[oe-commits] [openembedded-core] 22/53: curl: Security fix for CVE-2016-8620
git at git.openembedded.org
git at git.openembedded.org
Tue Nov 21 14:44:43 UTC 2017
This is an automated email from the git hooks/post-receive script.
rpurdie pushed a commit to branch morty
in repository openembedded-core.
commit daeb0f5369f7c9ff470c9db3ba6ae42ac5abea2c
Author: Thiruvadi Rajaraman <trajaraman at mvista.com>
AuthorDate: Sat Nov 4 07:56:07 2017 -0700
curl: Security fix for CVE-2016-8620
Affected versions: curl 7.34.0 to and including 7.50.3
Not affected versions: curl < 7.34.0 and curl >= 7.51.0
Signed-off-by: Thiruvadi Rajaraman <trajaraman at mvista.com>
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
meta/recipes-support/curl/curl/CVE-2016-8620.patch | 146 +++++++++++++++++++++
meta/recipes-support/curl/curl_7.50.1.bb | 1 +
2 files changed, 147 insertions(+)
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8620.patch b/meta/recipes-support/curl/curl/CVE-2016-8620.patch
new file mode 100644
index 0000000..db3da6f
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8620.patch
@@ -0,0 +1,146 @@
+From 52f3e1d1092c81a4f574c9fc6cb3818b88434c8d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Mon, 3 Oct 2016 17:27:16 +0200
+Subject: [PATCH 1/3] range: prevent negative end number in a glob range
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2016-8620
+
+Bug: https://curl.haxx.se/docs/adv_20161102F.html
+Reported-by: Luật Nguyễn
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-8620.patch
+CVE: CVE-2016-8620
+Signed-off-by: Thiruvadi Rajaraman <trajaraman at mvista.com>
+
+---
+ src/tool_urlglob.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+Index: curl-7.44.0/src/tool_urlglob.c
+===================================================================
+--- curl-7.44.0.orig/src/tool_urlglob.c
++++ curl-7.44.0/src/tool_urlglob.c
+@@ -186,32 +186,36 @@ static CURLcode glob_range(URLGlob *glob
+ /* character range detected */
+ char min_c;
+ char max_c;
++ char end_c;
+ int step=1;
+
+ pat->type = UPTCharRange;
+
+- rc = sscanf(pattern, "%c-%c", &min_c, &max_c);
++ rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c);
+
+- if((rc == 2) && (pattern[3] == ':')) {
+- char *endp;
+- unsigned long lstep;
+- errno = 0;
+- lstep = strtoul(&pattern[4], &endp, 10);
+- if(errno || (*endp != ']'))
+- step = -1;
+- else {
+- pattern = endp+1;
+- step = (int)lstep;
+- if(step > (max_c - min_c))
++ if(rc == 3) {
++ if(end_c == ':') {
++ char *endp;
++ unsigned long lstep;
++ errno = 0;
++ lstep = strtoul(&pattern[4], &endp, 10);
++ if(errno || (*endp != ']'))
+ step = -1;
++ else {
++ pattern = endp+1;
++ step = (int)lstep;
++ if(step > (max_c - min_c))
++ step = -1;
++ }
+ }
++ else if(end_c != ']')
++ /* then this is wrong */
++ rc = 0;
+ }
+- else
+- pattern += 4;
+
+ *posp += (pattern - *patternp);
+
+- if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
++ if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
+ (step <= 0) )
+ /* the pattern is not well-formed */
+ return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);
+@@ -255,6 +259,12 @@ static CURLcode glob_range(URLGlob *glob
+ endp = NULL;
+ else {
+ pattern = endp+1;
++ while(*pattern && ISBLANK(*pattern))
++ pattern++;
++ if(!ISDIGIT(*pattern)) {
++ endp = NULL;
++ goto fail;
++ }
+ errno = 0;
+ max_n = strtoul(pattern, &endp, 10);
+ if(errno || (*endp == ':')) {
+@@ -275,6 +285,7 @@ static CURLcode glob_range(URLGlob *glob
+ }
+ }
+
++ fail:
+ *posp += (pattern - *patternp);
+
+ if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) ||
+@@ -423,6 +434,7 @@ CURLcode glob_url(URLGlob** glob, char*
+ glob_buffer = malloc(strlen(url) + 1);
+ if(!glob_buffer)
+ return CURLE_OUT_OF_MEMORY;
++ glob_buffer[0]=0;
+
+ glob_expand = calloc(1, sizeof(URLGlob));
+ if(!glob_expand) {
+@@ -540,20 +552,25 @@ CURLcode glob_next_url(char **globbed, U
+ switch(pat->type) {
+ case UPTSet:
+ if(pat->content.Set.elements) {
+- len = strlen(pat->content.Set.elements[pat->content.Set.ptr_s]);
+ snprintf(buf, buflen, "%s",
+ pat->content.Set.elements[pat->content.Set.ptr_s]);
++ len = strlen(buf);
+ buf += len;
+ buflen -= len;
+ }
+ break;
+ case UPTCharRange:
+- *buf++ = pat->content.CharRange.ptr_c;
++ if(buflen) {
++ *buf++ = pat->content.CharRange.ptr_c;
++ *buf = '\0';
++ buflen--;
++ }
+ break;
+ case UPTNumRange:
+- len = snprintf(buf, buflen, "%0*ld",
+- pat->content.NumRange.padlength,
+- pat->content.NumRange.ptr_n);
++ snprintf(buf, buflen, "%0*ld",
++ pat->content.NumRange.padlength,
++ pat->content.NumRange.ptr_n);
++ len = strlen(buf);
+ buf += len;
+ buflen -= len;
+ break;
+@@ -562,7 +579,6 @@ CURLcode glob_next_url(char **globbed, U
+ return CURLE_FAILED_INIT;
+ }
+ }
+- *buf = '\0';
+
+ *globbed = strdup(glob->glob_buffer);
+ if(!*globbed)
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb
index 5441101..aa8ebeb 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -16,6 +16,7 @@ SRC_URI += " file://configure_ac.patch \
file://CVE-2016-8615.patch \
file://CVE-2016-8618.patch \
file://CVE-2016-8619.patch \
+ file://CVE-2016-8620.patch \
"
SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list