2 files changed, 123 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
new file mode 100644
index 0000000000..9109faaf88
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
@@ -0,0 +1,122 @@
+From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Mar 2023 16:22:11 +0100
+Subject: [PATCH] curl_path: create the new path with dynbuf
+CVE: CVE-2023-27534
+Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 35 insertions(+), 36 deletions(-)
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index a1669d1..b9c470f 100644
+--- a/lib/curl_path.c
+++ b/lib/curl_path.c
+@@ -30,66 +30,65 @@
+ #include "escape.h"
+ #include "memdebug.h"
+ 
+#define MAX_SSHPATH_LEN 100000 /* arbitrary */
+
+ /* figure out the path to work with in this particular request */
+ CURLcode Curl_getworkingpath(struct Curl_easy *data,
+                              char *homedir,  /* when SFTP is used */
+                              char **path) /* returns the  allocated
+                                              real path to work with */
+ {
+-  char *real_path = NULL;
+   char *working_path;
+   size_t working_path_len;
+  struct dynbuf npath;
+   CURLcode result =
+     Curl_urldecode(data->state.up.path, 0, &working_path,
+                    &working_path_len, REJECT_ZERO);
+   if(result)
+     return result;
+ 
+  /* new path to switch to in case we need to */
+  Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
+
+   /* Check for /~/, indicating relative to the user's home directory */
+-  if(data->conn->handler->protocol & CURLPROTO_SCP) {
+-    real_path = malloc(working_path_len + 1);
+-    if(!real_path) {
+  if((data->conn->handler->protocol & CURLPROTO_SCP) &&
+     (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
+    /* It is referenced to the home directory, so strip the leading '/~/' */
+    if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
+       free(working_path);
+       return CURLE_OUT_OF_MEMORY;
+     }
+-    if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
+-      /* It is referenced to the home directory, so strip the leading '/~/' */
+-      memcpy(real_path, working_path + 3, working_path_len - 2);
+-    else
+-      memcpy(real_path, working_path, 1 + working_path_len);
+   }
+-  else if(data->conn->handler->protocol & CURLPROTO_SFTP) {
+-    if((working_path_len > 1) && (working_path[1] == '~')) {
+-      size_t homelen = strlen(homedir);
+-      real_path = malloc(homelen + working_path_len + 1);
+-      if(!real_path) {
+-        free(working_path);
+-        return CURLE_OUT_OF_MEMORY;
+-      }
+-      /* It is referenced to the home directory, so strip the
+-         leading '/' */
+-      memcpy(real_path, homedir, homelen);
+-      real_path[homelen] = '/';
+-      real_path[homelen + 1] = '\0';
+-      if(working_path_len > 3) {
+-        memcpy(real_path + homelen + 1, working_path + 3,
+-               1 + working_path_len -3);
+-      }
+  else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
+          (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
+    size_t len;
+    const char *p;
+    int copyfrom = 3;
+    if(Curl_dyn_add(&npath, homedir)) {
+      free(working_path);
+      return CURLE_OUT_OF_MEMORY;
+     }
+-    else {
+-      real_path = malloc(working_path_len + 1);
+-      if(!real_path) {
+-        free(working_path);
+-        return CURLE_OUT_OF_MEMORY;
+-      }
+-      memcpy(real_path, working_path, 1 + working_path_len);
+    /* Copy a separating '/' if homedir does not end with one */
+    len = Curl_dyn_len(&npath);
+    p = Curl_dyn_ptr(&npath);
+    if(len && (p[len-1] != '/'))
+      copyfrom = 2;
+
+    if(Curl_dyn_addn(&npath,
+                     &working_path[copyfrom], working_path_len - copyfrom)) {
+      free(working_path);
+      return CURLE_OUT_OF_MEMORY;
+     }
+   }
+ 
+-  free(working_path);
+  if(Curl_dyn_len(&npath)) {
+    free(working_path);
+ 
+-  /* store the pointer for the caller to receive */
+-  *path = real_path;
+    /* store the pointer for the caller to receive */
+    *path = Curl_dyn_ptr(&npath);
+  }
+  else
+    *path = working_path;
+ 
+   return CURLE_OK;
+ }
+-- 
+2.25.1
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 7efec07e61..4c18afe293 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -41,6 +41,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
           file://CVE-2023-23914_5-5.patch \
           file://CVE-2023-23916.patch \
           file://CVE-2023-27533.patch \
+           file://CVE-2023-27534.patch \
           "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch new file mode 100644 index 0000000000..9109faaf88 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
@@ -0,0 +1,122 @@
