5 files changed, 579 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32205.patch b/meta/recipes-support/curl/curl/CVE-2022-32205.patch
new file mode 100644
index 0000000000..165fd8af47
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32205.patch
@@ -0,0 +1,174 @@
+From a91c22a072cbb32e296f1efba3502f1b7775dfaf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 26 Jun 2022 11:00:48 +0200
+Subject: [PATCH] cookie: apply limits
+- Send no more than 150 cookies per request
+- Cap the max length used for a cookie: header to 8K
+- Cap the max number of received Set-Cookie: headers to 50
+Bug: https://curl.se/docs/CVE-2022-32205.html
+CVE-2022-32205
+Reported-by: Harry Sintonen
+Closes #9048
+Upstream-Status: Backport [https://github.com/curl/curl/commit/48d7064a49148f0394]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/cookie.c  | 14 ++++++++++++--
+ lib/cookie.h  | 21 +++++++++++++++++++--
+ lib/http.c    | 13 +++++++++++--
+ lib/urldata.h |  1 +
+ 4 files changed, 43 insertions(+), 6 deletions(-)
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 1b8c8f9..8a6aa1a 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -477,6 +477,10 @@ Curl_cookie_add(struct Curl_easy *data,
+   (void)data;
+ #endif
+ 
+  DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
+  if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
+    return NULL;
+
+   /* First, alloc and init a new struct for it */
+   co = calloc(1, sizeof(struct Cookie));
+   if(!co)
+@@ -816,7 +820,7 @@ Curl_cookie_add(struct Curl_easy *data,
+       freecookie(co);
+       return NULL;
+     }
+-
+    data->req.setcookies++;
+   }
+   else {
+     /*
+@@ -1354,7 +1358,8 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+  *
+  * It shall only return cookies that haven't expired.
+  */
+-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
+                                   struct CookieInfo *c,
+                                    const char *host, const char *path,
+                                    bool secure)
+ {
+@@ -1409,6 +1414,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+             mainco = newco;
+ 
+             matches++;
+            if(matches >= MAX_COOKIE_SEND_AMOUNT) {
+              infof(data, "Included max number of cookies (%u) in request!",
+                    matches);
+              break;
+            }
+           }
+           else
+             goto fail;
+diff --git a/lib/cookie.h b/lib/cookie.h
+index 0ffe08e..7411980 100644
+--- a/lib/cookie.h
+++ b/lib/cookie.h
+@@ -81,10 +81,26 @@ struct CookieInfo {
+ */
+ #define MAX_COOKIE_LINE 5000
+ 
+-/* This is the maximum length of a cookie name or content we deal with: */
+/* Maximum length of an incoming cookie name or content we deal with. Longer
+   cookies are ignored. */
+ #define MAX_NAME 4096
+ #define MAX_NAME_TXT "4095"
+ 
+/* Maximum size for an outgoing cookie line libcurl will use in an http
+   request. This is the default maximum length used in some versions of Apache
+   httpd. */
+#define MAX_COOKIE_HEADER_LEN 8190
+
+/* Maximum number of cookies libcurl will send in a single request, even if
+   there might be more cookies that match. One reason to cap the number is to
+   keep the maximum HTTP request within the maximum allowed size. */
+#define MAX_COOKIE_SEND_AMOUNT 150
+
+/* Maximum number of Set-Cookie: lines accepted in a single response. If more
+   such header lines are received, they are ignored. This value must be less
+   than 256 since an unsigned char is used to count. */
+#define MAX_SET_COOKIE_AMOUNT 50
+
+ struct Curl_easy;
+ /*
+  * Add a cookie to the internal list of cookies. The domain and path arguments
+@@ -97,7 +113,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data,
+                                const char *domain, const char *path,
+                                bool secure);
+ 
+-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host,
+struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
+                                   struct CookieInfo *c, const char *host,
+                                    const char *path, bool secure);
+ void Curl_cookie_freelist(struct Cookie *cookies);
+ void Curl_cookie_clearall(struct CookieInfo *cookies);
+diff --git a/lib/http.c b/lib/http.c
+index 4433824..2c8b0c4 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -2709,12 +2709,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn,
+ }
+ 
+ #if !defined(CURL_DISABLE_COOKIES)
+
+ CURLcode Curl_http_cookies(struct Curl_easy *data,
+                            struct connectdata *conn,
+                            struct dynbuf *r)
+ {
+   CURLcode result = CURLE_OK;
+   char *addcookies = NULL;
+  bool linecap = FALSE;
+   if(data->set.str[STRING_COOKIE] &&
+      !Curl_checkheaders(data, STRCONST("Cookie")))
+     addcookies = data->set.str[STRING_COOKIE];
+@@ -2732,7 +2734,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
+         !strcmp(host, "127.0.0.1") ||
+         !strcmp(host, "[::1]") ? TRUE : FALSE;
+       Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
+-      co = Curl_cookie_getlist(data->cookies, host, data->state.up.path,
+      co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path,
+                                secure_context);
+       Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
+     }
+@@ -2746,6 +2748,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
+             if(result)
+               break;
+           }
+          if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >=
+             MAX_COOKIE_HEADER_LEN) {
+            infof(data, "Restricted outgoing cookies due to header size, "
+                  "'%s' not sent", co->name);
+            linecap = TRUE;
+            break;
+          }
+           result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"",
+                                  co->name, co->value);
+           if(result)
+@@ -2756,7 +2765,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
+       }
+       Curl_cookie_freelist(store);
+     }
+-    if(addcookies && !result) {
+    if(addcookies && !result && !linecap) {
+       if(!count)
+         result = Curl_dyn_addn(r, STRCONST("Cookie: "));
+       if(!result) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index e006495..54faf7d 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -707,6 +707,7 @@ struct SingleRequest {
+ #ifndef CURL_DISABLE_DOH
+   struct dohdata *doh; /* DoH specific data for this request */
+ #endif
+  unsigned char setcookies;
+   BIT(header);        /* incoming data has HTTP header */
+   BIT(content_range); /* set TRUE if Content-Range: was found */
+   BIT(upload_done);   /* set to TRUE when doing chunked transfer-encoding
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32206.patch b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
new file mode 100644
index 0000000000..25f5b27cc7
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
@@ -0,0 +1,51 @@
+From e12531340b03d242d3f892aa8797faf12b56dddf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 16 May 2022 16:28:13 +0200
+Subject: [PATCH] content_encoding: return error on too many compression steps
+The max allowed steps is arbitrarily set to 5.
