diff options
Diffstat (limited to 'external/poky/meta/recipes-support/curl')
13 files changed, 215 insertions, 617 deletions
diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2018-14618.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2018-14618.patch deleted file mode 100644 index db07b436..00000000 --- a/external/poky/meta/recipes-support/curl/curl/CVE-2018-14618.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <daniel@haxx.se> -Date: Mon, 13 Aug 2018 10:35:52 +0200 -Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password - -... since it would cause an integer overflow if longer than (max size_t -/ 2). - -This is CVE-2018-14618 - -Bug: https://curl.haxx.se/docs/CVE-2018-14618.html -Closes #2756 -Reported-by: Zhaoyang Wu - -CVE: CVE-2018-14618 -Upstream-Status: Backport -Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> ---- - lib/curl_ntlm_core.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c -index e27cab353c..922e85a926 100644 ---- a/lib/curl_ntlm_core.c -+++ b/lib/curl_ntlm_core.c -@@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, - unsigned char *ntbuffer /* 21 bytes */) - { - size_t len = strlen(password); -- unsigned char *pw = len ? malloc(len * 2) : strdup(""); -+ unsigned char *pw; - CURLcode result; -+ if(len > SIZE_T_MAX/2) /* avoid integer overflow */ -+ return CURLE_OUT_OF_MEMORY; -+ pw = len ? malloc(len * 2) : strdup(""); - if(!pw) - return CURLE_OUT_OF_MEMORY; diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2018-16839.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2018-16839.patch deleted file mode 100644 index bf972d2e..00000000 --- a/external/poky/meta/recipes-support/curl/curl/CVE-2018-16839.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 55b90532f9190dce40a325b3312d014c66dc3ae1 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Thu, 1 Nov 2018 15:27:35 +0800 -Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check - -CVE-2018-16839 -Reported-by: Harry Sintonen -Bug: https://curl.haxx.se/docs/CVE-2018-16839.html - -Upstream-Status: Backport [https://github.com/curl/curl/commit -/f3a24d7916b9173c69a3e0ee790102993833d6c5?diff=unified] - -CVE: CVE-2018-16839 - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - lib/vauth/cleartext.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c -index 5d61ce6..1367143 100644 ---- a/lib/vauth/cleartext.c -+++ b/lib/vauth/cleartext.c -@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, - plen = strlen(passwdp); - - /* Compute binary message length. Check for overflows. */ -- if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) -+ if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))) - return CURLE_OUT_OF_MEMORY; - plainlen = 2 * ulen + plen + 2; - --- -2.7.4 - diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2018-16840.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2018-16840.patch deleted file mode 100644 index 3d086c4d..00000000 --- a/external/poky/meta/recipes-support/curl/curl/CVE-2018-16840.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 3c2846bec008e03d456e181d9ab55686da83f140 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Thu, 1 Nov 2018 15:33:35 +0800 -Subject: [PATCH] Curl_close: clear data->multi_easy on free to avoid - use-after-free - -Regression from b46cfbc (7.59.0) -CVE-2018-16840 -Reported-by: Brian Carpenter (Geeknik Labs) - -Bug: https://curl.haxx.se/docs/CVE-2018-16840.html - -Upstream-Status: Backport [https://github.com/curl/curl/commit/ -81d135d67155c5295b1033679c606165d4e28f3f] - -CVE: CVE-2018-16840 - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - lib/url.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/lib/url.c b/lib/url.c -index 27b2c1e..7ef7c20 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -320,10 +320,12 @@ CURLcode Curl_close(struct Curl_easy *data) - and detach this handle from there. */ - curl_multi_remove_handle(data->multi, data); - -- if(data->multi_easy) -+ if(data->multi_easy) { - /* when curl_easy_perform() is used, it creates its own multi handle to - use and this is the one */ - curl_multi_cleanup(data->multi_easy); -+ data->multi_easy = NULL; -+ } - - /* Destroy the timeout list that is held in the easy handle. It is - /normally/ done by curl_multi_remove_handle() but this is "just in --- -2.7.4 - diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2018-16842.