[oe-commits] [openembedded-core] 27/53: curl: Security fix for CVE-2016-9586

git at git.openembedded.org git at git.openembedded.org
Tue Nov 21 14:44:48 UTC 2017



rpurdie pushed a commit to branch morty
in repository openembedded-core.

commit 559ccc284987846c5b266cc2bc5ecd91c1c155f9
Author: Thiruvadi Rajaraman <trajaraman at mvista.com>
AuthorDate: Sat Nov 4 08:10:45 2017 -0700

    curl: Security fix for CVE-2016-9586
    
    Affected versions: libcurl 7.1 to and including 7.51.0
    Not affected versions: libcurl >= 7.52.0
    
    Signed-off-by: Thiruvadi Rajaraman <trajaraman at mvista.com>
    Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 meta/recipes-support/curl/curl/CVE-2016-9586.patch | 66 ++++++++++++++++++++++
 meta/recipes-support/curl/curl_7.50.1.bb           |  1 +
 2 files changed, 67 insertions(+)

diff --git a/meta/recipes-support/curl/curl/CVE-2016-9586.patch b/meta/recipes-support/curl/curl/CVE-2016-9586.patch
new file mode 100644
index 0000000..1103cb0
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-9586.patch
@@ -0,0 +1,66 @@
+commit 3ab3c16db6a5674f53cf23d56512a405fde0b2c9
+Author: Daniel Stenberg <daniel at haxx.se>
+Date:   Tue Nov 8 15:32:37 2016 +0100
+
+    printf: fix floating point buffer overflow issues
+
+    ... and add a bunch of floating point printf tests
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-9586.patch
+dropped the tests as they require more changes to work.
+
+CVE: CVE-2016-9586
+Signed-off-by: Thiruvadi Rajaraman <trajaraman at mvista.com>
+
+Index: curl-7.50.1/lib/mprintf.c
+===================================================================
+--- curl-7.50.1.orig/lib/mprintf.c	2017-06-15 18:24:08.934720707 +0530
++++ curl-7.50.1/lib/mprintf.c	2017-06-15 18:24:09.318720721 +0530
+@@ -92,7 +92,8 @@
+ #  define mp_uintmax_t unsigned long
+ #endif
+ 
+-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */
++#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should
++                        fit negative DBL_MAX (317 letters) */
+ #define MAX_PARAMETERS 128 /* lame static limit */
+ 
+ #ifdef __AMIGA__
+@@ -910,12 +911,25 @@
+         *fptr = 0;
+ 
+         if(width >= 0) {
++          if(width >= (long)sizeof(work))
++            width = sizeof(work)-1;
+           /* RECURSIVE USAGE */
+           len = curl_msnprintf(fptr, left, "%ld", width);
+           fptr += len;
+           left -= len;
+         }
+         if(prec >= 0) {
++          /* for each digit in the integer part, we can have one less
++             precision */
++          size_t maxprec = sizeof(work) - 2;
++          double val = p->data.dnum;
++          while(val >= 10.0) {
++            val /= 10;
++            maxprec--;
++          }
++
++          if(prec > (long)maxprec)
++            prec = maxprec-1;
+           /* RECURSIVE USAGE */
+           len = curl_msnprintf(fptr, left, ".%ld", prec);
+           fptr += len;
+@@ -935,7 +949,9 @@
+         /* NOTE NOTE NOTE!! Not all sprintf implementations return number of
+            output characters */
+         (sprintf)(work, formatbuf, p->data.dnum);
+-
++#ifdef CURLDEBUG
++        assert(strlen(work) <= sizeof(work));
++#endif
+         for(fptr=work; *fptr; fptr++)
+           OUTCHAR(*fptr);
+       }
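Review bot: The precision-clamp loop `while(val >= 10.0)` in the second hunk never terminates when `p->data.dnum` is positive infinity, since inf/10 is still inf, and `maxprec` (a size_t) wraps past zero on the way, so the call never reaches `(sprintf)`. Bounding the loop, e.g. `while(val >= 10.0 && maxprec > 1)`, ends it within sizeof(work) iterations and also keeps the later `prec = maxprec-1` non-negative. The loop also counts only positive magnitudes: a large negative dnum never enters it, so `maxprec` stays at sizeof(work)-2 and an explicit large precision can presumably still overrun `work` in the unbounded `(sprintf)` call of the third hunk — worth measuring the magnitude with `fabs(val)` (if <math.h> is already included) and covering with a test. Separately, the CURLDEBUG assert should be `assert(strlen(work) < sizeof(work));`, since equality already means the terminator was written past the end; the enclosing function starts and ends outside these hunks.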
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb
index bdf5d73..67bbdeb 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -21,6 +21,7 @@ SRC_URI += " file://configure_ac.patch \
              file://CVE-2016-8623.patch \
              file://CVE-2016-8617.patch \
              file://CVE-2016-8624.patch \
+             file://CVE-2016-9586.patch \
            "
 
 SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"