+Bug: https://curl.se/docs/CVE-2022-32206.html
+CVE-2022-32206
+Reported-by: Harry Sintonen
+Closes #9049
+Upstream-Status: Backport [https://github.com/curl/curl/commit/3a09fbb7f264c67c43]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/content_encoding.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index c03637a..6f994b3 100644
+--- a/lib/content_encoding.c
+++ b/lib/content_encoding.c
+@@ -1026,12 +1026,16 @@ static const struct content_encoding *find_encoding(const char *name,
+   return NULL;
+ }
+ 
+/* allow no more than 5 "chained" compression steps */
+#define MAX_ENCODE_STACK 5
+
+ /* Set-up the unencoding stack from the Content-Encoding header value.
+  * See RFC 7231 section 3.1.2.2. */
+ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+                                      const char *enclist, int maybechunked)
+ {
+   struct SingleRequest *k = &data->req;
+  int counter = 0;
+ 
+   do {
+     const char *name;
+@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+       if(!encoding)
+         encoding = &error_encoding;  /* Defer error at stack use. */
+ 
+      if(++counter >= MAX_ENCODE_STACK) {
+        failf(data, "Reject response due to %u content encodings",
+              counter);
+        return CURLE_BAD_CONTENT_ENCODING;
+      }
+       /* Stack the unencoding stage. */
+       writer = new_unencoding_writer(data, encoding, k->writer_stack);
+       if(!writer)
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32207.patch b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
new file mode 100644
index 0000000000..bc16b62f39
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
@@ -0,0 +1,283 @@
+From 759088694e2ba68ddc5ffe042b071dadad6ff675 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 25 May 2022 10:09:53 +0200
+Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files
+Bug: https://curl.se/docs/CVE-2022-32207.html
+CVE-2022-32207
+Reported-by: Harry Sintonen
+Closes #9050
+Upstream-Status: Backport [https://github.com/curl/curl/commit/20f9dd6bae50b]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ CMakeLists.txt          |   1 +
+ configure.ac            |   1 +
+ lib/Makefile.inc        |   2 +
+ lib/cookie.c            |  19 ++-----
+ lib/curl_config.h.cmake |   3 ++
+ lib/fopen.c             | 113 ++++++++++++++++++++++++++++++++++++++++
+ lib/fopen.h             |  30 +++++++++++
+ 7 files changed, 154 insertions(+), 15 deletions(-)
+ create mode 100644 lib/fopen.c
+ create mode 100644 lib/fopen.h
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index b77de6d..a0bfaad 100644
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -1027,6 +1027,7 @@ elseif(HAVE_LIBSOCKET)
+   set(CMAKE_REQUIRED_LIBRARIES socket)
+ endif()
+ 
+check_symbol_exists(fchmod        "${CURL_INCLUDES}" HAVE_FCHMOD)
+ check_symbol_exists(basename      "${CURL_INCLUDES}" HAVE_BASENAME)
+ check_symbol_exists(socket        "${CURL_INCLUDES}" HAVE_SOCKET)
+ check_symbol_exists(select        "${CURL_INCLUDES}" HAVE_SELECT)
+diff --git a/configure.ac b/configure.ac
+index d431870..7433bb9 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -3351,6 +3351,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
+ 
+ 
+ AC_CHECK_FUNCS([fnmatch \
+  fchmod \
+   geteuid \
+   getpass_r \
+   getppid \
+diff --git a/lib/Makefile.inc b/lib/Makefile.inc
+index e8f110f..5139b03 100644
+--- a/lib/Makefile.inc
+++ b/lib/Makefile.inc
+@@ -133,6 +133,7 @@ LIB_CFILES =         \
+   escape.c           \
+   file.c             \
+   fileinfo.c         \
+  fopen.c            \
+   formdata.c         \
+   ftp.c              \
+   ftplistparser.c    \
+@@ -263,6 +264,7 @@ LIB_HFILES =         \
+   escape.h           \
+   file.h             \
+   fileinfo.h         \
+  fopen.h            \
+   formdata.h         \
+   ftp.h              \
+   ftplistparser.h    \
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 8a6aa1a..cb0c03b 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -96,8 +96,8 @@ Example set of cookies:
+ #include "curl_get_line.h"
+ #include "curl_memrchr.h"
+ #include "parsedate.h"
+-#include "rand.h"
+ #include "rename.h"
+#include "fopen.h"
