mirror of
https://git.yoctoproject.org/poky
synced 2026-04-17 18:32:12 +02:00
curl: Add fix for CVE-2023-23916
Add below patch to fix CVE-2023-23916 CVE-2023-23916.patch Link: https://curl.se/docs/CVE-2023-23916.html (From OE-Core rev: 1b10502deb6a542acfb9dc62dbd916e8299314da) Signed-off-by: pawan <badganchipv@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
pawan
219
meta/recipes-support/curl/curl/CVE-2023-23916.patch
Normal file
219
meta/recipes-support/curl/curl/CVE-2023-23916.patch
Normal file
@@ -0,0 +1,219 @@
|
||||
From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001
|
||||
From: Patrick Monnerat <patrick@monnerat.net>
|
||||
Date: Mon, 13 Feb 2023 08:33:09 +0100
|
||||
Subject: [PATCH] content_encoding: do not reset stage counter for each header
|
||||
|
||||
Test 418 verifies
|
||||
|
||||
Closes #10492
|
||||
|
||||
CVE: CVE-2023-23916
|
||||
Upstream-Status: Backport [https://github.com/curl/curl/commit/119fb187192a9ea13dc.patch]
|
||||
Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
|
||||
---
|
||||
lib/content_encoding.c | 7 +-
|
||||
lib/urldata.h | 1 +
|
||||
tests/data/Makefile.inc | 2 +-
|
||||
tests/data/test387 | 2 +-
|
||||
tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++
|
||||
5 files changed, 158 insertions(+), 6 deletions(-)
|
||||
create mode 100644 tests/data/test418
|
||||
|
||||
--- a/lib/content_encoding.c
|
||||
+++ b/lib/content_encoding.c
|
||||
@@ -1037,7 +1037,6 @@ CURLcode Curl_build_unencoding_stack(str
|
||||
const char *enclist, int maybechunked)
|
||||
{
|
||||
struct SingleRequest *k = &data->req;
|
||||
- int counter = 0;
|
||||
|
||||
do {
|
||||
const char *name;
|
||||
@@ -1072,9 +1071,9 @@ CURLcode Curl_build_unencoding_stack(str
|
||||
if(!encoding)
|
||||
encoding = &error_encoding; /* Defer error at stack use. */
|
||||
|
||||
- if(++counter >= MAX_ENCODE_STACK) {
|
||||
- failf(data, "Reject response due to %u content encodings",
|
||||
- counter);
|
||||
+ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
|
||||
+ failf(data, "Reject response due to more than %u content encodings",
|
||||
+ MAX_ENCODE_STACK);
|
||||
return CURLE_BAD_CONTENT_ENCODING;
|
||||
}
|
||||
/* Stack the unencoding stage. */
|
||||
--- a/lib/urldata.h
|
||||
+++ b/lib/urldata.h
|
||||
@@ -682,6 +682,7 @@ struct SingleRequest {
|
||||
struct dohdata *doh; /* DoH specific data for this request */
|
||||
#endif
|
||||
unsigned char setcookies;
|
||||
+ unsigned char writer_stack_depth; /* Unencoding stack depth. */
|
||||
BIT(header); /* incoming data has HTTP header */
|
||||
BIT(content_range); /* set TRUE if Content-Range: was found */
|
||||
BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
|
||||
--- a/tests/data/Makefile.inc
|
||||
+++ b/tests/data/Makefile.inc
|
||||
@@ -69,6 +69,7 @@
|
||||
\
|
||||
test400 test401 test402 test403 test404 test405 test406 test407 test408 \
|
||||
test409 test410 \
|
||||
+test418 \
|
||||
\
|
||||
test430 test431 test432 test433 test434 test435 test436 \
|
||||
\
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test418
|
||||
@@ -0,0 +1,152 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+HTTP
|
||||
+gzip
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<data nocheck="yes">
|
||||
+HTTP/1.1 200 OK
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+Transfer-Encoding: gzip
|
||||
+
|
||||
+-foo-
|
||||
+</data>
|
||||
+</reply>
|
||||
+
|
||||
+#
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<server>
|
||||
+http
|
||||
+</server>
|
||||
+ <name>
|
||||
+Response with multiple Transfer-Encoding headers
|
||||
+ </name>
|
||||
+ <command>
|
||||
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
|
||||
+</command>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+<protocol crlf="yes">
|
||||
+GET /%TESTNUMBER HTTP/1.1
|
||||
+Host: %HOSTIP:%HTTPPORT
|
||||
+User-Agent: curl/%VERSION
|
||||
+Accept: */*
|
||||
+
|
||||
+</protocol>
|
||||
+
|
||||
+# CURLE_BAD_CONTENT_ENCODING is 61
|
||||
+<errorcode>
|
||||
+61
|
||||
+</errorcode>
|
||||
+<stderr mode="text">
|
||||
+curl: (61) Reject response due to more than 5 content encodings
|
||||
+</stderr>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
@@ -39,6 +39,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
|
||||
file://CVE-2023-23914_5-3.patch \
|
||||
file://CVE-2023-23914_5-4.patch \
|
||||
file://CVE-2023-23914_5-5.patch \
|
||||
file://CVE-2023-23916.patch \
|
||||
"
|
||||
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user