[oe] Curl security advisory CVE-2009-2417 [PATCH]
Khem Raj
raj.khem at gmail.com
Thu Aug 13 15:25:07 UTC 2009
On (12/08/09 11:55), Marc Olzheim wrote:
> Hi,
>
> I'm not sure what the policy is for patch files of this type, but in
> this patch I decided to add them to recipes/curl/files, instead of
> including the curl.haxx.se urls in the SRC_URIs. I hope that that is the
> way to do it.
>
> The patch for 7.18.1 applies on 7.18.2 fine. Apart from applying
> patches, I added 7.19.6.
You don't need to specify PR="r0" in a new recipe.
You could also switch to using INC_PR.
Thx
-Khem
>
> Marc
> commit aab35ef35648250da1f37e8b60574b9359dff976
> Author: Marc Olzheim <marc at iphion.nl>
> Date: Wed Aug 12 11:42:50 2009 +0200
>
> Add curl 7.19.6 and fix CVE-2009-2417 for the rest
> http://curl.haxx.se/docs/adv_20090812.html
>
> diff --git a/conf/checksums.ini b/conf/checksums.ini
> index 60d9729..f277e29 100644
> --- a/conf/checksums.ini
> +++ b/conf/checksums.ini
> @@ -4390,6 +4390,10 @@ sha256=fb3436280dedbc8f8141d3841a5964c4491dd6457bc5b7123854aed0b794be86
> md5=426d161661dce70c8ea9ad8f553363a3
> sha256=05ad84a9c8d340917370f357ad9fdce5ea595deb11f4cb70f946fa48c7b02cd0
>
> +[http://curl.haxx.se/download/curl-7.19.6.tar.bz2]
> +md5=8402c1f654c51ad7287aad57c3aa79be
> +sha256=ea88f48c8415f7d3af482e4d241277b2bdbfaffaf285e8001c88c1376cbc1021
> +
> [http://downloads.sourceforge.net/curlftpfs/curlftpfs-0.9.2.tar.gz]
> md5=b452123f755114cd4461d56c648d9f12
> sha256=4eb44739c7078ba0edde177bdd266c4cfb7c621075f47f64c85a06b12b3c6958
> diff --git a/recipes/curl/curl-native_7.18.2.bb b/recipes/curl/curl-native_7.18.2.bb
> index c95591b..00c6215 100644
> --- a/recipes/curl/curl-native_7.18.2.bb
> +++ b/recipes/curl/curl-native_7.18.2.bb
> @@ -1,7 +1,9 @@
> require curl-common.inc
> inherit native
> DEPENDS = "zlib-native"
> -PR = "r1"
> +PR = "r2"
> +
> +SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
>
> do_stage () {
> autotools_stage_all
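Review bot: The three 7.18.2 recipes (this hunk, the curl-sdk_7.18.2.bb hunk and the curl_7.18.2.bb hunk) pull in a patch file named for 7.18.1, and nothing in the recipe records that it was checked against 7.18.2; the mail says it applies cleanly, so a one-line comment above the SRC_URI line, `# upstream 7.18.1 fix for CVE-2009-2417; applies unchanged to 7.18.2`, keeps that fact next to the recipe. The placement also differs between the three: curl-native and curl-sdk add the SRC_URI line after PR, while curl_7.18.2.bb puts it before PR, so pick one order. Since all three already require curl-common.inc, the duplicated SRC_URI line could move into a shared include, but only if that include is specific to 7.18.2, which I cannot tell from here since curl_7.19.5.bb requires the same file.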
> diff --git a/recipes/curl/curl-sdk_7.18.2.bb b/recipes/curl/curl-sdk_7.18.2.bb
> index 35b0d88..8c667fa 100644
> --- a/recipes/curl/curl-sdk_7.18.2.bb
> +++ b/recipes/curl/curl-sdk_7.18.2.bb
> @@ -1,7 +1,9 @@
> require curl-common.inc
> inherit sdk
> DEPENDS = "zlib-sdk"
> -PR = "r1"
> +PR = "r2"
> +
> +SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
>
> do_stage () {
> install -d ${STAGING_INCDIR}/curl
> diff --git a/recipes/curl/curl_7.18.2.bb b/recipes/curl/curl_7.18.2.bb
> index 3de6da4..2d32f6b 100644
> --- a/recipes/curl/curl_7.18.2.bb
> +++ b/recipes/curl/curl_7.18.2.bb
> @@ -1,4 +1,6 @@
> require curl-common.inc
> require curl-target.inc
>
> -PR = "r1"
> +SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
> +
> +PR = "r2"
> diff --git a/recipes/curl/curl_7.19.5.bb b/recipes/curl/curl_7.19.5.bb
> index b5b6182..61914e1 100644
> --- a/recipes/curl/curl_7.19.5.bb
> +++ b/recipes/curl/curl_7.19.5.bb
> @@ -2,5 +2,6 @@ require curl-common.inc
> require curl-target.inc
>
> SRC_URI += "file://off_t_abi_fix.patch;patch=1;pnum=0 \
> - file://curl-add_all_algorithms.patch;patch=1"
> -PR = "r1"
> + file://curl-add_all_algorithms.patch;patch=1 \
> + file://curl-7.19.5-CVE-2009-2417.patch;patch=1;pnum=0"
> +PR = "r2"
> diff --git a/recipes/curl/curl_7.19.6.bb b/recipes/curl/curl_7.19.6.bb
> new file mode 100644
> index 0000000..df83fe8
> --- /dev/null
> +++ b/recipes/curl/curl_7.19.6.bb
> @@ -0,0 +1,5 @@
> +require curl-common.inc
> +require curl-target.inc
> +
> +SRC_URI += "file://off_t_abi_fix.patch;patch=1;pnum=0"
> +PR = "r0"
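Review bot: The new curl_7.19.6.bb carries off_t_abi_fix.patch but not curl-add_all_algorithms.patch, which curl_7.19.5.bb still applies in the hunk above; if that patch was dropped because 7.19.6 contains the change upstream, a comment such as `# curl-add_all_algorithms.patch not needed: merged upstream in 7.19.6` would record it, and if it was dropped by accident it should be added back. Not carrying a CVE-2009-2417 patch here is consistent with the commit message, which names 7.19.6 as the release that already contains the fix.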
> diff --git a/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
> new file mode 100644
> index 0000000..e7c24c0
> --- /dev/null
> +++ b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
> @@ -0,0 +1,83 @@
> +---
> + lib/ssluse.c | 40 +++++++++++++++++++++++++++-------------
> + 1 file changed, 27 insertions(+), 13 deletions(-)
> +
> +--- lib/ssluse.c.orig
> ++++ lib/ssluse.c
> +@@ -1061,7 +1061,7 @@ static CURLcode verifyhost(struct connec
> + if(check->type == target) {
> + /* get data and length */
> + const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
> +- int altlen;
> ++ size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
> +
> + switch(target) {
> + case GEN_DNS: /* name/pattern comparison */
> +@@ -1075,14 +1075,16 @@ static CURLcode verifyhost(struct connec
> + "I checked the 0.9.6 and 0.9.8 sources before my patch and
> + it always 0-terminates an IA5String."
> + */
> +- if(cert_hostcheck(altptr, conn->host.name))
> ++ if((altlen == strlen(altptr)) &&
> ++ /* if this isn't true, there was an embedded zero in the name
> ++ string and we cannot match it. */
> ++ cert_hostcheck(altptr, conn->host.name))
> + matched = TRUE;
> + break;
> +
> + case GEN_IPADD: /* IP address comparison */
> + /* compare alternative IP address if the data chunk is the same size
> + our server IP address is */
> +- altlen = ASN1_STRING_length(check->d.ia5);
> + if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
> + matched = TRUE;
> + break;
> +@@ -1122,18 +1124,27 @@ static CURLcode verifyhost(struct connec
> + string manually to avoid the problem. This code can be made
> + conditional in the future when OpenSSL has been fixed. Work-around
> + brought by Alexis S. L. Carvalho. */
> +- if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
> +- j = ASN1_STRING_length(tmp);
> +- if(j >= 0) {
> +- peer_CN = OPENSSL_malloc(j+1);
> +- if(peer_CN) {
> +- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
> +- peer_CN[j] = '\0';
> ++ if(tmp) {
> ++ if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
> ++ j = ASN1_STRING_length(tmp);
> ++ if(j >= 0) {
> ++ peer_CN = OPENSSL_malloc(j+1);
> ++ if(peer_CN) {
> ++ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
> ++ peer_CN[j] = '\0';
> ++ }
> + }
> + }
> ++ else /* not a UTF8 name */
> ++ j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
> ++
> ++ if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
> ++ /* there was a terminating zero before the end of string, this
> ++ cannot match and we return failure! */
> ++ failf(data, "SSL: illegal cert name field");
> ++ res = CURLE_PEER_FAILED_VERIFICATION;
> ++ }
> + }
> +- else /* not a UTF8 name */
> +- j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
> + }
> +
> + if(peer_CN == nulstr)
> +@@ -1151,7 +1162,10 @@ static CURLcode verifyhost(struct connec
> + }
> + #endif /* CURL_DOES_CONVERSIONS */
> +
> +- if(!peer_CN) {
> ++ if(res)
> ++ /* error already detected, pass through */
> ++ ;
> ++ else if(!peer_CN) {
> + failf(data,
> + "SSL: unable to obtain common name from peer certificate");
> + return CURLE_PEER_FAILED_VERIFICATION;
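Review bot: The new patch file begins at the diffstat with no header saying where it came from, so a later maintainer cannot tell whether it is the vendor fix for CVE-2009-2417 or a local backport; the same applies to curl-7.19.5-CVE-2009-2417.patch. Prepend a line above the diffstat such as `Fix for CVE-2009-2417, taken from http://curl.haxx.se/docs/adv_20090812.html` (the advisory the commit message cites). In the C itself, the GEN_DNS branch now compares `altlen` with `strlen(altptr)` before calling cert_hostcheck, and the CN branch compares `strlen(peer_CN)` with `j`, so a subjectAltName or CN whose ASN.1 length exceeds its C-string length (an embedded NUL) is rejected instead of being matched on the truncated prefix; the CN failure is recorded in `res` rather than returned, which presumably lets the function's existing cleanup free the peer_CN allocated by OPENSSL_malloc or ASN1_STRING_to_UTF8, but that cleanup and the rest of verifyhost lie outside the hunk. The `if(res) /* ... */ ; else if(!peer_CN)` empty statement is a readability nit; folding it into `if(!res && !peer_CN)` is only equivalent if no further `else if` branches follow outside the hunk, so leave it unless the whole chain is reworked.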
> diff --git a/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
> new file mode 100644
> index 0000000..f64232c
> --- /dev/null
> +++ b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
> @@ -0,0 +1,80 @@
> +--- lib/ssluse.c-7.19.5 2009-08-03 16:01:58.000000000 +0200
> ++++ lib/ssluse.c 2009-08-03 16:07:17.000000000 +0200
> +@@ -1092,7 +1092,8 @@
> + if(check->type == target) {
> + /* get data and length */
> + const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
> +- size_t altlen;
> ++ size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
> ++
> +
> + switch(target) {
> + case GEN_DNS: /* name/pattern comparison */
> +@@ -1106,14 +1107,16 @@
> + "I checked the 0.9.6 and 0.9.8 sources before my patch and
> + it always 0-terminates an IA5String."
> + */
> +- if(cert_hostcheck(altptr, conn->host.name))
> ++ if((altlen == strlen(altptr)) &&
> ++ /* if this isn't true, there was an embedded zero in the name
> ++ string and we cannot match it. */
> ++ cert_hostcheck(altptr, conn->host.name))
> + matched = TRUE;
> + break;
> +
> + case GEN_IPADD: /* IP address comparison */
> + /* compare alternative IP address if the data chunk is the same size
> + our server IP address is */
> +- altlen = (size_t) ASN1_STRING_length(check->d.ia5);
> + if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
> + matched = TRUE;
> + break;
> +@@ -1153,18 +1156,27 @@
> + string manually to avoid the problem. This code can be made
> + conditional in the future when OpenSSL has been fixed. Work-around
> + brought by Alexis S. L. Carvalho. */
> +- if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
> +- j = ASN1_STRING_length(tmp);
> +- if(j >= 0) {
> +- peer_CN = OPENSSL_malloc(j+1);
> +- if(peer_CN) {
> +- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
> +- peer_CN[j] = '\0';
> ++ if(tmp) {
> ++ if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
> ++ j = ASN1_STRING_length(tmp);
> ++ if(j >= 0) {
> ++ peer_CN = OPENSSL_malloc(j+1);
> ++ if(peer_CN) {
> ++ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
> ++ peer_CN[j] = '\0';
> ++ }
> + }
> + }
> ++ else /* not a UTF8 name */
> ++ j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
> ++
> ++ if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
> ++ /* there was a terminating zero before the end of string, this
> ++ cannot match and we return failure! */
> ++ failf(data, "SSL: illegal cert name field");
> ++ res = CURLE_PEER_FAILED_VERIFICATION;
> ++ }
> + }
> +- else /* not a UTF8 name */
> +- j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
> + }
> +
> + if(peer_CN == nulstr)
> +@@ -1182,7 +1194,10 @@
> + }
> + #endif /* CURL_DOES_CONVERSIONS */
> +
> +- if(!peer_CN) {
> ++ if(res)
> ++ /* error already detected, pass through */
> ++ ;
> ++ else if(!peer_CN) {
> + failf(data,
> + "SSL: unable to obtain common name from peer certificate");
> + return CURLE_PEER_FAILED_VERIFICATION;
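Review bot: The old-file name in the header, `lib/ssluse.c-7.19.5`, does not name a file in the source tree, so applying with pnum=0 relies on patch falling back to the `+++` name `lib/ssluse.c`; the 7.18.1 patch file uses `--- lib/ssluse.c.orig` for the same purpose, and changing this header to match keeps the two consistent and avoids depending on that fallback. The first hunk also adds an extra blank line after the new `size_t altlen` declaration (an added blank immediately followed by the existing blank), which is whitespace noise relative to the 7.18.1 variant. The C changes otherwise mirror curl-7.18.1-CVE-2009-2417.patch, and the time stamps embedded in the `---`/`+++` lines are harmless but carry no information for the reader.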