3 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-43551.patch b/meta/recipes-support/curl/curl/CVE-2022-43551.patch
new file mode 100644
index 0000000000..7c617ef1db
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-43551.patch
@@ -0,0 +1,32 @@
+From 08aa76b7b24454a89866aaef661ea90ae3d57900 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:36:55 +0100
+Subject: [PATCH] http: use the IDN decoded name in HSTS checks
+Otherwise it stores the info HSTS into the persistent cache for the IDN
+name which will not match when the HSTS status is later checked for
+using the decoded name.
+Reported-by: Hiroki Kurosawa
+Closes #10111
+Upstream-Status: Backport [https://github.com/curl/curl/commit/9e71901634e276dd]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/http.c b/lib/http.c
+index b0ad28e..8b18e8d 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -3654,7 +3654,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
+   else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
+           (conn->handler->flags & PROTOPT_SSL)) {
+     CURLcode check =
+-      Curl_hsts_parse(data->hsts, data->state.up.hostname,
+      Curl_hsts_parse(data->hsts, conn->host.name,
+                       headp + strlen("Strict-Transport-Security:"));
+     if(check)
+       infof(data, "Illegal STS header skipped");
diff --git a/meta/recipes-support/curl/curl/CVE-2022-43552.patch b/meta/recipes-support/curl/curl/CVE-2022-43552.patch
new file mode 100644
index 0000000000..059dad17d8
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-43552.patch
@@ -0,0 +1,78 @@
+From 6ae56c9c47b02106373c9482f09c510fd5c50a84 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
+It is managed by the generic layer.
+Reported-by: Trail of Bits
+Closes #10112
+Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe1]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/smb.c    | 14 ++------------
+ lib/telnet.c |  3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+diff --git a/lib/smb.c b/lib/smb.c
+index 039d680..f682c1f 100644
+--- a/lib/smb.c
+++ b/lib/smb.c
+@@ -62,8 +62,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done);
+ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
+ static CURLcode smb_do(struct Curl_easy *data, bool *done);
+ static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature);
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead);
+ static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
+@@ -78,7 +76,7 @@ const struct Curl_handler Curl_handler_smb = {
+   "SMB",                                /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
+  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -105,7 +103,7 @@ const struct Curl_handler Curl_handler_smbs = {
+   "SMBS",                               /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
+  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -941,14 +939,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
+   return CURLE_OK;
+ }
+ 
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature)
+-{
+-  (void) premature;
+-  Curl_safefree(data->req.p.smb);
+-  return status;
+-}
+-
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead)
+ {
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 923c7f8..48cd0d7 100644
+--- a/lib/telnet.c
+++ b/lib/telnet.c
+@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data,
+ 
+   curl_slist_free_all(tn->telnet_vars);
+   tn->telnet_vars = NULL;
+-
+-  Curl_safefree(data->req.p.telnet);
+-
+   return CURLE_OK;
+ }
+ 
diff --git a/meta/recipes-support/curl/curl_7.85.0.bb b/meta/recipes-support/curl/curl_7.85.0.bb
index a4561494d1..1e47e9fac5 100644
--- a/meta/recipes-support/curl/curl_7.85.0.bb
+++ b/meta/recipes-support/curl/curl_7.85.0.bb
@@ -17,6 +17,8 @@ SRC_URI = " \
    file://CVE-2022-35260.patch \
    file://CVE-2022-42915.patch \
    file://CVE-2022-42916.patch \
+    file://CVE-2022-43551.patch \
+    file://CVE-2022-43552.patch \
 "
 SRC_URI[sha256sum] = "88b54a6d4b9a48cb4d873c7056dcba997ddd5b7be5a2d537a4acb55c20b04be6"

diff --git a/meta/recipes-support/curl/curl/CVE-2022-43551.patch b/meta/recipes-support/curl/curl/CVE-2022-43551.patch new file mode 100644 index 0000000000..7c617ef1db --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-43551.patch
@@ -0,0 +1,32 @@
		1	From 08aa76b7b24454a89866aaef661ea90ae3d57900 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Mon, 19 Dec 2022 08:36:55 +0100
		4	Subject: [PATCH] http: use the IDN decoded name in HSTS checks
		5
		6	Otherwise it stores the info HSTS into the persistent cache for the IDN
		7	name which will not match when the HSTS status is later checked for
		8	using the decoded name.
		9
		10	Reported-by: Hiroki Kurosawa
		11
		12	Closes #10111
		13
		14	Upstream-Status: Backport [https://github.com/curl/curl/commit/9e71901634e276dd]
		15	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
		16	---
		17	lib/http.c \| 2 +-
		18	1 file changed, 1 insertion(+), 1 deletion(-)
		19
		20	diff --git a/lib/http.c b/lib/http.c
		21	index b0ad28e..8b18e8d 100644
		22	--- a/lib/http.c
		23	+++ b/lib/http.c
		24	@@ -3654,7 +3654,7 @@ CURLcode Curl_http_header(struct Curl_easy data, struct connectdata conn,
		25	else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
		26	(conn->handler->flags & PROTOPT_SSL)) {
		27	CURLcode check =
		28	- Curl_hsts_parse(data->hsts, data->state.up.hostname,
		29	+ Curl_hsts_parse(data->hsts, conn->host.name,
		30	headp + strlen("Strict-Transport-Security:"));
		31	if(check)
		32	infof(data, "Illegal STS header skipped");


