diff options
author | Thiruvadi Rajaraman <trajaraman@mvista.com> | 2017-11-04 08:10:45 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-11-21 14:42:57 +0000 |
commit | 559ccc284987846c5b266cc2bc5ecd91c1c155f9 (patch) | |
tree | c1ee0cfa0a57d42b089317c6a568857b65f3be12 /meta/recipes-support | |
parent | 26e464767ab53cb78e4ede10c77fe12907a7daad (diff) | |
download | openembedded-core-559ccc284987846c5b266cc2bc5ecd91c1c155f9.tar.gz |
curl: Security fix for CVE-2016-9586
Affected versions: libcurl 7.1 to and including 7.51.0
Not affected versions: libcurl >= 7.52.0
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2016-9586.patch | 66 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.50.1.bb | 1 |
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-9586.patch b/meta/recipes-support/curl/curl/CVE-2016-9586.patch new file mode 100644 index 0000000000..1103cb05d8 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-9586.patch @@ -0,0 +1,66 @@ +commit 3ab3c16db6a5674f53cf23d56512a405fde0b2c9 +Author: Daniel Stenberg <daniel@haxx.se> +Date: Tue Nov 8 15:32:37 2016 +0100 + + printf: fix floating point buffer overflow issues + + ... and add a bunch of floating point printf tests + +Upstream-Status: Backport +https://curl.haxx.se/CVE-2016-9586.patch +dropped the tests as they require more changes to work. + +CVE: CVE-2016-9586 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: curl-7.50.1/lib/mprintf.c +=================================================================== +--- curl-7.50.1.orig/lib/mprintf.c 2017-06-15 18:24:08.934720707 +0530 ++++ curl-7.50.1/lib/mprintf.c 2017-06-15 18:24:09.318720721 +0530 +@@ -92,7 +92,8 @@ + # define mp_uintmax_t unsigned long + #endif + +-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */ ++#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should ++ fit negative DBL_MAX (317 letters) */ + #define MAX_PARAMETERS 128 /* lame static limit */ + + #ifdef __AMIGA__ +@@ -910,12 +911,25 @@ + *fptr = 0; + + if(width >= 0) { ++ if(width >= (long)sizeof(work)) ++ width = sizeof(work)-1; + /* RECURSIVE USAGE */ + len = curl_msnprintf(fptr, left, "%ld", width); + fptr += len; + left -= len; + } + if(prec >= 0) { ++ /* for each digit in the integer part, we can have one less ++ precision */ ++ size_t maxprec = sizeof(work) - 2; ++ double val = p->data.dnum; ++ while(val >= 10.0) { ++ val /= 10; ++ maxprec--; ++ } ++ ++ if(prec > (long)maxprec) ++ prec = maxprec-1; + /* RECURSIVE USAGE */ + len = curl_msnprintf(fptr, left, ".%ld", prec); + fptr += len; +@@ -935,7 +949,9 @@ + /* NOTE NOTE NOTE!! Not all sprintf implementations return number of + output characters */ + (sprintf)(work, formatbuf, p->data.dnum); +- ++#ifdef CURLDEBUG ++ assert(strlen(work) <= sizeof(work)); ++#endif + for(fptr=work; *fptr; fptr++) + OUTCHAR(*fptr); + } diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb index bdf5d73b31..67bbdebfe7 100644 --- a/meta/recipes-support/curl/curl_7.50.1.bb +++ b/meta/recipes-support/curl/curl_7.50.1.bb @@ -21,6 +21,7 @@ SRC_URI += " file://configure_ac.patch \ file://CVE-2016-8623.patch \ file://CVE-2016-8617.patch \ file://CVE-2016-8624.patch \ + file://CVE-2016-9586.patch \ " SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b" |