+ 
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -1620,20 +1620,9 @@ static CURLcode cookie_output(struct Curl_easy *data,
+     use_stdout = TRUE;
+   }
+   else {
+-    unsigned char randsuffix[9];
+-
+-    if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+-      return 2;
+-
+-    tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
+-    if(!tempstore)
+-      return CURLE_OUT_OF_MEMORY;
+-
+-    out = fopen(tempstore, FOPEN_WRITETEXT);
+-    if(!out) {
+-      error = CURLE_WRITE_ERROR;
+    error = Curl_fopen(data, filename, &out, &tempstore);
+    if(error)
+       goto error;
+-    }
+   }
+ 
+   fputs("# Netscape HTTP Cookie File\n"
+@@ -1680,7 +1669,7 @@ static CURLcode cookie_output(struct Curl_easy *data,
+   if(!use_stdout) {
+     fclose(out);
+     out = NULL;
+-    if(Curl_rename(tempstore, filename)) {
+    if(tempstore && Curl_rename(tempstore, filename)) {
+       unlink(tempstore);
+       error = CURLE_WRITE_ERROR;
+       goto error;
+diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
+index d2a0f43..c254359 100644
+--- a/lib/curl_config.h.cmake
+++ b/lib/curl_config.h.cmake
+@@ -157,6 +157,9 @@
+ /* Define to 1 if you have the <assert.h> header file. */
+ #cmakedefine HAVE_ASSERT_H 1
+ 
+/* Define to 1 if you have the `fchmod' function. */
+#cmakedefine HAVE_FCHMOD 1
+
+ /* Define to 1 if you have the `basename' function. */
+ #cmakedefine HAVE_BASENAME 1
+ 
+diff --git a/lib/fopen.c b/lib/fopen.c
+new file mode 100644
+index 0000000..ad3691b
+--- /dev/null
+++ b/lib/fopen.c
+@@ -0,0 +1,113 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+
+#include "curl_setup.h"
+
+#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) ||  \
+  !defined(CURL_DISABLE_HSTS)
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+
+#include "urldata.h"
+#include "rand.h"
+#include "fopen.h"
+/* The last 3 #include files should be in this order */
+#include "curl_printf.h"
+#include "curl_memory.h"
+#include "memdebug.h"
+
+/*
+ * Curl_fopen() opens a file for writing with a temp name, to be renamed
+ * to the final name when completed. If there is an existing file using this
+ * name at the time of the open, this function will clone the mode from that
+ * file.  if 'tempname' is non-NULL, it needs a rename after the file is
+ * written.
+ */
+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+                    FILE **fh, char **tempname)
+{
+  CURLcode result = CURLE_WRITE_ERROR;
+  unsigned char randsuffix[9];
+  char *tempstore = NULL;
+  struct_stat sb;
+  int fd = -1;
+  *tempname = NULL;
+
+  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
+    /* a non-regular file, fallback to direct fopen() */
+    *fh = fopen(filename, FOPEN_WRITETEXT);
+    if(*fh)
+      return CURLE_OK;
+    goto fail;
+  }
+
+  result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
+  if(result)
+    goto fail;
+
+  tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
+  if(!tempstore) {
+    result = CURLE_OUT_OF_MEMORY;
+    goto fail;
+  }
+
+  result = CURLE_WRITE_ERROR;
+  fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
+  if(fd == -1)
+    goto fail;
+
+#ifdef HAVE_FCHMOD
+  {
+    struct_stat nsb;
+    if((fstat(fd, &nsb) != -1) &&
+       (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
+      /* if the user and group are the same, clone the original mode */
+      if(fchmod(fd, sb.st_mode) == -1)
+        goto fail;
+    }
+  }
+#endif
+
+  *fh = fdopen(fd, FOPEN_WRITETEXT);
+  if(!*fh)
+    goto fail;
+
+  *tempname = tempstore;
+  return CURLE_OK;
+
+fail:
+  if(fd != -1) {
+    close(fd);
+    unlink(tempstore);
+  }
+
+  free(tempstore);
+
+  *tempname = NULL;
+  return result;
+}
+
+#endif /* ! disabled */
+diff --git a/lib/fopen.h b/lib/fopen.h
+new file mode 100644
+index 0000000..289e55f
+--- /dev/null
+++ b/lib/fopen.h
+@@ -0,0 +1,30 @@
+#ifndef HEADER_CURL_FOPEN_H
+#define HEADER_CURL_FOPEN_H
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+
+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+                    FILE **fh, char **tempname);
+
+#endif
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32208.patch b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
