diff options
| -rw-r--r-- | meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch | 51 | ||||
| -rw-r--r-- | meta/recipes-support/curl/curl/CVE-2023-27534.patch | 122 | ||||
| -rw-r--r-- | meta/recipes-support/curl/curl_7.69.1.bb | 1 |
3 files changed, 68 insertions, 106 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch new file mode 100644 index 0000000000..46c57afb73 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch | |||
| @@ -0,0 +1,51 @@ | |||
| 1 | From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Eric Vigeant <evigeant@gmail.com> | ||
| 3 | Date: Wed, 2 Nov 2022 11:47:09 -0400 | ||
| 4 | Subject: [PATCH] cur_path: do not add '/' if homedir ends with one | ||
| 5 | |||
| 6 | When using SFTP and a path relative to the user home, do not add a | ||
| 7 | trailing '/' to the user home dir if it already ends with one. | ||
| 8 | |||
| 9 | Closes #9844 | ||
| 10 | |||
| 11 | CVE: CVE-2023-27534 | ||
| 12 | Note: | ||
| 13 | - The upstream patch for CVE-2023-27534 does three things: | ||
| 14 | 1) creates new path with dynbuf(dynamic buffer) | ||
| 15 | 2) solves the tilde error which causes CVE-2023-27534 | ||
| 16 | 3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf. | ||
| 17 | - dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions. | ||
| 18 | - This patch completes the 3rd task of the patch which was implemented without using dynbuf | ||
| 19 | Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b] | ||
| 20 | |||
| 21 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 22 | Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> | ||
| 23 | --- | ||
| 24 | lib/curl_path.c | 10 +++++++--- | ||
| 25 | 1 file changed, 7 insertions(+), 3 deletions(-) | ||
| 26 | |||
| 27 | diff --git a/lib/curl_path.c b/lib/curl_path.c | ||
| 28 | index f429634..40b92ee 100644 | ||
| 29 | --- a/lib/curl_path.c | ||
| 30 | +++ b/lib/curl_path.c | ||
| 31 | @@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, | ||
| 32 | /* It is referenced to the home directory, so strip the | ||
| 33 | leading '/' */ | ||
| 34 | memcpy(real_path, homedir, homelen); | ||
| 35 | - real_path[homelen] = '/'; | ||
| 36 | - real_path[homelen + 1] = '\0'; | ||
| 37 | + /* Only add a trailing '/' if homedir does not end with one */ | ||
| 38 | + if(homelen == 0 || real_path[homelen - 1] != '/') { | ||
| 39 | + real_path[homelen] = '/'; | ||
| 40 | + homelen++; | ||
| 41 | + real_path[homelen] = '\0'; | ||
| 42 | + } | ||
| 43 | if(working_path_len > 3) { | ||
| 44 | - memcpy(real_path + homelen + 1, working_path + 3, | ||
| 45 | + memcpy(real_path + homelen, working_path + 3, | ||
| 46 | 1 + working_path_len -3); | ||
| 47 | } | ||
| 48 | } | ||
| 49 | -- | ||
| 50 | 2.24.4 | ||
| 51 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch index aeeffd5fea..3ecd181290 100644 --- a/meta/recipes-support/curl/curl/CVE-2023-27534.patch +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch | |||
| @@ -3,121 +3,31 @@ From: Daniel Stenberg <daniel@haxx.se> | |||
| 3 | Date: Thu, 9 Mar 2023 16:22:11 +0100 | 3 | Date: Thu, 9 Mar 2023 16:22:11 +0100 |
| 4 | Subject: [PATCH] curl_path: create the new path with dynbuf | 4 | Subject: [PATCH] curl_path: create the new path with dynbuf |
| 5 | 5 | ||
| 6 | Closes #10729 | ||
| 7 | |||
