diff options
| author |   Thiruvadi Rajaraman <trajaraman@mvista.com> | 2017-11-04 07:44:32 -0700 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-11-21 14:42:56 +0000 |
| commit | 1fc1c9a11eee2f5ba727b18300a92949b166b035 (patch) | |
| tree | 0e88dbec9b5a95943e92c33db679052de3043097 | |
| parent | b754be84206b454789fbd6d444d00a4e422cb3e9 (diff) | |
| download | openembedded-core-1fc1c9a11eee2f5ba727b18300a92949b166b035.tar.gz | |
curl: Security fix for CVE-2016-8618
Affected versions: curl 7.1 to and including 7.50.3
Not affected versions: curl >= 7.51.0
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
| -rw-r--r-- | meta/recipes-support/curl/curl/CVE-2016-8618.patch | 49 | ||||
| -rw-r--r-- | meta/recipes-support/curl/curl_7.50.1.bb | 1 |
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8618.patch b/meta/recipes-support/curl/curl/CVE-2016-8618.patch new file mode 100644 index 0000000000..73be6754e1 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-8618.patch @@ -0,0 +1,49 @@ +From 31106a073882656a2a5ab56c4ce2847e9a334c3c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Wed, 28 Sep 2016 10:15:34 +0200 +Subject: [PATCH] aprintf: detect wrap-around when growing allocation + +On 32bit systems we could otherwise wrap around after 2GB and allocate 0 +bytes and crash. + +CVE-2016-8618 + +Bug: https://curl.haxx.se/docs/adv_20161102D.html +Reported-by: Cure53 + +Upstream-Status: Backport +https://curl.haxx.se/CVE-2016-8618.patch +CVE: CVE-2016-8618 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +--- + lib/mprintf.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +Index: curl-7.44.0/lib/mprintf.c +=================================================================== +--- curl-7.44.0.orig/lib/mprintf.c ++++ curl-7.44.0/lib/mprintf.c +@@ -1011,16 +1011,19 @@ static int alloc_addbyter(int output, FI + infop->len =0; + } + else if(infop->len+1 >= infop->alloc) { +- char *newptr; ++ char *newptr = NULL; ++ size_t newsize = infop->alloc*2; + +- newptr = realloc(infop->buffer, infop->alloc*2); ++ /* detect wrap-around or other overflow problems */ ++ if(newsize > infop->alloc) ++ newptr = realloc(infop->buffer, newsize); + + if(!newptr) { + infop->fail = 1; + return -1; /* fail */ + } + infop->buffer = newptr; +- infop->alloc *= 2; ++ infop->alloc = newsize; + } + + infop->buffer[ infop->len ] = outc; diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb index c11eb0c246..5c63996df1 100644 --- a/meta/recipes-support/curl/curl_7.50.1.bb +++ b/meta/recipes-support/curl/curl_7.50.1.bb @@ -14,6 +14,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ # SRC_URI += " file://configure_ac.patch \ file://CVE-2016-8615.patch \ + file://CVE-2016-8618.patch \ " SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" |