mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-18 21:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

curl: Fix CVE-2022-32206, CVE-2022-32207, and CVE-2022-32208

Browse Source 
Backport fixes for:
 * CVE-2022-32206 - https://curl.se/docs/CVE-2022-32206.html
 * CVE-2022-32207 - https://curl.se/docs/CVE-2022-32207.html
 * CVE-2022-32208 - https://curl.se/docs/CVE-2022-32208.html

(From OE-Core rev: aad2a330086b3a12aa5469499774fafdc8a21c48)

Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Robert Joslyn
2022-07-17 11:16:18 -07:00
committed by Richard Purdie
parent 868ebed326
commit 24fc40faef
4 changed files with 411 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
meta/recipes-support/curl/curl/CVE-2022-32206.patch Normal file
View File

@@ -0,0 +1,52 @@
From 25e7be39be5f8ed696b6085ced9cf6c17e6128f4 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 16 May 2022 16:28:13 +0200
Subject: [PATCH] content_encoding: return error on too many compression steps
The max allowed steps is arbitrarily set to 5.
Bug: https://curl.se/docs/CVE-2022-32206.html
CVE-2022-32206
Reported-by: Harry Sintonen
Closes #9049
Upstream-Status: Backport [https://github.com/curl/curl/commit/3a09fbb7f264c67c43]
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
---
lib/content_encoding.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/lib/content_encoding.c b/lib/content_encoding.c
index 6d47537..91e621f 100644
--- a/lib/content_encoding.c
+++ b/lib/content_encoding.c
@@ -934,6 +934,9 @@ static const content_encoding *find_encoding(const char *name, size_t len)
return NULL;
}
+/* allow no more than 5 "chained" compression steps */
+#define MAX_ENCODE_STACK 5
+
/* Set-up the unencoding stack from the Content-Encoding header value.
* See RFC 7231 section 3.1.2.2. */
CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
@@ -941,6 +944,7 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
{
struct Curl_easy *data = conn->data;
struct SingleRequest *k = &data->req;
+ int counter = 0;
do {
const char *name;
@@ -975,6 +979,11 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
if(!encoding)
encoding = &error_encoding; /* Defer error at stack use. */
+ if(++counter >= MAX_ENCODE_STACK) {
+ failf(data, "Reject response due to %u content encodings",
+ counter);
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
/* Stack the unencoding stage. */
writer = new_unencoding_writer(conn, encoding, k->writer_stack);
if(!writer)