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2018-16842.patch deleted file mode 100644 index 82e75570..00000000 --- a/external/poky/meta/recipes-support/curl/curl/CVE-2018-16842.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 0e4a6058b130f07cfa52fde8a3cb6f2abfe4c700 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Thu, 1 Nov 2018 15:30:56 +0800 -Subject: [PATCH] voutf: fix bad arethmetic when outputting warnings to stderr - -CVE-2018-16842 -Reported-by: Brian Carpenter -Bug: https://curl.haxx.se/docs/CVE-2018-16842.html - -Upstream-Status: Backport [https://github.com/curl/curl/commit -/d530e92f59ae9bb2d47066c3c460b25d2ffeb211] - -CVE: CVE-2018-16842 - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - src/tool_msgs.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tool_msgs.c b/src/tool_msgs.c -index 9cce806..05bec39 100644 ---- a/src/tool_msgs.c -+++ b/src/tool_msgs.c -@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *config, - (void)fwrite(ptr, cut + 1, 1, config->errors); - fputs("\n", config->errors); - ptr += cut + 1; /* skip the space too */ -- len -= cut; -+ len -= cut + 1; - } - else { - fputs(ptr, config->errors); --- -2.7.4 - diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2018-16890.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2018-16890.patch deleted file mode 100644 index 3776f362..00000000 --- a/external/poky/meta/recipes-support/curl/curl/CVE-2018-16890.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 53d3c2f92b4a7561b1006494badf8cf2ef9110c0 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <daniel@haxx.se> -Date: Wed, 2 Jan 2019 20:33:08 +0100 -Subject: [PATCH 1/3] NTLM: fix size check condition for type2 received data - -Bug: https://curl.haxx.se/docs/CVE-2018-16890.html -Reported-by: Wenxiang Qian -CVE-2018-16890 - -Upstream-Status: Backport -[https://github.com/curl/curl/commit -/b780b30d1377adb10bbe774835f49e9b237fb9bb] - -CVE: CVE-2018-16890 - -Signed-off-by: Kevin Weng <t-keweng@microsoft.com> ---- - lib/vauth/ntlm.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c -index cdb8d8f0d..0212756ab 100644 ---- a/lib/vauth/ntlm.c -+++ b/lib/vauth/ntlm.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. -+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data, - target_info_len = Curl_read16_le(&buffer[40]); - target_info_offset = Curl_read32_le(&buffer[44]); - if(target_info_len > 0) { -- if(((target_info_offset + target_info_len) > size) || -+ if((target_info_offset >= size) || -+ ((target_info_offset + target_info_len) > size) || - (target_info_offset < 48)) { - infof(data, "NTLM handshake failure (bad type-2 message). " -- "Target Info Offset Len is set incorrect by the peer\n"); -+ "Target Info Offset Len is set incorrect by the peer\n"); - return CURLE_BAD_CONTENT_ENCODING; - } - --- -2.22.0 - diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2019-3822.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2019-3822.patch deleted file mode 100644 index 4f612ddd..00000000 --- a/external/poky/meta/recipes-support/curl/curl/CVE-2019-3822.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 761b51f66c7b1cd2cd6c71b807bfdb6a27c49b30 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <daniel@haxx.se> -Date: Thu, 3 Jan 2019 12:59:28 +0100 -Subject: [PATCH 2/3] ntlm: fix *_type3_message size check to avoid buffer - overflow - -Bug: https://curl.haxx.se/docs/CVE-2019-3822.html -Reported-by: Wenxiang Qian -CVE-2019-3822 - -Upstream-Status: Backport -[https://github.com/curl/curl/commit -/50c9484278c63b958655a717844f0721263939cc] - -CVE: CVE-2019-3822 - -Signed-off-by: Kevin Weng <t-keweng@microsoft.com> ---- - lib/vauth/ntlm.