From 7218e2df932a95309e9d089d979f4280b0d10e40 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Thu, 21 Sep 2017 13:57:05 +0200
Subject: curl: CVE-2017-9502 URL file scheme drive letter buffer overflow
References: https://curl.haxx.se/docs/adv_20170614.html https://curl.haxx.se/CVE-2017-9502.patch
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
 recipes-support/curl/curl/CVE-2017-9502.patch | 69 +++++++++++++++++++++++++++
 recipes-support/curl/curl_%.bbappend | 1 +
 2 files changed, 70 insertions(+)
 create mode 100644 recipes-support/curl/curl/CVE-2017-9502.patch
diff --git a/recipes-support/curl/curl/CVE-2017-9502.patch b/recipes-support/curl/curl/CVE-2017-9502.patch
new file mode 100644
index 0000000..c205568
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2017-9502.patch
@@ -0,0 +1,69 @@
+From 5d7952f52e410e1d4a8ff1965e5cc6fc1bde86aa Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 7 Jun 2017 00:21:04 +0200
+Subject: [PATCH] url: fix buffer overwrite with file protocol (CVE-2017-9502)
+
+Bug: https://github.com/curl/curl/issues/1540
+Advisory: https://curl.haxx.se/docs/adv_20170614.html
+
+CVE: CVE-2017-9502
+Upstream-Status: Backport [backport from curl-7_54_1]
+
+Assisted-by: Ray Satiro
+Reported-by: Marcel Raad
+Signed-off-by: Sona Sarmadi
+---
+ lib/url.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 84822d9..87446db 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -4466,6 +4466,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+ #endif
+
+ protop = "file"; /* protocol string */
++ *prot_missing = !url_has_scheme;
+ }
+ else {
+ /* clear path */
+@@ -4629,14 +4630,30 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+
+ size_t plen = strlen(path); /* new path, should be 1 byte longer than
+ the original */
+- size_t urllen = strlen(data->change.url); /* original URL length */
+-
+ size_t prefixlen = strlen(conn->host.name);
+
+- if(!*prot_missing)
+- prefixlen += strlen(protop) + strlen("://");
++ if(!*prot_missing) {
++ size_t protolen = strlen(protop);
++
++ if(curl_strnequal(protop, data->change.url, protolen))
++ prefixlen += protolen;
++ else {
++ failf(data, " malformed");
++ return CURLE_URL_MALFORMAT;
++ }
++
++ if(curl_strnequal("://", &data->change.url[protolen], 3))
++ prefixlen += 3;
++ /* only file: is allowed to omit one or both slashes */
++ else if(curl_strnequal("file:", data->change.url, 5))
++ prefixlen += 1 + (data->change.url[5] == '/');
++ else {
++ failf(data, " malformed");
++ return CURLE_URL_MALFORMAT;
++ }
++ }
+
+- reurl = malloc(urllen + 2); /* 2 for zerobyte + slash */
++ reurl = malloc(prefixlen + plen + 1);
+ if(!reurl)
+ return CURLE_OUT_OF_MEMORY;
+
+--
+1.9.1
+
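Review bot: The new allocation size `reurl = malloc(prefixlen + plen + 1);` is only correct if the code that later fills `reurl` (outside this hunk; parseurlandfillconn starts and ends outside it) copies exactly `prefixlen` bytes of the original URL, then the `plen`-byte path, then the terminator, and that copy is not visible here, so the backport should be checked against the layer's curl version rather than assumed to match the curl-7_54_1 tree the inner patch was cut from. A comment on the derivation would help the next backporter, e.g. `/* scheme + separator + host (prefixlen), new path (plen) and NUL */`. The read of `data->change.url[5]` is reached only after `curl_strnequal("file:", data->change.url, 5)` succeeded, so index 5 is at worst the terminating NUL; stating that in the existing `only file:` comment would save a reader the same check. The added `*prot_missing = !url_has_scheme;` at 4466 relies on `url_has_scheme` being in scope at that point, which is presumably true for the target version but is not shown in the hunk.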
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
index ec4f997..15e74ba 100644
--- a/recipes-support/curl/curl_%.bbappend
+++ b/recipes-support/curl/curl_%.bbappend
@@ -2,4 +2,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://CVE-2017-7468.patch \
+ file://CVE-2017-9502.patch \
 "
--
cgit v1.2.3-54-g00ecf
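Review bot: `curl_%.bbappend` applies to every curl version the layer builds, while the patch it now adds is anchored to lib/url.c at lines 4466 and 4629 of a specific tree (index 84822d9..87446db, described as a backport from curl-7_54_1), so once the recipe moves to a release that already carries the upstream fix the patch will fail to apply or must be dropped by hand. Consider pinning the append to the affected version (a `curl_<affected-version>.bbappend`, version to be filled in) or at least recording the applicability next to the new line, e.g. `# CVE-2017-9502: fixed upstream in 7.54.1; drop once the recipe reaches that version`. The target version is inferred from the patch header's Upstream-Status line, not from anything in this hunk.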