284
meta/recipes-support/curl/curl/CVE-2022-32207.patch Normal file
View File

@@ -0,0 +1,284 @@
From af92181055d7d64dfc0bc9d5a13c8b98af3196be Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 25 May 2022 10:09:53 +0200
Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files
Bug: https://curl.se/docs/CVE-2022-32207.html
CVE-2022-32207
Reported-by: Harry Sintonen
Closes #9050
Upstream-Status: Backport [https://github.com/curl/curl/commit/20f9dd6bae50b]
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
---
CMakeLists.txt | 1 +
configure.ac | 1 +
lib/Makefile.inc | 4 +-
lib/cookie.c | 19 ++-----
lib/curl_config.h.cmake | 3 ++
lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++
lib/fopen.h | 30 +++++++++++
7 files changed, 155 insertions(+), 16 deletions(-)
create mode 100644 lib/fopen.c
create mode 100644 lib/fopen.h
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 73b053b..cc587b0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -869,6 +869,7 @@ elseif(HAVE_LIBSOCKET)
set(CMAKE_REQUIRED_LIBRARIES socket)
endif()
+check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD)
check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME)
check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET)
check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT)
diff --git a/configure.ac b/configure.ac
index d090622..7071077 100755
--- a/configure.ac
+++ b/configure.ac
@@ -4059,6 +4059,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
AC_CHECK_FUNCS([fnmatch \
+ fchmod \
geteuid \
getpass_r \
getppid \
diff --git a/lib/Makefile.inc b/lib/Makefile.inc
index 46ded90..79307d8 100644
--- a/lib/Makefile.inc
+++ b/lib/Makefile.inc
@@ -63,7 +63,7 @@ LIB_CFILES = file.c timeval.c base64.c hostip.c progress.c formdata.c \
curl_multibyte.c hostcheck.c conncache.c dotdot.c \
x509asn1.c http2.c smb.c curl_endian.c curl_des.c system_win32.c \
mime.c sha256.c setopt.c curl_path.c curl_ctype.c curl_range.c psl.c \
- doh.c urlapi.c curl_get_line.c altsvc.c socketpair.c rename.c
+ doh.c urlapi.c curl_get_line.c altsvc.c socketpair.c rename.c fopen.c
LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h if2ip.h \
@@ -84,7 +84,7 @@ LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
x509asn1.h http2.h sigpipe.h smb.h curl_endian.h curl_des.h \
curl_printf.h system_win32.h rand.h mime.h curl_sha256.h setopt.h \
curl_path.h curl_ctype.h curl_range.h psl.h doh.h urlapi-int.h \
- curl_get_line.h altsvc.h quic.h socketpair.h rename.h
+ curl_get_line.h altsvc.h quic.h socketpair.h rename.h fopen.h
LIB_RCFILES = libcurl.rc
diff --git a/lib/cookie.c b/lib/cookie.c
index 68054e1..a9ad20a 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -97,8 +97,8 @@ Example set of cookies:
#include "curl_memrchr.h"
#include "inet_pton.h"
#include "parsedate.h"
-#include "rand.h"
#include "rename.h"
+#include "fopen.h"
/* The last 3 #include files should be in this order */
#include "curl_printf.h"
@@ -1524,18 +1524,9 @@ static int cookie_output(struct Curl_easy *data,
use_stdout = TRUE;
}
else {
- unsigned char randsuffix[9];
-
- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
- return 2;
-
- tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
- if(!tempstore)
- return 1;
-
- out = fopen(tempstore, FOPEN_WRITETEXT);
- if(!out)
- goto error;
+ error = Curl_fopen(data, filename, &out, &tempstore);
+ if(error)
+ goto error;
}
fputs("# Netscape HTTP Cookie File\n"
@@ -1581,7 +1572,7 @@ static int cookie_output(struct Curl_easy *data,
if(!use_stdout) {
fclose(out);
out = NULL;
- if(Curl_rename(tempstore, filename)) {
+ if(tempstore && Curl_rename(tempstore, filename)) {
unlink(tempstore);
goto error;
}
diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
index 98cdf51..fe43751 100644
--- a/lib/curl_config.h.cmake
+++ b/lib/curl_config.h.cmake
@@ -124,6 +124,9 @@
/* Define to 1 if you have the <assert.h> header file. */
#cmakedefine HAVE_ASSERT_H 1
+/* Define to 1 if you have the `fchmod' function. */
+#cmakedefine HAVE_FCHMOD 1
+
/* Define to 1 if you have the `basename' function. */
#cmakedefine HAVE_BASENAME 1
diff --git a/lib/fopen.c b/lib/fopen.c
new file mode 100644
index 0000000..ad3691b
--- /dev/null
+++ b/lib/fopen.c
@@ -0,0 +1,113 @@
+/***************************************************************************
+ * _ _ ____ _
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+
+#include "curl_setup.h"
+
+#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \
+ !defined(CURL_DISABLE_HSTS)
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+
+#include "urldata.h"
+#include "rand.h"
+#include "fopen.h"
+/* The last 3 #include files should be in this order */
+#include "curl_printf.h"
+#include "curl_memory.h"
+#include "memdebug.h"
+
+/*
+ * Curl_fopen() opens a file for writing with a temp name, to be renamed
+ * to the final name when completed. If there is an existing file using this
+ * name at the time of the open, this function will clone the mode from that
+ * file. if 'tempname' is non-NULL, it needs a rename after the file is
+ * written.
+ */
+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+ FILE **fh, char **tempname)
+{
+ CURLcode result = CURLE_WRITE_ERROR;
+ unsigned char randsuffix[9];
+ char *tempstore = NULL;
+ struct_stat sb;
+ int fd = -1;
+ *tempname = NULL;
+
+ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
+ /* a non-regular file, fallback to direct fopen() */
+ *fh = fopen(filename, FOPEN_WRITETEXT);
+ if(*fh)
+ return CURLE_OK;
+ goto fail;
+ }
+
+ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
+ if(result)
+ goto fail;
+
+ tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
+ if(!tempstore) {
+ result = CURLE_OUT_OF_MEMORY;
+ goto fail;
+ }
+
+ result = CURLE_WRITE_ERROR;
+ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ if(fd == -1)
+ goto fail;
+
+#ifdef HAVE_FCHMOD
+ {
+ struct_stat nsb;
+ if((fstat(fd, &nsb) != -1) &&
+ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
+ /* if the user and group are the same, clone the original mode */
+ if(fchmod(fd, sb.st_mode) == -1)
+ goto fail;
+ }
+ }
+#endif
+
+ *fh = fdopen(fd, FOPEN_WRITETEXT);
+ if(!*fh)
+ goto fail;
+
+ *tempname = tempstore;
+ return CURLE_OK;
+
+fail:
+ if(fd != -1) {
+ close(fd);
+ unlink(tempstore);
+ }
+
+ free(tempstore);
+
+ *tempname = NULL;
+ return result;
+}
+
+#endif /* ! disabled */
diff --git a/lib/fopen.h b/lib/fopen.h
new file mode 100644
index 0000000..289e55f
--- /dev/null
+++ b/lib/fopen.h
@@ -0,0 +1,30 @@
+#ifndef HEADER_CURL_FOPEN_H
+#define HEADER_CURL_FOPEN_H
+/***************************************************************************
+ * _ _ ____ _
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+
+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+ FILE **fh, char **tempname);
+
+#endif

