diff options
author | Rajkumar Veer <rveer@mvista.com> | 2017-11-04 08:13:14 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-11-21 14:42:57 +0000 |
commit | 2ad0d34313b30f3f18d2f15879294fab310aa874 (patch) | |
tree | b9b2f9bbe6347c0f41e09f791b8b77587b180a1c | |
parent | 559ccc284987846c5b266cc2bc5ecd91c1c155f9 (diff) | |
download | openembedded-core-2ad0d34313b30f3f18d2f15879294fab310aa874.tar.gz |
curl: Security fix for CVE-2017-1000100
Affected versions: libcurl 7.15.0 to and including 7.54.1
Not affected versions: libcurl < 7.15.0 and >= 7.55.0
Signed-off-by: Rajkumar Veer <rveer@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2017-1000100.patch | 47 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.50.1.bb | 1 |
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2017-1000100.patch b/meta/recipes-support/curl/curl/CVE-2017-1000100.patch new file mode 100644 index 0000000000..b5f4d1014a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2017-1000100.patch @@ -0,0 +1,47 @@ +From 4f58c108fa9a9a13b7dbbd2fd420c998dc92f851 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 1 Aug 2017 17:16:46 +0200 +Subject: [PATCH] tftp: reject file name lengths that don't fit + +...and thereby avoid telling send() to send off more bytes than the +size of the buffer! + +Bug: https://curl.haxx.se/docs/adv_20170809B.html +Reported-by: Even Rouault +Credit to OSS-Fuzz for the discovery + +Upstream-Status: Backport +CVE: CVE-2017-1000100 +Signed-off-by: Rajkumar Veer <rveer@mvista.com> +--- + lib/tftp.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/tftp.c b/lib/tftp.c +index d7ff94f..083b083 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -489,6 +489,11 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event) + if(!filename) + return CURLE_OUT_OF_MEMORY; + ++ if(strlen(filename) > (state->blksize - strlen(mode) - 4)) { ++ failf(data, "TFTP file name too long\n"); ++ return CURLE_TFTP_ILLEGAL; /* too long file name field */ ++ } ++ + snprintf((char *)state->spacket.data+2, + state->blksize, + "%s%c%s%c", filename, '\0', mode, '\0'); +-- +1.9.1 + diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb index 67bbdebfe7..8a1b162bc0 100644 --- a/meta/recipes-support/curl/curl_7.50.1.bb +++ b/meta/recipes-support/curl/curl_7.50.1.bb @@ -22,6 +22,7 @@ SRC_URI += " file://configure_ac.patch \ file://CVE-2016-8617.patch \ file://CVE-2016-8624.patch \ file://CVE-2016-9586.patch \ + file://CVE-2017-1000100.patch \ " SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" |