4 files changed, 259 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-46219-0001.patch b/meta/recipes-support/curl/curl/CVE-2023-46219-0001.patch
new file mode 100644
index 0000000000..55e8f6fac9
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-46219-0001.patch
@@ -0,0 +1,42 @@
+From 0c667188e0c6cda615a036b8a2b4125f2c404dde Mon Sep 17 00:00:00 2001
+From: SaltyMilk <soufiane.elmelcaoui@gmail.com>
+Date: Mon, 10 Jul 2023 21:43:28 +0200
+Subject: [PATCH] fopen: optimize
+Closes #11419
+CVE: CVE-2023-46219
+Upstream-Status: Backport [https://github.com/curl/curl/commit/0c667188e0c6]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/fopen.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+diff --git a/lib/fopen.c b/lib/fopen.c
+index ad3691b..92f39cf 100644
+--- a/lib/fopen.c
+++ b/lib/fopen.c
+@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+   int fd = -1;
+   *tempname = NULL;
+-  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
+-    /* a non-regular file, fallback to direct fopen() */
+-    *fh = fopen(filename, FOPEN_WRITETEXT);
+-    if(*fh)
+-      return CURLE_OK;
+  *fh = fopen(filename, FOPEN_WRITETEXT);
+  if(!*fh)
+     goto fail;
+-  }
+  if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode))
+    return CURLE_OK;
+  fclose(*fh);
+  *fh = NULL;
+   result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
+   if(result)
+--
+2.40.0
diff --git a/meta/recipes-support/curl/curl/CVE-2023-46219-0002.patch b/meta/recipes-support/curl/curl/CVE-2023-46219-0002.patch
new file mode 100644
index 0000000000..f432fabbb1
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-46219-0002.patch
@@ -0,0 +1,133 @@
+From 73b65e94f3531179de45c6f3c836a610e3d0a846 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 23 Nov 2023 08:23:17 +0100
+Subject: [PATCH] fopen: create short(er) temporary file name
+Only using random letters in the name plus a ".tmp" extension. Not by
+appending characters to the final file name.
+Reported-by: Maksymilian Arciemowicz
+Closes #12388
+CVE: CVE-2023-46219
+Upstream-Status: Backport [https://github.com/curl/curl/commit/73b65e94f3531179]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/fopen.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 59 insertions(+), 4 deletions(-)
+diff --git a/lib/fopen.c b/lib/fopen.c
+index 92f39cf..1670e32 100644
+--- a/lib/fopen.c
+++ b/lib/fopen.c
+@@ -39,6 +39,50 @@
+ #include "curl_memory.h"
+ #include "memdebug.h"
+
+/*
+  The dirslash() function breaks a null-terminated pathname string into
+  directory and filename components then returns the directory component up
+  to, *AND INCLUDING*, a final '/'.  If there is no directory in the path,
+  this instead returns a "" string.
+  This function returns a pointer to malloc'ed memory.
+  The input path to this function is expected to have a file name part.
