diff mbox series

[kirkstone,1/4] curl: Fix CVE-2023-28319

Message ID 20230529113246.1353022-1-bindudaniel1996@gmail.com
State Accepted, archived
Commit f7d6751828683ac2adbf140e77dbf7454cfa8eb1
Headers show
Series [kirkstone,1/4] curl: Fix CVE-2023-28319 | expand

Commit Message

Bhabu Bindu May 29, 2023, 11:32 a.m. UTC 
From: Bhabu Bindu <bhabu.bindu@kpit.com>

Add patch to fix CVE-2023-28319

UAF in SSH sha256 fingerprint check

libcurl offers a feature to verify an SSH server's public key using
a SHA 256hash. When this check fails, libcurl would free the memory
for the fingerprintbefore it returns an error message containing the
(now freed) hash.

This flaw risks inserting sensitive heap-based data into the error
message that might be shown to users or otherwise get
leaked and revealed.

Link: https://curl.se/docs/CVE-2023-28319.html

Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
---
 .../curl/curl/CVE-2023-28319.patch            | 33 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28319.patch
diff mbox series

Patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-28319.patch b/meta/recipes-support/curl/curl/CVE-2023-28319.patch
new file mode 100644
index 0000000000..c0bca9a56e
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28319.patch
@@ -0,0 +1,33 @@ 
+From 8e21b1a05f3c0ee098dbcb6c3d84cb61f102a122 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 8 May 2023 14:33:54 +0200
+Subject: [PATCH] libssh2: free fingerprint better
+
+Reported-by: Wei Chong Tan
+Closes #11088
+
+CVE: CVE-2023-28319
+Upstream-Status: Backport [https://github.com/curl/curl/commit/8e21b1a05f3c0ee098dbcb6c]
+Comments: Hunks Refreshed
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ lib/vssh/libssh2.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
+index bfcc94e160178..dd39a844c646b 100644
+--- a/lib/vssh/libssh2.c
++++ b/lib/vssh/libssh2.c
+@@ -695,11 +695,10 @@
+      */
+     if((pub_pos != b64_pos) ||
+         Curl_strncasecompare(fingerprint_b64, pubkey_sha256, pub_pos) != 1) {
+-      free(fingerprint_b64);
+-
+       failf(data,
+           "Denied establishing ssh session: mismatch sha256 fingerprint. "
+           "Remote %s is not equal to %s", fingerprint_b64, pubkey_sha256);
++      free(fingerprint_b64);
+       state(data, SSH_SESSION_FREE);
+       sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
+       return sshc->actualcode;
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 70ceb9f370..e38bf14cc4 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -45,6 +45,7 @@  SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2023-27535-pre1.patch \
            file://CVE-2023-27535_and_CVE-2023-27538.patch \
            file://CVE-2023-27536.patch \
+           file://CVE-2023-28319.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"