diff mbox series

[meta,kirkstone,2/2] curl: Add fix for CVE-2023-23916

Message ID 20230324075700.22155-2-badganchipv@gmail.com
State New, archived
Headers show
Series [meta,kirkstone,1/2] curl: Add fix for CVE-2023-23914, CVE-2023-23915 | expand

Commit Message

Pawan Badganchi March 24, 2023, 7:57 a.m. UTC 
From: Pawan Badganchi <badganchipv@gmail.com>

Add below patch to fix CVE-2023-23916

CVE-2023-23916.patch

Link: https://curl.se/docs/CVE-2023-23916.html

Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
Signed-off-by: Pawan Badganchi <badganchipv@gmail.com>
---
 .../curl/curl/CVE-2023-23916.patch            | 222 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   1 +
 2 files changed, 223 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch

Comments

Steve Sakoman March 24, 2023, 3:39 p.m. UTC | #1 
On Thu, Mar 23, 2023 at 9:57 PM Pawan Badganchi <badganchipv@gmail.com> wrote:
>
> From: Pawan Badganchi <badganchipv@gmail.com>
>
> Add below patch to fix CVE-2023-23916
>
> CVE-2023-23916.patch

I'm getting fuzz errors with this patch:

Applying patch CVE-2023-23916.patch
patching file lib/content_encoding.c
patching file lib/urldata.h
patching file tests/data/Makefile.inc
Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines).
patching file tests/data/test418

Please send v2 which corrects this.

Thanks!

