[OE-core] [thud][PATCH] curl: Security fix for CVE-2019-5481
akuster808
akuster808 at gmail.com
Fri Oct 25 15:52:58 UTC 2019
On 10/16/19 2:10 PM, Muminul Islam wrote:
> CVE: CVE-2019-5481
>
> Upstream-Status: Backport
Warrior needs to be fixed before I can get this in mainline thud.
- Armin
>
> Signed-off-by: Muminul Islam <muislam at microsoft.com>
> ---
> .../curl/curl/CVE-2019-5481.patch | 52 +++++++++++++++++++
> meta/recipes-support/curl/curl_7.61.0.bb | 1 +
> 2 files changed, 53 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2019-5481.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2019-5481.patch b/meta/recipes-support/curl/curl/CVE-2019-5481.patch
> new file mode 100644
> index 0000000000..a97a95a268
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2019-5481.patch
> @@ -0,0 +1,52 @@
> +From f6fa4dffb2b973f3c7f2e8c2b6a7dc94c016f455 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel at haxx.se>
> +Date: Tue, 3 Sep 2019 22:59:32 +0200
> +Subject: [PATCH] security:read_data fix bad realloc()
> +Reply-To: muislam at microsoft.com
> +
> +... that could end up a double-free
> +
> +CVE-2019-5481
> +Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
> +
> +Signed-off-by: Muminul Islam <muislam at microsoft.com>
> +
> +CVE: CVE-2019-5481
> +
> +Upstream-Status: Backport
> +
> +Upstream commit: https://github.com/curl/curl/commit/9069838b30fb3b48af0123e39f664cea683254a5
> +---
> + lib/security.c | 6 ++----
> + 1 file changed, 2 insertions(+), 4 deletions(-)
> +
> +diff --git a/lib/security.c b/lib/security.c
> +index abf242c38..52cce97d0 100644
> +--- a/lib/security.c
> ++++ b/lib/security.c
> +@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
> + struct krb5buffer *buf)
> + {
> + int len;
> +- void *tmp = NULL;
> + CURLcode result;
> +
> + result = socket_read(fd, &len, sizeof(len));
> +@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
> + if(len) {
> + /* only realloc if there was a length */
> + len = ntohl(len);
> +- tmp = Curl_saferealloc(buf->data, len);
> ++ buf->data = Curl_saferealloc(buf->data, len);
> + }
> +- if(tmp == NULL)
> ++ if(!len || !buf->data)
> + return CURLE_OUT_OF_MEMORY;
> +
> +- buf->data = tmp;
> + result = socket_read(fd, buf->data, len);
> + if(result)
> + return result;
> +--
> +2.23.0
> +
> diff --git a/meta/recipes-support/curl/curl_7.61.0.bb b/meta/recipes-support/curl/curl_7.61.0.bb
> index 3b54774b9d..29aaff20a1 100644
> --- a/meta/recipes-support/curl/curl_7.61.0.bb
> +++ b/meta/recipes-support/curl/curl_7.61.0.bb
> @@ -14,6 +14,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
> file://CVE-2019-5435.patch \
> file://CVE-2019-5436.patch \
> file://CVE-2019-5482.patch \
> + file://CVE-2019-5481.patch \
> "
>
> SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a"
More information about the Openembedded-core
mailing list