[oe-commits] [openembedded-core] 23/53: curl: Security fix for CVE-2016-8621

git at git.openembedded.org git at git.openembedded.org
Tue Nov 21 14:44:44 UTC 2017 

This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch morty
in repository openembedded-core.

commit d664a1372c3322093038fc8443026e3499e977ec
Author: Thiruvadi Rajaraman <trajaraman at mvista.com>
AuthorDate: Sat Nov 4 07:59:11 2017 -0700

    curl: Security fix for CVE-2016-8621
    
    Affected versions: curl 7.12.2 to and including 7.50.3
    Not affected versions: curl < 7.12.2 and curl >= 7.51.0
    
    Signed-off-by: Thiruvadi Rajaraman <trajaraman at mvista.com>
    Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8621.patch | 104 +++++++++++++++++++++
 meta/recipes-support/curl/curl_7.50.1.bb           |   1 +
 2 files changed, 105 insertions(+)

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8621.patch b/meta/recipes-support/curl/curl/CVE-2016-8621.patch
new file mode 100644
index 0000000..5506277
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8621.patch
@@ -0,0 +1,104 @@
+From 8a6d9ded5f02f0294ae63a007e26087316c1998e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Tue, 4 Oct 2016 16:59:38 +0200
+Subject: [PATCH] parsedate: handle cut off numbers better
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+... and don't read outside of the given buffer!
+
+CVE-2016-8621
+
+bug: https://curl.haxx.se/docs/adv_20161102G.html
+Reported-by: Luật Nguyễn
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-8621.patch
+CVE: CVE-2016-8621
+Signed-off-by: Thiruvadi Rajaraman <trajaraman at mvista.com>
+
+---
+ lib/parsedate.c        | 12 +++++++-----
+ tests/data/test517     |  6 ++++++
+ tests/libtest/lib517.c |  8 +++++++-
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+Index: curl-7.44.0/lib/parsedate.c
+===================================================================
+--- curl-7.44.0.orig/lib/parsedate.c
++++ curl-7.44.0/lib/parsedate.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel at haxx.se>, et al.
++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel at haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -386,15 +386,17 @@ static int parsedate(const char *date, t
+       /* a digit */
+       int val;
+       char *end;
++      int len=0;
+       if((secnum == -1) &&
+-         (3 == sscanf(date, "%02d:%02d:%02d", &hournum, &minnum, &secnum))) {
++         (3 == sscanf(date, "%02d:%02d:%02d%n",
++                      &hournum, &minnum, &secnum, &len))) {
+         /* time stamp! */
+-        date += 8;
++        date += len;
+       }
+       else if((secnum == -1) &&
+-              (2 == sscanf(date, "%02d:%02d", &hournum, &minnum))) {
++              (2 == sscanf(date, "%02d:%02d%n", &hournum, &minnum, &len))) {
+         /* time stamp without seconds */
+-        date += 5;
++        date += len;
+         secnum = 0;
+       }
+       else {
+Index: curl-7.44.0/tests/data/test517
+===================================================================
+--- curl-7.44.0.orig/tests/data/test517
++++ curl-7.44.0/tests/data/test517
+@@ -116,6 +116,12 @@ nothing
+ 81: 20111323 12:34:56 => -1
+ 82: 20110623 12:34:79 => -1
+ 83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000
++84: 20110623 12:3 => 1308830580
++85: 20110623 1:3 => 1308790980
++86: 20110623 1:30 => 1308792600
++87: 20110623 12:12:3 => 1308831123
++88: 20110623 01:12:3 => 1308791523
++89: 20110623 01:99:30 => -1
+ </stdout>
+ 
+ # This test case previously tested an overflow case ("2094 Nov 6 =>
+Index: curl-7.44.0/tests/libtest/lib517.c
+===================================================================
+--- curl-7.44.0.orig/tests/libtest/lib517.c
++++ curl-7.44.0/tests/libtest/lib517.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel at haxx.se>, et al.
++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel at haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -116,6 +116,12 @@ static const char * const dates[]={
+   "20111323 12:34:56",
+   "20110623 12:34:79",
+   "Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */
++  "20110623 12:3",
++  "20110623 1:3",
++  "20110623 1:30",
++  "20110623 12:12:3",
++  "20110623 01:12:3",
++  "20110623 01:99:30",
+   NULL
+ };
+ 
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb
index aa8ebeb..548bb46 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -17,6 +17,7 @@ SRC_URI += " file://configure_ac.patch \
              file://CVE-2016-8618.patch \
              file://CVE-2016-8619.patch \ 
              file://CVE-2016-8620.patch \
+             file://CVE-2016-8621.patch \
            "
 
 SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list