Steve
>
> Link: https://curl.se/docs/CVE-2023-23916.html
>
> Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
> Signed-off-by: Pawan Badganchi <badganchipv@gmail.com>
> ---
>  .../curl/curl/CVE-2023-23916.patch            | 222 ++++++++++++++++++
>  meta/recipes-support/curl/curl_7.82.0.bb      |   1 +
>  2 files changed, 223 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
> new file mode 100644
> index 0000000000..6a1be173cd
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
> @@ -0,0 +1,222 @@
> +Backport of:
> +
> +From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001
> +From: Patrick Monnerat <patrick@monnerat.net>
> +Date: Mon, 13 Feb 2023 08:33:09 +0100
> +Subject: [PATCH] content_encoding: do not reset stage counter for each header
> +
> +Test 418 verifies
> +
> +Closes #10492
> +
> +CVE: CVE-2023-23916
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/119fb187192a9ea13dc.patch]
> +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
> +---
> + lib/content_encoding.c  |   7 +-
> + lib/urldata.h           |   1 +
> + tests/data/Makefile.inc |   2 +-
> + tests/data/test387      |   2 +-
> + tests/data/test418      | 152 ++++++++++++++++++++++++++++++++++++++++
> + 5 files changed, 158 insertions(+), 6 deletions(-)
> + create mode 100644 tests/data/test418
> +
> +--- a/lib/content_encoding.c
> ++++ b/lib/content_encoding.c
> +@@ -1035,7 +1035,6 @@ CURLcode Curl_build_unencoding_stack(str
> +                                      const char *enclist, int maybechunked)
> + {
> +   struct SingleRequest *k = &data->req;
> +-  int counter = 0;
> +
> +   do {
> +     const char *name;
> +@@ -1070,9 +1069,9 @@ CURLcode Curl_build_unencoding_stack(str
> +       if(!encoding)
> +         encoding = &error_encoding;  /* Defer error at stack use. */
> +
> +-      if(++counter >= MAX_ENCODE_STACK) {
> +-        failf(data, "Reject response due to %u content encodings",
> +-              counter);
> ++      if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
> ++        failf(data, "Reject response due to more than %u content encodings",
> ++              MAX_ENCODE_STACK);
> +         return CURLE_BAD_CONTENT_ENCODING;
> +       }
> +       /* Stack the unencoding stage. */
> +--- a/lib/urldata.h
> ++++ b/lib/urldata.h
> +@@ -708,6 +708,7 @@ struct SingleRequest {
> +   struct dohdata *doh; /* DoH specific data for this request */
> + #endif
> +   unsigned char setcookies;
> ++  unsigned char writer_stack_depth; /* Unencoding stack depth. */
> +   BIT(header);        /* incoming data has HTTP header */
> +   BIT(content_range); /* set TRUE if Content-Range: was found */
> +   BIT(upload_done);   /* set to TRUE when doing chunked transfer-encoding
> +--- a/tests/data/Makefile.inc
> ++++ b/tests/data/Makefile.inc
> +@@ -66,7 +66,7 @@ test370 test371 \
> + test392 test393 test394 test395 test396 test397 \
> + \
> + test400 test401 test402 test403 test404 test405 test406 test407 test408 \
> +-test409 test410 \
> ++test409 test410 test418 \
> + \
> + test430 test431 test432 test433 test434 test435 test446 \
> + \
> +--- /dev/null
> ++++ b/tests/data/test418
> +@@ -0,0 +1,152 @@
> ++<testcase>
> ++<info>
> ++<keywords>
> ++HTTP
> ++gzip
> ++</keywords>
> ++</info>
> ++
> ++#
> ++# Server-side
> ++<reply>
> ++<data nocheck="yes">
> ++HTTP/1.1 200 OK
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++
> ++-foo-
> ++</data>
> ++</reply>
> ++
> ++#
> ++# Client-side
> ++<client>
> ++<server>
> ++http
> ++</server>
> ++ <name>
> ++Response with multiple Transfer-Encoding headers
> ++ </name>
> ++ <command>
> ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
> ++</command>
> ++</client>
> ++
> ++#
> ++# Verify data after the test has been "shot"
> ++<verify>
> ++<protocol crlf="yes">
> ++GET /%TESTNUMBER HTTP/1.1
> ++Host: %HOSTIP:%HTTPPORT
> ++User-Agent: curl/%VERSION
> ++Accept: */*
> ++
> ++</protocol>
> ++
> ++# CURLE_BAD_CONTENT_ENCODING is 61
> ++<errorcode>
> ++61
> ++</errorcode>
> ++<stderr mode="text">
> ++curl: (61) Reject response due to more than 5 content encodings
> ++</stderr>
> ++</verify>
> ++</testcase>
> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
> index b583060889..945745cdde 100644
> --- a/meta/recipes-support/curl/curl_7.82.0.bb
> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> @@ -39,6 +39,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
>             file://CVE-2023-23914_5-3.patch \
>             file://CVE-2023-23914_5-4.patch \
>             file://CVE-2023-23914_5-5.patch \
> +           file://CVE-2023-23916.patch \
>             "
>  SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
>
> --
> 2.38.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#179016): https://lists.openembedded.org/g/openembedded-core/message/179016
> Mute This Topic: https://lists.openembedded.org/mt/97818991/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Pawan Badganchi March 24, 2023, 3:45 p.m. UTC | #2 
Hello Steve,
Could you please build again including CVE-2023-23914 And CVE-2023-23195.

On Fri, 24 Mar, 2023, 9:10 pm Steve Sakoman, <steve@sakoman.com> wrote:

> On Thu, Mar 23, 2023 at 9:57 PM Pawan Badganchi <badganchipv@gmail.com>
> wrote:
> >
> > From: Pawan Badganchi <badganchipv@gmail.com>
> >
> > Add below patch to fix CVE-2023-23916
> >
> > CVE-2023-23916.patch
>
> I'm getting fuzz errors with this patch:
>
> Applying patch CVE-2023-23916.patch
> patching file lib/content_encoding.c
> patching file lib/urldata.h
> patching file tests/data/Makefile.inc
> Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines).
> patching file tests/data/test418
>
> Please send v2 which corrects this.
>
> Thanks!
>
> Steve
> >
> > Link: https://curl.se/docs/CVE-2023-23916.html
> >
> > Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
> > Signed-off-by: Pawan Badganchi <badganchipv@gmail.com>
> > ---
> >  .../curl/curl/CVE-2023-23916.patch            | 222 ++++++++++++++++++
> >  meta/recipes-support/curl/curl_7.82.0.bb      |   1 +
> >  2 files changed, 223 insertions(+)
> >  create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch
> >
> > diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch
> b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
> > new file mode 100644
> > index 0000000000..6a1be173cd
> > --- /dev/null
> > +++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
> > @@ -0,0 +1,222 @@
> > +Backport of:
> > +
> > +From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001
> > +From: Patrick Monnerat <patrick@monnerat.net>
> > +Date: Mon, 13 Feb 2023 08:33:09 +0100
> > +Subject: [PATCH] content_encoding: do not reset stage counter for each
> header
> > +
> > +Test 418 verifies
> > +
> > +Closes #10492
> > +
> > +CVE: CVE-2023-23916
> > +Upstream-Status: Backport [
> https://github.com/curl/curl/commit/119fb187192a9ea13dc.patch]
> > +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
> > +---
> > + lib/content_encoding.c  |   7 +-
> > + lib/urldata.h           |   1 +
> > + tests/data/Makefile.inc |   2 +-
> > + tests/data/test387      |   2 +-
> > + tests/data/test418      | 152 ++++++++++++++++++++++++++++++++++++++++
> > + 5 files changed, 158 insertions(+), 6 deletions(-)
> > + create mode 100644 tests/data/test418
> > +
> > +--- a/lib/content_encoding.c
> > ++++ b/lib/content_encoding.c
> > +@@ -1035,7 +1035,6 @@ CURLcode Curl_build_unencoding_stack(str
> > +                                      const char *enclist, int
> maybechunked)
> > + {
> > +   struct SingleRequest *k = &data->req;
> > +-  int counter = 0;
> > +
> > +   do {
> > +     const char *name;
> > +@@ -1070,9 +1069,9 @@ CURLcode Curl_build_unencoding_stack(str
> > +       if(!encoding)
> > +         encoding = &error_encoding;  /* Defer error at stack use. */
> > +
> > +-      if(++counter >= MAX_ENCODE_STACK) {
> > +-        failf(data, "Reject response due to %u content encodings",
> > +-              counter);
> > ++      if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
> > ++        failf(data, "Reject response due to more than %u content
> encodings",
> > ++              MAX_ENCODE_STACK);
> > +         return CURLE_BAD_CONTENT_ENCODING;
> > +       }
> > +       /* Stack the unencoding stage. */
> > +--- a/lib/urldata.h
> > ++++ b/lib/urldata.h
> > +@@ -708,6 +708,7 @@ struct SingleRequest {
> > +   struct dohdata *doh; /* DoH specific data for this request */
> > + #endif
> > +   unsigned char setcookies;
> > ++  unsigned char writer_stack_depth; /* Unencoding stack depth. */
> > +   BIT(header);        /* incoming data has HTTP header */
> > +   BIT(content_range); /* set TRUE if Content-Range: was found */
> > +   BIT(upload_done);   /* set to TRUE when doing chunked
> transfer-encoding
> > +--- a/tests/data/Makefile.inc
> > ++++ b/tests/data/Makefile.inc
> > +@@ -66,7 +66,7 @@ test370 test371 \
> > + test392 test393 test394 test395 test396 test397 \
> > + \
> > + test400 test401 test402 test403 test404 test405 test406 test407
> test408 \
> > +-test409 test410 \
> > ++test409 test410 test418 \
> > + \
> > + test430 test431 test432 test433 test434 test435 test446 \
> > + \
> > +--- /dev/null
> > ++++ b/tests/data/test418
> > +@@ -0,0 +1,152 @@
> > ++<testcase>
> > ++<info>
> > ++<keywords>
> > ++HTTP
> > ++gzip
> > ++</keywords>
> > ++</info>
> > ++
> > ++#
> > ++# Server-side
> > ++<reply>
> > ++<data nocheck="yes">
> > ++HTTP/1.1 200 OK
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++Transfer-Encoding: gzip
> > ++
> > ++-foo-
> > ++</data>
> > ++</reply>
> > ++
> > ++#
> > ++# Client-side
> > ++<client>
> > ++<server>
> > ++http
> > ++</server>
> > ++ <name>
> > ++Response with multiple Transfer-Encoding headers
> > ++ </name>
> > ++ <command>
> > ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
> > ++</command>
> > ++</client>
> > ++
> > ++#
> > ++# Verify data after the test has been "shot"
> > ++<verify>
> > ++<protocol crlf="yes">
> > ++GET /%TESTNUMBER HTTP/1.1
> > ++Host: %HOSTIP:%HTTPPORT
> > ++User-Agent: curl/%VERSION
> > ++Accept: */*
> > ++
> > ++</protocol>
> > ++
> > ++# CURLE_BAD_CONTENT_ENCODING is 61
> > ++<errorcode>
> > ++61
> > ++</errorcode>
> > ++<stderr mode="text">
> > ++curl: (61) Reject response due to more than 5 content encodings
> > ++</stderr>
> > ++</verify>
> > ++</testcase>
> > diff --git a/meta/recipes-support/curl/curl_7.82.0.bb
> b/meta/recipes-support/curl/curl_7.82.0.bb
> > index b583060889..945745cdde 100644
> > --- a/meta/recipes-support/curl/curl_7.82.0.bb
> > +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> > @@ -39,6 +39,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
> >             file://CVE-2023-23914_5-3.patch \
> >             file://CVE-2023-23914_5-4.patch \
> >             file://CVE-2023-23914_5-5.patch \
> > +           file://CVE-2023-23916.patch \
> >             "
> >  SRC_URI[sha256sum] =
> "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
> >
> > --
> > 2.38.1
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#179016):
> https://lists.openembedded.org/g/openembedded-core/message/179016
> > Mute This Topic: https://lists.openembedded.org/mt/97818991/3620601
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> steve@sakoman.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
>
Pawan Badganchi March 29, 2023, 7:38 a.m. UTC | #3 
Hello steve,
Could you please build this patch with below patch. This is the latest version and please ignore previous sent patches.

