diff mbox series

[meta,kirkstone,2/2] curl: Add fix for CVE-2023-23916

Message ID 20230303075027.28236-2-badganchipv@gmail.com
State New, archived
Headers show
Series [meta,kirkstone,1/2] curl: Add fix for CVE-2023-23914, CVE-2023-23915 | expand

Commit Message

Pawan Badganchi March 3, 2023, 7:50 a.m. UTC
From: Pawan Badganchi <Pawan.Badganchi@kpit.com>

Add below patch to fix CVE-2023-23916

CVE-2023-23916.patch

Link: https://launchpad.net/ubuntu/+source/curl/7.87.0-2ubuntu2/

Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
Signed-off-by: pawan <badganchipv@gmail.com>
---
 .../curl/curl/CVE-2023-23916.patch            | 223 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   1 +
 2 files changed, 224 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch

Comments

Steve Sakoman March 14, 2023, 3:39 p.m. UTC | #1
On Thu, Mar 2, 2023 at 9:52 PM Pawan Badganchi <badganchipv@gmail.com> wrote:
>
> From: Pawan Badganchi <Pawan.Badganchi@kpit.com>
>
> Add below patch to fix CVE-2023-23916
>
> CVE-2023-23916.patch
>
> Link: https://launchpad.net/ubuntu/+source/curl/7.87.0-2ubuntu2/
>
> Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
> Signed-off-by: pawan <badganchipv@gmail.com>
> ---
>  .../curl/curl/CVE-2023-23916.patch            | 223 ++++++++++++++++++
>  meta/recipes-support/curl/curl_7.82.0.bb      |   1 +
>  2 files changed, 224 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
> new file mode 100644
> index 0000000000..4839124d5c
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
> @@ -0,0 +1,223 @@
> +Backport of:
> +
> +From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001
> +From: Patrick Monnerat <patrick@monnerat.net>
> +Date: Mon, 13 Feb 2023 08:33:09 +0100
> +Subject: [PATCH] content_encoding: do not reset stage counter for each header
> +
> +Test 418 verifies
> +
> +Closes #10492
> +
> +CVE: CVE-2023-23916
> +Upstream-Status: Backport [http://launchpadlibrarian.net/652022114/curl_7.87.0-2ubuntu1_7.87.0-2ubuntu2.diff.gz]

Launchpad is not a valid upstream for curl, please reference patches
from the actual upstream: https://github.com/curl/curl

Thanks!

Steve

> +Comment: Refreshed hunk from content_encoding.c and Makefile.inc. Removed test387 from patch as
> +it is not available in the source code.
> +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
> +---
> + lib/content_encoding.c  |   7 +-
> + lib/urldata.h           |   1 +
> + tests/data/Makefile.inc |   2 +-
> + tests/data/test387      |   2 +-
> + tests/data/test418      | 152 ++++++++++++++++++++++++++++++++++++++++
> + 5 files changed, 158 insertions(+), 6 deletions(-)
> + create mode 100644 tests/data/test418
> +
> +--- a/lib/content_encoding.c
> ++++ b/lib/content_encoding.c
> +@@ -1035,7 +1035,6 @@
> +                                      const char *enclist, int maybechunked)
> + {
> +   struct SingleRequest *k = &data->req;
> +-  int counter = 0;
> +
> +   do {
> +     const char *name;
> +@@ -1070,9 +1069,9 @@
> +       if(!encoding)
> +         encoding = &error_encoding;  /* Defer error at stack use. */
> +
> +-      if(++counter >= MAX_ENCODE_STACK) {
> +-        failf(data, "Reject response due to %u content encodings",
> +-              counter);
> ++      if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
> ++        failf(data, "Reject response due to more than %u content encodings",
> ++              MAX_ENCODE_STACK);
> +         return CURLE_BAD_CONTENT_ENCODING;
> +       }
> +       /* Stack the unencoding stage. */
> +--- a/lib/urldata.h
> ++++ b/lib/urldata.h
> +@@ -707,6 +707,7 @@ struct SingleRequest {
> +   struct dohdata *doh; /* DoH specific data for this request */
> + #endif
> +   unsigned char setcookies;
> ++  unsigned char writer_stack_depth; /* Unencoding stack depth. */
> +   BIT(header);        /* incoming data has HTTP header */
> +   BIT(content_range); /* set TRUE if Content-Range: was found */
> +   BIT(upload_done);   /* set to TRUE when doing chunked transfer-encoding
> +--- a/tests/data/Makefile.inc
> ++++ b/tests/data/Makefile.inc
> +@@ -69,6 +69,7 @@
> + \
> + test400 test401 test402 test403 test404 test405 test406 test407 test408 \
> + test409 test410 \
> ++test418 \
> + \
> + test430 test431 test432 test433 test434 test435 test436 \
> + \
> +--- /dev/null
> ++++ b/tests/data/test418
> +@@ -0,0 +1,152 @@
> ++<testcase>
> ++<info>
> ++<keywords>
> ++HTTP
> ++gzip
> ++</keywords>
> ++</info>
> ++
> ++#
> ++# Server-side
> ++<reply>
> ++<data nocheck="yes">
> ++HTTP/1.1 200 OK
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++
> ++-foo-
> ++</data>
> ++</reply>
> ++
> ++#
> ++# Client-side
> ++<client>
> ++<server>
> ++http
> ++</server>
> ++ <name>
> ++Response with multiple Transfer-Encoding headers
> ++ </name>
> ++ <command>
> ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
> ++</command>
> ++</client>
> ++
> ++#
> ++# Verify data after the test has been "shot"
> ++<verify>
> ++<protocol crlf="yes">
> ++GET /%TESTNUMBER HTTP/1.1
> ++Host: %HOSTIP:%HTTPPORT
> ++User-Agent: curl/%VERSION
> ++Accept: */*
> ++
> ++</protocol>
> ++
> ++# CURLE_BAD_CONTENT_ENCODING is 61
> ++<errorcode>
> ++61
> ++</errorcode>
> ++<stderr mode="text">
> ++curl: (61) Reject response due to more than 5 content encodings
> ++</stderr>
> ++</verify>
> ++</testcase>
> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
> index af3c4a6ce4..4600f17feb 100644
> --- a/meta/recipes-support/curl/curl_7.82.0.bb
> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> @@ -39,6 +39,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
>             file://CVE-2023-23914_5-3.patch \
>             file://CVE-2023-23914_5-4.patch \
>             file://CVE-2023-23914_5-5.patch \
> +           file://CVE-2023-23916.patch \
>             "
>  SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
>
> --
> 2.38.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#177978): https://lists.openembedded.org/g/openembedded-core/message/177978
> Mute This Topic: https://lists.openembedded.org/mt/97357910/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Pawan Badganchi March 15, 2023, 9:59 a.m. UTC | #2
Hello steve,
We have not taken patch from actual upstream because we have curl version 7.82 and in the actual upstream curl version is 7.88. So in our source code one variable is absent. Hence i had taken from launchpad. Now i have taken backport patch curl(7.81) from ubuntu trusted upstream.