+*/
+
+#ifdef _WIN32
+#define PATHSEP "\\"
+#define IS_SEP(x) (((x) == '/') || ((x) == '\\'))
+#elif defined(MSDOS) || defined(__EMX__) || defined(OS2)
+#define PATHSEP "\\"
+#define IS_SEP(x) ((x) == '\\')
+#else
+#define PATHSEP "/"
+#define IS_SEP(x) ((x) == '/')
+#endif
+
+static char *dirslash(const char *path)
+{
+  size_t n;
+  struct dynbuf out;
+  DEBUGASSERT(path);
+  Curl_dyn_init(&out, CURL_MAX_INPUT_LENGTH);
+  n = strlen(path);
+  if(n) {
+    /* find the rightmost path separator, if any */
+    while(n && !IS_SEP(path[n-1]))
+      --n;
+    /* skip over all the path separators, if any */
+    while(n && IS_SEP(path[n-1]))
+      --n;
+  }
+  if(Curl_dyn_addn(&out, path, n))
+    return NULL;
+  /* if there was a directory, append a single trailing slash */
+  if(n && Curl_dyn_addn(&out, PATHSEP, 1))
+    return NULL;
+  return Curl_dyn_ptr(&out);
+}
+
+ /*
+  * Curl_fopen() opens a file for writing with a temp name, to be renamed
+  * to the final name when completed. If there is an existing file using this
+@@ -50,25 +94,34 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+                     FILE **fh, char **tempname)
+ {
+   CURLcode result = CURLE_WRITE_ERROR;
+-  unsigned char randsuffix[9];
+  unsigned char randbuf[41];
+   char *tempstore = NULL;
+   struct_stat sb;
+   int fd = -1;
+  char *dir;
+   *tempname = NULL;
+  dir = dirslash(filename);
+  if(!dir)
+    goto fail;
+
+   *fh = fopen(filename, FOPEN_WRITETEXT);
+   if(!*fh)
+     goto fail;
+-  if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode))
+  if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)){
+    free(dir);
+     return CURLE_OK;
+  }
+   fclose(*fh);
+   *fh = NULL;
+-  result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
+  result = Curl_rand_hex(data, randbuf, sizeof(randbuf));
+   if(result)
+     goto fail;
+-  tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
+  /* The temp file name should not end up too long for the target file
+     system */
+  tempstore = aprintf("%s%s.tmp", dir, randbuf);
+   if(!tempstore) {
+     result = CURLE_OUT_OF_MEMORY;
+     goto fail;
+@@ -95,6 +148,7 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+   if(!*fh)
+     goto fail;
+  free(dir);
+   *tempname = tempstore;
+   return CURLE_OK;
+@@ -107,6 +161,7 @@ fail:
+   free(tempstore);
+   *tempname = NULL;
+  free(dir);
+   return result;
+ }
+--
+2.40.0
diff --git a/meta/recipes-support/curl/curl/CVE-2023-46219-0003.patch b/meta/recipes-support/curl/curl/CVE-2023-46219-0003.patch
new file mode 100644
index 0000000000..3b6f756549
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-46219-0003.patch
@@ -0,0 +1,81 @@
+From f27b8dba73295cb5296a50f2c19c0739b502eb94 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 24 Nov 2023 09:46:32 +0100
+Subject: [PATCH] fopen: allocate the dir after fopen
+Move the allocation of the directory name down to after the fopen() call
+to allow that shortcut code path to avoid a superfluous malloc+free
+cycle.
+Follow-up to 73b65e94f35311
+Closes #12398
+CVE: CVE-2023-46219
+Upstream-Status: Backport [https://github.com/curl/curl/commit/f27b8dba73295cb529]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/fopen.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+diff --git a/lib/fopen.c b/lib/fopen.c
+index 1670e32..b663f8b 100644
+--- a/lib/fopen.c
+++ b/lib/fopen.c
+@@ -98,18 +98,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+   char *tempstore = NULL;
+   struct_stat sb;
+   int fd = -1;
+-  char *dir;
+  char *dir = NULL;
+   *tempname = NULL;
+-  dir = dirslash(filename);
+-  if(!dir)
+-    goto fail;
+-
+   *fh = fopen(filename, FOPEN_WRITETEXT);
+   if(!*fh)
+     goto fail;
+   if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)){
+-    free(dir);
+     return CURLE_OK;
+   }
+   fclose(*fh);
+@@ -119,9 +114,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+   if(result)
+     goto fail;
+-  /* The temp file name should not end up too long for the target file
+-     system */
+-  tempstore = aprintf("%s%s.tmp", dir, randbuf);
+  dir = dirslash(filename);
+  if(dir) {