https://lists.openembedded.org/g/openembedded-core/message/179015
Steve Sakoman March 29, 2023, 2:18 p.m. UTC | #4 
On Tue, Mar 28, 2023 at 9:38 PM Pawan Badganchi <badganchipv@gmail.com> wrote:
>
> Hello steve,
> Could you please build this patch with below patch. This is the latest version and please ignore previous sent patches.
>
> https://lists.openembedded.org/g/openembedded-core/message/179015

We have the following patch in kirkstone already:

https://git.yoctoproject.org/poky/commit/?h=kirkstone&id=64eba948a9794c4f37d2473ad2bc3a17db2c3766

Once a patch has been merged it is too late to send a new version.  At
this point your options are:

1. Send a correction to the above patch with an explanation in the
commit message as to why it is necessary.
2. Send a series which includes a revert of the above patch (again
with explanation as to why it is necessary) along with the revised
patch.

Steve

> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#179265): https://lists.openembedded.org/g/openembedded-core/message/179265
> Mute This Topic: https://lists.openembedded.org/mt/97818991/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Pawan Badganchi April 3, 2023, 10:34 a.m. UTC | #5 
Hi steve,
I am talking about this cve *CVE-2023-23916*.

Could you please build this patch with below patch.
https://lists.openembedded.org/g/openembedded-core/message/179015
Pawan Badganchi April 3, 2023, 10:41 a.m. UTC | #6 
On Mon, Apr 3, 2023 at 03:34 AM, Pawan Badganchi wrote:

> 
> Hi steve,
> I am talking about this cve *CVE-2023-23916*.
> 
> Could you please build this patch

Hi steve,
I am talking about this cve CVE-2023-23916.

Could you please build this patch as CVE-2023-23914, CVE-2023-23915 patches are already present on upstream kirkstone branch.
Steve Sakoman April 3, 2023, 3:17 p.m. UTC | #7 
On Mon, Apr 3, 2023 at 12:41 AM Pawan Badganchi <badganchipv@gmail.com> wrote:
>
> On Mon, Apr 3, 2023 at 03:34 AM, Pawan Badganchi wrote:
>
> Hi steve,
> I am talking about this cve CVE-2023-23916.
>
> Could you please build this patch
>
> Hi steve,
> I am talking about this cve CVE-2023-23916.
>
> Could you please build this patch as CVE-2023-23914, CVE-2023-23915 patches are already present on upstream kirkstone branch.

As I mentioned in:

https://lists.openembedded.org/g/openembedded-core/message/179016

the reason I have not taken this patch is that it has fuzz errors:

WARNING: curl-native-7.82.0-r0 do_patch: Fuzz detected:

Applying patch CVE-2023-23916.patch
patching file lib/content_encoding.c
patching file lib/urldata.h
patching file tests/data/Makefile.inc
Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines).
patching file tests/data/test418

Please submit a v2 with this fixed and I can then take the patch.