| 6 | CVE: CVE-2023-27534 | 8 | CVE: CVE-2023-27534 |
| 7 | Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] | 9 | Note: This patch is needed to backport CVE-2023-27534 |
| 10 | Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] | ||
| 8 | 11 | ||
| 9 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | 12 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> |
| 13 | Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> | ||
| 10 | --- | 14 | --- |
| 11 | lib/curl_path.c | 71 ++++++++++++++++++++++++------------------------- | 15 | lib/curl_path.c | 2 +- |
| 12 | 1 file changed, 35 insertions(+), 36 deletions(-) | 16 | 1 file changed, 1 insertion(+), 1 deletion(-) |
| 13 | 17 | ||
| 14 | diff --git a/lib/curl_path.c b/lib/curl_path.c | 18 | diff --git a/lib/curl_path.c b/lib/curl_path.c |
| 15 | index f429634..e17db4b 100644 | 19 | index 40b92ee..598c5dd 100644 |
| 16 | --- a/lib/curl_path.c | 20 | --- a/lib/curl_path.c |
| 17 | +++ b/lib/curl_path.c | 21 | +++ b/lib/curl_path.c |
| 18 | @@ -30,6 +30,8 @@ | 22 | @@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, |
| 19 | #include "escape.h" | 23 | memcpy(real_path, working_path, 1 + working_path_len); |
| 20 | #include "memdebug.h" | ||
| 21 | |||
| 22 | +#define MAX_SSHPATH_LEN 100000 /* arbitrary */ | ||
| 23 | + | ||
| 24 | /* figure out the path to work with in this particular request */ | ||
| 25 | CURLcode Curl_getworkingpath(struct connectdata *conn, | ||
| 26 | char *homedir, /* when SFTP is used */ | ||
| 27 | @@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, | ||
| 28 | real path to work with */ | ||
| 29 | { | ||
| 30 | struct Curl_easy *data = conn->data; | ||
| 31 | - char *real_path = NULL; | ||
| 32 | char *working_path; | ||
| 33 | size_t working_path_len; | ||
| 34 | + struct dynbuf npath; | ||
| 35 | CURLcode result = | ||
| 36 | Curl_urldecode(data, data->state.up.path, 0, &working_path, | ||
| 37 | &working_path_len, FALSE); | ||
| 38 | if(result) | ||
| 39 | return result; | ||
| 40 | |||
| 41 | + /* new path to switch to in case we need to */ | ||
| 42 | + Curl_dyn_init(&npath, MAX_SSHPATH_LEN); | ||
| 43 | + | ||
| 44 | /* Check for /~/, indicating relative to the user's home directory */ | ||
| 45 | - if(conn->handler->protocol & CURLPROTO_SCP) { | ||
| 46 | - real_path = malloc(working_path_len + 1); | ||
| 47 | - if(real_path == NULL) { | ||
| 48 | + if((data->conn->handler->protocol & CURLPROTO_SCP) && | ||
| 49 | + (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { | ||
| 50 | + /* It is referenced to the home directory, so strip the leading '/~/' */ | ||
| 51 | + if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { | ||
| 52 | free(working_path); | ||
| 53 | return CURLE_OUT_OF_MEMORY; | ||
| 54 | } | ||
| 55 | - if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) | ||
| 56 | - /* It is referenced to the home directory, so strip the leading '/~/' */ | ||
| 57 | - memcpy(real_path, working_path + 3, working_path_len - 2); | ||
| 58 | - else | ||
| 59 | - memcpy(real_path, working_path, 1 + working_path_len); | ||
| 60 | } | 24 | } |
| 61 | - else if(conn->handler->protocol & CURLPROTO_SFTP) { | 25 | else if(conn->handler->protocol & CURLPROTO_SFTP) { |
