diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-11-15 10:08:10 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-05-18 13:13:34 +0100 |
commit | ba4e218d1e09aaecbdb760a299826c03202a9ba9 (patch) | |
tree | 418bbe3961428285dfc8255b567e75da52794f4f | |
parent | c14624953c856b39bb9b80dba31a8ca41ecdca93 (diff) | |
download | openembedded-core-ba4e218d1e09aaecbdb760a299826c03202a9ba9.tar.gz |
curl: CVE-2016-8615
cookie injection for other servers
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102A.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2016-8615.patch | 77 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.47.1.bb | 1 |
2 files changed, 78 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8615.patch b/meta/recipes-support/curl/curl/CVE-2016-8615.patch new file mode 100644 index 0000000000..5faa423a2a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-8615.patch @@ -0,0 +1,77 @@ +From 1620f552a277ed5b23a48b9c27dbf07663cac068 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 27 Sep 2016 17:36:19 +0200 +Subject: [PATCH] cookie: replace use of fgets() with custom version + +... that will ignore lines that are too long to fit in the buffer. + +CVE: CVE-2016-8615 +Upstream-Status: Backport + +Bug: https://curl.haxx.se/docs/adv_20161102A.html +Reported-by: Cure53 +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> +--- + lib/cookie.c | 31 ++++++++++++++++++++++++++++++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 0f05da2..e5097d3 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -901,10 +901,39 @@ Curl_cookie_add(struct Curl_easy *data, + } + + return co; + } + ++/* ++ * get_line() makes sure to only return complete whole lines that fit in 'len' ++ * bytes and end with a newline. ++ */ ++static char *get_line(char *buf, int len, FILE *input) ++{ ++ bool partial = FALSE; ++ while(1) { ++ char *b = fgets(buf, len, input); ++ if(b) { ++ size_t rlen = strlen(b); ++ if(rlen && (b[rlen-1] == '\n')) { ++ if(partial) { ++ partial = FALSE; ++ continue; ++ } ++ return b; ++ } ++ else ++ /* read a partial, discard the next piece that ends with newline */ ++ partial = TRUE; ++ } ++ else ++ break; ++ } ++ return NULL; ++} ++ ++ + /***************************************************************************** + * + * Curl_cookie_init() + * + * Inits a cookie struct to read data from a local file. This is always +@@ -957,11 +986,11 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, + bool headerline; + + line = malloc(MAX_COOKIE_LINE); + if(!line) + goto fail; +- while(fgets(line, MAX_COOKIE_LINE, fp)) { ++ while(get_line(line, MAX_COOKIE_LINE, fp)) { + if(checkprefix("Set-Cookie:", line)) { + /* This is a cookie line, get it! */ + lineptr=&line[11]; + headerline=TRUE; + } +-- +2.9.3 + diff --git a/meta/recipes-support/curl/curl_7.47.1.bb b/meta/recipes-support/curl/curl_7.47.1.bb index 3670a11178..1f2758c9c5 100644 --- a/meta/recipes-support/curl/curl_7.47.1.bb +++ b/meta/recipes-support/curl/curl_7.47.1.bb @@ -15,6 +15,7 @@ SRC_URI += " file://configure_ac.patch \ file://CVE-2016-5420.patch \ file://CVE-2016-5421.patch \ file://CVE-2016-7141.patch \ + file://CVE-2016-8615.patch \ " SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb" |