Thanks!

Steve
Pawan Badganchi April 3, 2023, 3:22 p.m. UTC | #8 
Hi steve,
This patch is depends on below patch, if u build with this patch  it will not give fuzz error.
You no need to take this patch also now because in kirkstone it is already available.
Could you please build once again, i think fuz error will not get.

https://lists.openembedded.org/g/openembedded-core/message/179015
Steve Sakoman April 3, 2023, 3:27 p.m. UTC | #9 
Hi Pawan,

Please do a fresh clone of kirkstone.

Note that "curl: Add fix for CVE-2023-23914, CVE-2023-23915" is present.

Apply this patch.

Note the fuzz error.

Steve

On Mon, Apr 3, 2023 at 5:22 AM Pawan Badganchi <badganchipv@gmail.com> wrote:
>
> Hi steve,
> This patch is depends on below patch, if u build with this patch  it will not give fuzz error.
> You no need to take this patch also now because in kirkstone it is already available.
> Could you please build once again, i think fuz error will not get.
>
> https://lists.openembedded.org/g/openembedded-core/message/179015
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#179639): https://lists.openembedded.org/g/openembedded-core/message/179639
> Mute This Topic: https://lists.openembedded.org/mt/97818991/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Pawan Badganchi April 3, 2023, 3:44 p.m. UTC | #10 
Hi Steve,
I have cloned kirkstone and applied this patch. Please find the attached screenshots below.
Could you please build again, it will get build for sure.
Steve Sakoman April 3, 2023, 4:20 p.m. UTC | #11 
On Mon, Apr 3, 2023 at 5:45 AM Pawan Badganchi <badganchipv@gmail.com> wrote:
>
> Hi Steve,
> I have cloned kirkstone and applied this patch. Please find the attached screenshots below.
> Could you please build again, it will get build for sure.

You didn't actually try to build curl!  Please do a 'bitbake curl' and
you will see the fuzz error.

Steve



> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#179641): https://lists.openembedded.org/g/openembedded-core/message/179641
> Mute This Topic: https://lists.openembedded.org/mt/97818991/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Pawan Badganchi April 3, 2023, 5 p.m. UTC | #12 
Hi Steve,
I have built with bitbake curl, it got built with no fuzz warnings.
Could you please build again. Please find the attached screenshot  below.
Steve Sakoman April 3, 2023, 5:45 p.m. UTC | #13 
> Could you please build again

OK, but as expected it still fails!

steve@hexa ~/test $ git clone https://git.yoctoproject.org/poky
Cloning into 'poky'...
remote: Enumerating objects: 598292, done.
remote: Counting objects: 100% (607/607), done.
remote: Compressing objects: 100% (329/329), done.
remote: Total 598292 (delta 412), reused 338 (delta 274), pack-reused 597685
Receiving objects: 100% (598292/598292), 190.71 MiB | 11.72 MiB/s, done.
Resolving deltas: 100% (435720/435720), done.

steve@hexa ~/test $ cd poky/

steve@hexa ~/test/poky (master) $ git checkout origin/kirkstone
Note: switching to 'origin/kirkstone'.
<snip>
HEAD is now at 407c3e0237 systemd: fix wrong nobody-group assignment

steve@hexa ~/test/poky ((HEAD detached at origin/kirkstone)) $ git am
-3 ~/Downloads/meta-kirkstone-2-2-curl-Add-fix-for-CVE-2023-23916.patch
Applying: curl: Add fix for CVE-2023-23916

steve@hexa ~/test/poky ((HEAD detached from origin/kirkstone)) $
source oe-init-build-env
<snip>

steve@hexa ~/test/poky/build ((HEAD detached from origin/kirkstone)) $
bitbake curl
Loading cache: 100% |



                  | ETA:  --:--:--
Loaded 0 entries from dependency cache.
Parsing recipes: 100%
|########################################################################################################################################################################################################################################################################################|
Time: 0:00:19
Parsing of 882 .bb files complete (0 cached, 882 parsed). 1642
targets, 44 skipped, 0 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies

Build Configuration:
BB_VERSION           = "2.0.0"
BUILD_SYS            = "x86_64-linux"
NATIVELSBSTRING      = "ubuntu-22.04"
TARGET_SYS           = "x86_64-poky-linux"
MACHINE              = "qemux86-64"
DISTRO               = "poky"
DISTRO_VERSION       = "4.0.8"
TUNE_FEATURES        = "m64 core2"
TARGET_FPU           = ""
meta
meta-poky
meta-yocto-bsp       = "HEAD:005e7dbceb28cc9925e5756d8828c898f0761bdc"

NOTE: Fetching uninative binary shim
http://downloads.yoctoproject.org/releases/uninative/3.7/x86_64-nativesdk-libc-3.7.tar.xz;sha256sum=b110bf2e10fe420f5ca2f3ec55f048ee5f0a54c7e34856a3594e51eb2aea0570
(will check PREMIRRORS first)
Initialising tasks: 100%
|#####################################################################################################################################################################################################################################################################################|
Time: 0:00:01
Sstate summary: Wanted 186 Local 0 Mirrors 0 Missed 186 Current 0 (0%
match, 0% complete)
NOTE: Executing Tasks
WARNING: curl-native-7.82.0-r0 do_patch: Fuzz detected:

Applying patch CVE-2023-23916.patch
patching file lib/content_encoding.c
patching file lib/urldata.h
patching file tests/data/Makefile.inc
Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines).
patching file tests/data/test418


The context lines in the patches can be updated with devtool:

    devtool modify curl-native
    devtool finish --force-patch-refresh curl-native <layer_path>

Don't forget to review changes done by devtool!

WARNING: curl-native-7.82.0-r0 do_patch: QA Issue: Patch log indicates
that patches do not apply cleanly. [patch-fuzz]
WARNING: curl-7.82.0-r0 do_patch: Fuzz detected:

Applying patch CVE-2023-23916.patch
patching file lib/content_encoding.c
patching file lib/urldata.h
patching file tests/data/Makefile.inc
Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines).
patching file tests/data/test418


The context lines in the patches can be updated with devtool:

    devtool modify curl
    devtool finish --force-patch-refresh curl <layer_path>

Don't forget to review changes done by devtool!

WARNING: curl-7.82.0-r0 do_patch: QA Issue: Patch log indicates that
patches do not apply cleanly. [patch-fuzz]
NOTE: Tasks Summary: Attempted 746 tasks of which 0 didn't need to be
rerun and all succeeded.

Summary: There were 4 WARNING messages.

On Mon, Apr 3, 2023 at 7:00 AM Pawan Badganchi <badganchipv@gmail.com> wrote:
>
> Hi Steve,
> I have built with bitbake curl, it got built with no fuzz warnings.
> Could you please build again. Please find the attached screenshot  below.
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#179647): https://lists.openembedded.org/g/openembedded-core/message/179647
> Mute This Topic: https://lists.openembedded.org/mt/97818991/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Martin Jansa April 3, 2023, 11:01 p.m. UTC | #14 
FWIW: I was building from contrib/stable/kirkstone-nut today and I'm seeing
the same as Steve:

meta                 =
"stable/kirkstone-nut:14a050c06f25ac643582223ea29abee744cf74ea"
...
ERROR: curl-native-7.82.0-r0 do_patch: Fuzz detected:

Applying patch CVE-2023-23916.patch
patching file lib/content_encoding.c
patching file lib/urldata.h
patching file tests/data/Makefile.inc
Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines).
patching file tests/data/test418


The context lines in the patches can be updated with devtool:

    devtool modify curl-native
    devtool finish --force-patch-refresh curl-native <layer_path>

Don't forget to review changes done by devtool!

ERROR: curl-native-7.82.0-r0 do_patch: QA Issue: Patch log indicates that
patches do not apply cleanly. [patch-fuzz]

It might be useful if you compare your local MyTopic14
with 14a050c06f25ac643582223ea29abee744cf74ea in oe-core-contrib to see the
diff.

