curl: Security Advisory - curl - CVE-2017-1000254

Porting patch from <https://github.com/curl/curl/commit/ 5ff2c5ff25750aba1a8f64fbcad8e5b891512584> to solve CVE-2017-1000254. (From OE-Core rev: 08f8d5db06647b94f96d655100c358047682dd2f) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-04-04 05:02:21 +02:00 · 2017-10-23 15:44:53 +08:00
parent 533d1541b0
commit 1ffaaa2c48
2 changed files with 139 additions and 0 deletions
--- a/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
+++ b/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
@@ -0,0 +1,138 @@
+From 1b2eba6f9745c064f7283e0ada8f46df9d9d6e42 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 23 Oct 2017 00:26:50 -0700
+Subject: [PATCH] FTP: zero terminate the entry path even on bad input
+
+... a single double quote could leave the entry path buffer without a zero
+terminating byte. CVE-2017-1000254
+
+Test 1152 added to verify.
+
+Reported-by: Max Dymond
+Bug: https://curl.haxx.se/docs/adv_20171004.html
+
+Upstream-Status: Backport
+CVE: CVE-2017-1000254
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ lib/ftp.c               |  7 ++++--
+ tests/data/Makefile.inc |  2 ++
+ tests/data/test1152     | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 68 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1152
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 5edec37..493dbf9 100644
+--- a/lib/ftp.c
+++ b/lib/ftp.c
+@@ -2826,6 +2826,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+         const size_t buf_size = data->set.buffer_size;
+         char *dir;
+         char *store;
+        bool entry_extracted = FALSE;
+ 
+         dir = malloc(nread + 1);
+         if(!dir)
+@@ -2857,7 +2858,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+               }
+               else {
+                 /* end of path */
+-                *store = '\0'; /* zero terminate */
+                entry_extracted = TRUE;
+                 break; /* get out of this loop */
+               }
+             }
+@@ -2866,7 +2867,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+             store++;
+             ptr++;
+           }
+-
+          *store = '\0'; /* zero terminate */
+        }
+        if(entry_extracted) {
+           /* If the path name does not look like an absolute path (i.e.: it
+              does not start with a '/'), we probably need some server-dependent
+              adjustments. For example, this is the case when connecting to
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 7adbee6..5284654 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -121,6 +121,8 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
+ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 \
+test1152 \
+\
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1152 b/tests/data/test1152
+new file mode 100644
+index 0000000..aa8c0a7
+--- /dev/null
+++ b/tests/data/test1152
+@@ -0,0 +1,61 @@
+<testcase>
+<info>
+<keywords>
+FTP
+PASV
+LIST
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY PWD 257 "just one
+</servercmd>
+
+# When doing LIST, we get the default list output hard-coded in the test
+# FTP server
+<data mode="text">
+total 20
+drwxr-xr-x   8 98       98           512 Oct 22 13:06 .
+drwxr-xr-x   8 98       98           512 Oct 22 13:06 ..
+drwxr-xr-x   2 98       98           512 May  2  1996 curl-releases
+-r--r--r--   1 0        1             35 Jul 16  1996 README
+lrwxrwxrwx   1 0        1              7 Dec  9  1999 bin -> usr/bin
+dr-xr-xr-x   2 0        1            512 Oct  1  1997 dev
+drwxrwxrwx   2 98       98           512 May 29 16:04 download.html
+dr-xr-xr-x   2 0        1            512 Nov 30  1995 etc
+drwxrwxrwx   2 98       1            512 Oct 30 14:33 pub
+dr-xr-xr-x   5 0        1            512 Oct  1  1997 usr
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+ftp
+</server>
+ <name>
+FTP with uneven quote in PWD response
+ </name>
+ <command>
+ftp://%HOSTIP:%FTPPORT/test-1152/
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+CWD test-1152
+EPSV
+TYPE A
+LIST
+QUIT
+</protocol>
+</verify>
+</testcase>
+-- 
+2.11.0
+
--- a/meta/recipes-support/curl/curl_7.54.1.bb
+++ b/meta/recipes-support/curl/curl_7.54.1.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://CVE-2017-1000099.patch \
           file://CVE-2017-1000100.patch \
           file://CVE-2017-1000101.patch \
+           file://CVE-2017-1000254.patch \
 "

 # curl likes to set -g0 in CFLAGS, so we stop it