mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-21 21:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

curl: Security fix for CVE-2016-8623

Browse Source 
Affected versions: curl 7.10.7 to and including 7.50.3
Not affected versions: curl < 7.10.7 and curl >= 7.51.0

(From OE-Core rev: 2da99dc9f7f3d8373cc3108c18300723ad4a243a)

Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Thiruvadi Rajaraman
2017-11-04 08:01:20 -07:00
committed by Richard Purdie
parent d8353bdb23
commit b0827cbb4b
2 changed files with 175 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

174
meta/recipes-support/curl/curl/CVE-2016-8623.patch Normal file
View File

@@ -0,0 +1,174 @@
From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 4 Oct 2016 23:26:13 +0200
Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies
Previously it only held references to them, which was reckless as the
thread lock was released so the cookies could get modified by other
handles that share the same cookie jar over the share interface.
CVE-2016-8623
Bug: https://curl.haxx.se/docs/adv_20161102I.html
Reported-by: Cure53
Upstream-Status: Backport
https://curl.haxx.se/CVE-2016-8623.patch
CVE: CVE-2016-8623
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
---
lib/cookie.c | 61 +++++++++++++++++++++++++++++++++++++++---------------------
lib/cookie.h | 4 ++--
lib/http.c | 2 +-
3 files changed, 43 insertions(+), 24 deletions(-)
Index: curl-7.44.0/lib/cookie.c
===================================================================
--- curl-7.44.0.orig/lib/cookie.c
+++ curl-7.44.0/lib/cookie.c
@@ -1019,6 +1019,40 @@ static int cookie_sort(const void *p1, c
return 0;
}
+#define CLONE(field) \
+ do { \
+ if(src->field) { \
+ dup->field = strdup(src->field); \
+ if(!dup->field) \
+ goto fail; \
+ } \
+ } while(0)
+
+static struct Cookie *dup_cookie(struct Cookie *src)
+{
+ struct Cookie *dup = calloc(sizeof(struct Cookie), 1);
+ if(dup) {
+ CLONE(expirestr);
+ CLONE(domain);
+ CLONE(path);
+ CLONE(spath);
+ CLONE(name);
+ CLONE(value);
+ CLONE(maxage);
+ CLONE(version);
+ dup->expires = src->expires;
+ dup->tailmatch = src->tailmatch;
+ dup->secure = src->secure;
+ dup->livecookie = src->livecookie;
+ dup->httponly = src->httponly;
+ }
+ return dup;
+
+ fail:
+ freecookie(dup);
+ return NULL;
+}
+
/*****************************************************************************
*
* Curl_cookie_getlist()
@@ -1074,11 +1108,8 @@ struct Cookie *Curl_cookie_getlist(struc
/* and now, we know this is a match and we should create an
entry for the return-linked-list */
- newco = malloc(sizeof(struct Cookie));
+ newco = dup_cookie(co);
if(newco) {
- /* first, copy the whole source cookie: */
- memcpy(newco, co, sizeof(struct Cookie));
-
/* then modify our next */
newco->next = mainco;
@@ -1090,12 +1121,7 @@ struct Cookie *Curl_cookie_getlist(struc
else {
fail:
/* failure, clear up the allocated chain and return NULL */
- while(mainco) {
- co = mainco->next;
- free(mainco);
- mainco = co;
- }
-
+ Curl_cookie_freelist(mainco);
return NULL;
}
}
@@ -1147,7 +1173,7 @@ struct Cookie *Curl_cookie_getlist(struc
void Curl_cookie_clearall(struct CookieInfo *cookies)
{
if(cookies) {
- Curl_cookie_freelist(cookies->cookies, TRUE);
+ Curl_cookie_freelist(cookies->cookies);
cookies->cookies = NULL;
cookies->numcookies = 0;
}
@@ -1159,21 +1185,14 @@ void Curl_cookie_clearall(struct CookieI
*
* Free a list of cookies previously returned by Curl_cookie_getlist();
*
- * The 'cookiestoo' argument tells this function whether to just free the
- * list or actually also free all cookies within the list as well.
- *
****************************************************************************/
-void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo)
+void Curl_cookie_freelist(struct Cookie *co)
{
struct Cookie *next;
while(co) {
next = co->next;
- if(cookiestoo)
- freecookie(co);
- else
- free(co); /* we only free the struct since the "members" are all just
- pointed out in the main cookie list! */
+ freecookie(co);
co = next;
}
}
@@ -1228,7 +1247,7 @@ void Curl_cookie_cleanup(struct CookieIn
{
if(c) {
free(c->filename);
- Curl_cookie_freelist(c->cookies, TRUE);
+ Curl_cookie_freelist(c->cookies);
free(c); /* free the base struct as well */
}
}
Index: curl-7.44.0/lib/cookie.h
===================================================================
--- curl-7.44.0.orig/lib/cookie.h
+++ curl-7.44.0/lib/cookie.h
@@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -82,7 +82,7 @@ struct Cookie *Curl_cookie_add(struct Se
struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *,
const char *, bool);
-void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo);
+void Curl_cookie_freelist(struct Cookie *cookies);
void Curl_cookie_clearall(struct CookieInfo *cookies);
void Curl_cookie_clearsess(struct CookieInfo *cookies);
Index: curl-7.44.0/lib/http.c
===================================================================
--- curl-7.44.0.orig/lib/http.c
+++ curl-7.44.0/lib/http.c
@@ -2371,7 +2371,7 @@ CURLcode Curl_http(struct connectdata *c
}
co = co->next; /* next cookie please */
}
- Curl_cookie_freelist(store, FALSE); /* free the cookie list */
+ Curl_cookie_freelist(store);
}
if(addcookies && !result) {
if(!count)

1
meta/recipes-support/curl/curl_7.50.1.bb
View File

@@ -18,6 +18,7 @@ SRC_URI += " file://configure_ac.patch \
file://CVE-2016-8619.patch \
file://CVE-2016-8620.patch \
file://CVE-2016-8621.patch \
file://CVE-2016-8623.patch \
"
SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"