On Mon, Apr 3, 2023 at 7:45 PM Steve Sakoman <steve@sakoman.com> wrote:

> > Could you please build again
>
> OK, but as expected it still fails!
>
> steve@hexa ~/test $ git clone https://git.yoctoproject.org/poky
> Cloning into 'poky'...
> remote: Enumerating objects: 598292, done.
> remote: Counting objects: 100% (607/607), done.
> remote: Compressing objects: 100% (329/329), done.
> remote: Total 598292 (delta 412), reused 338 (delta 274), pack-reused
> 597685
> Receiving objects: 100% (598292/598292), 190.71 MiB | 11.72 MiB/s, done.
> Resolving deltas: 100% (435720/435720), done.
>
> steve@hexa ~/test $ cd poky/
>
> steve@hexa ~/test/poky (master) $ git checkout origin/kirkstone
> Note: switching to 'origin/kirkstone'.
> <snip>
> HEAD is now at 407c3e0237 systemd: fix wrong nobody-group assignment
>
> steve@hexa ~/test/poky ((HEAD detached at origin/kirkstone)) $ git am
> -3 ~/Downloads/meta-kirkstone-2-2-curl-Add-fix-for-CVE-2023-23916.patch
> Applying: curl: Add fix for CVE-2023-23916
>
> steve@hexa ~/test/poky ((HEAD detached from origin/kirkstone)) $
> source oe-init-build-env
> <snip>
>
> steve@hexa ~/test/poky/build ((HEAD detached from origin/kirkstone)) $
> bitbake curl
> Loading cache: 100% |
>
>
>
>                   | ETA:  --:--:--
> Loaded 0 entries from dependency cache.
> Parsing recipes: 100%
>
> |########################################################################################################################################################################################################################################################################################|
> Time: 0:00:19
> Parsing of 882 .bb files complete (0 cached, 882 parsed). 1642
> targets, 44 skipped, 0 masked, 0 errors.
> NOTE: Resolving any missing task queue dependencies
>
> Build Configuration:
> BB_VERSION           = "2.0.0"
> BUILD_SYS            = "x86_64-linux"
> NATIVELSBSTRING      = "ubuntu-22.04"
> TARGET_SYS           = "x86_64-poky-linux"
> MACHINE              = "qemux86-64"
> DISTRO               = "poky"
> DISTRO_VERSION       = "4.0.8"
> TUNE_FEATURES        = "m64 core2"
> TARGET_FPU           = ""
> meta
> meta-poky
> meta-yocto-bsp       = "HEAD:005e7dbceb28cc9925e5756d8828c898f0761bdc"
>
> NOTE: Fetching uninative binary shim
>
> http://downloads.yoctoproject.org/releases/uninative/3.7/x86_64-nativesdk-libc-3.7.tar.xz;sha256sum=b110bf2e10fe420f5ca2f3ec55f048ee5f0a54c7e34856a3594e51eb2aea0570
> (will check PREMIRRORS first)
> Initialising tasks: 100%
>
> |#####################################################################################################################################################################################################################################################################################|
> Time: 0:00:01
> Sstate summary: Wanted 186 Local 0 Mirrors 0 Missed 186 Current 0 (0%
> match, 0% complete)
> NOTE: Executing Tasks
> WARNING: curl-native-7.82.0-r0 do_patch: Fuzz detected:
>
> Applying patch CVE-2023-23916.patch
> patching file lib/content_encoding.c
> patching file lib/urldata.h
> patching file tests/data/Makefile.inc
> Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines).
> patching file tests/data/test418
>
>
> The context lines in the patches can be updated with devtool:
>
>     devtool modify curl-native
>     devtool finish --force-patch-refresh curl-native <layer_path>
>
> Don't forget to review changes done by devtool!
>
> WARNING: curl-native-7.82.0-r0 do_patch: QA Issue: Patch log indicates
> that patches do not apply cleanly. [patch-fuzz]
> WARNING: curl-7.82.0-r0 do_patch: Fuzz detected:
>
> Applying patch CVE-2023-23916.patch
> patching file lib/content_encoding.c
> patching file lib/urldata.h
> patching file tests/data/Makefile.inc
> Hunk #1 succeeded at 68 with fuzz 2 (offset 2 lines).
> patching file tests/data/test418
>
>
> The context lines in the patches can be updated with devtool:
>
>     devtool modify curl
>     devtool finish --force-patch-refresh curl <layer_path>
>
> Don't forget to review changes done by devtool!
>
> WARNING: curl-7.82.0-r0 do_patch: QA Issue: Patch log indicates that
> patches do not apply cleanly. [patch-fuzz]
> NOTE: Tasks Summary: Attempted 746 tasks of which 0 didn't need to be
> rerun and all succeeded.
>
> Summary: There were 4 WARNING messages.
>
> On Mon, Apr 3, 2023 at 7:00 AM Pawan Badganchi <badganchipv@gmail.com>
> wrote:
> >
> > Hi Steve,
> > I have built with bitbake curl, it got built with no fuzz warnings.
> > Could you please build again. Please find the attached screenshot  below.
> >
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#179648):
> https://lists.openembedded.org/g/openembedded-core/message/179648
> Mute This Topic: https://lists.openembedded.org/mt/97818991/3617156
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> Martin.Jansa@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
Pawan Badganchi April 4, 2023, 8:33 a.m. UTC | #15 
Hi steve,
I have reworked on this patch CVE-2023-23916 and submitted. Could you please take below patch.

