy(real_path, working_path, 1 + working_path_len);
94	+ /* Copy a separating '/' if homedir does not end with one */
95	+ len = Curl_dyn_len(&npath);
96	+ p = Curl_dyn_ptr(&npath);
97	+ if(len && (p[len-1] != '/'))
98	+ copyfrom = 2;
99	+
100	+ if(Curl_dyn_addn(&npath,
101	+ &working_path[copyfrom], working_path_len - copyfrom)) {
102	+ free(working_path);
103	+ return CURLE_OUT_OF_MEMORY;
104	}
105	}
106
107	- free(working_path);
108	+ if(Curl_dyn_len(&npath)) {
109	+ free(working_path);
110
111	- /* store the pointer for the caller to receive */
112	- *path = real_path;
113	+ /* store the pointer for the caller to receive */
114	+ *path = Curl_dyn_ptr(&npath);
115	+ }
116	+ else
117	+ *path = working_path;
118
119	return CURLE_OK;
120	}
121	--	31	--
122	2.25.1	32	2.24.4
123		33


diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 32d18ddb3a..13ec117099 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -43,6 +43,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
43	file://CVE-2022-35260.patch \	43	file://CVE-2022-35260.patch \
44	file://CVE-2022-43552.patch \	44	file://CVE-2022-43552.patch \
45	file://CVE-2023-23916.patch \	45	file://CVE-2023-23916.patch \
		46	file://CVE-2023-27534-pre1.patch \
46	file://CVE-2023-27534.patch \	47	file://CVE-2023-27534.patch \
47	file://CVE-2023-27538.patch \	48	file://CVE-2023-27538.patch \
48	file://CVE-2023-27533.patch \	49	file://CVE-2023-27533.patch \