+    /* The temp file name should not end up too long for the target file
+       system */
+    tempstore = aprintf("%s%s.tmp", dir, randbuf);
+    free(dir);
+  }
+   if(!tempstore) {
+     result = CURLE_OUT_OF_MEMORY;
+     goto fail;
+@@ -148,7 +147,6 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+   if(!*fh)
+     goto fail;
+-  free(dir);
+   *tempname = tempstore;
+   return CURLE_OK;
+@@ -161,7 +159,6 @@ fail:
+   free(tempstore);
+   *tempname = NULL;
+-  free(dir);
+   return result;
+ }
+--
+2.40.0
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 965f05bc98..de69d3d53b 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -54,6 +54,9 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
           file://CVE-2023-38545.patch \
           file://CVE-2023-38546.patch \
           file://CVE-2023-46218.patch \
+           file://CVE-2023-46219-0001.patch \
+           file://CVE-2023-46219-0002.patch \
+           file://CVE-2023-46219-0003.patch \
           "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"

diff --git a/meta/recipes-support/curl/curl/CVE-2023-46219-0001.patch b/meta/recipes-support/curl/curl/CVE-2023-46219-0001.patch new file mode 100644 index 0000000000..55e8f6fac9 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-46219-0001.patch
@@ -0,0 +1,42 @@
		1	From 0c667188e0c6cda615a036b8a2b4125f2c404dde Mon Sep 17 00:00:00 2001
		2	From: SaltyMilk <soufiane.elmelcaoui@gmail.com>
		3	Date: Mon, 10 Jul 2023 21:43:28 +0200
		4	Subject: [PATCH] fopen: optimize
		5
		6	Closes #11419
		7
		8	CVE: CVE-2023-46219
		9
		10	Upstream-Status: Backport [https://github.com/curl/curl/commit/0c667188e0c6]
		11
		12	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		13	---
		14	lib/fopen.c \| 12 ++++++------
		15	1 file changed, 6 insertions(+), 6 deletions(-)
		16
		17	diff --git a/lib/fopen.c b/lib/fopen.c
		18	index ad3691b..92f39cf 100644
		19	--- a/lib/fopen.c
		20	+++ b/lib/fopen.c
		21	@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy data, const char filename,
		22	int fd = -1;
		23	*tempname = NULL;
		24
		25	- if(stat(filename, &sb) == -1 \|\| !S_ISREG(sb.st_mode)) {
		26	- /* a non-regular file, fallback to direct fopen() */
		27	- *fh = fopen(filename, FOPEN_WRITETEXT);
		28	- if(*fh)
		29	- return CURLE_OK;
		30	+ *fh = fopen(filename, FOPEN_WRITETEXT);
		31	+ if(!*fh)
		32	goto fail;
		33	- }
		34	+ if(fstat(fileno(*fh), &sb) == -1 \|\| !S_ISREG(sb.st_mode))
		35	+ return CURLE_OK;
		36	+ fclose(*fh);
		37	+ *fh = NULL;
		38
		39	result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
		40	if(result)
		41	--
		42	2.40.0


diff --git a/meta/recipes-support/curl/curl/CVE-2023-46219-0002.patch b/meta/recipes-support/curl/curl/CVE-2023-46219-0002.patch new file mode 100644 index 0000000000..f432fabbb1 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-46219-0002.patch
@@ -0,0 +1,133 @@
		1	From 73b65e94f3531179de45c6f3c836a610e3d0a846 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Thu, 23 Nov 2023 08:23:17 +0100
		4	Subject: [PATCH] fopen: create short(er) temporary file name
		5
		6	Only using random letters in the name plus a ".tmp" extension. Not by
		7	appending characters to the final file name.
		8
		9	Reported-by: Maksymilian Arciemowicz
		10
		11	Closes #12388
		12
		13	CVE: CVE-2023-46219
		14
		15	Upstream-Status: Backport [https://github.com/curl/curl/commit/73b65e94f3531179]
		16
		17	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		18	---
		19	lib/fopen.c \| 63 +++++++++++++++++++++++++++++++++++++++++++++++++----
		20	1 file changed, 59 insertions(+), 4 deletions(-)
		21
		22	diff --git a/lib/fopen.c b/lib/fopen.c
		23	index 92f39cf..1670e32 100644
		24	--- a/lib/fopen.c
		25	+++ b/lib/fopen.c
		26	@@ -39,6 +39,50 @@
		27	#include "curl_memory.h"
		28	#include "memdebug.h"
		29
		30	+
		31	+/*
		32	+ The dirslash() function breaks a null-terminated pathname string into
		33	+ directory and filename components then returns the directory component up
		34	+ to, AND INCLUDING, a final '/'. If there is no directory in the path,
		35	+ this instead returns a "" string.