new file mode 100644
index 0000000000..9a4e398370
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
@@ -0,0 +1,67 @@
+From fd2ffddec315c029e923e6e6f2c049809d01a5fc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/krb5.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+diff --git a/lib/krb5.c b/lib/krb5.c
+index 787137c..6f9e1f7 100644
+--- a/lib/krb5.c
+++ b/lib/krb5.c
+@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
+   enc.value = buf;
+   enc.length = len;
+   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+-  if(maj != GSS_S_COMPLETE) {
+-    if(len >= 4)
+-      strcpy(buf, "599 ");
+  if(maj != GSS_S_COMPLETE)
+     return -1;
+-  }
+ 
+   memcpy(buf, dec.value, dec.length);
+   len = curlx_uztosi(dec.length);
+@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+   int len;
+   CURLcode result;
+  int nread;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+   if(result)
+@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    buf->data = Curl_saferealloc(buf->data, len);
+    if(len > CURL_MAX_INPUT_LENGTH)
+      len = 0;
+    else
+      buf->data = Curl_saferealloc(buf->data, len);
+   }
+   if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
+@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;
+-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+-                                 conn->data_prot, conn);
+  nread = conn->mech->decode(conn->app_data, buf->data, len,
+                             conn->data_prot, conn);
+  if(nread < 0)
+    return CURLE_RECV_ERROR;
+  buf->size = (size_t)nread;
+   buf->index = 0;
+   return CURLE_OK;
+ }
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index d5dfe62a39..67de0220c6 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -24,6 +24,10 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
           file://CVE-2022-27782-1.patch \
           file://CVE-2022-27782-2.patch \
           file://0001-openssl-fix-CN-check-error-code.patch \
+           file://CVE-2022-32205.patch \
+           file://CVE-2022-32206.patch \
+           file://CVE-2022-32207.patch \
+           file://CVE-2022-32208.patch \
           "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"

diff --git a/meta/recipes-support/curl/curl/CVE-2022-32205.patch b/meta/recipes-support/curl/curl/CVE-2022-32205.patch new file mode 100644 index 0000000000..165fd8af47 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32205.patch
@@ -0,0 +1,174 @@
		1	From a91c22a072cbb32e296f1efba3502f1b7775dfaf Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Sun, 26 Jun 2022 11:00:48 +0200
		4	Subject: [PATCH] cookie: apply limits
		5
		6	- Send no more than 150 cookies per request
		7	- Cap the max length used for a cookie: header to 8K
		8	- Cap the max number of received Set-Cookie: headers to 50
		9
		10	Bug: https://curl.se/docs/CVE-2022-32205.html
		11	CVE-2022-32205
		12	Reported-by: Harry Sintonen
		13	Closes #9048
		14
		15	Upstream-Status: Backport [https://github.com/curl/curl/commit/48d7064a49148f0394]
		16	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
		17	---
		18	lib/cookie.c \| 14 ++++++++++++--
		19	lib/cookie.h \| 21 +++++++++++++++++++--
		20	lib/http.c \| 13 +++++++++++--
		21	lib/urldata.h \| 1 +
		22	4 files changed, 43 insertions(+), 6 deletions(-)
		23
		24	diff --git a/lib/cookie.c b/lib/cookie.c
		25	index 1b8c8f9..8a6aa1a 100644
		26	--- a/lib/cookie.c
		27	+++ b/lib/cookie.c
		28	@@ -477,6 +477,10 @@ Curl_cookie_add(struct Curl_easy *data,
		29	(void)data;
		30	#endif
		31
		32	+ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
		33	+ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
		34	+ return NULL;
		35	+
		36	/* First, alloc and init a new struct for it */
		37	co = calloc(1, sizeof(struct Cookie));
		38	if(!co)
		39	@@ -816,7 +820,7 @@ Curl_cookie_add(struct Curl_easy *data,
		40	freecookie(co);
		41	return NULL;
		42	}
		43	-
		44	+ data->req.setcookies++;
		45	}
		46	else {
		47	/*
		48	@@ -1354,7 +1358,8 @@ static struct Cookie dup_cookie(struct Cookie src)
		49	*
		50	* It shall only return cookies that haven't expired.
