[oe-commits] Chong Lu : curl: Security Advisory - curl - CVE-2014-3620

git at git.openembedded.org git at git.openembedded.org
Wed Nov 5 23:28:40 UTC 2014


Module: openembedded-core.git
Branch: daisy
Commit: 13bb2ee98cfd159455e459501dda280a78cb5a3b
URL:    http://git.openembedded.org/?p=openembedded-core.git&a=commit;h=13bb2ee98cfd159455e459501dda280a78cb5a3b

Author: Chong Lu <Chong.Lu at windriver.com>
Date:   Tue Nov  4 09:35:18 2014 +0800

curl: Security Advisory - curl - CVE-2014-3620

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus
making them apply broader than cookies are allowed. This can allow arbitrary
sites to set cookies that then would get sent to a different and unrelated site
or domain.

(From OE-Core rev: ddbaade8afbc9767583728bfdc220639203d6853)

Signed-off-by: Chong Lu <Chong.Lu at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

---

 meta/recipes-support/curl/curl/CVE-2014-3620.patch | 69 ++++++++++++++++++++++
 meta/recipes-support/curl/curl_7.35.0.bb           |  1 +
 2 files changed, 70 insertions(+)

diff --git a/meta/recipes-support/curl/curl/CVE-2014-3620.patch b/meta/recipes-support/curl/curl/CVE-2014-3620.patch
new file mode 100644
index 0000000..d11f190
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2014-3620.patch
@@ -0,0 +1,69 @@
+From fd7ae600adf23a9a1ed619165c5058bdec216e9c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Tue, 19 Aug 2014 21:11:20 +0200
+Subject: [PATCH] cookies: reject incoming cookies set for TLDs
+
+Test 61 was modified to verify this.
+
+CVE-2014-3620
+
+Reported-by: Tim Ruehsen
+URL: http://curl.haxx.se/docs/adv_20140910B.html
+
+Upstream-Status: Backport
+
+Signed-off-by: Chong Lu <Chong.Lu at windriver.com>
+---
+ lib/cookie.c      | 6 ++++++
+ tests/data/test61 | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 46904ac..375485f 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -461,19 +461,25 @@ Curl_cookie_add(struct SessionHandle *data,
+             break;
+           }
+         }
+         else if(Curl_raw_equal("domain", name)) {
+           bool is_ip;
++          const char *dotp;
+ 
+           /* Now, we make sure that our host is within the given domain,
+              or the given domain is not valid and thus cannot be set. */
+ 
+           if('.' == whatptr[0])
+             whatptr++; /* ignore preceding dot */
+ 
+           is_ip = isip(domain ? domain : whatptr);
+ 
++          /* check for more dots */
++          dotp = strchr(whatptr, '.');
++          if(!dotp)
++            domain=":";
++
+           if(!domain
+              || (is_ip && !strcmp(whatptr, domain))
+              || (!is_ip && tailmatch(whatptr, domain))) {
+             strstore(&co->domain, whatptr);
+             if(!co->domain) {
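Review bot: the reject in the `if(!dotp) domain=":";` block works by overwriting the `domain` parameter with a sentinel so that the later `strcmp(whatptr, domain)` and `tailmatch(whatptr, domain)` fail, which is not obvious to a reader and means any later use of `domain` in Curl_cookie_add sees a bogus host. An explicit reject (for example a local flag that skips the `strstore(&co->domain, whatptr)` path) and a comment that states the rule instead of `/* check for more dots */`, such as "a domain attribute with no dot is a TLD or a bare label and is never accepted", would make the intent clear. Two consequences of the visible logic deserve a sentence in the commit message: a single-label value such as `domain=localhost` is now rejected as well, and only dotless values are caught, so a multi-label public suffix like `co.uk` still contains a dot and passes this check; closing that gap would need a suffix list, which this change does not add.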
+diff --git a/tests/data/test61 b/tests/data/test61
+index d2de279..e6dbbb9 100644
+--- a/tests/data/test61
++++ b/tests/data/test61
+@@ -21,10 +21,11 @@ Set-Cookie: test=yes; httponly; domain=foo.com; expires=Fri Feb 2 11:56:27 GMT 2
+ SET-COOKIE: test2=yes; domain=host.foo.com; expires=Fri Feb 2 11:56:27 GMT 2035
+ Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure
+ Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure
+ Set-Cookie: test5=name; domain=anything.com; path=/ ; secure
+ Set-Cookie: fake=fooledyou; domain=..com; path=/;
++Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M
+ Content-Length: 4
+ 
+ boo
+ </data>
+ </reply>
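Review bot: the added Set-Cookie line ends in `^M`, which appears to be a literal carriage return that none of the neighbouring Set-Cookie lines carry; confirm it is intentional, otherwise this case exercises CR handling as well as the new dot check. The case itself matches the fix (`domain=.com` becomes `com` once the leading dot is stripped, so `strchr` finds no dot and the cookie is dropped), but since the patch changes no expected output the rejection is verified only by `supercookie` being absent from the existing expected section; a short note in the test description saying that `supercookie` must not be stored would make that expectation explicit.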
+-- 
+2.1.0
+
diff --git a/meta/recipes-support/curl/curl_7.35.0.bb b/meta/recipes-support/curl/curl_7.35.0.bb
index b1c68be..5f2ff94 100644
--- a/meta/recipes-support/curl/curl_7.35.0.bb
+++ b/meta/recipes-support/curl/curl_7.35.0.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://generate_code_for_disable_manual.patch \
            file://remove_inappropriate_file_from_rel.patch \
            file://CVE-2014-3613.patch \
+           file://CVE-2014-3620.patch \
 "
 
 # curl likes to set -g0 in CFLAGS, so we stop it