diff mbox series

[dunfell,1/2] curl: Fix CVE CVE-2022-43552

Message ID 20230310095402.85948-1-andrej.valek@siemens.com
State New, archived
Headers show
Series [dunfell,1/2] curl: Fix CVE CVE-2022-43552 | expand

Commit Message

Andrej Valek March 10, 2023, 9:54 a.m. UTC
https://curl.se/docs/CVE-2022-43552.html

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 .../curl/curl/CVE-2022-43552.patch            | 79 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |  1 +
 2 files changed, 80 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-43552.patch
diff mbox series

Patch

diff --git a/meta/recipes-support/curl/curl/CVE-2022-43552.patch b/meta/recipes-support/curl/curl/CVE-2022-43552.patch
new file mode 100644
index 0000000000..7dc7dfa5ae
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-43552.patch
@@ -0,0 +1,79 @@ 
+From 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+
+CVE: CVE-2022-43552
+Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+---
+ lib/smb.c    | 14 ++------------
+ lib/telnet.c |  3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 2cfe041dff072..48d5a2fe006d5 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -61,8 +61,6 @@ static CURLcode smb_connect(struct conne
+ static CURLcode smb_connection_state(struct connectdata *conn, bool *done);
+ static CURLcode smb_do(struct connectdata *conn, bool *done);
+ static CURLcode smb_request_state(struct connectdata *conn, bool *done);
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+-                         bool premature);
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead);
+ static int smb_getsock(struct connectdata *conn, curl_socket_t *socks);
+ static CURLcode smb_parse_url_path(struct connectdata *conn);
+@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_s
+   "SMB",                                /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
++  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -99,7 +97,7 @@ const struct Curl_handler Curl_handler_s
+   "SMBS",                               /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
++  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -919,14 +917,6 @@ static CURLcode smb_request_state(struct
+   return CURLE_OK;
+ }
+ 
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+-                         bool premature)
+-{
+-  (void) premature;
+-  Curl_safefree(conn->data->req.protop);
+-  return status;
+-}
+-
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead)
+ {
+   struct smb_conn *smbc = &conn->proto.smbc;
+diff -Naurp curl-7.69.1.orig/lib/telnet.c curl-7.69.1/lib/telnet.c
+--- curl-7.69.1.orig/lib/telnet.c	2020-03-09 16:31:01.000000000 +0100
++++ curl-7.69.1/lib/telnet.c	2023-03-10 10:35:27.978378949 +0100
+@@ -1290,8 +1290,6 @@ static CURLcode telnet_done(struct conne
+   curl_slist_free_all(tn->telnet_vars);
+   tn->telnet_vars = NULL;
+ 
+-  Curl_safefree(conn->data->req.protop);
+-
+   return CURLE_OK;
+ }
+ 
\ No newline at end of file
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 63faae6296..899daf8eac 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -41,6 +41,7 @@  SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2022-35252.patch \
            file://CVE-2022-32221.patch \
            file://CVE-2022-35260.patch \
+           file://CVE-2022-43552.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"