diff --git a/meta/recipes-support/curl/curl/CVE-2022-43552.patch b/meta/recipes-support/curl/curl/CVE-2022-43552.patch new file mode 100644 index 0000000000..059dad17d8 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-43552.patch
@@ -0,0 +1,78 @@
		1	From 6ae56c9c47b02106373c9482f09c510fd5c50a84 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Mon, 19 Dec 2022 08:38:37 +0100
		4	Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
		5
		6	It is managed by the generic layer.
		7
		8	Reported-by: Trail of Bits
		9
		10	Closes #10112
		11
		12	Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe1]
		13	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
		14	---
		15	lib/smb.c \| 14 ++------------
		16	lib/telnet.c \| 3 ---
		17	2 files changed, 2 insertions(+), 15 deletions(-)
		18
		19	diff --git a/lib/smb.c b/lib/smb.c
		20	index 039d680..f682c1f 100644
		21	--- a/lib/smb.c
		22	+++ b/lib/smb.c
		23	@@ -62,8 +62,6 @@ static CURLcode smb_connect(struct Curl_easy data, bool done);
		24	static CURLcode smb_connection_state(struct Curl_easy data, bool done);
		25	static CURLcode smb_do(struct Curl_easy data, bool done);
		26	static CURLcode smb_request_state(struct Curl_easy data, bool done);
		27	-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
		28	- bool premature);
		29	static CURLcode smb_disconnect(struct Curl_easy *data,
		30	struct connectdata *conn, bool dead);
		31	static int smb_getsock(struct Curl_easy data, struct connectdata conn,
		32	@@ -78,7 +76,7 @@ const struct Curl_handler Curl_handler_smb = {
		33	"SMB", /* scheme */
		34	smb_setup_connection, /* setup_connection */
		35	smb_do, /* do_it */
		36	- smb_done, /* done */
		37	+ ZERO_NULL, /* done */
		38	ZERO_NULL, /* do_more */
		39	smb_connect, /* connect_it */
		40	smb_connection_state, /* connecting */
		41	@@ -105,7 +103,7 @@ const struct Curl_handler Curl_handler_smbs = {
		42	"SMBS", /* scheme */
		43	smb_setup_connection, /* setup_connection */
		44	smb_do, /* do_it */
		45	- smb_done, /* done */
		46	+ ZERO_NULL, /* done */
		47	ZERO_NULL, /* do_more */
		48	smb_connect, /* connect_it */
		49	smb_connection_state, /* connecting */
		50	@@ -941,14 +939,6 @@ static CURLcode smb_request_state(struct Curl_easy data, bool done)
		51	return CURLE_OK;
		52	}
		53
		54	-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
		55	- bool premature)
		56	-{
		57	- (void) premature;
		58	- Curl_safefree(data->req.p.smb);
		59	- return status;
		60	-}
		61	-
		62	static CURLcode smb_disconnect(struct Curl_easy *data,
		63	struct connectdata *conn, bool dead)
		64	{
		65	diff --git a/lib/telnet.c b/lib/telnet.c
		66	index 923c7f8..48cd0d7 100644
		67	--- a/lib/telnet.c
		68	+++ b/lib/telnet.c
		69	@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data,
		70
		71	curl_slist_free_all(tn->telnet_vars);
		72	tn->telnet_vars = NULL;
		73	-
		74	- Curl_safefree(data->req.p.telnet);
		75	-
		76	return CURLE_OK;
		77	}
		78


diff --git a/meta/recipes-support/curl/curl_7.85.0.bb b/meta/recipes-support/curl/curl_7.85.0.bb index a4561494d1..1e47e9fac5 100644 --- a/meta/recipes-support/curl/curl_7.85.0.bb +++ b/meta/recipes-support/curl/curl_7.85.0.bb
@@ -17,6 +17,8 @@ SRC_URI = " \
17	file://CVE-2022-35260.patch \	17	file://CVE-2022-35260.patch \
18	file://CVE-2022-42915.patch \	18	file://CVE-2022-42915.patch \
19	file://CVE-2022-42916.patch \	19	file://CVE-2022-42916.patch \
		20	file://CVE-2022-43551.patch \
		21	file://CVE-2022-43552.patch \
20	"	22	"
21	SRC_URI[sha256sum] = "88b54a6d4b9a48cb4d873c7056dcba997ddd5b7be5a2d537a4acb55c20b04be6"	23	SRC_URI[sha256sum] = "88b54a6d4b9a48cb4d873c7056dcba997ddd5b7be5a2d537a4acb55c20b04be6"
22		24