		36	+ This function returns a pointer to malloc'ed memory.
		37	+ The input path to this function is expected to have a file name part.
		38	+*/
		39	+
		40	+#ifdef _WIN32
		41	+#define PATHSEP "\\"
		42	+#define IS_SEP(x) (((x) == '/') \|\| ((x) == '\\'))
		43	+#elif defined(MSDOS) \|\| defined(__EMX__) \|\| defined(OS2)
		44	+#define PATHSEP "\\"
		45	+#define IS_SEP(x) ((x) == '\\')
		46	+#else
		47	+#define PATHSEP "/"
		48	+#define IS_SEP(x) ((x) == '/')
		49	+#endif
		50	+
		51	+static char dirslash(const char path)
		52	+{
		53	+ size_t n;
		54	+ struct dynbuf out;
		55	+ DEBUGASSERT(path);
		56	+ Curl_dyn_init(&out, CURL_MAX_INPUT_LENGTH);
		57	+ n = strlen(path);
		58	+ if(n) {
		59	+ /* find the rightmost path separator, if any */
		60	+ while(n && !IS_SEP(path[n-1]))
		61	+ --n;
		62	+ /* skip over all the path separators, if any */
		63	+ while(n && IS_SEP(path[n-1]))
		64	+ --n;
		65	+ }
		66	+ if(Curl_dyn_addn(&out, path, n))
		67	+ return NULL;
		68	+ /* if there was a directory, append a single trailing slash */
		69	+ if(n && Curl_dyn_addn(&out, PATHSEP, 1))
		70	+ return NULL;
		71	+ return Curl_dyn_ptr(&out);
		72	+}
		73	+
		74	/*
		75	* Curl_fopen() opens a file for writing with a temp name, to be renamed
		76	* to the final name when completed. If there is an existing file using this
		77	@@ -50,25 +94,34 @@ CURLcode Curl_fopen(struct Curl_easy data, const char filename,
		78	FILE fh, char tempname)
		79	{
		80	CURLcode result = CURLE_WRITE_ERROR;
		81	- unsigned char randsuffix[9];
		82	+ unsigned char randbuf[41];
		83	char *tempstore = NULL;
		84	struct_stat sb;
		85	int fd = -1;
		86	+ char *dir;
		87	*tempname = NULL;
		88
		89	+ dir = dirslash(filename);
		90	+ if(!dir)
		91	+ goto fail;
		92	+
		93	*fh = fopen(filename, FOPEN_WRITETEXT);
		94	if(!*fh)
		95	goto fail;
		96	- if(fstat(fileno(*fh), &sb) == -1 \|\| !S_ISREG(sb.st_mode))
		97	+ if(fstat(fileno(*fh), &sb) == -1 \|\| !S_ISREG(sb.st_mode)){
		98	+ free(dir);
		99	return CURLE_OK;
		100	+ }
		101	fclose(*fh);
		102	*fh = NULL;
		103
		104	- result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
		105	+ result = Curl_rand_hex(data, randbuf, sizeof(randbuf));
		106	if(result)
		107	goto fail;
		108
		109	- tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
		110	+ /* The temp file name should not end up too long for the target file
		111	+ system */
		112	+ tempstore = aprintf("%s%s.tmp", dir, randbuf);
		113	if(!tempstore) {
		114	result = CURLE_OUT_OF_MEMORY;
		115	goto fail;
		116	@@ -95,6 +148,7 @@ CURLcode Curl_fopen(struct Curl_easy data, const char filename,
		117	if(!*fh)
		118	goto fail;
		119
		120	+ free(dir);
		121	*tempname = tempstore;
		122	return CURLE_OK;
		123
		124	@@ -107,6 +161,7 @@ fail:
		125	free(tempstore);
		126
		127	*tempname = NULL;
		128	+ free(dir);
		129	return result;
		130	}
		131
		132	--
		133	2.40.0


diff --git a/meta/recipes-support/curl/curl/CVE-2023-46219-0003.patch b/meta/recipes-support/curl/curl/CVE-2023-46219-0003.patch new file mode 100644 index 0000000000..3b6f756549 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-46219-0003.patch
@@ -0,0 +1,81 @@
		1	From f27b8dba73295cb5296a50f2c19c0739b502eb94 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Fri, 24 Nov 2023 09:46:32 +0100
		4	Subject: [PATCH] fopen: allocate the dir after fopen
		5
		6	Move the allocation of the directory name down to after the fopen() call
		7	to allow that shortcut code path to avoid a superfluous malloc+free
		8	cycle.