		51	*/
		52	-struct Cookie Curl_cookie_getlist(struct CookieInfo c,
		53	+struct Cookie Curl_cookie_getlist(struct Curl_easy data,
		54	+ struct CookieInfo *c,
		55	const char host, const char path,
		56	bool secure)
		57	{
		58	@@ -1409,6 +1414,11 @@ struct Cookie Curl_cookie_getlist(struct CookieInfo c,
		59	mainco = newco;
		60
		61	matches++;
		62	+ if(matches >= MAX_COOKIE_SEND_AMOUNT) {
		63	+ infof(data, "Included max number of cookies (%u) in request!",
		64	+ matches);
		65	+ break;
		66	+ }
		67	}
		68	else
		69	goto fail;
		70	diff --git a/lib/cookie.h b/lib/cookie.h
		71	index 0ffe08e..7411980 100644
		72	--- a/lib/cookie.h
		73	+++ b/lib/cookie.h
		74	@@ -81,10 +81,26 @@ struct CookieInfo {
		75	*/
		76	#define MAX_COOKIE_LINE 5000
		77
		78	-/* This is the maximum length of a cookie name or content we deal with: */
		79	+/* Maximum length of an incoming cookie name or content we deal with. Longer
		80	+ cookies are ignored. */
		81	#define MAX_NAME 4096
		82	#define MAX_NAME_TXT "4095"
		83
		84	+/* Maximum size for an outgoing cookie line libcurl will use in an http
		85	+ request. This is the default maximum length used in some versions of Apache
		86	+ httpd. */
		87	+#define MAX_COOKIE_HEADER_LEN 8190
		88	+
		89	+/* Maximum number of cookies libcurl will send in a single request, even if
		90	+ there might be more cookies that match. One reason to cap the number is to
		91	+ keep the maximum HTTP request within the maximum allowed size. */
		92	+#define MAX_COOKIE_SEND_AMOUNT 150
		93	+
		94	+/* Maximum number of Set-Cookie: lines accepted in a single response. If more
		95	+ such header lines are received, they are ignored. This value must be less
		96	+ than 256 since an unsigned char is used to count. */
		97	+#define MAX_SET_COOKIE_AMOUNT 50
		98	+
		99	struct Curl_easy;
		100	/*
		101	* Add a cookie to the internal list of cookies. The domain and path arguments
		102	@@ -97,7 +113,8 @@ struct Cookie Curl_cookie_add(struct Curl_easy data,
		103	const char domain, const char path,
		104	bool secure);
		105
		106	-struct Cookie Curl_cookie_getlist(struct CookieInfo c, const char *host,
		107	+struct Cookie Curl_cookie_getlist(struct Curl_easy data,
		108	+ struct CookieInfo c, const char host,
		109	const char *path, bool secure);
		110	void Curl_cookie_freelist(struct Cookie *cookies);
		111	void Curl_cookie_clearall(struct CookieInfo *cookies);
		112	diff --git a/lib/http.c b/lib/http.c
		113	index 4433824..2c8b0c4 100644
		114	--- a/lib/http.c
		115	+++ b/lib/http.c
		116	@@ -2709,12 +2709,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy data, struct connectdata conn,
		117	}
		118
		119	#if !defined(CURL_DISABLE_COOKIES)
		120	+
		121	CURLcode Curl_http_cookies(struct Curl_easy *data,
		122	struct connectdata *conn,
		123	struct dynbuf *r)
		124	{
		125	CURLcode result = CURLE_OK;
		126	char *addcookies = NULL;
		127	+ bool linecap = FALSE;
		128	if(data->set.str[STRING_COOKIE] &&
		129	!Curl_checkheaders(data, STRCONST("Cookie")))
		130	addcookies = data->set.str[STRING_COOKIE];
		131	@@ -2732,7 +2734,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
		132	!strcmp(host, "127.0.0.1") \|\|
		133	!strcmp(host, "[::1]") ? TRUE : FALSE;
		134	Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
		135	- co = Curl_cookie_getlist(data->cookies, host, data->state.up.path,
		136	+ co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path,
		137	secure_context);
		138	Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
		139	}
		140	@@ -2746,6 +2748,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
		141	if(result)
		142	break;
		143	}
		144	+ if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >=
		145	+ MAX_COOKIE_HEADER_LEN) {
		146	+ infof(data, "Restricted outgoing cookies due to header size, "
		147	+ "'%s' not sent", co->name);
		148	+ linecap = TRUE;
		149	+ break;
		150	+ }
		151	result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"",
		152	co->name, co->value);
		153	if(result)
		154	@@ -2756,7 +2765,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
		155	}
		156	Curl_cookie_freelist(store);
		157	}
		158	- if(addcookies && !result) {
		159	+ if(addcookies && !result && !linecap) {
		160	if(!count)
		161	result = Curl_dyn_addn(r, STRCONST("Cookie: "));
		162	if(!result) {
		163	diff --git a/lib/urldata.h b/lib/urldata.h
		164	index e006495..54faf7d 100644
		165	--- a/lib/urldata.h
		166	+++ b/lib/urldata.h
		167	@@ -707,6 +707,7 @@ struct SingleRequest {
		168	#ifndef CURL_DISABLE_DOH
		169	struct dohdata doh; / DoH specific data for this request */
		170	#endif
		171	+ unsigned char setcookies;
		172	BIT(header); /* incoming data has HTTP header */
		173	BIT(content_range); /* set TRUE if Content-Range: was found */
		174	BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding


diff --git a/meta/recipes-support/curl/curl/CVE-2022-32206.patch b/meta/recipes-support/curl/curl/CVE-2022-32206.patch new file mode 100644 index 0000000000..25f5b27cc7 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
@@ -0,0 +1,51 @@
		1	From e12531340b03d242d3f892aa8797faf12b56dddf Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Mon, 16 May 2022 16:28:13 +0200
		4	Subject: [PATCH] content_encoding: return error on too many compression steps
		5
		6	The max allowed steps is arbitrarily set to 5.
		7
		8	Bug: https://curl.se/docs/CVE-2022-32206.html
		9	CVE-2022-32206
		10	Reported-by: Harry Sintonen
		11	Closes #9049
		12
		13	Upstream-Status: Backport [https://github.com/curl/curl/commit/3a09fbb7f264c67c43]
		14	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
		15	---
		16	lib/content_encoding.c \| 9 +++++++++
		17	1 file changed, 9 insertions(+)
		18
		19	diff --git a/lib/content_encoding.c b/lib/content_encoding.c
		20	index c03637a..6f994b3 100644
		21	--- a/lib/content_encoding.c
		22	+++ b/lib/content_encoding.c
		23	@@ -1026,12 +1026,16 @@ static const struct content_encoding find_encoding(const char name,
		24	return NULL;
		25	}
		26
		27	+/* allow no more than 5 "chained" compression steps */
		28	+#define MAX_ENCODE_STACK 5
		29	+
		30	/* Set-up the unencoding stack from the Content-Encoding header value.