https://lists.openembedded.org/g/openembedded-core/message/179676
diff mbox series

Patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
new file mode 100644
index 0000000000..6a1be173cd
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
@@ -0,0 +1,222 @@ 
+Backport of:
+
+From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 13 Feb 2023 08:33:09 +0100
+Subject: [PATCH] content_encoding: do not reset stage counter for each header
+
+Test 418 verifies
+
+Closes #10492
+
+CVE: CVE-2023-23916
+Upstream-Status: Backport [https://github.com/curl/curl/commit/119fb187192a9ea13dc.patch]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ lib/content_encoding.c  |   7 +-
+ lib/urldata.h           |   1 +
+ tests/data/Makefile.inc |   2 +-
+ tests/data/test387      |   2 +-
+ tests/data/test418      | 152 ++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 158 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test418
+
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -1035,7 +1035,6 @@ CURLcode Curl_build_unencoding_stack(str
+                                      const char *enclist, int maybechunked)
+ {
+   struct SingleRequest *k = &data->req;
+-  int counter = 0;
+ 
+   do {
+     const char *name;
+@@ -1070,9 +1069,9 @@ CURLcode Curl_build_unencoding_stack(str
+       if(!encoding)
+         encoding = &error_encoding;  /* Defer error at stack use. */
+ 
+-      if(++counter >= MAX_ENCODE_STACK) {
+-        failf(data, "Reject response due to %u content encodings",
+-              counter);
++      if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
++        failf(data, "Reject response due to more than %u content encodings",
++              MAX_ENCODE_STACK);
+         return CURLE_BAD_CONTENT_ENCODING;
+       }
+       /* Stack the unencoding stage. */
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -708,6 +708,7 @@ struct SingleRequest {
+   struct dohdata *doh; /* DoH specific data for this request */
+ #endif
+   unsigned char setcookies;
++  unsigned char writer_stack_depth; /* Unencoding stack depth. */
+   BIT(header);        /* incoming data has HTTP header */
+   BIT(content_range); /* set TRUE if Content-Range: was found */
+   BIT(upload_done);   /* set to TRUE when doing chunked transfer-encoding
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -66,7 +66,7 @@ test370 test371 \
+ test392 test393 test394 test395 test396 test397 \
+ \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+-test409 test410 \
++test409 test410 test418 \
+ \
+ test430 test431 test432 test433 test434 test435 test446 \
+ \
+--- /dev/null
++++ b/tests/data/test418
+@@ -0,0 +1,152 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++gzip
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 200 OK
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Response with multiple Transfer-Encoding headers
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++
++# CURLE_BAD_CONTENT_ENCODING is 61
++<errorcode>
++61
++</errorcode>
++<stderr mode="text">
++curl: (61) Reject response due to more than 5 content encodings
++</stderr>
++</verify>
++</testcase>
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index b583060889..945745cdde 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -39,6 +39,7 @@  SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2023-23914_5-3.patch \
            file://CVE-2023-23914_5-4.patch \
            file://CVE-2023-23914_5-5.patch \
+           file://CVE-2023-23916.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"