Message ID | 20230511212833.94676-1-sdoshi@mvista.com |
---|---|
State | New, archived |
Series | [dunfell,PATCHv2] curl: Security fix for CVE-2023-27534 | expand |
Hi Siddharth, Thanks for this, but I think we need a better shortlog and commit message explaining why we need this additional patch. Could you send a v3? Thanks! Steve On Thu, May 11, 2023 at 11:28 AM Siddharth <sdoshi@mvista.com> wrote: > > Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> > --- > .../curl/curl/CVE-2023-27534-pre1.patch | 44 +++++++ > .../curl/curl/CVE-2023-27534.patch | 122 +++--------------- > meta/recipes-support/curl/curl_7.69.1.bb | 1 + > 3 files changed, 61 insertions(+), 106 deletions(-) > create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch > new file mode 100644 > index 0000000000..98b25a2fe5 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch 
> @@ -0,0 +1,44 @@ > +From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001 > +From: Eric Vigeant <evigeant@gmail.com> > +Date: Wed, 2 Nov 2022 11:47:09 -0400 > +Subject: [PATCH] cur_path: do not add '/' if homedir ends with one > + > +When using SFTP and a path relative to the user home, do not add a > +trailing '/' to the user home dir if it already ends with one. > + > +Closes #9844 > + > +CVE: CVE-2023-27534 > +Note: This patch is needed to backport CVE-2023-27534 > +Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b] > + > +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> > +--- > + lib/curl_path.c | 10 +++++++--- > + 1 file changed, 7 insertions(+), 3 deletions(-) > + > +diff --git a/lib/curl_path.c b/lib/curl_path.c > +index f429634..40b92ee 100644 > +--- a/lib/curl_path.c > ++++ b/lib/curl_path.c > +@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, > + /* It is referenced to the home directory, so strip the > + leading '/' */ > + memcpy(real_path, homedir, homelen); > +- real_path[homelen] = '/'; > +- real_path[homelen + 1] = '\0'; > ++ /* Only add a trailing '/' if homedir does not end with one */ > ++ if(homelen == 0 || real_path[homelen - 1] != '/') { > ++ real_path[homelen] = '/'; > ++ homelen++; > ++ real_path[homelen] = '\0'; > ++ } > + if(working_path_len > 3) { > +- memcpy(real_path + homelen + 1, working_path + 3, > ++ memcpy(real_path + homelen, working_path + 3, > + 1 + working_path_len -3); > + } > + } > +-- > +2.24.4 > + > diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch > index aeeffd5fea..3ecd181290 100644 > --- a/meta/recipes-support/curl/curl/CVE-2023-27534.patch > +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch > @@ -3,121 +3,31 @@ 
From: Daniel Stenberg <daniel@haxx.se> > Date: Thu, 9 Mar 2023 16:22:11 +0100 > Subject: [PATCH] curl_path: create the new path with dynbuf > > +Closes #10729 > + > CVE: CVE-2023-27534 > -Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] > +Note: This patch is needed to backport CVE-2023-27534 > +Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> > --- > - lib/curl_path.c | 71 ++++++++++++++++++++++++------------------------- > - 1 file changed, 35 insertions(+), 36 deletions(-) > + lib/curl_path.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lib/curl_path.c b/lib/curl_path.c > -index f429634..e17db4b 100644 > +index 40b92ee..598c5dd 100644 > --- a/lib/curl_path.c 
> +++ b/lib/curl_path.c > -@@ -30,6 +30,8 @@ > - #include "escape.h" > - #include "memdebug.h" > - > -+#define MAX_SSHPATH_LEN 100000 /* arbitrary */ > -+ > - /* figure out the path to work with in this particular request */ > - CURLcode Curl_getworkingpath(struct connectdata *conn, > - char *homedir, /* when SFTP is used */ > -@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, > - real path to work with */ > - { > - struct Curl_easy *data = conn->data; > -- char *real_path = NULL; > - char *working_path; > - size_t working_path_len; > -+ struct dynbuf npath; > - CURLcode result = > - Curl_urldecode(data, data->state.up.path, 0, &working_path, > - &working_path_len, FALSE); > - if(result) > - return result; > - > -+ /* new path to switch to in case we need to */ > -+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); > -+ > - /* Check for /~/, indicating relative to the user's home directory */ > -- if(conn->handler->protocol & CURLPROTO_SCP) { > -- real_path = malloc(working_path_len + 1); > -- if(real_path == NULL) { > -+ if((data->conn->handler->protocol & CURLPROTO_SCP) && > -+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { > -+ /* It is referenced to the home directory, so strip the leading '/~/' */ > -+ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { > - free(working_path); > - return CURLE_OUT_OF_MEMORY; > - } > -- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) > -- /* It is referenced to the home directory, so strip the leading '/~/' */ > -- memcpy(real_path, working_path + 3, working_path_len - 2); > -- else > -- memcpy(real_path, working_path, 1 + working_path_len); > +@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, > + memcpy(real_path, working_path, 1 + working_path_len); > } > -- else if(conn->handler->protocol & CURLPROTO_SFTP) { > + else if(conn->handler->protocol & CURLPROTO_SFTP) { > - if((working_path_len > 1) && (working_path[1] == '~')) { > -- size_t 
homelen = strlen(homedir); > -- real_path = malloc(homelen + working_path_len + 1); > -- if(real_path == NULL) { > -- free(working_path); > -- return CURLE_OUT_OF_MEMORY; > -- } > -- /* It is referenced to the home directory, so strip the > -- leading '/' */ > -- memcpy(real_path, homedir, homelen); > -- real_path[homelen] = '/'; > -- real_path[homelen + 1] = '\0'; > -- if(working_path_len > 3) { > -- memcpy(real_path + homelen + 1, working_path + 3, > -- 1 + working_path_len -3); > -- } > -+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && > -+ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { > -+ size_t len; > -+ const char *p; > -+ int copyfrom = 3; > -+ if(Curl_dyn_add(&npath, homedir)) { > -+ free(working_path); > -+ return CURLE_OUT_OF_MEMORY; > - } > -- else { > -- real_path = malloc(working_path_len + 1); > -- if(real_path == NULL) { > -- free(working_path); > -- return CURLE_OUT_OF_MEMORY; > -- } > -- memcpy(real_path, working_path, 1 + working_path_len); > -+ /* Copy a separating '/' if homedir does not end with one */ > -+ len = Curl_dyn_len(&npath); > -+ p = Curl_dyn_ptr(&npath); > -+ if(len && (p[len-1] != '/')) > -+ copyfrom = 2; > -+ > -+ if(Curl_dyn_addn(&npath, > -+ &working_path[copyfrom], working_path_len - copyfrom)) { > -+ free(working_path); > -+ return CURLE_OUT_OF_MEMORY; > - } > - } > - > -- free(working_path); > -+ if(Curl_dyn_len(&npath)) { > -+ free(working_path); > - > -- /* store the pointer for the caller to receive */ > -- *path = real_path; > -+ /* store the pointer for the caller to receive */ > -+ *path = Curl_dyn_ptr(&npath); > -+ } > -+ else > -+ *path = working_path; > - > - return CURLE_OK; > - } > ++ if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { > + size_t homelen = strlen(homedir); > + real_path = malloc(homelen + working_path_len + 1); > + if(real_path == NULL) { > -- > -2.25.1 > +2.24.4 
> > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb > index 32d18ddb3a..13ec117099 100644 > --- a/meta/recipes-support/curl/curl_7.69.1.bb > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > @@ -43,6 +43,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > file://CVE-2022-35260.patch \ > file://CVE-2022-43552.patch \ > file://CVE-2023-23916.patch \ > + file://CVE-2023-27534-pre1.patch \ > file://CVE-2023-27534.patch \ > file://CVE-2023-27538.patch \ > file://CVE-2023-27533.patch \ > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#181154): https://lists.openembedded.org/g/openembedded-core/message/181154 > Mute This Topic: https://lists.openembedded.org/mt/98837360/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hi Steve, Thank-you for the feedback. I have added a better log to explain the reason for this additional patch and have sent v3. Please let me know if it works according to you. Regards, Siddharth
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
new file mode 100644
index 0000000000..98b25a2fe5
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
@@ -0,0 +1,44 @@
+From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
+From: Eric Vigeant <evigeant@gmail.com>
+Date: Wed, 2 Nov 2022 11:47:09 -0400
+Subject: [PATCH] cur_path: do not add '/' if homedir ends with one
+
+When using SFTP and a path relative to the user home, do not add a
+trailing '/' to the user home dir if it already ends with one.
+
+Closes #9844
+
+CVE: CVE-2023-27534
+Note: This patch is needed to backport CVE-2023-27534
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]
+
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ lib/curl_path.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index f429634..40b92ee 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+ /* It is referenced to the home directory, so strip the
+ leading '/' */
+ memcpy(real_path, homedir, homelen);
+- real_path[homelen] = '/';
+- real_path[homelen + 1] = '\0';
++ /* Only add a trailing '/' if homedir does not end with one */
++ if(homelen == 0 || real_path[homelen - 1] != '/') {
++ real_path[homelen] = '/';
++ homelen++;
++ real_path[homelen] = '\0';
++ }
+ if(working_path_len > 3) {
+- memcpy(real_path + homelen + 1, working_path + 3,
++ memcpy(real_path + homelen, working_path + 3,
+ 1 + working_path_len -3);
+ }
+ }
+--
+2.24.4
+
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
index aeeffd5fea..3ecd181290 100644
--- a/meta/recipes-support/curl/curl/CVE-2023-27534.patch
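Review bot: The backported pre1 hunk leaves `real_path` without a NUL terminator when `homedir` already ends in '/' and nothing follows the "/~/" prefix. The terminating write now sits inside the new `if(homelen == 0 || real_path[homelen - 1] != '/')` block, and the only other write that carries a terminator is the `memcpy` guarded by `working_path_len > 3`. Since `memcpy(real_path, homedir, homelen)` copies no terminator and the buffer comes from `malloc` (visible in the follow-up patch's context), the caller would receive an unterminated string in that case, unless code outside the hunk terminates it. Upstream's dynbuf rewrite replaced this code, but this series keeps it, so I would move the terminator out of the conditional: `real_path[homelen] = '\0';` placed after the closing `}` of the new `if`. Curl_getworkingpath starts and ends outside the hunk.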
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch @@ -3,121 +3,31 @@ From: Daniel Stenberg <daniel@haxx.se> Date: Thu, 9 Mar 2023 16:22:11 +0100 Subject: [PATCH] curl_path: create the new path with dynbuf +Closes #10729 + CVE: CVE-2023-27534 -Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] +Note: This patch is needed to backport CVE-2023-27534 +Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> --- - lib/curl_path.c | 71 ++++++++++++++++++++++++------------------------- - 1 file changed, 35 insertions(+), 36 deletions(-) + lib/curl_path.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/curl_path.c b/lib/curl_path.c -index f429634..e17db4b 100644 +index 40b92ee..598c5dd 100644 --- a/lib/curl_path.c 
+++ b/lib/curl_path.c -@@ -30,6 +30,8 @@ - #include "escape.h" - #include "memdebug.h" - -+#define MAX_SSHPATH_LEN 100000 /* arbitrary */ -+ - /* figure out the path to work with in this particular request */ - CURLcode Curl_getworkingpath(struct connectdata *conn, - char *homedir, /* when SFTP is used */ -@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, - real path to work with */ - { - struct Curl_easy *data = conn->data; -- char *real_path = NULL; - char *working_path; - size_t working_path_len; -+ struct dynbuf npath; - CURLcode result = - Curl_urldecode(data, data->state.up.path, 0, &working_path, - &working_path_len, FALSE); - if(result) - return result; - -+ /* new path to switch to in case we need to */ -+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); -+ - /* Check for /~/, indicating relative to the user's home directory */ -- if(conn->handler->protocol & CURLPROTO_SCP) { -- real_path = malloc(working_path_len + 1); -- if(real_path == NULL) { -+ if((data->conn->handler->protocol & CURLPROTO_SCP) && -+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { -+ /* It is referenced to the home directory, so strip the leading '/~/' */ -+ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { - free(working_path); - return CURLE_OUT_OF_MEMORY; - } -- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) -- /* It is referenced to the home directory, so strip the leading '/~/' */ -- memcpy(real_path, working_path + 3, working_path_len - 2); -- else -- memcpy(real_path, working_path, 1 + working_path_len); +@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, + memcpy(real_path, working_path, 1 + working_path_len); } -- else if(conn->handler->protocol & CURLPROTO_SFTP) { + else if(conn->handler->protocol & CURLPROTO_SFTP) { - if((working_path_len > 1) && (working_path[1] == '~')) { -- size_t homelen = strlen(homedir); -- real_path = malloc(homelen + working_path_len + 1); -- if(real_path == 
NULL) { -- free(working_path); -- return CURLE_OUT_OF_MEMORY; -- } -- /* It is referenced to the home directory, so strip the -- leading '/' */ -- memcpy(real_path, homedir, homelen); -- real_path[homelen] = '/'; -- real_path[homelen + 1] = '\0'; -- if(working_path_len > 3) { -- memcpy(real_path + homelen + 1, working_path + 3, -- 1 + working_path_len -3); -- } -+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && -+ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { -+ size_t len; -+ const char *p; -+ int copyfrom = 3; -+ if(Curl_dyn_add(&npath, homedir)) { -+ free(working_path); -+ return CURLE_OUT_OF_MEMORY; - } -- else { -- real_path = malloc(working_path_len + 1); -- if(real_path == NULL) { -- free(working_path); -- return CURLE_OUT_OF_MEMORY; -- } -- memcpy(real_path, working_path, 1 + working_path_len); -+ /* Copy a separating '/' if homedir does not end with one */ -+ len = Curl_dyn_len(&npath); -+ p = Curl_dyn_ptr(&npath); -+ if(len && (p[len-1] != '/')) -+ copyfrom = 2; -+ -+ if(Curl_dyn_addn(&npath, -+ &working_path[copyfrom], working_path_len - copyfrom)) { -+ free(working_path); -+ return CURLE_OUT_OF_MEMORY; - } - } - -- free(working_path); -+ if(Curl_dyn_len(&npath)) { -+ free(working_path); - -- /* store the pointer for the caller to receive */ -- *path = real_path; -+ /* store the pointer for the caller to receive */ -+ *path = Curl_dyn_ptr(&npath); -+ } -+ else -+ *path = working_path; - - return CURLE_OK; - } ++ if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { + size_t homelen = strlen(homedir); + real_path = malloc(homelen + working_path_len + 1); + if(real_path == NULL) { -- -2.25.1 +2.24.4 diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 32d18ddb3a..13ec117099 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb 
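Review bot: The reduced CVE-2023-27534.patch still carries the upstream subject "curl_path: create the new path with dynbuf" and names the upstream commit in Upstream-Status, but its new side is a single changed condition, `if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {`, with the `malloc`/`memcpy` path construction left as it was. Anyone auditing the recipe from the patch header would assume the dynbuf rewrite and its `MAX_SSHPATH_LEN` cap are present in this tree. I would add a header line such as `Note: only the stricter "/~/" prefix check is backported; the dynbuf path construction from the upstream commit is not included`, together with the reason it was dropped.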
@@ -43,6 +43,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2022-35260.patch \ file://CVE-2022-43552.patch \ file://CVE-2023-23916.patch \ + file://CVE-2023-27534-pre1.patch \ file://CVE-2023-27534.patch \ file://CVE-2023-27538.patch \ file://CVE-2023-27533.patch \