aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChong Lu <Chong.Lu@windriver.com>2014-11-04 09:35:18 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-11-05 16:49:31 +0000
commitddbaade8afbc9767583728bfdc220639203d6853 (patch)
tree032ca740f0ef50c483cbb3397a4bcb1de0f20703
parentd7a277b35bcc67050046c76fb70412101679a545 (diff)
downloadopenembedded-core-contrib-ddbaade8afbc9767583728bfdc220639203d6853.tar.gz
curl: Security Advisory - curl - CVE-2014-3620
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain. Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
-rw-r--r--meta/recipes-support/curl/curl/CVE-2014-3620.patch69
-rw-r--r--meta/recipes-support/curl/curl_7.37.1.bb1
2 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2014-3620.patch b/meta/recipes-support/curl/curl/CVE-2014-3620.patch
new file mode 100644
index 0000000000..d11f1908af
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2014-3620.patch
@@ -0,0 +1,69 @@
+From fd7ae600adf23a9a1ed619165c5058bdec216e9c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 19 Aug 2014 21:11:20 +0200
+Subject: [PATCH] cookies: reject incoming cookies set for TLDs
+
+Test 61 was modified to verify this.
+
+CVE-2014-3620
+
+Reported-by: Tim Ruehsen
+URL: http://curl.haxx.se/docs/adv_20140910B.html
+
+Upstream-Status: Backport
+
+Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
+---
+ lib/cookie.c | 6 ++++++
+ tests/data/test61 | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 46904ac..375485f 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -461,19 +461,25 @@ Curl_cookie_add(struct SessionHandle *data,
+ break;
+ }
+ }
+ else if(Curl_raw_equal("domain", name)) {
+ bool is_ip;
++ const char *dotp;
+
+ /* Now, we make sure that our host is within the given domain,
+ or the given domain is not valid and thus cannot be set. */
+
+ if('.' == whatptr[0])
+ whatptr++; /* ignore preceding dot */
+
+ is_ip = isip(domain ? domain : whatptr);
+
++ /* check for more dots */
++ dotp = strchr(whatptr, '.');
++ if(!dotp)
++ domain=":";
++
+ if(!domain
+ || (is_ip && !strcmp(whatptr, domain))
+ || (!is_ip && tailmatch(whatptr, domain))) {
+ strstore(&co->domain, whatptr);
+ if(!co->domain) {
+diff --git a/tests/data/test61 b/tests/data/test61
+index d2de279..e6dbbb9 100644
+--- a/tests/data/test61
++++ b/tests/data/test61
+@@ -21,10 +21,11 @@ Set-Cookie: test=yes; httponly; domain=foo.com; expires=Fri Feb 2 11:56:27 GMT 2
+ SET-COOKIE: test2=yes; domain=host.foo.com; expires=Fri Feb 2 11:56:27 GMT 2035
+ Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure
+ Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure
+ Set-Cookie: test5=name; domain=anything.com; path=/ ; secure
+ Set-Cookie: fake=fooledyou; domain=..com; path=/;
++Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M
+ Content-Length: 4
+
+ boo
+ </data>
+ </reply>
+--
+2.1.0
+
diff --git a/meta/recipes-support/curl/curl_7.37.1.bb b/meta/recipes-support/curl/curl_7.37.1.bb
index 1147675b85..8b854d7a8c 100644
--- a/meta/recipes-support/curl/curl_7.37.1.bb
+++ b/meta/recipes-support/curl/curl_7.37.1.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=7;md5=3a34942f4ae3fbf1a303160714e66
SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://pkgconfig_fix.patch \
file://CVE-2014-3613.patch \
+ file://CVE-2014-3620.patch \
"
# curl likes to set -g0 in CFLAGS, so we stop it