| 62 | - if((working_path_len > 1) && (working_path[1] == '~')) { | 26 | - if((working_path_len > 1) && (working_path[1] == '~')) { |
| 63 | - size_t homelen = strlen(homedir); | 27 | + if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { |
| 64 | - real_path = malloc(homelen + working_path_len + 1); | 28 | size_t homelen = strlen(homedir); |
| 65 | - if(real_path == NULL) { | 29 | real_path = malloc(homelen + working_path_len + 1); |
| 66 | - free(working_path); | 30 | if(real_path == NULL) { |
| 67 | - return CURLE_OUT_OF_MEMORY; | ||
| 68 | - } | ||
| 69 | - /* It is referenced to the home directory, so strip the | ||
| 70 | - leading '/' */ | ||
| 71 | - memcpy(real_path, homedir, homelen); | ||
| 72 | - real_path[homelen] = '/'; | ||
| 73 | - real_path[homelen + 1] = '\0'; | ||
| 74 | - if(working_path_len > 3) { | ||
| 75 | - memcpy(real_path + homelen + 1, working_path + 3, | ||
| 76 | - 1 + working_path_len -3); | ||
| 77 | - } | ||
| 78 | + else if((data->conn->handler->protocol & CURLPROTO_SFTP) && | ||
| 79 | + (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { | ||
| 80 | + size_t len; | ||
| 81 | + const char *p; | ||
| 82 | + int copyfrom = 3; | ||
| 83 | + if(Curl_dyn_add(&npath, homedir)) { | ||
| 84 | + free(working_path); | ||
| 85 | + return CURLE_OUT_OF_MEMORY; | ||
| 86 | } | ||
| 87 | - else { | ||
| 88 | - real_path = malloc(working_path_len + 1); | ||
| 89 | - if(real_path == NULL) { | ||
| 90 | - free(working_path); | ||
| 91 | - return CURLE_OUT_OF_MEMORY; | ||
| 92 | - } | ||
| 93 | - memcpy(real_path, working_path, 1 + working_path_len); | ||
| 94 | + /* Copy a separating '/' if homedir does not end with one */ | ||
| 95 | + len = Curl_dyn_len(&npath); | ||
| 96 | + p = Curl_dyn_ptr(&npath); | ||
| 97 | + if(len && (p[len-1] != '/')) | ||
| 98 | + copyfrom = 2; | ||
| 99 | + | ||
| 100 | + if(Curl_dyn_addn(&npath, | ||
| 101 | + &working_path[copyfrom], working_path_len - copyfrom)) { | ||
| 102 | + free(working_path); | ||
| 103 | + return CURLE_OUT_OF_MEMORY; | ||
| 104 | } | ||
| 105 | } | ||
| 106 | |||
| 107 | - free(working_path); | ||
| 108 | + if(Curl_dyn_len(&npath)) { | ||
| 109 | + free(working_path); | ||
| 110 | |||
| 111 | - /* store the pointer for the caller to receive */ | ||
| 112 | - *path = real_path; | ||
| 113 | + /* store the pointer for the caller to receive */ | ||
| 114 | + *path = Curl_dyn_ptr(&npath); | ||
| 115 | + } | ||
| 116 | + else | ||
| 117 | + *path = working_path; | ||
| 118 | |||
| 119 | return CURLE_OK; | ||
| 120 | } | ||
| 121 | -- | 31 | -- |
| 122 | 2.25.1 | 32 | 2.24.4 |
| 123 | 33 | ||
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 32d18ddb3a..13ec117099 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb | |||
| @@ -43,6 +43,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ | |||
| 43 | file://CVE-2022-35260.patch \ | 43 | file://CVE-2022-35260.patch \ |
| 44 | file://CVE-2022-43552.patch \ | 44 | file://CVE-2022-43552.patch \ |
| 45 | file://CVE-2023-23916.patch \ | 45 | file://CVE-2023-23916.patch \ |
| 46 | file://CVE-2023-27534-pre1.patch \ | ||
| 46 | file://CVE-2023-27534.patch \ | 47 | file://CVE-2023-27534.patch \ |
| 47 | file://CVE-2023-27538.patch \ | 48 | file://CVE-2023-27538.patch \ |
| 48 | file://CVE-2023-27533.patch \ | 49 | file://CVE-2023-27533.patch \ |
