diff options
Diffstat (limited to 'external/poky/meta/recipes-support/curl/curl/CVE-2019-3823.patch')
-rw-r--r-- | external/poky/meta/recipes-support/curl/curl/CVE-2019-3823.patch | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2019-3823.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2019-3823.patch deleted file mode 100644 index 194e6e64..00000000 --- a/external/poky/meta/recipes-support/curl/curl/CVE-2019-3823.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 40f6c913f63cdbfa81daa7ac7f1c7415bb99edeb Mon Sep 17 00:00:00 2001 -From: Daniel Gustafsson <daniel@yesql.se> -Date: Sat, 19 Jan 2019 00:42:47 +0100 -Subject: [PATCH 3/3] smtp: avoid risk of buffer overflow in strtol - -If the incoming len 5, but the buffer does not have a termination -after 5 bytes, the strtol() call may keep reading through the line -buffer until is exceeds its boundary. Fix by ensuring that we are -using a bounded read with a temporary buffer on the stack. - -Bug: https://curl.haxx.se/docs/CVE-2019-3823.html -Reported-by: Brian Carpenter (Geeknik Labs) -CVE-2019-3823 - -Upstream-Status: Backport -[https://github.com/curl/curl/commit -/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484] - -CVE: CVE-2019-3823 - -Signed-off-by: Kevin Weng <t-keweng@microsoft.com> ---- - lib/smtp.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/lib/smtp.c b/lib/smtp.c -index ecf10a41a..1b9f92d30 100644 ---- a/lib/smtp.c -+++ b/lib/smtp.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. -+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -207,8 +207,12 @@ static bool smtp_endofresp(struct connectdata *conn, char *line, size_t len, - Section 4. Examples of RFC-4954 but some e-mail servers ignore this and - only send the response code instead as per Section 4.2. */ - if(line[3] == ' ' || len == 5) { -+ char tmpline[6]; -+ - result = TRUE; -- *resp = curlx_sltosi(strtol(line, NULL, 10)); -+ memset(tmpline, '\0', sizeof(tmpline)); -+ memcpy(tmpline, line, (len == 5 ? 5 : 3)); -+ *resp = curlx_sltosi(strtol(tmpline, NULL, 10)); - - /* Make sure real server never sends internal value */ - if(*resp == 1) --- -2.22.0 - |