From b754be84206b454789fbd6d444d00a4e422cb3e9 Mon Sep 17 00:00:00 2001 From: Thiruvadi Rajaraman Date: Sat, 4 Nov 2017 07:41:53 -0700 Subject: curl: Security fix for CVE-2016-8615 Affected versions: curl 7.1 to and including 7.50.3 Not affected versions: curl >= 7.51.0 Signed-off-by: Thiruvadi Rajaraman Signed-off-by: Armin Kuster --- meta/recipes-support/curl/curl/CVE-2016-8615.patch | 71 ++++++++++++++++++++++ meta/recipes-support/curl/curl_7.50.1.bb | 4 +- 2 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8615.patch (limited to 'meta/recipes-support') diff --git a/meta/recipes-support/curl/curl/CVE-2016-8615.patch b/meta/recipes-support/curl/curl/CVE-2016-8615.patch new file mode 100644 index 0000000000..d897ade3ce --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-8615.patch @@ -0,0 +1,71 @@ +From 1620f552a277ed5b23a48b9c27dbf07663cac068 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Sep 2016 17:36:19 +0200 +Subject: [PATCH] cookie: replace use of fgets() with custom version + +... that will ignore lines that are too long to fit in the buffer. + +CVE-2016-8615 + +Bug: https://curl.haxx.se/docs/adv_20161102A.html +Reported-by: Cure53 + +Upstream-Status: Backport +https://curl.haxx.se/CVE-2016-8615.patch + +CVE: CVE-2016-8615 +Signed-off-by: Thiruvadi Rajaraman + +--- + lib/cookie.c | 31 ++++++++++++++++++++++++++++++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +Index: curl-7.44.0/lib/cookie.c +=================================================================== +--- curl-7.44.0.orig/lib/cookie.c ++++ curl-7.44.0/lib/cookie.c +@@ -869,6 +869,35 @@ Curl_cookie_add(struct SessionHandle *da + return co; + } + ++/* ++ * get_line() makes sure to only return complete whole lines that fit in 'len' ++ * bytes and end with a newline. ++ */ ++static char *get_line(char *buf, int len, FILE *input) ++{ ++ bool partial = FALSE; ++ while(1) { ++ char *b = fgets(buf, len, input); ++ if(b) { ++ size_t rlen = strlen(b); ++ if(rlen && (b[rlen-1] == '\n')) { ++ if(partial) { ++ partial = FALSE; ++ continue; ++ } ++ return b; ++ } ++ else ++ /* read a partial, discard the next piece that ends with newline */ ++ partial = TRUE; ++ } ++ else ++ break; ++ } ++ return NULL; ++} ++ ++ + /***************************************************************************** + * + * Curl_cookie_init() +@@ -925,7 +954,7 @@ struct CookieInfo *Curl_cookie_init(stru + line = malloc(MAX_COOKIE_LINE); + if(!line) + goto fail; +- while(fgets(line, MAX_COOKIE_LINE, fp)) { ++ while(get_line(line, MAX_COOKIE_LINE, fp)) { + if(checkprefix("Set-Cookie:", line)) { + /* This is a cookie line, get it! */ + lineptr=&line[11]; diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb index 653fa2e7a8..c11eb0c246 100644 --- a/meta/recipes-support/curl/curl_7.50.1.bb +++ b/meta/recipes-support/curl/curl_7.50.1.bb @@ -12,7 +12,9 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ # curl likes to set -g0 in CFLAGS, so we stop it # from mucking around with debug options # -SRC_URI += " file://configure_ac.patch" +SRC_URI += " file://configure_ac.patch \ + file://CVE-2016-8615.patch \ + " SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" SRC_URI[sha256sum] = "3c12c5f54ccaa1d40abc65d672107dcc75d3e1fcb38c267484334280096e5156" -- cgit 1.2.3-korg