https://lists.openembedded.org/g/openembedded-core/message/178529

https://lists.openembedded.org/g/openembedded-core/message/178530
diff mbox series

Patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
new file mode 100644
index 0000000000..4839124d5c
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
@@ -0,0 +1,223 @@ 
+Backport of:
+
+From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 13 Feb 2023 08:33:09 +0100
+Subject: [PATCH] content_encoding: do not reset stage counter for each header
+
+Test 418 verifies
+
+Closes #10492
+
+CVE: CVE-2023-23916
+Upstream-Status: Backport [http://launchpadlibrarian.net/652022114/curl_7.87.0-2ubuntu1_7.87.0-2ubuntu2.diff.gz]
+Comment: Refreshed hunk from content_encoding.c and Makefile.inc. Removed test387 from patch as
+it is not available in the source code.
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ lib/content_encoding.c  |   7 +-
+ lib/urldata.h           |   1 +
+ tests/data/Makefile.inc |   2 +-
+ tests/data/test387      |   2 +-
+ tests/data/test418      | 152 ++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 158 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test418
+
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -1035,7 +1035,6 @@
+                                      const char *enclist, int maybechunked)
+ {
+   struct SingleRequest *k = &data->req;
+-  int counter = 0;
+ 
+   do {
+     const char *name;
+@@ -1070,9 +1069,9 @@
+       if(!encoding)
+         encoding = &error_encoding;  /* Defer error at stack use. */
+ 
+-      if(++counter >= MAX_ENCODE_STACK) {
+-        failf(data, "Reject response due to %u content encodings",
+-              counter);
++      if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
++        failf(data, "Reject response due to more than %u content encodings",
++              MAX_ENCODE_STACK);
+         return CURLE_BAD_CONTENT_ENCODING;
+       }
+       /* Stack the unencoding stage. */
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -707,6 +707,7 @@ struct SingleRequest {
+   struct dohdata *doh; /* DoH specific data for this request */
+ #endif
+   unsigned char setcookies;
++  unsigned char writer_stack_depth; /* Unencoding stack depth. */
+   BIT(header);        /* incoming data has HTTP header */
+   BIT(content_range); /* set TRUE if Content-Range: was found */
+   BIT(upload_done);   /* set to TRUE when doing chunked transfer-encoding
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -69,6 +69,7 @@
+ \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+ test409 test410 \
++test418 \
+ \
+ test430 test431 test432 test433 test434 test435 test436 \
+ \
+--- /dev/null
++++ b/tests/data/test418
+@@ -0,0 +1,152 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++gzip
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 200 OK
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Response with multiple Transfer-Encoding headers
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++
++# CURLE_BAD_CONTENT_ENCODING is 61
++<errorcode>
++61
++</errorcode>
++<stderr mode="text">
++curl: (61) Reject response due to more than 5 content encodings
++</stderr>
++</verify>
++</testcase>
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index af3c4a6ce4..4600f17feb 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -39,6 +39,7 @@  SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2023-23914_5-3.patch \
            file://CVE-2023-23914_5-4.patch \
            file://CVE-2023-23914_5-5.patch \
+           file://CVE-2023-23916.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"