From 3cd67ae472cf163a592aac6ca783e451068fca0c Mon Sep 17 00:00:00 2001 From: Rajkumar Veer Date: Sat, 4 Nov 2017 08:15:40 -0700 Subject: curl: Security fix for CVE-2017-1000101 Affected versions: curl 7.34.0 to and including 7.54.1 Not affected versions: curl < 7.34.0 and >= 7.55.0 Signed-off-by: Rajkumar Veer Signed-off-by: Armin Kuster --- .../curl/curl/CVE-2017-1000101.patch | 94 ++++++++++++++++++++++ meta/recipes-support/curl/curl_7.50.1.bb | 1 + 2 files changed, 95 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2017-1000101.patch diff --git a/meta/recipes-support/curl/curl/CVE-2017-1000101.patch b/meta/recipes-support/curl/curl/CVE-2017-1000101.patch new file mode 100644 index 0000000000..c3b542489d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2017-1000101.patch @@ -0,0 +1,94 @@ +From 9422f4a6d630258ae32199868e86758923ca3ad5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 1 Aug 2017 17:16:07 +0200 +Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow + range + +Added test 1289 to verify. + +Bug: https://curl.haxx.se/docs/adv_20170809A.html +Reported-by: Brian Carpenter + +Upstream-Status: Backport +CVE: CVE-2017-1000101 +Signed-off-by: Rajkumar Veer +--- + src/tool_urlglob.c | 5 ++++- + tests/data/Makefile.inc | 2 +- + tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++ + 3 files changed, 40 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1289 + +diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c +index a357b8b..f30072b 100644 +--- a/src/tool_urlglob.c ++++ b/src/tool_urlglob.c +@@ -259,7 +259,10 @@ static CURLcode glob_range(URLGlob *glob, char **patternp, + pattern = endp+1; + errno = 0; + max_n = strtoul(pattern, &endp, 10); +- if(errno || (*endp == ':')) { ++ if(errno) ++ /* overflow */ ++ endp = NULL; ++ else if(*endp == ':') { + pattern = endp+1; + errno = 0; + step_n = strtoul(pattern, &endp, 10); +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 9c50673..52eaf26 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -127,7 +127,7 @@ test1216 test1217 test1218 test1219 \ + test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \ + test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \ + test1236 test1237 test1238 test1239 test1240 test1241 test1242 test1243 \ +-test1244 \ ++test1244 test1289\ + \ + test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \ + test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \ +diff --git a/tests/data/test1289 b/tests/data/test1289 +new file mode 100644 +index 0000000..d679cc0 +--- /dev/null ++++ b/tests/data/test1289 +@@ -0,0 +1,35 @@ ++ ++ ++ ++HTTP ++HTTP GET ++globbing ++ ++ ++ ++# ++# Server-side ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++globbing with overflow and bad syntxx ++ ++ ++http://ur%20[0-60000000000000000000 ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++# curl: (3) [globbing] bad range in column ++ ++3 ++ ++ ++ +-- +1.9.1 + diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb index 8a1b162bc0..f109c8c677 100644 --- a/meta/recipes-support/curl/curl_7.50.1.bb +++ b/meta/recipes-support/curl/curl_7.50.1.bb @@ -23,6 +23,7 @@ SRC_URI += " file://configure_ac.patch \ file://CVE-2016-8624.patch \ file://CVE-2016-9586.patch \ file://CVE-2017-1000100.patch \ + file://CVE-2017-1000101.patch \ " SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" -- cgit 1.2.3-korg