curl: Security fix for CVE-2016-9586

Affected versions: libcurl 7.1 to and including 7.51.0 Not affected versions: libcurl >= 7.52.0 (From OE-Core rev: 559ccc284987846c5b266cc2bc5ecd91c1c155f9) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-04-17 09:32:12 +02:00 · 2017-11-04 08:10:45 -07:00
parent c4339c0e74
commit 6131edc2c9
2 changed files with 67 additions and 0 deletions
--- a/meta/recipes-support/curl/curl/CVE-2016-9586.patch
+++ b/meta/recipes-support/curl/curl/CVE-2016-9586.patch
@@ -0,0 +1,66 @@
+commit 3ab3c16db6a5674f53cf23d56512a405fde0b2c9
+Author: Daniel Stenberg <daniel@haxx.se>
+Date:   Tue Nov 8 15:32:37 2016 +0100
+
+    printf: fix floating point buffer overflow issues
+
+    ... and add a bunch of floating point printf tests
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-9586.patch
+dropped the tests as they require more changes to work.
+
+CVE: CVE-2016-9586
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: curl-7.50.1/lib/mprintf.c
+===================================================================
+--- curl-7.50.1.orig/lib/mprintf.c	2017-06-15 18:24:08.934720707 +0530
+++ curl-7.50.1/lib/mprintf.c	2017-06-15 18:24:09.318720721 +0530
+@@ -92,7 +92,8 @@
+ #  define mp_uintmax_t unsigned long
+ #endif
+ 
+-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */
+#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should
+                        fit negative DBL_MAX (317 letters) */
+ #define MAX_PARAMETERS 128 /* lame static limit */
+ 
+ #ifdef __AMIGA__
+@@ -910,12 +911,25 @@
+         *fptr = 0;
+ 
+         if(width >= 0) {
+          if(width >= (long)sizeof(work))
+            width = sizeof(work)-1;
+           /* RECURSIVE USAGE */
+           len = curl_msnprintf(fptr, left, "%ld", width);
+           fptr += len;
+           left -= len;
+         }
+         if(prec >= 0) {
+          /* for each digit in the integer part, we can have one less
+             precision */
+          size_t maxprec = sizeof(work) - 2;
+          double val = p->data.dnum;
+          while(val >= 10.0) {
+            val /= 10;
+            maxprec--;
+          }
+
+          if(prec > (long)maxprec)
+            prec = maxprec-1;
+           /* RECURSIVE USAGE */
+           len = curl_msnprintf(fptr, left, ".%ld", prec);
+           fptr += len;
+@@ -935,7 +949,9 @@
+         /* NOTE NOTE NOTE!! Not all sprintf implementations return number of
+            output characters */
+         (sprintf)(work, formatbuf, p->data.dnum);
+-
+#ifdef CURLDEBUG
+        assert(strlen(work) <= sizeof(work));
+#endif
+         for(fptr=work; *fptr; fptr++)
+           OUTCHAR(*fptr);
+       }
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -21,6 +21,7 @@ SRC_URI += " file://configure_ac.patch \
             file://CVE-2016-8623.patch \
             file://CVE-2016-8617.patch \
             file://CVE-2016-8624.patch \
+             file://CVE-2016-9586.patch \
           "

 SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"