diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-11-15 10:08:15 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-05-18 13:13:35 +0100 |
commit | 7308140d81299dca7db98259461d60e0fe86878e (patch) | |
tree | d14f8d8281425e61eded68c22c16e92d1c3f939c | |
parent | 4e18b8af45e1e7769842952f773ba71276e24372 (diff) | |
download | openembedded-core-7308140d81299dca7db98259461d60e0fe86878e.tar.gz |
curl: CVE-2016-8620
glob parser write/read out of bounds
Affected versions: curl 7.34.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102F.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2016-8620.patch | 44 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.47.1.bb | 1 |
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8620.patch b/meta/recipes-support/curl/curl/CVE-2016-8620.patch new file mode 100644 index 0000000000..613ace30b8 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-8620.patch @@ -0,0 +1,44 @@ +From fbb5f1aa0326d485d5a7ac643b48481897ca667f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 3 Oct 2016 17:27:16 +0200 +Subject: [PATCH] range: prevent negative end number in a glob range + +CVE: CVE-2016-8620 + +Upstream-Status: Backport + +Bug: https://curl.haxx.se/docs/adv_20161102F.html +Reported-by: Luật Nguyễn +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> +--- + src/tool_urlglob.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c +index a357b8b..64c75ba 100644 +--- a/src/tool_urlglob.c ++++ b/src/tool_urlglob.c +@@ -257,6 +257,12 @@ static CURLcode glob_range(URLGlob *glob, char **patternp, + endp = NULL; + else { + pattern = endp+1; ++ while(*pattern && ISBLANK(*pattern)) ++ pattern++; ++ if(!ISDIGIT(*pattern)) { ++ endp = NULL; ++ goto fail; ++ } + errno = 0; + max_n = strtoul(pattern, &endp, 10); + if(errno || (*endp == ':')) { +@@ -277,6 +283,7 @@ static CURLcode glob_range(URLGlob *glob, char **patternp, + } + } + ++ fail: + *posp += (pattern - *patternp); + + if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) || !step_n) +-- +1.9.1 + diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb index 9ef571834e..e6ad03f44a 100644 --- a/meta/recipes-support/curl/curl_7.47.1.bb +++ b/meta/recipes-support/curl/curl_7.47.1.bb @@ -20,6 +20,7 @@ SRC_URI += " file://configure_ac.patch \ file://CVE-2016-8617.patch \ file://CVE-2016-8618.patch \ file://CVE-2016-8619.patch \ + file://CVE-2016-8620.patch \ " SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb" |