		31	* See RFC 7231 section 3.1.2.2. */
		32	CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
		33	const char *enclist, int maybechunked)
		34	{
		35	struct SingleRequest *k = &data->req;
		36	+ int counter = 0;
		37
		38	do {
		39	const char *name;
		40	@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
		41	if(!encoding)
		42	encoding = &error_encoding; /* Defer error at stack use. */
		43
		44	+ if(++counter >= MAX_ENCODE_STACK) {
		45	+ failf(data, "Reject response due to %u content encodings",
		46	+ counter);
		47	+ return CURLE_BAD_CONTENT_ENCODING;
		48	+ }
		49	/* Stack the unencoding stage. */
		50	writer = new_unencoding_writer(data, encoding, k->writer_stack);
		51	if(!writer)


diff --git a/meta/recipes-support/curl/curl/CVE-2022-32207.patch b/meta/recipes-support/curl/curl/CVE-2022-32207.patch new file mode 100644 index 0000000000..bc16b62f39 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
@@ -0,0 +1,283 @@
		1	From 759088694e2ba68ddc5ffe042b071dadad6ff675 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Wed, 25 May 2022 10:09:53 +0200
		4	Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files
		5
		6	Bug: https://curl.se/docs/CVE-2022-32207.html
		7	CVE-2022-32207
		8	Reported-by: Harry Sintonen
		9	Closes #9050
		10
		11	Upstream-Status: Backport [https://github.com/curl/curl/commit/20f9dd6bae50b]
		12	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
		13	---
		14	CMakeLists.txt \| 1 +
		15	configure.ac \| 1 +
		16	lib/Makefile.inc \| 2 +
		17	lib/cookie.c \| 19 ++-----
		18	lib/curl_config.h.cmake \| 3 ++
		19	lib/fopen.c \| 113 ++++++++++++++++++++++++++++++++++++++++
		20	lib/fopen.h \| 30 +++++++++++
		21	7 files changed, 154 insertions(+), 15 deletions(-)
		22	create mode 100644 lib/fopen.c
		23	create mode 100644 lib/fopen.h
		24
		25	diff --git a/CMakeLists.txt b/CMakeLists.txt
		26	index b77de6d..a0bfaad 100644
		27	--- a/CMakeLists.txt
		28	+++ b/CMakeLists.txt
		29	@@ -1027,6 +1027,7 @@ elseif(HAVE_LIBSOCKET)
		30	set(CMAKE_REQUIRED_LIBRARIES socket)
		31	endif()
		32
		33	+check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD)
		34	check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME)
		35	check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET)
		36	check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT)
		37	diff --git a/configure.ac b/configure.ac
		38	index d431870..7433bb9 100644
		39	--- a/configure.ac
		40	+++ b/configure.ac
		41	@@ -3351,6 +3351,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
		42
		43
		44	AC_CHECK_FUNCS([fnmatch \
		45	+ fchmod \
		46	geteuid \
		47	getpass_r \
		48	getppid \
		49	diff --git a/lib/Makefile.inc b/lib/Makefile.inc
		50	index e8f110f..5139b03 100644
		51	--- a/lib/Makefile.inc
		52	+++ b/lib/Makefile.inc
		53	@@ -133,6 +133,7 @@ LIB_CFILES = \
		54	escape.c \
		55	file.c \
		56	fileinfo.c \
		57	+ fopen.c \
		58	formdata.c \
		59	ftp.c \
		60	ftplistparser.c \
		61	@@ -263,6 +264,7 @@ LIB_HFILES = \
		62	escape.h \
		63	file.h \
		64	fileinfo.h \
		65	+ fopen.h \
		66	formdata.h \
		67	ftp.h \
		68	ftplistparser.h \
		69	diff --git a/lib/cookie.c b/lib/cookie.c
		70	index 8a6aa1a..cb0c03b 100644
		71	--- a/lib/cookie.c
		72	+++ b/lib/cookie.c
		73	@@ -96,8 +96,8 @@ Example set of cookies:
		74	#include "curl_get_line.h"
		75	#include "curl_memrchr.h"
		76	#include "parsedate.h"
		77	-#include "rand.h"
		78	#include "rename.h"
		79	+#include "fopen.h"
		80
		81	/* The last 3 #include files should be in this order */
		82	#include "curl_printf.h"
		83	@@ -1620,20 +1620,9 @@ static CURLcode cookie_output(struct Curl_easy *data,
		84	use_stdout = TRUE;
		85	}
		86	else {
		87	- unsigned char randsuffix[9];
		88	-
		89	- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
		90	- return 2;
		91	-
		92	- tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
		93	- if(!tempstore)
		94	- return CURLE_OUT_OF_MEMORY;
		95	-
		96	- out = fopen(tempstore, FOPEN_WRITETEXT);
		97	- if(!out) {
		98	- error = CURLE_WRITE_ERROR;
		99	+ error = Curl_fopen(data, filename, &out, &tempstore);
		100	+ if(error)
		101	goto error;
		102	- }
		103	}
		104
		105	fputs("# Netscape HTTP Cookie File\n"
		106	@@ -1680,7 +1669,7 @@ static CURLcode cookie_output(struct Curl_easy *data,
		107	if(!use_stdout) {
		108	fclose(out);
		109	out = NULL;
		110	- if(Curl_rename(tempstore, filename)) {
		111	+ if(tempstore && Curl_rename(tempstore, filename)) {
		112	unlink(tempstore);
		113	error = CURLE_WRITE_ERROR;
		114	goto error;
		115	diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
		116	index d2a0f43..c254359 100644
		117	--- a/lib/curl_config.h.cmake
		118	+++ b/lib/curl_config.h.cmake
		119	@@ -157,6 +157,9 @@
		120	/* Define to 1 if you have the <assert.h> header file. */
		121	#cmakedefine HAVE_ASSERT_H 1