		1	From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Thu, 9 Mar 2023 16:22:11 +0100
		4	Subject: [PATCH] curl_path: create the new path with dynbuf
		5
		6	CVE: CVE-2023-27534
		7	Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
		8
		9	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		10	---
		11	lib/curl_path.c \| 71 ++++++++++++++++++++++++-------------------------
		12	1 file changed, 35 insertions(+), 36 deletions(-)
		13
		14	diff --git a/lib/curl_path.c b/lib/curl_path.c
		15	index a1669d1..b9c470f 100644
		16	--- a/lib/curl_path.c
		17	+++ b/lib/curl_path.c
		18	@@ -30,66 +30,65 @@
		19	#include "escape.h"
		20	#include "memdebug.h"
		21
		22	+#define MAX_SSHPATH_LEN 100000 /* arbitrary */
		23	+
		24	/* figure out the path to work with in this particular request */
		25	CURLcode Curl_getworkingpath(struct Curl_easy *data,
		26	char homedir, / when SFTP is used */
		27	char *path) / returns the allocated
		28	real path to work with */
		29	{
		30	- char *real_path = NULL;
		31	char *working_path;
		32	size_t working_path_len;
		33	+ struct dynbuf npath;
		34	CURLcode result =
		35	Curl_urldecode(data->state.up.path, 0, &working_path,
		36	&working_path_len, REJECT_ZERO);
		37	if(result)
		38	return result;
		39
		40	+ /* new path to switch to in case we need to */
		41	+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
		42	+
		43	/* Check for /~/, indicating relative to the user's home directory */
		44	- if(data->conn->handler->protocol & CURLPROTO_SCP) {
		45	- real_path = malloc(working_path_len + 1);
		46	- if(!real_path) {
		47	+ if((data->conn->handler->protocol & CURLPROTO_SCP) &&
		48	+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
		49	+ /* It is referenced to the home directory, so strip the leading '/~/' */
		50	+ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
		51	free(working_path);
		52	return CURLE_OUT_OF_MEMORY;
		53	}
		54	- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
		55	- /* It is referenced to the home directory, so strip the leading '/~/' */
		56	- memcpy(real_path, working_path + 3, working_path_len - 2);
		57	- else
		58	- memcpy(real_path, working_path, 1 + working_path_len);
		59	}
		60	- else if(data->conn->handler->protocol & CURLPROTO_SFTP) {
		61	- if((working_path_len > 1) && (working_path[1] == '~')) {
		62	- size_t homelen = strlen(homedir);
		63	- real_path = malloc(homelen + working_path_len + 1);
		64	- if(!real_path) {
		65	- free(working_path);
		66	- return CURLE_OUT_OF_MEMORY;
		67	- }
		68	- /* It is referenced to the home directory, so strip the
		69	- leading '/' */
		70	- memcpy(real_path, homedir, homelen);
		71	- real_path[homelen] = '/';
		72	- real_path[homelen + 1] = '\0';
		73	- if(working_path_len > 3) {
		74	- memcpy(real_path + homelen + 1, working_path + 3,
		75	- 1 + working_path_len -3);
		76	- }
		77	+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
		78	+ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
		79	+ size_t len;
		80	+ const char *p;
		81	+ int copyfrom = 3;
		82	+ if(Curl_dyn_add(&npath, homedir)) {
		83	+ free(working_path);
		84	+ return CURLE_OUT_OF_MEMORY;
		85	}
		86	- else {
		87	- real_path = malloc(working_path_len + 1);
		88	- if(!real_path) {
		89	- free(working_path);
		90	- return CURLE_OUT_OF_MEMORY;
		91	- }
		92	- memcpy(real_path, working_path, 1 + working_path_len);
		93	+ /* Copy a separating '/' if homedir does not end with one */
		94	+ len = Curl_dyn_len(&npath);
		95	+ p = Curl_dyn_ptr(&npath);
		96	+ if(len && (p[len-1] != '/'))
		97	+ copyfrom = 2;
		98	+
		99	+ if(Curl_dyn_addn(&npath,
		100	+ &working_path[copyfrom], working_path_len - copyfrom)) {
		101	+ free(working_path);
		102	+ return CURLE_OUT_OF_MEMORY;
		103	}
		104	}
		105
		106	- free(working_path);
		107	+ if(Curl_dyn_len(&npath)) {
		108	+ free(working_path);
		109
		110	- /* store the pointer for the caller to receive */
		111	- *path = real_path;
		112	+ /* store the pointer for the caller to receive */
		113	+ *path = Curl_dyn_ptr(&npath);
		114	+ }
		115	+ else
		116	+ *path = working_path;
		117
		118	return CURLE_OK;
		119	}
		120	--
		121	2.25.1
		122


diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 7efec07e61..4c18afe293 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -41,6 +41,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
41	file://CVE-2023-23914_5-5.patch \	41	file://CVE-2023-23914_5-5.patch \
42	file://CVE-2023-23916.patch \	42	file://CVE-2023-23916.patch \
43	file://CVE-2023-27533.patch \	43	file://CVE-2023-27533.patch \
		44	file://CVE-2023-27534.patch \
44	"	45	"
45	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"	46	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
46		47