		9
		10	Follow-up to 73b65e94f35311
		11
		12	Closes #12398
		13
		14	CVE: CVE-2023-46219
		15
		16	Upstream-Status: Backport [https://github.com/curl/curl/commit/f27b8dba73295cb529]
		17
		18	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		19	---
		20	lib/fopen.c \| 19 ++++++++-----------
		21	1 file changed, 8 insertions(+), 11 deletions(-)
		22
		23	diff --git a/lib/fopen.c b/lib/fopen.c
		24	index 1670e32..b663f8b 100644
		25	--- a/lib/fopen.c
		26	+++ b/lib/fopen.c
		27	@@ -98,18 +98,13 @@ CURLcode Curl_fopen(struct Curl_easy data, const char filename,
		28	char *tempstore = NULL;
		29	struct_stat sb;
		30	int fd = -1;
		31	- char *dir;
		32	+ char *dir = NULL;
		33	*tempname = NULL;
		34
		35	- dir = dirslash(filename);
		36	- if(!dir)
		37	- goto fail;
		38	-
		39	*fh = fopen(filename, FOPEN_WRITETEXT);
		40	if(!*fh)
		41	goto fail;
		42	if(fstat(fileno(*fh), &sb) == -1 \|\| !S_ISREG(sb.st_mode)){
		43	- free(dir);
		44	return CURLE_OK;
		45	}
		46	fclose(*fh);
		47	@@ -119,9 +114,13 @@ CURLcode Curl_fopen(struct Curl_easy data, const char filename,
		48	if(result)
		49	goto fail;
		50
		51	- /* The temp file name should not end up too long for the target file
		52	- system */
		53	- tempstore = aprintf("%s%s.tmp", dir, randbuf);
		54	+ dir = dirslash(filename);
		55	+ if(dir) {
		56	+ /* The temp file name should not end up too long for the target file
		57	+ system */
		58	+ tempstore = aprintf("%s%s.tmp", dir, randbuf);
		59	+ free(dir);
		60	+ }
		61	if(!tempstore) {
		62	result = CURLE_OUT_OF_MEMORY;
		63	goto fail;
		64	@@ -148,7 +147,6 @@ CURLcode Curl_fopen(struct Curl_easy data, const char filename,
		65	if(!*fh)
		66	goto fail;
		67
		68	- free(dir);
		69	*tempname = tempstore;
		70	return CURLE_OK;
		71
		72	@@ -161,7 +159,6 @@ fail:
		73	free(tempstore);
		74
		75	*tempname = NULL;
		76	- free(dir);
		77	return result;
		78	}
		79
		80	--
		81	2.40.0


diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 965f05bc98..de69d3d53b 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -54,6 +54,9 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
54	file://CVE-2023-38545.patch \	54	file://CVE-2023-38545.patch \
55	file://CVE-2023-38546.patch \	55	file://CVE-2023-38546.patch \
56	file://CVE-2023-46218.patch \	56	file://CVE-2023-46218.patch \
		57	file://CVE-2023-46219-0001.patch \
		58	file://CVE-2023-46219-0002.patch \
		59	file://CVE-2023-46219-0003.patch \
57	"	60	"
58	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"	61	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
59		62