summaryrefslogtreecommitdiffstats
path: root/meta/recipes-support/curl
diff options
context:
space:
mode:
authorLi Zhou <li.zhou@windriver.com>2017-10-23 15:44:53 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-11-05 13:54:44 +0000
commit08f8d5db06647b94f96d655100c358047682dd2f (patch)
treea2b6338dee850f0ff191a2f444869d9c3a43b68d /meta/recipes-support/curl
parent44676c90863c3864182c088ca51bec3bdc8dce29 (diff)
downloadopenembedded-core-08f8d5db06647b94f96d655100c358047682dd2f.tar.gz
openembedded-core-08f8d5db06647b94f96d655100c358047682dd2f.tar.bz2
openembedded-core-08f8d5db06647b94f96d655100c358047682dd2f.zip
curl: Security Advisory - curl - CVE-2017-1000254
Porting patch from <https://github.com/curl/curl/commit/ 5ff2c5ff25750aba1a8f64fbcad8e5b891512584> to solve CVE-2017-1000254. Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-support/curl')
-rw-r--r--meta/recipes-support/curl/curl/CVE-2017-1000254.patch138
-rw-r--r--meta/recipes-support/curl/curl_7.54.1.bb1
2 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2017-1000254.patch b/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
new file mode 100644
index 0000000000..2b0798b929
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
@@ -0,0 +1,138 @@
+From 1b2eba6f9745c064f7283e0ada8f46df9d9d6e42 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 23 Oct 2017 00:26:50 -0700
+Subject: [PATCH] FTP: zero terminate the entry path even on bad input
+
+... a single double quote could leave the entry path buffer without a zero
+terminating byte. CVE-2017-1000254
+
+Test 1152 added to verify.
+
+Reported-by: Max Dymond
+Bug: https://curl.haxx.se/docs/adv_20171004.html
+
+Upstream-Status: Backport
+CVE: CVE-2017-1000254
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ lib/ftp.c | 7 ++++--
+ tests/data/Makefile.inc | 2 ++
+ tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 68 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1152
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 5edec37..493dbf9 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2826,6 +2826,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ const size_t buf_size = data->set.buffer_size;
+ char *dir;
+ char *store;
++ bool entry_extracted = FALSE;
+
+ dir = malloc(nread + 1);
+ if(!dir)
+@@ -2857,7 +2858,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ }
+ else {
+ /* end of path */
+- *store = '\0'; /* zero terminate */
++ entry_extracted = TRUE;
+ break; /* get out of this loop */
+ }
+ }
+@@ -2866,7 +2867,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ store++;
+ ptr++;
+ }
+-
++ *store = '\0'; /* zero terminate */
++ }
++ if(entry_extracted) {
+ /* If the path name does not look like an absolute path (i.e.: it
+ does not start with a '/'), we probably need some server-dependent
+ adjustments. For example, this is the case when connecting to
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 7adbee6..5284654 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -121,6 +121,8 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
+ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 \
++test1152 \
++\
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1152 b/tests/data/test1152
+new file mode 100644
+index 0000000..aa8c0a7
+--- /dev/null
++++ b/tests/data/test1152
+@@ -0,0 +1,61 @@
++<testcase>
++<info>
++<keywords>
++FTP
++PASV
++LIST
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY PWD 257 "just one
++</servercmd>
++
++# When doing LIST, we get the default list output hard-coded in the test
++# FTP server
++<data mode="text">
++total 20
++drwxr-xr-x 8 98 98 512 Oct 22 13:06 .
++drwxr-xr-x 8 98 98 512 Oct 22 13:06 ..
++drwxr-xr-x 2 98 98 512 May 2 1996 curl-releases
++-r--r--r-- 1 0 1 35 Jul 16 1996 README
++lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin
++dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev
++drwxrwxrwx 2 98 98 512 May 29 16:04 download.html
++dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc
++drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub
++dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++ftp
++</server>
++ <name>
++FTP with uneven quote in PWD response
++ </name>
++ <command>
++ftp://%HOSTIP:%FTPPORT/test-1152/
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD test-1152
++EPSV
++TYPE A
++LIST
++QUIT
++</protocol>
++</verify>
++</testcase>
+--
+2.11.0
+
diff --git a/meta/recipes-support/curl/curl_7.54.1.bb b/meta/recipes-support/curl/curl_7.54.1.bb
index cf230ed0d4..9870657ca4 100644
--- a/meta/recipes-support/curl/curl_7.54.1.bb
+++ b/meta/recipes-support/curl/curl_7.54.1.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2017-1000099.patch \
file://CVE-2017-1000100.patch \
file://CVE-2017-1000101.patch \
+ file://CVE-2017-1000254.patch \
"
# curl likes to set -g0 in CFLAGS, so we stop it