		122
		123	+/* Define to 1 if you have the `fchmod' function. */
		124	+#cmakedefine HAVE_FCHMOD 1
		125	+
		126	/* Define to 1 if you have the `basename' function. */
		127	#cmakedefine HAVE_BASENAME 1
		128
		129	diff --git a/lib/fopen.c b/lib/fopen.c
		130	new file mode 100644
		131	index 0000000..ad3691b
		132	--- /dev/null
		133	+++ b/lib/fopen.c
		134	@@ -0,0 +1,113 @@
		135	+/***************************************************************************
		136	+ * _ _ ____ _
		137	+ * Project ___\| \| \| \| _ \\| \|
		138	+ * / __\| \| \| \| \|_) \| \|
		139	+ * \| (__\| \|_\| \| _ <\| \|___
		140	+ * \___\|\___/\|_\| \_\_____\|
		141	+ *
		142	+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
		143	+ *
		144	+ * This software is licensed as described in the file COPYING, which
		145	+ * you should have received as part of this distribution. The terms
		146	+ * are also available at https://curl.se/docs/copyright.html.
		147	+ *
		148	+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
		149	+ * copies of the Software, and permit persons to whom the Software is
		150	+ * furnished to do so, under the terms of the COPYING file.
		151	+ *
		152	+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
		153	+ * KIND, either express or implied.
		154	+ *
		155	+ * SPDX-License-Identifier: curl
		156	+ *
		157	+ ***************************************************************************/
		158	+
		159	+#include "curl_setup.h"
		160	+
		161	+#if !defined(CURL_DISABLE_COOKIES) \|\| !defined(CURL_DISABLE_ALTSVC) \|\| \
		162	+ !defined(CURL_DISABLE_HSTS)
		163	+
		164	+#ifdef HAVE_FCNTL_H
		165	+#include <fcntl.h>
		166	+#endif
		167	+
		168	+#include "urldata.h"
		169	+#include "rand.h"
		170	+#include "fopen.h"
		171	+/* The last 3 #include files should be in this order */
		172	+#include "curl_printf.h"
		173	+#include "curl_memory.h"
		174	+#include "memdebug.h"
		175	+
		176	+/*
		177	+ * Curl_fopen() opens a file for writing with a temp name, to be renamed
		178	+ * to the final name when completed. If there is an existing file using this
		179	+ * name at the time of the open, this function will clone the mode from that
		180	+ * file. if 'tempname' is non-NULL, it needs a rename after the file is
		181	+ * written.
		182	+ */
		183	+CURLcode Curl_fopen(struct Curl_easy data, const char filename,
		184	+ FILE fh, char tempname)
		185	+{
		186	+ CURLcode result = CURLE_WRITE_ERROR;
		187	+ unsigned char randsuffix[9];
		188	+ char *tempstore = NULL;
		189	+ struct_stat sb;
		190	+ int fd = -1;
		191	+ *tempname = NULL;
		192	+
		193	+ if(stat(filename, &sb) == -1 \|\| !S_ISREG(sb.st_mode)) {
		194	+ /* a non-regular file, fallback to direct fopen() */
		195	+ *fh = fopen(filename, FOPEN_WRITETEXT);
		196	+ if(*fh)
		197	+ return CURLE_OK;
		198	+ goto fail;
		199	+ }
		200	+
		201	+ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
		202	+ if(result)
		203	+ goto fail;
		204	+
		205	+ tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
		206	+ if(!tempstore) {
		207	+ result = CURLE_OUT_OF_MEMORY;
		208	+ goto fail;
		209	+ }
		210	+
		211	+ result = CURLE_WRITE_ERROR;
		212	+ fd = open(tempstore, O_WRONLY \| O_CREAT \| O_EXCL, 0600);
		213	+ if(fd == -1)
		214	+ goto fail;
		215	+
		216	+#ifdef HAVE_FCHMOD
		217	+ {
		218	+ struct_stat nsb;
		219	+ if((fstat(fd, &nsb) != -1) &&
		220	+ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
		221	+ /* if the user and group are the same, clone the original mode */
		222	+ if(fchmod(fd, sb.st_mode) == -1)
		223	+ goto fail;
		224	+ }
		225	+ }
		226	+#endif
		227	+
		228	+ *fh = fdopen(fd, FOPEN_WRITETEXT);
		229	+ if(!*fh)
		230	+ goto fail;
		231	+
		232	+ *tempname = tempstore;
		233	+ return CURLE_OK;
		234	+
		235	+fail:
		236	+ if(fd != -1) {
		237	+ close(fd);
		238	+ unlink(tempstore);
		239	+ }
		240	+
		241	+ free(tempstore);
		242	+
		243	+ *tempname = NULL;
		244	+ return result;
		245	+}
		246	+
		247	+#endif /* ! disabled */
		248	diff --git a/lib/fopen.h b/lib/fopen.h
		249	new file mode 100644
		250	index 0000000..289e55f
		251	--- /dev/null
		252	+++ b/lib/fopen.h
		253	@@ -0,0 +1,30 @@
		254	+#ifndef HEADER_CURL_FOPEN_H
		255	+#define HEADER_CURL_FOPEN_H
		256	+/***************************************************************************
		257	+ * _ _ ____ _
		258	+ * Project ___\| \| \| \| _ \\| \|
		259	+ * / __\| \| \| \| \|_) \| \|
		260	+ * \| (__\| \|_\| \| _ <\| \|___
		261	+ * \___\|\___/\|_\| \_\_____\|
		262	+ *
		263	+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
		264	+ *
		265	+ * This software is licensed as described in the file COPYING, which
		266	+ * you should have received as part of this distribution. The terms
		267	+ * are also available at https://curl.se/docs/copyright.html.
