authorThiruvadi Rajaraman <trajaraman@mvista.com>2017-11-04 08:01:20 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-11-21 14:42:56 +0000
commit2da99dc9f7f3d8373cc3108c18300723ad4a243a (patch)
tree9987c1ffd0614d1fbdc06273cb1e0cd8530e45ab
parentd664a1372c3322093038fc8443026e3499e977ec (diff)
curl: Security fix for CVE-2016-8623
Affected versions: curl 7.10.7 up to and including 7.50.3
Not affected versions: curl < 7.10.7 and curl >= 7.51.0

Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r--meta/recipes-support/curl/curl/CVE-2016-8623.patch174
-rw-r--r--meta/recipes-support/curl/curl_7.50.1.bb1
2 files changed, 175 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8623.patch b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
new file mode 100644
index 0000000..17eaf2b
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
@@ -0,0 +1,174 @@
+From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2016 23:26:13 +0200
+Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies
+
+Previously it only held references to them, which was reckless as the
+thread lock was released so the cookies could get modified by other
+handles that share the same cookie jar over the share interface.
+
+CVE-2016-8623
+
+Bug: https://curl.haxx.se/docs/adv_20161102I.html
+Reported-by: Cure53
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-8623.patch
+CVE: CVE-2016-8623
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+---
+ lib/cookie.c | 61 +++++++++++++++++++++++++++++++++++++++---------------------
+ lib/cookie.h | 4 ++--
+ lib/http.c | 2 +-
+ 3 files changed, 43 insertions(+), 24 deletions(-)
+
+Index: curl-7.44.0/lib/cookie.c
+===================================================================
+--- curl-7.44.0.orig/lib/cookie.c
++++ curl-7.44.0/lib/cookie.c
+@@ -1019,6 +1019,40 @@ static int cookie_sort(const void *p1, c
+ return 0;
+ }
+
++#define CLONE(field) \
++ do { \
++ if(src->field) { \
++ dup->field = strdup(src->field); \
++ if(!dup->field) \
++ goto fail; \
++ } \
++ } while(0)
++
++static struct Cookie *dup_cookie(struct Cookie *src)
++{
++ struct Cookie *dup = calloc(sizeof(struct Cookie), 1);
++ if(dup) {
++ CLONE(expirestr);
++ CLONE(domain);
++ CLONE(path);
++ CLONE(spath);
++ CLONE(name);
++ CLONE(value);
++ CLONE(maxage);
++ CLONE(version);
++ dup->expires = src->expires;
++ dup->tailmatch = src->tailmatch;
++ dup->secure = src->secure;
++ dup->livecookie = src->livecookie;
++ dup->httponly = src->httponly;
++ }
++ return dup;
++
++ fail:
++ freecookie(dup);
++ return NULL;
++}
++
+ /*****************************************************************************
+ *
+ * Curl_cookie_getlist()
+@@ -1074,11 +1108,8 @@ struct Cookie *Curl_cookie_getlist(struc
+ /* and now, we know this is a match and we should create an
+ entry for the return-linked-list */
+
+- newco = malloc(sizeof(struct Cookie));
++ newco = dup_cookie(co);
+ if(newco) {
+- /* first, copy the whole source cookie: */
+- memcpy(newco, co, sizeof(struct Cookie));
+-
+ /* then modify our next */
+ newco->next = mainco;
+
+@@ -1090,12 +1121,7 @@ struct Cookie *Curl_cookie_getlist(struc
+ else {
+ fail:
+ /* failure, clear up the allocated chain and return NULL */
+- while(mainco) {
+- co = mainco->next;
+- free(mainco);
+- mainco = co;
+- }
+-
++ Curl_cookie_freelist(mainco);
+ return NULL;
+ }
+ }
+@@ -1147,7 +1173,7 @@ struct Cookie *Curl_cookie_getlist(struc
+ void Curl_cookie_clearall(struct CookieInfo *cookies)
+ {
+ if(cookies) {
+- Curl_cookie_freelist(cookies->cookies, TRUE);
++ Curl_cookie_freelist(cookies->cookies);
+ cookies->cookies = NULL;
+ cookies->numcookies = 0;
+ }
+@@ -1159,21 +1185,14 @@ void Curl_cookie_clearall(struct CookieI
+ *
+ * Free a list of cookies previously returned by Curl_cookie_getlist();
+ *
+- * The 'cookiestoo' argument tells this function whether to just free the
+- * list or actually also free all cookies within the list as well.
+- *
+ ****************************************************************************/
+
+-void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo)
++void Curl_cookie_freelist(struct Cookie *co)
+ {
+ struct Cookie *next;
+ while(co) {
+ next = co->next;
+- if(cookiestoo)
+- freecookie(co);
+- else
+- free(co); /* we only free the struct since the "members" are all just
+- pointed out in the main cookie list! */
++ freecookie(co);
+ co = next;
+ }
+ }
+@@ -1228,7 +1247,7 @@ void Curl_cookie_cleanup(struct CookieIn
+ {
+ if(c) {
+ free(c->filename);
+- Curl_cookie_freelist(c->cookies, TRUE);
++ Curl_cookie_freelist(c->cookies);
+ free(c); /* free the base struct as well */
+ }
+ }
+Index: curl-7.44.0/lib/cookie.h
+===================================================================
+--- curl-7.44.0.orig/lib/cookie.h
++++ curl-7.44.0/lib/cookie.h
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -82,7 +82,7 @@ struct Cookie *Curl_cookie_add(struct Se
+
+ struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *,
+ const char *, bool);
+-void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo);
++void Curl_cookie_freelist(struct Cookie *cookies);
+ void Curl_cookie_clearall(struct CookieInfo *cookies);
+ void Curl_cookie_clearsess(struct CookieInfo *cookies);
+
+Index: curl-7.44.0/lib/http.c
+===================================================================
+--- curl-7.44.0.orig/lib/http.c
++++ curl-7.44.0/lib/http.c
+@@ -2371,7 +2371,7 @@ CURLcode Curl_http(struct connectdata *c
+ }
+ co = co->next; /* next cookie please */
+ }
+- Curl_cookie_freelist(store, FALSE); /* free the cookie list */
++ Curl_cookie_freelist(store);
+ }
+ if(addcookies && !result) {
+ if(!count)
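Review bot: The embedded patch still carries quilt-style headers for `curl-7.44.0` (`Index: curl-7.44.0/lib/cookie.c`, and likewise for cookie.h and http.c) although the recipe it is added to is curl_7.50.1.bb, so its hunks were generated against a different tree and may apply only with offset or fuzz. It should be refreshed against the 7.50.1 sources so that context and line numbers are exact and a misplaced hunk cannot go unnoticed in a security fix. Because `dup_cookie()` copies members one by one instead of the old `memcpy`, it is also worth confirming against 7.50.1's `struct Cookie` (not visible here) that every member is listed, since any member left out stays zeroed by `calloc` in the copy. A short comment above `dup_cookie()` would help the next backporter, e.g. `/* returns a deep copy owned by the caller, freed with freecookie(); ->next is left NULL; CLONE() relies on locals 'src' and 'dup' and the 'fail' label */`.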
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb
index 548bb46..9a9741d 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -18,6 +18,7 @@ SRC_URI += " file://configure_ac.patch \
file://CVE-2016-8619.patch \
file://CVE-2016-8620.patch \
file://CVE-2016-8621.patch \
+ file://CVE-2016-8623.patch \
"
SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"