curl: cleanup CVE patches for hardknott

The patch backported to address CVE-2021-22890 was missing a bracket to properly close out the logic in lib/vtls/wolfssl.c. Fix this so to avoid any surprise failures when using curl with hardknott. Also fix the CVE designation in the patch descriptions for CVEs CVE-2021-22890 and CVE-2021-22876 so that CVE checks run with bitbake correctly detect that they are patched. (From OE-Core rev: 456ba1717fc3ebb9d10cc6a3c916b07f7c4e8a22) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-04-14 17:02:22 +02:00 · 2021-06-16 09:02:01 -04:00
parent 74dbb08c37
commit 35f5ce1fbd
2 changed files with 12 additions and 9 deletions
--- a/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
+++ b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
@@ -1,15 +1,14 @@
-From a2d3885223db9616283bfe33435fbe9b3140eac7 Mon Sep 17 00:00:00 2001
+From e499142d377b56c7606437d14c99d3cb27aba9fd Mon Sep 17 00:00:00 2001
 From: Trevor Gamblin <trevor.gamblin@windriver.com>
 Date: Tue, 1 Jun 2021 09:50:20 -0400
-Subject: [PATCH 1/2] vtls: add 'isproxy' argument to
- Curl_ssl_get/addsessionid()
+Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()

 To make sure we set and extract the correct session.

 Reported-by: Mingtao Yang
 Bug: https://curl.se/docs/CVE-2021-22890.html

-CVE-2021-22890
+CVE: CVE-2021-22890

 Upstream-Status: Backport
 (https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844)
@@ -25,8 +24,8 @@ Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
 lib/vtls/sectransp.c | 10 ++++----
 lib/vtls/vtls.c      | 12 +++++++---
 lib/vtls/vtls.h      |  2 ++
- lib/vtls/wolfssl.c   | 28 +++++++++++++----------
- 10 files changed, 111 insertions(+), 51 deletions(-)
+ lib/vtls/wolfssl.c   | 29 ++++++++++++++----------
+ 10 files changed, 112 insertions(+), 51 deletions(-)

 diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
 index 29b08c0e6..0432dfadc 100644
@@ -463,7 +462,7 @@ index 9666682ec..4dc29794c 100644
                                size_t idsize,
                                int sockindex);
 diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
-index e1fa45926..e4c70877f 100644
+index e1fa45926..f1b12b1d8 100644
 --- a/lib/vtls/wolfssl.c
 +++ b/lib/vtls/wolfssl.c
@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
@@ -477,7 +476,7 @@ index e1fa45926..e4c70877f 100644
       /* we got a session id, use it! */
       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
         char error_buffer[WOLFSSL_MAX_ERROR_SZ];
-@@ -774,21 +776,23 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+@@ -774,21 +776,24 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
     void *old_ssl_sessionid = NULL;
 
     our_ssl_sessionid = SSL_get_session(backend->handle);
@@ -501,6 +500,7 @@ index e1fa45926..e4c70877f 100644
 +            infof(data, "old SSL session ID is stale, removing\n");
 +            Curl_ssl_delsessionid(data, old_ssl_sessionid);
 +            incache = FALSE;
+        }
       }
     }
 
--- a/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch
+++ b/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch
@@ -6,7 +6,10 @@ Subject: [PATCH 2/2] transfer: strip credentials from the auto-referer header

 Added test 2081 to verify.

-CVE-2021-22876
+CVE: CVE-2021-22876
+
+Upstream-Status: Backport
+(https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c)

 Bug: https://curl.se/docs/CVE-2021-22876.html