mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-04 23:02:22 +02:00
Code Issues Packages Projects Releases Wiki Activity

curl: ammend fix for CVE-2023-27534 to fix error when ssh is enabled

Browse Source 
The upstream patch for CVE-2023-27534 does three things:
1) creates new path with dynbuf(dynamic buffer)
2) solves the tilde error which causes CVE-2023-27534
3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.

dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
This patch completes the 3rd task of the patch which was implemented without using dynbuf

Upstream-Status: Backport from [6c51adeb71]

(From OE-Core rev: df489f644e41108cf0e2ff55af7ce5e9bca40471)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Siddharth
2023-05-12 03:59:42 +05:30
committed by Steve Sakoman
parent 1824a583fa
commit ed5cd048ae
3 changed files with 68 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch Normal file
View File

@@ -0,0 +1,51 @@
From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
From: Eric Vigeant <evigeant@gmail.com>
Date: Wed, 2 Nov 2022 11:47:09 -0400
Subject: [PATCH] cur_path: do not add '/' if homedir ends with one
When using SFTP and a path relative to the user home, do not add a
trailing '/' to the user home dir if it already ends with one.
Closes #9844
CVE: CVE-2023-27534
Note:
- The upstream patch for CVE-2023-27534 does three things:
1) creates new path with dynbuf(dynamic buffer)
2) solves the tilde error which causes CVE-2023-27534
3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.
- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
- This patch completes the 3rd task of the patch which was implemented without using dynbuf
Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
lib/curl_path.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/lib/curl_path.c b/lib/curl_path.c
index f429634..40b92ee 100644
--- a/lib/curl_path.c
+++ b/lib/curl_path.c
@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
/* It is referenced to the home directory, so strip the
leading '/' */
memcpy(real_path, homedir, homelen);
- real_path[homelen] = '/';
- real_path[homelen + 1] = '\0';
+ /* Only add a trailing '/' if homedir does not end with one */
+ if(homelen == 0 || real_path[homelen - 1] != '/') {
+ real_path[homelen] = '/';
+ homelen++;
+ real_path[homelen] = '\0';
+ }
if(working_path_len > 3) {
- memcpy(real_path + homelen + 1, working_path + 3,
+ memcpy(real_path + homelen, working_path + 3,
1 + working_path_len -3);
}
}
--
2.24.4

122
meta/recipes-support/curl/curl/CVE-2023-27534.patch
View File

@@ -3,121 +3,31 @@ From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 9 Mar 2023 16:22:11 +0100
Subject: [PATCH] curl_path: create the new path with dynbuf
Closes #10729
CVE: CVE-2023-27534
Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
Note: This patch is needed to backport CVE-2023-27534
Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
1 file changed, 35 insertions(+), 36 deletions(-)
lib/curl_path.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/curl_path.c b/lib/curl_path.c
index f429634..e17db4b 100644
index 40b92ee..598c5dd 100644
--- a/lib/curl_path.c
+++ b/lib/curl_path.c
@@ -30,6 +30,8 @@
#include "escape.h"
#include "memdebug.h"
+#define MAX_SSHPATH_LEN 100000 /* arbitrary */
+
/* figure out the path to work with in this particular request */
CURLcode Curl_getworkingpath(struct connectdata *conn,
char *homedir, /* when SFTP is used */
@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
real path to work with */
{
struct Curl_easy *data = conn->data;
- char *real_path = NULL;
char *working_path;
size_t working_path_len;
+ struct dynbuf npath;
CURLcode result =
Curl_urldecode(data, data->state.up.path, 0, &working_path,
&working_path_len, FALSE);
if(result)
return result;
+ /* new path to switch to in case we need to */
+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
+
/* Check for /~/, indicating relative to the user's home directory */
- if(conn->handler->protocol & CURLPROTO_SCP) {
- real_path = malloc(working_path_len + 1);
- if(real_path == NULL) {
+ if((data->conn->handler->protocol & CURLPROTO_SCP) &&
+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
+ /* It is referenced to the home directory, so strip the leading '/~/' */
+ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
free(working_path);
return CURLE_OUT_OF_MEMORY;
}
- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
- /* It is referenced to the home directory, so strip the leading '/~/' */
- memcpy(real_path, working_path + 3, working_path_len - 2);
- else
- memcpy(real_path, working_path, 1 + working_path_len);
@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
memcpy(real_path, working_path, 1 + working_path_len);
}
- else if(conn->handler->protocol & CURLPROTO_SFTP) {
else if(conn->handler->protocol & CURLPROTO_SFTP) {
- if((working_path_len > 1) && (working_path[1] == '~')) {
- size_t homelen = strlen(homedir);
- real_path = malloc(homelen + working_path_len + 1);
- if(real_path == NULL) {
- free(working_path);
- return CURLE_OUT_OF_MEMORY;
- }
- /* It is referenced to the home directory, so strip the
- leading '/' */
- memcpy(real_path, homedir, homelen);
- real_path[homelen] = '/';
- real_path[homelen + 1] = '\0';
- if(working_path_len > 3) {
- memcpy(real_path + homelen + 1, working_path + 3,
- 1 + working_path_len -3);
- }
+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
+ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
+ size_t len;
+ const char *p;
+ int copyfrom = 3;
+ if(Curl_dyn_add(&npath, homedir)) {
+ free(working_path);
+ return CURLE_OUT_OF_MEMORY;
}
- else {
- real_path = malloc(working_path_len + 1);
- if(real_path == NULL) {
- free(working_path);
- return CURLE_OUT_OF_MEMORY;
- }
- memcpy(real_path, working_path, 1 + working_path_len);
+ /* Copy a separating '/' if homedir does not end with one */
+ len = Curl_dyn_len(&npath);
+ p = Curl_dyn_ptr(&npath);
+ if(len && (p[len-1] != '/'))
+ copyfrom = 2;
+
+ if(Curl_dyn_addn(&npath,
+ &working_path[copyfrom], working_path_len - copyfrom)) {
+ free(working_path);
+ return CURLE_OUT_OF_MEMORY;
}
}
- free(working_path);
+ if(Curl_dyn_len(&npath)) {
+ free(working_path);
- /* store the pointer for the caller to receive */
- *path = real_path;
+ /* store the pointer for the caller to receive */
+ *path = Curl_dyn_ptr(&npath);
+ }
+ else
+ *path = working_path;
return CURLE_OK;
}
+ if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
size_t homelen = strlen(homedir);
real_path = malloc(homelen + working_path_len + 1);
if(real_path == NULL) {
--
2.25.1
2.24.4

1
meta/recipes-support/curl/curl_7.69.1.bb
View File

@@ -43,6 +43,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2022-35260.patch \
file://CVE-2022-43552.patch \
file://CVE-2023-23916.patch \
file://CVE-2023-27534-pre1.patch \
file://CVE-2023-27534.patch \
file://CVE-2023-27538.patch \
file://CVE-2023-27533.patch \