mirror of
https://git.yoctoproject.org/poky
synced 2026-04-20 00:32:13 +02:00
curl: Fix CVE-2023-28319
Add patch to fix CVE-2023-28319 UAF in SSH sha256 fingerprint check libcurl offers a feature to verify an SSH server's public key using a SHA 256hash. When this check fails, libcurl would free the memory for the fingerprintbefore it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed. Link: https://curl.se/docs/CVE-2023-28319.html (From OE-Core rev: f7d6751828683ac2adbf140e77dbf7454cfa8eb1) Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Bhabu Bindu
committed by
Steve Sakoman
Steve Sakoman
parent
2afcf3e39f
commit
8f3b0b8e9b
33
meta/recipes-support/curl/curl/CVE-2023-28319.patch
Normal file
33
meta/recipes-support/curl/curl/CVE-2023-28319.patch
Normal file
@@ -0,0 +1,33 @@
|
||||
From 8e21b1a05f3c0ee098dbcb6c3d84cb61f102a122 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 8 May 2023 14:33:54 +0200
|
||||
Subject: [PATCH] libssh2: free fingerprint better
|
||||
|
||||
Reported-by: Wei Chong Tan
|
||||
Closes #11088
|
||||
|
||||
CVE: CVE-2023-28319
|
||||
Upstream-Status: Backport [https://github.com/curl/curl/commit/8e21b1a05f3c0ee098dbcb6c]
|
||||
Comments: Hunks Refreshed
|
||||
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
|
||||
---
|
||||
lib/vssh/libssh2.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
|
||||
index bfcc94e160178..dd39a844c646b 100644
|
||||
--- a/lib/vssh/libssh2.c
|
||||
+++ b/lib/vssh/libssh2.c
|
||||
@@ -695,11 +695,10 @@
|
||||
*/
|
||||
if((pub_pos != b64_pos) ||
|
||||
Curl_strncasecompare(fingerprint_b64, pubkey_sha256, pub_pos) != 1) {
|
||||
- free(fingerprint_b64);
|
||||
-
|
||||
failf(data,
|
||||
"Denied establishing ssh session: mismatch sha256 fingerprint. "
|
||||
"Remote %s is not equal to %s", fingerprint_b64, pubkey_sha256);
|
||||
+ free(fingerprint_b64);
|
||||
state(data, SSH_SESSION_FREE);
|
||||
sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
|
||||
return sshc->actualcode;
|
||||
@@ -45,6 +45,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
|
||||
file://CVE-2023-27535-pre1.patch \
|
||||
file://CVE-2023-27535_and_CVE-2023-27538.patch \
|
||||
file://CVE-2023-27536.patch \
|
||||
file://CVE-2023-28319.patch \
|
||||
"
|
||||
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user