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c -index 0212756ab..3be0403d9 100644 ---- a/lib/vauth/ntlm.c -+++ b/lib/vauth/ntlm.c -@@ -777,11 +777,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, - }); - - #ifdef USE_NTRESPONSES -- if(size < (NTLM_BUFSIZE - ntresplen)) { -- DEBUGASSERT(size == (size_t)ntrespoff); -- memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen); -- size += ntresplen; -+ /* ntresplen + size should not be risking an integer overflow here */ -+ if(ntresplen + size > sizeof(ntlmbuf)) { -+ failf(data, "incoming NTLM message too big"); -+ return CURLE_OUT_OF_MEMORY; - } -+ DEBUGASSERT(size == (size_t)ntrespoff); -+ memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen); -+ size += ntresplen; - - DEBUG_OUT({ - fprintf(stderr, "\n ntresp="); --- -2.22.0 - diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2019-3823.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2019-3823.patch deleted file mode 100644 index 194e6e64..00000000 --- a/external/poky/meta/recipes-support/curl/curl/CVE-2019-3823.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 40f6c913f63cdbfa81daa7ac7f1c7415bb99edeb Mon Sep 17 00:00:00 2001 -From: Daniel Gustafsson <daniel@yesql.se> -Date: Sat, 19 Jan 2019 00:42:47 +0100 -Subject: [PATCH 3/3] smtp: avoid risk of buffer overflow in strtol - -If the incoming len 5, but the buffer does not have a termination -after 5 bytes, the strtol() call may keep reading through the line -buffer until is exceeds its boundary. Fix by ensuring that we are -using a bounded read with a temporary buffer on the stack. - -Bug: https://curl.haxx.se/docs/CVE-2019-3823.html -Reported-by: Brian Carpenter (Geeknik Labs) -CVE-2019-3823 - -Upstream-Status: Backport -[https://github.com/curl/curl/commit -/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484] - -CVE: CVE-2019-3823 - -Signed-off-by: Kevin Weng <t-keweng@microsoft.com> ---- - lib/smtp.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/lib/smtp.c b/lib/smtp.c -index ecf10a41a..1b9f92d30 100644 ---- a/lib/smtp.c -+++ b/lib/smtp.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. -+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -207,8 +207,12 @@ static bool smtp_endofresp(struct connectdata *conn, char *line, size_t len, - Section 4. Examples of RFC-4954 but some e-mail servers ignore this and - only send the response code instead as per Section 4.2. */ - if(line[3] == ' ' || len == 5) { -+ char tmpline[6]; -+ - result = TRUE; -- *resp = curlx_sltosi(strtol(line, NULL, 10)); -+ memset(tmpline, '\0', sizeof(tmpline)); -+ memcpy(tmpline, line, (len == 5 ? 5 : 3)); -+ *resp = curlx_sltosi(strtol(tmpline, NULL, 10)); - - /* Make sure real server never sends internal value */ - if(*resp == 1) --- -2.22.0 - diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch deleted file mode 100644 index 8ac55545..00000000 --- a/external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch +++ /dev/null @@ -1,200 +0,0 @@ -From 5fc28510a4664f46459d9a40187d81cc08571e60 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <daniel@haxx.se> -Date: Mon, 29 Apr 2019 08:00:49 +0200 -Subject: [PATCH] CURL_MAX_INPUT_LENGTH: largest acceptable string input size - -This limits all accepted input strings passed to libcurl to be less than -CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: -curl_easy_setopt() and curl_url_set(). - -The 8000000 number is arbitrary picked and is meant to detect mistakes -or abuse, not to limit actual practical use cases. By limiting the -acceptable string lengths we also reduce the risk of integer overflows -all over. - -NOTE: This does not apply to `CURLOPT_POSTFIELDS`. - -Test 1559 verifies. - -Closes #3805 - -Upstream-Status: Backport -Dropped a few changes to apply against this version -https://github.com/curl/curl/commit/5fc28510a4664f4 - -CVE: CVE-2019-5435 -affects: libcurl 7.19.4 to and including 7.64.1 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - lib/setopt.c | 7 +++++ - lib/urldata.h | 4 +++ - 7 files changed, 146 insertions(+), 3 deletions(-) - create mode 100644 tests/data/test1559 - create mode 100644 tests/libtest/lib1559.c - -Index: curl-7.61.0/lib/setopt.c -=================================================================== ---- curl-7.61.0.orig/lib/setopt.c -+++ curl-7.61.0/lib/setopt.c -@@ -60,6 +60,13 @@ CURLcode Curl_setstropt(char **charp, co - if(s) { - char *str = strdup(s); - -+ if(str) { -+ size_t len = strlen(str); -+ if(len > CURL_MAX_INPUT_LENGTH) { -+ free(str); -+ return CURLE_BAD_FUNCTION_ARGUMENT; -+ } -+ } - if(!str) - return CURLE_OUT_OF_MEMORY; - -Index: curl-7.61.0/lib/urldata.h -=================================================================== ---- curl-7.61.0.orig/lib/urldata.h -+++ curl-7.61.0/lib/urldata.h -@@ -79,6 +79,10 @@ - */ - #define RESP_TIMEOUT (1800*1000) - -+/* Max string intput length is a precaution against abuse and to detect junk -+ input easier and better. */ -+#define CURL_MAX_INPUT_LENGTH 8000000 -+ - #include "cookie.h" - #include "psl.h" - #include "formdata.h" -Index: curl-7.61.0/tests/data/test1559 -=================================================================== ---- /dev/null -+++ curl-7.61.0/tests/data/test1559 -@@ -0,0 +1,44 @@ -+<testcase> -+<info> -+<keywords> -+CURLOPT_URL -+</keywords> -+</info> -+ -+<reply> -+</reply> -+ -+<client> -+<server> -+none -+</server> -+ -+# require HTTP so that CURLOPT_POSTFIELDS works as assumed -+<features> -+http -+</features> -+<tool> -+lib1559 -+</tool> -+ -+<name> -+Set excessive URL lengths -+</name> -+</client> -+ -+# -+# Verify that the test runs to completion without crashing -+<verify> -+<errorcode> -+0 -+</errorcode> -+<stdout> -+CURLOPT_URL 10000000 bytes URL == 43 -+CURLOPT_POSTFIELDS 10000000 bytes data == 0 -+CURLUPART_URL 10000000 bytes URL == 3 -+CURLUPART_SCHEME 10000000 bytes scheme == 3 -+CURLUPART_USER 10000000 bytes user == 3 -+</stdout> -+</verify> -+ -+</testcase> -Index: curl-7.61.0/tests/libtest/lib1559.c -=================================================================== ---- /dev/null -+++ curl-7.61.0/tests/libtest/lib1559.c -@@ -0,0 +1,78 @@ -+/*************************************************************************** -+ * _ _ ____ _ -+ * Project ___| | | | _ \| | -+ * / __| | | | |_) | | -+ * | (__| |_| | _ <| |___ -+ * \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. -+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. The terms -+ * are also available at https://curl.haxx.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. -+ * -+ ***************************************************************************/ -+#include "test.h" -+ -+#include "testutil.h" -+#include "warnless.h" -+#include "memdebug.h" -+ -+#define EXCESSIVE 10*1000*1000 -+int test(char *URL) -+{ -+ CURLcode res = 0; -+ CURL *curl = NULL; -+ char *longurl = malloc(EXCESSIVE); -+ CURLU *u; -+ (void)URL; -+ -+ memset(longurl, 'a', EXCESSIVE); -+ longurl[EXCESSIVE-1] = 0; -+ -+ global_init(CURL_GLOBAL_ALL); -+ easy_init(curl); -+ -+ res = curl_easy_setopt(curl, CURLOPT_URL, longurl); -+ printf("CURLOPT_URL %d bytes URL == %d\n", -+ EXCESSIVE, (int)res); -+ -+ res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, longurl); -+ printf("CURLOPT_POSTFIELDS %d bytes data == %d\n", -+ EXCESSIVE, (int)res); -+ -+ u = curl_url(); -+ if(u) { -+ CURLUcode uc = curl_url_set(u, CURLUPART_URL, longurl, 0); -+ printf("CURLUPART_URL %d bytes URL == %d\n", -+ EXCESSIVE, (int)uc); -+ uc = curl_url_set(u, CURLUPART_SCHEME, longurl, CURLU_NON_SUPPORT_SCHEME); -+ printf("CURLUPART_SCHEME %d bytes scheme == %d\n", -+ EXCESSIVE, (int)uc); -+ uc = curl_url_set(u, CURLUPART_USER, longurl, 0); -+ printf("CURLUPART_USER %d bytes user == %d\n", -+ EXCESSIVE, (int)uc); -+ curl_url_cleanup(u); -+ } -+ -+ free(longurl); -+ -+ curl_easy_cleanup(curl); -+ curl_global_cleanup(); -+ -+ return 0; -+ -+test_cleanup: -+ -+ curl_easy_cleanup(curl); -+ curl_global_cleanup(); -+ -+ return res; /* return the final return code */ -+} diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2019-5436.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2019-5436.patch deleted file mode 100644 index 05fd8e9b..00000000 --- a/external/poky/meta/recipes-support/curl/curl/CVE-2019-5436.