		268	+ *
		269	+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
		270	+ * copies of the Software, and permit persons to whom the Software is
		271	+ * furnished to do so, under the terms of the COPYING file.
		272	+ *
		273	+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
		274	+ * KIND, either express or implied.
		275	+ *
		276	+ * SPDX-License-Identifier: curl
		277	+ *
		278	+ ***************************************************************************/
		279	+
		280	+CURLcode Curl_fopen(struct Curl_easy data, const char filename,
		281	+ FILE fh, char tempname);
		282	+
		283	+#endif


diff --git a/meta/recipes-support/curl/curl/CVE-2022-32208.patch b/meta/recipes-support/curl/curl/CVE-2022-32208.patch new file mode 100644 index 0000000000..9a4e398370 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
@@ -0,0 +1,67 @@
		1	From fd2ffddec315c029e923e6e6f2c049809d01a5fc Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Thu, 9 Jun 2022 09:27:24 +0200
		4	Subject: [PATCH] krb5: return error properly on decode errors
		5
		6	Bug: https://curl.se/docs/CVE-2022-32208.html
		7	CVE-2022-32208
		8	Reported-by: Harry Sintonen
		9	Closes #9051
		10
		11	Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
		12	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
		13	---
		14	lib/krb5.c \| 18 +++++++++++-------
		15	1 file changed, 11 insertions(+), 7 deletions(-)
		16
		17	diff --git a/lib/krb5.c b/lib/krb5.c
		18	index 787137c..6f9e1f7 100644
		19	--- a/lib/krb5.c
		20	+++ b/lib/krb5.c
		21	@@ -140,11 +140,8 @@ krb5_decode(void app_data, void buf, int len,
		22	enc.value = buf;
		23	enc.length = len;
		24	maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
		25	- if(maj != GSS_S_COMPLETE) {
		26	- if(len >= 4)
		27	- strcpy(buf, "599 ");
		28	+ if(maj != GSS_S_COMPLETE)
		29	return -1;
		30	- }
		31
		32	memcpy(buf, dec.value, dec.length);
		33	len = curlx_uztosi(dec.length);
		34	@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
		35	{
		36	int len;
		37	CURLcode result;
		38	+ int nread;
		39
		40	result = socket_read(fd, &len, sizeof(len));
		41	if(result)
		42	@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
		43	if(len) {
		44	/* only realloc if there was a length */
		45	len = ntohl(len);
		46	- buf->data = Curl_saferealloc(buf->data, len);
		47	+ if(len > CURL_MAX_INPUT_LENGTH)
		48	+ len = 0;
		49	+ else
		50	+ buf->data = Curl_saferealloc(buf->data, len);
		51	}
		52	if(!len \|\| !buf->data)
		53	return CURLE_OUT_OF_MEMORY;
		54	@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
		55	result = socket_read(fd, buf->data, len);
		56	if(result)
		57	return result;
		58	- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
		59	- conn->data_prot, conn);
		60	+ nread = conn->mech->decode(conn->app_data, buf->data, len,
		61	+ conn->data_prot, conn);
		62	+ if(nread < 0)
		63	+ return CURLE_RECV_ERROR;
		64	+ buf->size = (size_t)nread;
		65	buf->index = 0;
		66	return CURLE_OK;
		67	}


diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index d5dfe62a39..67de0220c6 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -24,6 +24,10 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
24	file://CVE-2022-27782-1.patch \	24	file://CVE-2022-27782-1.patch \
25	file://CVE-2022-27782-2.patch \	25	file://CVE-2022-27782-2.patch \
26	file://0001-openssl-fix-CN-check-error-code.patch \	26	file://0001-openssl-fix-CN-check-error-code.patch \
		27	file://CVE-2022-32205.patch \
		28	file://CVE-2022-32206.patch \
		29	file://CVE-2022-32207.patch \
		30	file://CVE-2022-32208.patch \
27	"	31	"
28	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"	32	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
29		33