authorThiruvadi Rajaraman <trajaraman@mvista.com>2017-11-04 08:10:45 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-11-21 14:42:57 +0000
commit559ccc284987846c5b266cc2bc5ecd91c1c155f9 (patch)
treec1ee0cfa0a57d42b089317c6a568857b65f3be12
parent26e464767ab53cb78e4ede10c77fe12907a7daad (diff)
curl: Security fix for CVE-2016-9586
Affected versions: libcurl 7.1 up to and including 7.51.0
Not affected versions: libcurl >= 7.52.0

Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r--meta/recipes-support/curl/curl/CVE-2016-9586.patch66
-rw-r--r--meta/recipes-support/curl/curl_7.50.1.bb1
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-9586.patch b/meta/recipes-support/curl/curl/CVE-2016-9586.patch
new file mode 100644
index 0000000..1103cb0
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-9586.patch
@@ -0,0 +1,66 @@
+commit 3ab3c16db6a5674f53cf23d56512a405fde0b2c9
+Author: Daniel Stenberg <daniel@haxx.se>
+Date: Tue Nov 8 15:32:37 2016 +0100
+
+ printf: fix floating point buffer overflow issues
+
+ ... and add a bunch of floating point printf tests
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-9586.patch
+dropped the tests as they require more changes to work.
+
+CVE: CVE-2016-9586
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: curl-7.50.1/lib/mprintf.c
+===================================================================
+--- curl-7.50.1.orig/lib/mprintf.c 2017-06-15 18:24:08.934720707 +0530
++++ curl-7.50.1/lib/mprintf.c 2017-06-15 18:24:09.318720721 +0530
+@@ -92,7 +92,8 @@
+ # define mp_uintmax_t unsigned long
+ #endif
+
+-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */
++#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should
++ fit negative DBL_MAX (317 letters) */
+ #define MAX_PARAMETERS 128 /* lame static limit */
+
+ #ifdef __AMIGA__
+@@ -910,12 +911,25 @@
+ *fptr = 0;
+
+ if(width >= 0) {
++ if(width >= (long)sizeof(work))
++ width = sizeof(work)-1;
+ /* RECURSIVE USAGE */
+ len = curl_msnprintf(fptr, left, "%ld", width);
+ fptr += len;
+ left -= len;
+ }
+ if(prec >= 0) {
++ /* for each digit in the integer part, we can have one less
++ precision */
++ size_t maxprec = sizeof(work) - 2;
++ double val = p->data.dnum;
++ while(val >= 10.0) {
++ val /= 10;
++ maxprec--;
++ }
++
++ if(prec > (long)maxprec)
++ prec = maxprec-1;
+ /* RECURSIVE USAGE */
+ len = curl_msnprintf(fptr, left, ".%ld", prec);
+ fptr += len;
+@@ -935,7 +949,9 @@
+ /* NOTE NOTE NOTE!! Not all sprintf implementations return number of
+ output characters */
+ (sprintf)(work, formatbuf, p->data.dnum);
+-
++#ifdef CURLDEBUG
++ assert(strlen(work) <= sizeof(work));
++#endif
+ for(fptr=work; *fptr; fptr++)
+ OUTCHAR(*fptr);
+ }
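Review bot: The precision clamp in the `if(prec >= 0)` branch only discounts integer digits for positive values, because `while(val >= 10.0)` never runs when `p->data.dnum` is negative. A large-magnitude negative number therefore keeps the full `maxprec`, and the unbounded `(sprintf)(work, formatbuf, p->data.dnum)` that follows can still produce more than `work` holds (assuming `work` is `BUFFSIZE` bytes; its declaration is outside the hunk). Taking the magnitude before the loop would close that, e.g. `double val = p->data.dnum < 0 ? -p->data.dnum : p->data.dnum;`, with one byte reserved for the sign. An infinite value appears to need its own guard, since dividing it by 10 never brings it below 10. The debug check is also off by one and only runs after the write: `assert(strlen(work) < sizeof(work));` is the condition that shows the terminator stayed inside the buffer. The enclosing function starts and ends outside these hunks.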
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb
index bdf5d73..67bbdeb 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -21,6 +21,7 @@ SRC_URI += " file://configure_ac.patch \
file://CVE-2016-8623.patch \
file://CVE-2016-8617.patch \
file://CVE-2016-8624.patch \
+ file://CVE-2016-9586.patch \
"
SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"