diff options
| author |   Sona Sarmadi <sona.sarmadi@enea.com> | 2016-11-15 10:08:16 +0100 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-05-18 13:13:35 +0100 |
| commit | db6106a208891aeb3d2c00170e61bab8c648654a (patch) | |
| tree | de7ccf8a1fa49577dfeee085545ab038e8d57b1c /meta/recipes-support | |
| parent | 7308140d81299dca7db98259461d60e0fe86878e (diff) | |
| download | openembedded-core-db6106a208891aeb3d2c00170e61bab8c648654a.tar.gz | |
curl: CVE-2016-8621
curl_getdate read out of bounds
Affected versions: curl 7.12.2 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102G.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta/recipes-support')
| -rw-r--r-- | meta/recipes-support/curl/curl/CVE-2016-8621.patch | 120 | ||||
| -rw-r--r-- | meta/recipes-support/curl/curl_7.47.1.bb | 1 |
2 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8621.patch b/meta/recipes-support/curl/curl/CVE-2016-8621.patch new file mode 100644 index 0000000000..7345838af7 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-8621.patch @@ -0,0 +1,120 @@ +From 8a6d9ded5f02f0294ae63a007e26087316c1998e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 4 Oct 2016 16:59:38 +0200 +Subject: [PATCH] parsedate: handle cut off numbers better + +... and don't read outside of the given buffer! + +CVE: CVE-2016-8621 +Upstream-Status: Backport + +bug: https://curl.haxx.se/docs/adv_20161102G.html +Reported-by: Luật Nguyễn +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> +--- + lib/parsedate.c | 12 +++++++----- + tests/data/test517 | 6 ++++++ + tests/libtest/lib517.c | 8 +++++++- + 3 files changed, 20 insertions(+), 6 deletions(-) + +diff --git a/lib/parsedate.c b/lib/parsedate.c +index dfcf855..8e932f4 100644 +--- a/lib/parsedate.c ++++ b/lib/parsedate.c +@@ -3,11 +3,11 @@ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.haxx.se/docs/copyright.html. + * +@@ -384,19 +384,21 @@ static int parsedate(const char *date, time_t *output) + } + else if(ISDIGIT(*date)) { + /* a digit */ + int val; + char *end; ++ int len=0; + if((secnum == -1) && +- (3 == sscanf(date, "%02d:%02d:%02d", &hournum, &minnum, &secnum))) { ++ (3 == sscanf(date, "%02d:%02d:%02d%n", ++ &hournum, &minnum, &secnum, &len))) { + /* time stamp! */ +- date += 8; ++ date += len; + } + else if((secnum == -1) && +- (2 == sscanf(date, "%02d:%02d", &hournum, &minnum))) { ++ (2 == sscanf(date, "%02d:%02d%n", &hournum, &minnum, &len))) { + /* time stamp without seconds */ +- date += 5; ++ date += len; + secnum = 0; + } + else { + long lval; + int error; +diff --git a/tests/data/test517 b/tests/data/test517 +index c81a45e..513634f 100644 +--- a/tests/data/test517 ++++ b/tests/data/test517 +@@ -114,10 +114,16 @@ nothing + 79: 20110632 12:34:56 => -1 + 80: 20110623 56:34:56 => -1 + 81: 20111323 12:34:56 => -1 + 82: 20110623 12:34:79 => -1 + 83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000 ++84: 20110623 12:3 => 1308830580 ++85: 20110623 1:3 => 1308790980 ++86: 20110623 1:30 => 1308792600 ++87: 20110623 12:12:3 => 1308831123 ++88: 20110623 01:12:3 => 1308791523 ++89: 20110623 01:99:30 => -1 + </stdout> + + # This test case previously tested an overflow case ("2094 Nov 6 => + # 2147483647") for 32bit time_t, but since some systems have 64bit time_t and + # handles this (returning 3939840000), and some 64bit-time_t systems don't +diff --git a/tests/libtest/lib517.c b/tests/libtest/lib517.c +index 2f68ebd..22162ff 100644 +--- a/tests/libtest/lib517.c ++++ b/tests/libtest/lib517.c +@@ -3,11 +3,11 @@ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.haxx.se/docs/copyright.html. + * +@@ -114,10 +114,16 @@ static const char * const dates[]={ + "20110632 12:34:56", + "20110623 56:34:56", + "20111323 12:34:56", + "20110623 12:34:79", + "Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */ ++ "20110623 12:3", ++ "20110623 1:3", ++ "20110623 1:30", ++ "20110623 12:12:3", ++ "20110623 01:12:3", ++ "20110623 01:99:30", + NULL + }; + + int test(char *URL) + { +-- +2.9.3 + diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb index e6ad03f44a..67b07da8d8 100644 --- a/meta/recipes-support/curl/curl_7.47.1.bb +++ b/meta/recipes-support/curl/curl_7.47.1.bb @@ -21,6 +21,7 @@ SRC_URI += " file://configure_ac.patch \ file://CVE-2016-8618.patch \ file://CVE-2016-8619.patch \ file://CVE-2016-8620.patch \ + file://CVE-2016-8621.patch \ " SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb" |