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 2576003415625d7b5f0e390902f8097830b82275 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <daniel@haxx.se> -Date: Fri, 3 May 2019 22:20:37 +0200 -Subject: [PATCH] tftp: use the current blksize for recvfrom() - -bug: https://curl.haxx.se/docs/CVE-2019-5436.html -Reported-by: l00p3r on hackerone -CVE-2019-5436 - -Upstream-Status: Backport -https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275 -CVE: CVE-2019-5436 -affects: libcurl 7.19.4 to and including 7.64.1 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - lib/tftp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: curl-7.61.0/lib/tftp.c -=================================================================== ---- curl-7.61.0.orig/lib/tftp.c -+++ curl-7.61.0/lib/tftp.c -@@ -1005,7 +1005,7 @@ static CURLcode tftp_connect(struct conn - state->sockfd = state->conn->sock[FIRSTSOCKET]; - state->state = TFTP_STATE_START; - state->error = TFTP_ERR_NONE; -- state->blksize = TFTP_BLKSIZE_DEFAULT; -+ state->blksize = blksize; - state->requested_blksize = blksize; - - ((struct sockaddr *)&state->local_addr)->sa_family = diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2019-5482.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2019-5482.patch deleted file mode 100644 index 91b18669..00000000 --- a/external/poky/meta/recipes-support/curl/curl/CVE-2019-5482.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 38319e0717844c32464a6c7630de9be226f1c6f4 Mon Sep 17 00:00:00 2001 -From: Thomas Vegas <> -Date: Sat, 31 Aug 2019 17:30:51 +0200 -Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is - received -Reply-To: muislam@microsoft.com - -Fixes potential buffer overflow from 'recvfrom()', should the server -return an OACK without blksize. - -Bug: https://curl.haxx.se/docs/CVE-2019-5482.html - -CVE: CVE-2019-5482 - -Upstream-Status: Backport - -Signed-off-by: Muminul Islam <muislam@microsoft.com> ---- - lib/tftp.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/lib/tftp.c b/lib/tftp.c -index 064eef318..2c148e3e1 100644 ---- a/lib/tftp.c -+++ b/lib/tftp.c -@@ -969,6 +969,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) - { - tftp_state_data_t *state; - int blksize; -+ int need_blksize; - - blksize = TFTP_BLKSIZE_DEFAULT; - -@@ -983,15 +984,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) - return CURLE_TFTP_ILLEGAL; - } - -+ need_blksize = blksize; -+ /* default size is the fallback when no OACK is received */ -+ if(need_blksize < TFTP_BLKSIZE_DEFAULT) -+ need_blksize = TFTP_BLKSIZE_DEFAULT; -+ - if(!state->rpacket.data) { -- state->rpacket.data = calloc(1, blksize + 2 + 2); -+ state->rpacket.data = calloc(1, need_blksize + 2 + 2); - - if(!state->rpacket.data) - return CURLE_OUT_OF_MEMORY; - } - - if(!state->spacket.data) { -- state->spacket.data = calloc(1, blksize + 2 + 2); -+ state->spacket.data = calloc(1, need_blksize + 2 + 2); - - if(!state->spacket.data) - return CURLE_OUT_OF_MEMORY; -@@ -1005,7 +1011,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) - state->sockfd = state->conn->sock[FIRSTSOCKET]; - state->state = TFTP_STATE_START; - state->error = TFTP_ERR_NONE; -- state->blksize = blksize; -+ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */ - state->requested_blksize = blksize; - - ((struct sockaddr *)&state->local_addr)->sa_family = --- -2.23.0 - diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2020-8169.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2020-8169.patch new file mode 100644 index 00000000..7d1be24a --- /dev/null +++ b/external/poky/meta/recipes-support/curl/curl/CVE-2020-8169.patch @@ -0,0 +1,140 @@ +From 600a8cded447cd7118ed50142c576567c0cf5158 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 14 May 2020 14:37:12 +0200 +Subject: [PATCH] url: make the updated credentials URL-encoded in the URL + +Found-by: Gregory Jefferis +Reported-by: Jeroen Ooms +Added test 1168 to verify. Bug spotted when doing a redirect. +Bug: https://github.com/jeroen/curl/issues/224 +Closes #5400 + +Upstream-Status: Backport +https://github.com/curl/curl/commit/600a8cded447cd + +CVE: CVE-2020-8169 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + lib/url.c | 6 ++-- + tests/data/Makefile.inc | 1 + + tests/data/test1168 | 78 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 83 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1168 + +Index: curl-7.69.1/lib/url.c +=================================================================== +--- curl-7.69.1.orig/lib/url.c ++++ curl-7.69.1/lib/url.c +@@ -2776,12 +2776,14 @@ static CURLcode override_login(struct Cu + + /* for updated strings, we update them in the URL */ + if(user_changed) { +- uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0); ++ uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, ++ CURLU_URLENCODE); + if(uc) + return Curl_uc_to_curlcode(uc); + } + if(passwd_changed) { +- uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0); ++ uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, ++ CURLU_URLENCODE); + if(uc) + return Curl_uc_to_curlcode(uc); + } +Index: curl-7.69.1/tests/data/Makefile.inc +=================================================================== +--- curl-7.69.1.orig/tests/data/Makefile.inc ++++ curl-7.69.1/tests/data/Makefile.inc +@@ -133,6 +133,7 @@ test1136 test1137 test1138 test1139 test + test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \ + test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \ + test1160 test1161 test1162 test1163 test1164 test1165 test1166 test1167 \ ++test1168 \ + \ + test1170 test1171 test1172 test1173 test1174 test1175 test1176 \ + \ +Index: curl-7.69.1/tests/data/test1168 +=================================================================== +--- /dev/null ++++ curl-7.69.1/tests/data/test1168 +@@ -0,0 +1,78 @@ ++<testcase> ++<info> ++<keywords> ++HTTP ++HTTP GET ++followlocation ++</keywords> ++</info> ++# Server-side ++<reply> ++<data> ++HTTP/1.1 301 This is a weirdo text message swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Location: /data/11680002.txt ++Connection: close ++ ++This server reply is for testing a simple Location: following ++ ++</data> ++<data2> ++HTTP/1.1 200 Followed here fine swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 52 ++ ++If this is received, the location following worked ++ ++</data2> ++<datacheck> ++HTTP/1.1 301 This is a weirdo text message swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Location: /data/11680002.txt ++Connection: close ++ ++HTTP/1.1 200 Followed here fine swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 52 ++ ++If this is received, the location following worked ++ ++</datacheck> ++</reply> ++ ++# Client-side ++<client> ++<server> ++http ++</server> ++ <name> ++HTTP redirect with credentials using # in user and password ++ </name> ++ <command> ++http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY" ++</command> ++</client> ++ ++# Verify data after the test has been "shot" ++<verify> ++<strip> ++^User-Agent:.* ++</strip> ++<protocol> ++GET /want/1168 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ== ++Accept: */* ++ ++GET /data/11680002.txt HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ== ++Accept: */* ++ ++</protocol> ++</verify> ++</testcase> diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2020-8177.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2020-8177.patch new file mode 100644 index 00000000..4f14fa23 --- /dev/null +++ b/external/poky/meta/recipes-support/curl/curl/CVE-2020-8177.patch @@ -0,0 +1,67 @@ +From 8236aba58542c5f89f1d41ca09d84579efb05e22 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Sun, 31 May 2020 23:09:59 +0200 +Subject: [PATCH] tool_getparam: -i is not OK if -J is used + +Reported-by: sn on hackerone +Bug: https://curl.haxx.se/docs/CVE-2020-8177.html + +Upstream-Status: Backport +CVE:CVE-2020-8177 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + src/tool_cb_hdr.c | 22 ++++------------------ + src/tool_getparam.c | 5 +++++ + 2 files changed, 9 insertions(+), 18 deletions(-) + +Index: curl-7.69.1/src/tool_cb_hdr.c +=================================================================== +--- curl-7.69.1.orig/src/tool_cb_hdr.c ++++ curl-7.69.1/src/tool_cb_hdr.c +@@ -186,25 +186,11 @@ size_t tool_header_cb(char *ptr, size_t + filename = parse_filename(p, len); + if(filename) { + if(outs->stream) { +- int rc; +- /* already opened and possibly written to */ +- if(outs->fopened) +- fclose(outs->stream); +- outs->stream = NULL; +- +- /* rename the initial file name to the new file name */ +- rc = rename(outs->filename, filename); +- if(rc != 0) { +- warnf(per->config->global, "Failed to rename %s -> %s: %s\n", +- outs->filename, filename, strerror(errno)); +- } +- if(outs->alloc_filename) +- Curl_safefree(outs->filename); +- if(rc != 0) { +- free(filename); +- return failure; +- } ++ /* indication of problem, get out! */ ++ free(filename); ++ return failure; + } ++ + outs->is_cd_filename = TRUE; + outs->s_isreg = TRUE; + outs->fopened = FALSE; +Index: curl-7.69.1/src/tool_getparam.c +=================================================================== +--- curl-7.69.1.orig/src/tool_getparam.c ++++ curl-7.69.1/src/tool_getparam.c +@@ -1807,6 +1807,11 @@ ParameterError getparameter(const char * + } + break; + case 'i': ++ if(config->content_disposition) { ++ warnf(global, ++ "--include and --remote-header-name cannot be combined.\n"); ++ return PARAM_BAD_USE; ++ } + config->show_headers = toggle; /* show the headers as well in the + general output stream */ + break; diff --git a/external/poky/meta/recipes-support/curl/curl_7.61.0.bb b/external/poky/meta/recipes-support/curl/curl_7.69.1.bb index cd880f9e..8b5170f0 100644 --- a/external/poky/meta/recipes-support/curl/curl_7.61.0.bb +++ b/external/poky/meta/recipes-support/curl/curl_7.69.1.bb @@ -3,24 +3,16 @@ HOMEPAGE = "http://curl.haxx.se/" BUGTRACKER = "http://curl.haxx.se/mail/list.cgi?list=curl-tracker" SECTION = "console/network" LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=ef889a37a5a874490ac7ce116396f29a" +LIC_FILES_CHKSUM = "file://COPYING;md5=2e9fb35867314fe31c6a4977ef7dd531" SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://0001-replace-krb5-config-with-pkg-config.patch \ - file://CVE-2018-14618.patch \ - file://CVE-2018-16839.patch \ - file://CVE-2018-16840.patch \ - file://CVE-2018-16842.patch \ - file://CVE-2019-5435.patch \ - file://CVE-2019-5436.patch \ - file://CVE-2018-16890.patch \ - file://CVE-2019-3822.patch \ - file://CVE-2019-3823.patch \ - file://CVE-2019-5482.patch \ + file://CVE-2020-8169.patch \ + file://CVE-2020-8177.patch \ " -SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a" -SRC_URI[sha256sum] = "5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c" +SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" +SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a56c4de8" CVE_PRODUCT = "curl libcurl" inherit autotools pkgconfig binconfig multilib_header @@ -30,7 +22,7 @@ PACKAGECONFIG_class-native = "ipv6 proxy ssl threaded-resolver verbose zlib" PACKAGECONFIG_class-nativesdk = "ipv6 proxy ssl threaded-resolver verbose zlib" # 'ares' and 'threaded-resolver' are mutually exclusive -PACKAGECONFIG[ares] = "--enable-ares,--disable-ares,c-ares" +PACKAGECONFIG[ares] = "--enable-ares,--disable-ares,c-ares,,,threaded-resolver" PACKAGECONFIG[brotli] = "--with-brotli,--without-brotli,brotli" PACKAGECONFIG[builtinmanual] = "--enable-manual,--disable-manual" PACKAGECONFIG[dict] = "--enable-dict,--disable-dict," @@ -52,9 +44,10 @@ PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp," PACKAGECONFIG[smb] = "--enable-smb,--disable-smb," PACKAGECONFIG[smtp] = "--enable-smtp,--disable-smtp," PACKAGECONFIG[ssl] = "--with-ssl --with-random=/dev/urandom,--without-ssl,openssl" +PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss" PACKAGECONFIG[telnet] = "--enable-telnet,--disable-telnet," PACKAGECONFIG[tftp] = "--enable-tftp,--disable-tftp," -PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threaded-resolver" +PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threaded-resolver,,,,ares" PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose" PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib" |