Message ID | 20230324075700.22155-2-badganchipv@gmail.com |
---|---|
Series | [meta,kirkstone,1/2] curl: Add fix for CVE-2023-23914, CVE-2023-23915 | expand |
On Thu, Mar 23, 2023 at 9:57 PM Pawan Badganchi <badganchipv@gmail.com> wrote: > > From: Pawan Badganchi <badganchipv@gmail.com> > > Add below patch to fix CVE-2023-23916 > > CVE-2023-23916.patch I'm getting fuzz errors with this patch: Applying patch CVE-2023-23916.patch patching file lib/content_encoding.c patching file lib/urldata.h patching file tests/data/Makefile.inc Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines). patching file tests/data/test418 Please send v2 which corrects this. Thanks! Steve > > Link: https://curl.se/docs/CVE-2023-23916.html > > Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> > Signed-off-by: Pawan Badganchi <badganchipv@gmail.com> > --- > .../curl/curl/CVE-2023-23916.patch | 222 ++++++++++++++++++ > meta/recipes-support/curl/curl_7.82.0.bb | 1 + > 2 files changed, 223 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/meta/recipes-support/curl/curl/CVE-2023-23916.patch > new file mode 100644 > index 0000000000..6a1be173cd > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch 
> @@ -0,0 +1,222 @@ > +Backport of: > + > +From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001 > +From: Patrick Monnerat <patrick@monnerat.net> > +Date: Mon, 13 Feb 2023 08:33:09 +0100 > +Subject: [PATCH] content_encoding: do not reset stage counter for each header > + > +Test 418 verifies > + > +Closes #10492 > + > +CVE: CVE-2023-23916 > +Upstream-Status: Backport [https://github.com/curl/curl/commit/119fb187192a9ea13dc.patch] > +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> > +--- > + lib/content_encoding.c | 7 +- > + lib/urldata.h | 1 + > + tests/data/Makefile.inc | 2 +- > + tests/data/test387 | 2 +- > + tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ > + 5 files changed, 158 insertions(+), 6 deletions(-) > + create mode 100644 tests/data/test418 > + > +--- a/lib/content_encoding.c > ++++ b/lib/content_encoding.c > +@@ -1035,7 +1035,6 @@ CURLcode Curl_build_unencoding_stack(str > + const char *enclist, int maybechunked) > + { > + struct SingleRequest *k = &data->req; > +- int counter = 0; > + > + do { > + const char *name; > +@@ -1070,9 +1069,9 @@ CURLcode Curl_build_unencoding_stack(str > + if(!encoding) > + encoding = &error_encoding; /* Defer error at stack use. */ > + > +- if(++counter >= MAX_ENCODE_STACK) { > +- failf(data, "Reject response due to %u content encodings", > +- counter); > ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { > ++ failf(data, "Reject response due to more than %u content encodings", > ++ MAX_ENCODE_STACK); > + return CURLE_BAD_CONTENT_ENCODING; > + } > + /* Stack the unencoding stage. */ > +--- a/lib/urldata.h > ++++ b/lib/urldata.h > +@@ -708,6 +708,7 @@ struct SingleRequest { > + struct dohdata *doh; /* DoH specific data for this request */ > + #endif > + unsigned char setcookies; > ++ unsigned char writer_stack_depth; /* Unencoding stack depth. 
*/ > + BIT(header); /* incoming data has HTTP header */ > + BIT(content_range); /* set TRUE if Content-Range: was found */ > + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding > +--- a/tests/data/Makefile.inc > ++++ b/tests/data/Makefile.inc > +@@ -66,7 +66,7 @@ test370 test371 \ > + test392 test393 test394 test395 test396 test397 \ > + \ > + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ > +-test409 test410 \ > ++test409 test410 test418 \ > + \ > + test430 test431 test432 test433 test434 test435 test446 \ > + \ > +--- /dev/null > ++++ b/tests/data/test418 > +@@ -0,0 +1,152 @@ > ++<testcase> > ++<info> > ++<keywords> > ++HTTP > ++gzip > ++</keywords> > ++</info> > ++ > ++# > ++# Server-side > ++<reply> > ++<data nocheck="yes"> > ++HTTP/1.1 200 OK > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > 
++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++ > ++-foo- > ++</data> > ++</reply> > ++ > ++# > ++# Client-side > ++<client> > ++<server> > ++http > ++</server> > ++ <name> > ++Response with multiple Transfer-Encoding headers > ++ </name> > ++ <command> > ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS > ++</command> > ++</client> > ++ > ++# > ++# Verify data after the test has been "shot" > ++<verify> > ++<protocol 
crlf="yes"> > ++GET /%TESTNUMBER HTTP/1.1 > ++Host: %HOSTIP:%HTTPPORT > ++User-Agent: curl/%VERSION > ++Accept: */* > ++ > ++</protocol> > ++ > ++# CURLE_BAD_CONTENT_ENCODING is 61 > ++<errorcode> > ++61 > ++</errorcode> > ++<stderr mode="text"> > ++curl: (61) Reject response due to more than 5 content encodings > ++</stderr> > ++</verify> > ++</testcase> > diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb > index b583060889..945745cdde 100644 > --- a/meta/recipes-support/curl/curl_7.82.0.bb > +++ b/meta/recipes-support/curl/curl_7.82.0.bb > @@ -39,6 +39,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ > file://CVE-2023-23914_5-3.patch \ > file://CVE-2023-23914_5-4.patch \ > file://CVE-2023-23914_5-5.patch \ > + file://CVE-2023-23916.patch \ > " > SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" > > -- > 2.38.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#179016): https://lists.openembedded.org/g/openembedded-core/message/179016 > Mute This Topic: https://lists.openembedded.org/mt/97818991/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hello Steve, Could you please build again including CVE-2023-23914 And CVE-2023-23195. On Fri, 24 Mar, 2023, 9:10 pm Steve Sakoman, <steve@sakoman.com> wrote: > On Thu, Mar 23, 2023 at 9:57 PM Pawan Badganchi <badganchipv@gmail.com> > wrote: > > > > From: Pawan Badganchi <badganchipv@gmail.com> > > > > Add below patch to fix CVE-2023-23916 > > > > CVE-2023-23916.patch > > I'm getting fuzz errors with this patch: > > Applying patch CVE-2023-23916.patch > patching file lib/content_encoding.c > patching file lib/urldata.h > patching file tests/data/Makefile.inc > Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines). > patching file tests/data/test418 > > Please send v2 which corrects this. > > Thanks! > > Steve > > > > Link: https://curl.se/docs/CVE-2023-23916.html > > > > Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> > > Signed-off-by: Pawan Badganchi <badganchipv@gmail.com> > > --- > > .../curl/curl/CVE-2023-23916.patch | 222 ++++++++++++++++++ > > meta/recipes-support/curl/curl_7.82.0.bb | 1 + > > 2 files changed, 223 insertions(+) > > create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch > > > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch > b/meta/recipes-support/curl/curl/CVE-2023-23916.patch > > new file mode 100644 > > index 0000000000..6a1be173cd > > --- /dev/null > > +++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch 
> > @@ -0,0 +1,222 @@ > > +Backport of: > > + > > +From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001 > > +From: Patrick Monnerat <patrick@monnerat.net> > > +Date: Mon, 13 Feb 2023 08:33:09 +0100 > > +Subject: [PATCH] content_encoding: do not reset stage counter for each > header > > + > > +Test 418 verifies > > + > > +Closes #10492 > > + > > +CVE: CVE-2023-23916 > > +Upstream-Status: Backport [ > https://github.com/curl/curl/commit/119fb187192a9ea13dc.patch] > > +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> > > +--- > > + lib/content_encoding.c | 7 +- > > + lib/urldata.h | 1 + > > + tests/data/Makefile.inc | 2 +- > > + tests/data/test387 | 2 +- > > + tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ > > + 5 files changed, 158 insertions(+), 6 deletions(-) > > + create mode 100644 tests/data/test418 > > + > > +--- a/lib/content_encoding.c > > ++++ b/lib/content_encoding.c > > +@@ -1035,7 +1035,6 @@ CURLcode Curl_build_unencoding_stack(str > > + const char *enclist, int > maybechunked) > > + { > > + struct SingleRequest *k = &data->req; > > +- int counter = 0; > > + > > + do { > > + const char *name; > > +@@ -1070,9 +1069,9 @@ CURLcode Curl_build_unencoding_stack(str > > + if(!encoding) > > + encoding = &error_encoding; /* Defer error at stack use. */ > > + > > +- if(++counter >= MAX_ENCODE_STACK) { > > +- failf(data, "Reject response due to %u content encodings", > > +- counter); > > ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { > > ++ failf(data, "Reject response due to more than %u content > encodings", > > ++ MAX_ENCODE_STACK); > > + return CURLE_BAD_CONTENT_ENCODING; > > + } > > + /* Stack the unencoding stage. */ > > +--- a/lib/urldata.h > > ++++ b/lib/urldata.h > > +@@ -708,6 +708,7 @@ struct SingleRequest { > > + struct dohdata *doh; /* DoH specific data for this request */ > > + #endif > > + unsigned char setcookies; > > ++ unsigned char writer_stack_depth; /* Unencoding stack depth. 
*/ > > + BIT(header); /* incoming data has HTTP header */ > > + BIT(content_range); /* set TRUE if Content-Range: was found */ > > + BIT(upload_done); /* set to TRUE when doing chunked > transfer-encoding > > +--- a/tests/data/Makefile.inc > > ++++ b/tests/data/Makefile.inc > > +@@ -66,7 +66,7 @@ test370 test371 \ > > + test392 test393 test394 test395 test396 test397 \ > > + \ > > + test400 test401 test402 test403 test404 test405 test406 test407 > test408 \ > > +-test409 test410 \ > > ++test409 test410 test418 \ > > + \ > > + test430 test431 test432 test433 test434 test435 test446 \ > > + \ > > +--- /dev/null > > ++++ b/tests/data/test418 > > +@@ -0,0 +1,152 @@ > > ++<testcase> > > ++<info> > > ++<keywords> > > ++HTTP > > ++gzip > > ++</keywords> > > ++</info> > > ++ > > ++# > > ++# Server-side > > ++<reply> > > ++<data nocheck="yes"> > > ++HTTP/1.1 200 OK > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > 
++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++ > > ++-foo- > > ++</data> > > ++</reply> > > ++ > > ++# > > ++# Client-side > > ++<client> > > ++<server> 
> > ++http > > ++</server> > > ++ <name> > > ++Response with multiple Transfer-Encoding headers > > ++ </name> > > ++ <command> > > ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS > > ++</command> > > ++</client> > > ++ > > ++# > > ++# Verify data after the test has been "shot" > > ++<verify> > > ++<protocol crlf="yes"> > > ++GET /%TESTNUMBER HTTP/1.1 > > ++Host: %HOSTIP:%HTTPPORT > > ++User-Agent: curl/%VERSION > > ++Accept: */* > > ++ > > ++</protocol> > > ++ > > ++# CURLE_BAD_CONTENT_ENCODING is 61 > > ++<errorcode> > > ++61 > > ++</errorcode> > > ++<stderr mode="text"> > > ++curl: (61) Reject response due to more than 5 content encodings > > ++</stderr> > > ++</verify> > > ++</testcase> > > diff --git a/meta/recipes-support/curl/curl_7.82.0.bb > b/meta/recipes-support/curl/curl_7.82.0.bb > > index b583060889..945745cdde 100644 > > --- a/meta/recipes-support/curl/curl_7.82.0.bb > > +++ b/meta/recipes-support/curl/curl_7.82.0.bb > > @@ -39,6 +39,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ > > file://CVE-2023-23914_5-3.patch \ > > file://CVE-2023-23914_5-4.patch \ > > file://CVE-2023-23914_5-5.patch \ > > + file://CVE-2023-23916.patch \ > > " > > SRC_URI[sha256sum] = > "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" > > > > -- > > 2.38.1 > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#179016): > https://lists.openembedded.org/g/openembedded-core/message/179016 > > Mute This Topic: https://lists.openembedded.org/mt/97818991/3620601 > > Group Owner: openembedded-core+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > steve@sakoman.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > >
Hello Steve, Could you please build this patch together with the patch below? This is the latest version; please ignore the previously sent patches. https://lists.openembedded.org/g/openembedded-core/message/179015
On Tue, Mar 28, 2023 at 9:38 PM Pawan Badganchi <badganchipv@gmail.com> wrote: > > Hello steve, > Could you please build this patch with below patch. This is the latest version and please ignore previous sent patches. > > https://lists.openembedded.org/g/openembedded-core/message/179015 We have the following patch in kirkstone already: https://git.yoctoproject.org/poky/commit/?h=kirkstone&id=64eba948a9794c4f37d2473ad2bc3a17db2c3766 Once a patch has been merged it is too late to send a new version. At this point your options are: 1. Send a correction to the above patch with an explanation in the commit message as to why it is necessary. 2. Send a series which includes a revert of the above patch (again with explanation as to why it is necessary) along with the revised patch. Steve > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#179265): https://lists.openembedded.org/g/openembedded-core/message/179265 > Mute This Topic: https://lists.openembedded.org/mt/97818991/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hi steve, I am talking about this cve *CVE-2023-23916*. Could you please build this patch with below patch. https://lists.openembedded.org/g/openembedded-core/message/179015
On Mon, Apr 3, 2023 at 03:34 AM, Pawan Badganchi wrote: > > Hi steve, > I am talking about this cve *CVE-2023-23916*. > > Could you please build this patch Hi steve, I am talking about this cve CVE-2023-23916. Could you please build this patch as CVE-2023-23914, CVE-2023-23915 patches are already present on upstream kirkstone branch.
On Mon, Apr 3, 2023 at 12:41 AM Pawan Badganchi <badganchipv@gmail.com> wrote: > > On Mon, Apr 3, 2023 at 03:34 AM, Pawan Badganchi wrote: > > Hi steve, > I am talking about this cve CVE-2023-23916. > > Could you please build this patch > > Hi steve, > I am talking about this cve CVE-2023-23916. > > Could you please build this patch as CVE-2023-23914, CVE-2023-23915 patches are already present on upstream kirkstone branch. As I mentioned in: https://lists.openembedded.org/g/openembedded-core/message/179016 the reason I have not taken this patch is that it has fuzz errors: WARNING: curl-native-7.82.0-r0 do_patch: Fuzz detected: Applying patch CVE-2023-23916.patch patching file lib/content_encoding.c patching file lib/urldata.h patching file tests/data/Makefile.inc Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines). patching file tests/data/test418 Please submit a v2 with this fixed and I can then take the patch. Thanks! Steve
Hi Steve, This patch depends on the patch below; if you build with that patch applied, it will not give the fuzz error. You no longer need to take that patch, because it is already available in kirkstone. Could you please build once again? I think the fuzz error will not occur. https://lists.openembedded.org/g/openembedded-core/message/179015
Hi Pawan, Please do a fresh clone of kirkstone. Note that "curl: Add fix for CVE-2023-23914, CVE-2023-23915" is present. Apply this patch. Note the fuzz error. Steve On Mon, Apr 3, 2023 at 5:22 AM Pawan Badganchi <badganchipv@gmail.com> wrote: > > Hi steve, > This patch is depends on below patch, if u build with this patch it will not give fuzz error. > You no need to take this patch also now because in kirkstone it is already available. > Could you please build once again, i think fuz error will not get. > > https://lists.openembedded.org/g/openembedded-core/message/179015 > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#179639): https://lists.openembedded.org/g/openembedded-core/message/179639 > Mute This Topic: https://lists.openembedded.org/mt/97818991/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hi Steve, I have cloned kirkstone and applied this patch. Please find the attached screenshots below. Could you please build again? It will build for sure.
On Mon, Apr 3, 2023 at 5:45 AM Pawan Badganchi <badganchipv@gmail.com> wrote: > > Hi Steve, > I have cloned kirkstone and applied this patch. Please find the attached screenshots below. > Could you please build again, it will get build for sure. You didn't actually try to build curl! Please do a 'bitbake curl' and you will see the fuzz error. Steve > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#179641): https://lists.openembedded.org/g/openembedded-core/message/179641 > Mute This Topic: https://lists.openembedded.org/mt/97818991/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hi Steve, I have built with `bitbake curl` and it built with no fuzz warnings. Could you please build again? Please find the attached screenshot below.
> Could you please build again OK, but as expected it still fails! steve@hexa ~/test $ git clone https://git.yoctoproject.org/poky Cloning into 'poky'... remote: Enumerating objects: 598292, done. remote: Counting objects: 100% (607/607), done. remote: Compressing objects: 100% (329/329), done. remote: Total 598292 (delta 412), reused 338 (delta 274), pack-reused 597685 Receiving objects: 100% (598292/598292), 190.71 MiB | 11.72 MiB/s, done. Resolving deltas: 100% (435720/435720), done. steve@hexa ~/test $ cd poky/ steve@hexa ~/test/poky (master) $ git checkout origin/kirkstone Note: switching to 'origin/kirkstone'. <snip> HEAD is now at 407c3e0237 systemd: fix wrong nobody-group assignment steve@hexa ~/test/poky ((HEAD detached at origin/kirkstone)) $ git am -3 ~/Downloads/meta-kirkstone-2-2-curl-Add-fix-for-CVE-2023-23916.patch Applying: curl: Add fix for CVE-2023-23916 steve@hexa ~/test/poky ((HEAD detached from origin/kirkstone)) $ source oe-init-build-env <snip> steve@hexa ~/test/poky/build ((HEAD detached from origin/kirkstone)) $ bitbake curl Loading cache: 100% | | ETA: --:--:-- Loaded 0 entries from dependency cache. Parsing recipes: 100% |########################################################################################################################################################################################################################################################################################| Time: 0:00:19 Parsing of 882 .bb files complete (0 cached, 882 parsed). 1642 targets, 44 skipped, 0 masked, 0 errors. 
NOTE: Resolving any missing task queue dependencies Build Configuration: BB_VERSION = "2.0.0" BUILD_SYS = "x86_64-linux" NATIVELSBSTRING = "ubuntu-22.04" TARGET_SYS = "x86_64-poky-linux" MACHINE = "qemux86-64" DISTRO = "poky" DISTRO_VERSION = "4.0.8" TUNE_FEATURES = "m64 core2" TARGET_FPU = "" meta meta-poky meta-yocto-bsp = "HEAD:005e7dbceb28cc9925e5756d8828c898f0761bdc" NOTE: Fetching uninative binary shim http://downloads.yoctoproject.org/releases/uninative/3.7/x86_64-nativesdk-libc-3.7.tar.xz;sha256sum=b110bf2e10fe420f5ca2f3ec55f048ee5f0a54c7e34856a3594e51eb2aea0570 (will check PREMIRRORS first) Initialising tasks: 100% |#####################################################################################################################################################################################################################################################################################| Time: 0:00:01 Sstate summary: Wanted 186 Local 0 Mirrors 0 Missed 186 Current 0 (0% match, 0% complete) NOTE: Executing Tasks WARNING: curl-native-7.82.0-r0 do_patch: Fuzz detected: Applying patch CVE-2023-23916.patch patching file lib/content_encoding.c patching file lib/urldata.h patching file tests/data/Makefile.inc Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines). patching file tests/data/test418 The context lines in the patches can be updated with devtool: devtool modify curl-native devtool finish --force-patch-refresh curl-native <layer_path> Don't forget to review changes done by devtool! WARNING: curl-native-7.82.0-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz] WARNING: curl-7.82.0-r0 do_patch: Fuzz detected: Applying patch CVE-2023-23916.patch patching file lib/content_encoding.c patching file lib/urldata.h patching file tests/data/Makefile.inc Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines). 
patching file tests/data/test418 The context lines in the patches can be updated with devtool: devtool modify curl devtool finish --force-patch-refresh curl <layer_path> Don't forget to review changes done by devtool! WARNING: curl-7.82.0-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz] NOTE: Tasks Summary: Attempted 746 tasks of which 0 didn't need to be rerun and all succeeded. Summary: There were 4 WARNING messages. On Mon, Apr 3, 2023 at 7:00 AM Pawan Badganchi <badganchipv@gmail.com> wrote: > > Hi Steve, > I have built with bitbake curl, it got built with no fuzz warnings. > Could you please build again. Please find the attached screenshot below. > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#179647): https://lists.openembedded.org/g/openembedded-core/message/179647 > Mute This Topic: https://lists.openembedded.org/mt/97818991/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
FWIW: I was building from contrib/stable/kirkstone-nut today and I'm seeing the same as Steve: meta = "stable/kirkstone-nut:14a050c06f25ac643582223ea29abee744cf74ea" ... ERROR: curl-native-7.82.0-r0 do_patch: Fuzz detected: Applying patch CVE-2023-23916.patch patching file lib/content_encoding.c patching file lib/urldata.h patching file tests/data/Makefile.inc Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines). patching file tests/data/test418 The context lines in the patches can be updated with devtool: devtool modify curl-native devtool finish --force-patch-refresh curl-native <layer_path> Don't forget to review changes done by devtool! ERROR: curl-native-7.82.0-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz] It might be useful if you compare your local MyTopic14 with 14a050c06f25ac643582223ea29abee744cf74ea in oe-core-contrib to see the diff. On Mon, Apr 3, 2023 at 7:45 PM Steve Sakoman <steve@sakoman.com> wrote: > > Could you please build again > > OK, but as expected it still fails! > > steve@hexa ~/test $ git clone https://git.yoctoproject.org/poky > Cloning into 'poky'... > remote: Enumerating objects: 598292, done. > remote: Counting objects: 100% (607/607), done. > remote: Compressing objects: 100% (329/329), done. > remote: Total 598292 (delta 412), reused 338 (delta 274), pack-reused > 597685 > Receiving objects: 100% (598292/598292), 190.71 MiB | 11.72 MiB/s, done. > Resolving deltas: 100% (435720/435720), done. > > steve@hexa ~/test $ cd poky/ > > steve@hexa ~/test/poky (master) $ git checkout origin/kirkstone > Note: switching to 'origin/kirkstone'. 
> <snip> > HEAD is now at 407c3e0237 systemd: fix wrong nobody-group assignment > > steve@hexa ~/test/poky ((HEAD detached at origin/kirkstone)) $ git am > -3 ~/Downloads/meta-kirkstone-2-2-curl-Add-fix-for-CVE-2023-23916.patch > Applying: curl: Add fix for CVE-2023-23916 > > steve@hexa ~/test/poky ((HEAD detached from origin/kirkstone)) $ > source oe-init-build-env > <snip> > > steve@hexa ~/test/poky/build ((HEAD detached from origin/kirkstone)) $ > bitbake curl > Loading cache: 100% | > > > > | ETA: --:--:-- > Loaded 0 entries from dependency cache. > Parsing recipes: 100% > > |########################################################################################################################################################################################################################################################################################| > Time: 0:00:19 > Parsing of 882 .bb files complete (0 cached, 882 parsed). 1642 > targets, 44 skipped, 0 masked, 0 errors. > NOTE: Resolving any missing task queue dependencies > > Build Configuration: > BB_VERSION = "2.0.0" > BUILD_SYS = "x86_64-linux" > NATIVELSBSTRING = "ubuntu-22.04" > TARGET_SYS = "x86_64-poky-linux" > MACHINE = "qemux86-64" > DISTRO = "poky" > DISTRO_VERSION = "4.0.8" > TUNE_FEATURES = "m64 core2" > TARGET_FPU = "" > meta > meta-poky > meta-yocto-bsp = "HEAD:005e7dbceb28cc9925e5756d8828c898f0761bdc" > > NOTE: Fetching uninative binary shim > > http://downloads.yoctoproject.org/releases/uninative/3.7/x86_64-nativesdk-libc-3.7.tar.xz;sha256sum=b110bf2e10fe420f5ca2f3ec55f048ee5f0a54c7e34856a3594e51eb2aea0570 > (will check PREMIRRORS first) > Initialising tasks: 100% > > |#####################################################################################################################################################################################################################################################################################| > Time: 0:00:01 > Sstate summary: Wanted 186 
Local 0 Mirrors 0 Missed 186 Current 0 (0% > match, 0% complete) > NOTE: Executing Tasks > WARNING: curl-native-7.82.0-r0 do_patch: Fuzz detected: > > Applying patch CVE-2023-23916.patch > patching file lib/content_encoding.c > patching file lib/urldata.h > patching file tests/data/Makefile.inc > Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines). > patching file tests/data/test418 > > > The context lines in the patches can be updated with devtool: > > devtool modify curl-native > devtool finish --force-patch-refresh curl-native <layer_path> > > Don't forget to review changes done by devtool! > > WARNING: curl-native-7.82.0-r0 do_patch: QA Issue: Patch log indicates > that patches do not apply cleanly. [patch-fuzz] > WARNING: curl-7.82.0-r0 do_patch: Fuzz detected: > > Applying patch CVE-2023-23916.patch > patching file lib/content_encoding.c > patching file lib/urldata.h > patching file tests/data/Makefile.inc > Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines). > patching file tests/data/test418 > > > The context lines in the patches can be updated with devtool: > > devtool modify curl > devtool finish --force-patch-refresh curl <layer_path> > > Don't forget to review changes done by devtool! > > WARNING: curl-7.82.0-r0 do_patch: QA Issue: Patch log indicates that > patches do not apply cleanly. [patch-fuzz] > NOTE: Tasks Summary: Attempted 746 tasks of which 0 didn't need to be > rerun and all succeeded. > > Summary: There were 4 WARNING messages. > > On Mon, Apr 3, 2023 at 7:00 AM Pawan Badganchi <badganchipv@gmail.com> > wrote: > > > > Hi Steve, > > I have built with bitbake curl, it got built with no fuzz warnings. > > Could you please build again. Please find the attached screenshot below. > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. 
Hi Steve, I have reworked the CVE-2023-23916 patch and submitted it. Could you please take the patch below? https://lists.openembedded.org/g/openembedded-core/message/179676
diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
new file mode 100644
index 0000000000..6a1be173cd
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
@@ -0,0 +1,222 @@
+Backport of:
+
+From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 13 Feb 2023 08:33:09 +0100
+Subject: [PATCH] content_encoding: do not reset stage counter for each header
+
+Test 418 verifies
+
+Closes #10492
+
+CVE: CVE-2023-23916
+Upstream-Status: Backport [https://github.com/curl/curl/commit/119fb187192a9ea13dc.patch]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ lib/content_encoding.c | 7 +-
+ lib/urldata.h | 1 +
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test387 | 2 +-
+ tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 158 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test418
+
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -1035,7 +1035,6 @@ CURLcode Curl_build_unencoding_stack(str
+ const char *enclist, int maybechunked)
+ {
+ struct SingleRequest *k = &data->req;
+- int counter = 0;
+
+ do {
+ const char *name;
+@@ -1070,9 +1069,9 @@ CURLcode Curl_build_unencoding_stack(str
+ if(!encoding)
+ encoding = &error_encoding; /* Defer error at stack use. */
+
+- if(++counter >= MAX_ENCODE_STACK) {
+- failf(data, "Reject response due to %u content encodings",
+- counter);
++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
++ failf(data, "Reject response due to more than %u content encodings",
++ MAX_ENCODE_STACK);
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
+ /* Stack the unencoding stage. */
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -708,6 +708,7 @@ struct SingleRequest {
+ struct dohdata *doh; /* DoH specific data for this request */
+ #endif
+ unsigned char setcookies;
++ unsigned char writer_stack_depth; /* Unencoding stack depth.
*/ + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -66,7 +66,7 @@ test370 test371 \ + test392 test393 test394 test395 test396 test397 \ + \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ +-test409 test410 \ ++test409 test410 test418 \ + \ + test430 test431 test432 test433 test434 test435 test446 \ + \ +--- /dev/null ++++ b/tests/data/test418 +@@ -0,0 +1,152 @@ ++<testcase> ++<info> ++<keywords> ++HTTP ++gzip ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++<data nocheck="yes"> ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip 
++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++ ++-foo- ++</data> ++</reply> ++ ++# ++# Client-side ++<client> ++<server> ++http ++</server> ++ <name> ++Response with multiple Transfer-Encoding headers ++ </name> ++ <command> ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++</command> ++</client> ++ ++# ++# Verify data after the test has been "shot" ++<verify> ++<protocol crlf="yes"> ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++</protocol> ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++<errorcode> ++61 ++</errorcode> ++<stderr mode="text"> ++curl: (61) Reject response due to more than 5 content encodings ++</stderr> ++</verify> 
++</testcase>
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index b583060889..945745cdde 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -39,6 +39,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
 file://CVE-2023-23914_5-3.patch \
 file://CVE-2023-23914_5-4.patch \
 file://CVE-2023-23914_5-5.patch \
+ file://CVE-2023-23916.patch \
 "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
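Review bot: The backported content_encoding.c hunk moves the encoding counter into `k->writer_stack_depth` but nothing in this patch ever resets that field, so unless the 7.82.0 tree zeroes `struct SingleRequest` before every transfer (which the upstream change appears to rely on), the depth would accumulate across requests on a reused easy handle and later responses could be rejected with `CURLE_BAD_CONTENT_ENCODING` even with a single encoding; please confirm where the request state is reinitialised in this version before merging. The embedded header also claims `5 files changed` and lists `tests/data/test387 | 2 +-`, yet the patch body carries only content_encoding.c, urldata.h, Makefile.inc and test418, so the stale upstream diffstat should be regenerated or dropped to match the backport's actual content. A one-line note in the header, e.g. `Backport drops the upstream tests/data/test387 change, which does not apply to 7.82.0`, would make that omission deliberate rather than accidental, assuming that is the reason.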