72
meta/recipes-support/curl/curl/CVE-2022-32208.patch Normal file
View File

@@ -0,0 +1,72 @@
From 3b90f0b2a7a84645acce151c86b40d25b5de6615 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 9 Jun 2022 09:27:24 +0200
Subject: [PATCH] krb5: return error properly on decode errors
Bug: https://curl.se/docs/CVE-2022-32208.html
CVE-2022-32208
Reported-by: Harry Sintonen
Closes #9051
Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
---
lib/krb5.c | 5 +----
lib/security.c | 13 ++++++++++---
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/lib/krb5.c b/lib/krb5.c
index f50287a..5b77e35 100644
--- a/lib/krb5.c
+++ b/lib/krb5.c
@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len,
enc.value = buf;
enc.length = len;
maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
- if(maj != GSS_S_COMPLETE) {
- if(len >= 4)
- strcpy(buf, "599 ");
+ if(maj != GSS_S_COMPLETE)
return -1;
- }
memcpy(buf, dec.value, dec.length);
len = curlx_uztosi(dec.length);
diff --git a/lib/security.c b/lib/security.c
index fbfa707..3542210 100644
--- a/lib/security.c
+++ b/lib/security.c
@@ -192,6 +192,7 @@ static CURLcode read_data(struct connectdata *conn,
{
int len;
CURLcode result;
+ int nread;
result = socket_read(fd, &len, sizeof(len));
if(result)
@@ -200,7 +201,10 @@ static CURLcode read_data(struct connectdata *conn,
if(len) {
/* only realloc if there was a length */
len = ntohl(len);
- buf->data = Curl_saferealloc(buf->data, len);
+ if(len > CURL_MAX_INPUT_LENGTH)
+ len = 0;
+ else
+ buf->data = Curl_saferealloc(buf->data, len);
}
if(!len || !buf->data)
return CURLE_OUT_OF_MEMORY;
@@ -208,8 +212,11 @@ static CURLcode read_data(struct connectdata *conn,
result = socket_read(fd, buf->data, len);
if(result)
return result;
- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
- conn->data_prot, conn);
+ nread = buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+ conn->data_prot, conn);
+ if(nread < 0)
+ return CURLE_RECV_ERROR;
+ buf->size = (size_t)nread;
buf->index = 0;
return CURLE_OK;
}

3
meta/recipes-support/curl/curl_7.69.1.bb
View File

@@ -35,6 +35,9 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2022-27781.patch \
file://CVE-2022-27782-1.patch \
file://CVE-2022-27782-2.patch \
file://CVE-2022-32206.patch \
file://CVE-2022-32207.patch \
file://CVE-2022-32208.patch \
"
SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"