From: Marc Olzheim <zlo@zlo.nu>
To: openembedded-devel@lists.openembedded.org
Subject: Curl security advisory CVE-2009-2417 [PATCH]
Date: Wed, 12 Aug 2009 11:55:18 +0200 [thread overview]
Message-ID: <20090812095518.GA21131@zlo.nu> (raw)
Hi,
I'm not sure what the policy is for patch files of this type, but in
this patch I decided to add them to recipes/curl/files instead of
including the curl.haxx.se URLs in the SRC_URIs. I hope that is the
right way to do it.
The patch for 7.18.1 applies on 7.18.2 fine. Apart from applying
patches, I added 7.19.6.
Marc
[-- Attachment #1.2: curl.patch --]
[-- Type: text/x-diff, Size: 9943 bytes --]
commit aab35ef35648250da1f37e8b60574b9359dff976
Author: Marc Olzheim <marc@iphion.nl>
Date: Wed Aug 12 11:42:50 2009 +0200
Add curl 7.19.6 and fix CVE-2009-2417 for the rest
http://curl.haxx.se/docs/adv_20090812.html
diff --git a/conf/checksums.ini b/conf/checksums.ini
index 60d9729..f277e29 100644
--- a/conf/checksums.ini
+++ b/conf/checksums.ini
@@ -4390,6 +4390,10 @@ sha256=fb3436280dedbc8f8141d3841a5964c4491dd6457bc5b7123854aed0b794be86
md5=426d161661dce70c8ea9ad8f553363a3
sha256=05ad84a9c8d340917370f357ad9fdce5ea595deb11f4cb70f946fa48c7b02cd0
+[http://curl.haxx.se/download/curl-7.19.6.tar.bz2]
+md5=8402c1f654c51ad7287aad57c3aa79be
+sha256=ea88f48c8415f7d3af482e4d241277b2bdbfaffaf285e8001c88c1376cbc1021
+
[http://downloads.sourceforge.net/curlftpfs/curlftpfs-0.9.2.tar.gz]
md5=b452123f755114cd4461d56c648d9f12
sha256=4eb44739c7078ba0edde177bdd266c4cfb7c621075f47f64c85a06b12b3c6958
diff --git a/recipes/curl/curl-native_7.18.2.bb b/recipes/curl/curl-native_7.18.2.bb
index c95591b..00c6215 100644
--- a/recipes/curl/curl-native_7.18.2.bb
+++ b/recipes/curl/curl-native_7.18.2.bb
@@ -1,7 +1,9 @@
require curl-common.inc
inherit native
DEPENDS = "zlib-native"
-PR = "r1"
+PR = "r2"
+
+SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
do_stage () {
autotools_stage_all
diff --git a/recipes/curl/curl-sdk_7.18.2.bb b/recipes/curl/curl-sdk_7.18.2.bb
index 35b0d88..8c667fa 100644
--- a/recipes/curl/curl-sdk_7.18.2.bb
+++ b/recipes/curl/curl-sdk_7.18.2.bb
@@ -1,7 +1,9 @@
require curl-common.inc
inherit sdk
DEPENDS = "zlib-sdk"
-PR = "r1"
+PR = "r2"
+
+SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
do_stage () {
install -d ${STAGING_INCDIR}/curl
diff --git a/recipes/curl/curl_7.18.2.bb b/recipes/curl/curl_7.18.2.bb
index 3de6da4..2d32f6b 100644
--- a/recipes/curl/curl_7.18.2.bb
+++ b/recipes/curl/curl_7.18.2.bb
@@ -1,4 +1,6 @@
require curl-common.inc
require curl-target.inc
-PR = "r1"
+SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
+
+PR = "r2"
diff --git a/recipes/curl/curl_7.19.5.bb b/recipes/curl/curl_7.19.5.bb
index b5b6182..61914e1 100644
--- a/recipes/curl/curl_7.19.5.bb
+++ b/recipes/curl/curl_7.19.5.bb
@@ -2,5 +2,6 @@ require curl-common.inc
require curl-target.inc
SRC_URI += "file://off_t_abi_fix.patch;patch=1;pnum=0 \
- file://curl-add_all_algorithms.patch;patch=1"
-PR = "r1"
+ file://curl-add_all_algorithms.patch;patch=1 \
+ file://curl-7.19.5-CVE-2009-2417.patch;patch=1;pnum=0"
+PR = "r2"
diff --git a/recipes/curl/curl_7.19.6.bb b/recipes/curl/curl_7.19.6.bb
new file mode 100644
index 0000000..df83fe8
--- /dev/null
+++ b/recipes/curl/curl_7.19.6.bb
@@ -0,0 +1,5 @@
+require curl-common.inc
+require curl-target.inc
+
+SRC_URI += "file://off_t_abi_fix.patch;patch=1;pnum=0"
+PR = "r0"
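Review bot: The new curl_7.19.6.bb recipe lists only off_t_abi_fix.patch in SRC_URI, whereas curl_7.19.5.bb in the previous hunk also carries curl-add_all_algorithms.patch. If that patch is still needed on 7.19.6 it should be added here as `file://curl-add_all_algorithms.patch;patch=1`; if upstream 7.19.6 made it obsolete, a one-line comment saying so would stop the next reader from re-adding it. Leaving out the CVE-2009-2417 patch looks intentional, since the commit message only applies it "for the rest" and treats 7.19.6 as the fixed release.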
diff --git a/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
new file mode 100644
index 0000000..e7c24c0
--- /dev/null
+++ b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
@@ -0,0 +1,83 @@
+---
+ lib/ssluse.c | 40 +++++++++++++++++++++++++++-------------
+ 1 file changed, 27 insertions(+), 13 deletions(-)
+
+--- lib/ssluse.c.orig
++++ lib/ssluse.c
+@@ -1061,7 +1061,7 @@ static CURLcode verifyhost(struct connec
+ if(check->type == target) {
+ /* get data and length */
+ const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
+- int altlen;
++ size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
+
+ switch(target) {
+ case GEN_DNS: /* name/pattern comparison */
+@@ -1075,14 +1075,16 @@ static CURLcode verifyhost(struct connec
+ "I checked the 0.9.6 and 0.9.8 sources before my patch and
+ it always 0-terminates an IA5String."
+ */
+- if(cert_hostcheck(altptr, conn->host.name))
++ if((altlen == strlen(altptr)) &&
++ /* if this isn't true, there was an embedded zero in the name
++ string and we cannot match it. */
++ cert_hostcheck(altptr, conn->host.name))
+ matched = TRUE;
+ break;
+
+ case GEN_IPADD: /* IP address comparison */
+ /* compare alternative IP address if the data chunk is the same size
+ our server IP address is */
+- altlen = ASN1_STRING_length(check->d.ia5);
+ if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
+ matched = TRUE;
+ break;
+@@ -1122,18 +1124,27 @@ static CURLcode verifyhost(struct connec
+ string manually to avoid the problem. This code can be made
+ conditional in the future when OpenSSL has been fixed. Work-around
+ brought by Alexis S. L. Carvalho. */
+- if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
+- j = ASN1_STRING_length(tmp);
+- if(j >= 0) {
+- peer_CN = OPENSSL_malloc(j+1);
+- if(peer_CN) {
+- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+- peer_CN[j] = '\0';
++ if(tmp) {
++ if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
++ j = ASN1_STRING_length(tmp);
++ if(j >= 0) {
++ peer_CN = OPENSSL_malloc(j+1);
++ if(peer_CN) {
++ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
++ peer_CN[j] = '\0';
++ }
+ }
+ }
++ else /* not a UTF8 name */
++ j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
++
++ if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
++ /* there was a terminating zero before the end of string, this
++ cannot match and we return failure! */
++ failf(data, "SSL: illegal cert name field");
++ res = CURLE_PEER_FAILED_VERIFICATION;
++ }
+ }
+- else /* not a UTF8 name */
+- j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
+ }
+
+ if(peer_CN == nulstr)
+@@ -1151,7 +1162,10 @@ static CURLcode verifyhost(struct connec
+ }
+ #endif /* CURL_DOES_CONVERSIONS */
+
+- if(!peer_CN) {
++ if(res)
++ /* error already detected, pass through */
++ ;
++ else if(!peer_CN) {
+ failf(data,
+ "SSL: unable to obtain common name from peer certificate");
+ return CURLE_PEER_FAILED_VERIFICATION;
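Review bot: The new check `if(peer_CN && ((int)strlen((char *)peer_CN) != j))` sets `res` to CURLE_PEER_FAILED_VERIFICATION and then leans on two things outside this hunk: `res` must already be declared and initialized to CURLE_OK at the top of verifyhost, and the function's common exit must free peer_CN and return `res`, otherwise the `if(res) ;` pass-through added in the last hunk would leak the buffer or report success. The cover mail only says the 7.18.1 patch applies to 7.18.2, which says nothing about whether `res` exists in that tree, so a build of the three 7.18.2 recipes should confirm it. On the GEN_DNS path the rejection `altlen == strlen(altptr)` is silent (matched simply stays FALSE) while the CN path calls failf; a matching infof on the subjectAltName path would make a certificate rejected for an embedded NUL easier to trace in logs. The same applies to recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch below, which carries the identical change.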
diff --git a/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
new file mode 100644
index 0000000..f64232c
--- /dev/null
+++ b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
@@ -0,0 +1,80 @@
+--- lib/ssluse.c-7.19.5 2009-08-03 16:01:58.000000000 +0200
++++ lib/ssluse.c 2009-08-03 16:07:17.000000000 +0200
+@@ -1092,7 +1092,8 @@
+ if(check->type == target) {
+ /* get data and length */
+ const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
+- size_t altlen;
++ size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
++
+
+ switch(target) {
+ case GEN_DNS: /* name/pattern comparison */
+@@ -1106,14 +1107,16 @@
+ "I checked the 0.9.6 and 0.9.8 sources before my patch and
+ it always 0-terminates an IA5String."
+ */
+- if(cert_hostcheck(altptr, conn->host.name))
++ if((altlen == strlen(altptr)) &&
++ /* if this isn't true, there was an embedded zero in the name
++ string and we cannot match it. */
++ cert_hostcheck(altptr, conn->host.name))
+ matched = TRUE;
+ break;
+
+ case GEN_IPADD: /* IP address comparison */
+ /* compare alternative IP address if the data chunk is the same size
+ our server IP address is */
+- altlen = (size_t) ASN1_STRING_length(check->d.ia5);
+ if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
+ matched = TRUE;
+ break;
+@@ -1153,18 +1156,27 @@
+ string manually to avoid the problem. This code can be made
+ conditional in the future when OpenSSL has been fixed. Work-around
+ brought by Alexis S. L. Carvalho. */
+- if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
+- j = ASN1_STRING_length(tmp);
+- if(j >= 0) {
+- peer_CN = OPENSSL_malloc(j+1);
+- if(peer_CN) {
+- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+- peer_CN[j] = '\0';
++ if(tmp) {
++ if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
++ j = ASN1_STRING_length(tmp);
++ if(j >= 0) {
++ peer_CN = OPENSSL_malloc(j+1);
++ if(peer_CN) {
++ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
++ peer_CN[j] = '\0';
++ }
+ }
+ }
++ else /* not a UTF8 name */
++ j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
++
++ if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
++ /* there was a terminating zero before the end of string, this
++ cannot match and we return failure! */
++ failf(data, "SSL: illegal cert name field");
++ res = CURLE_PEER_FAILED_VERIFICATION;
++ }
+ }
+- else /* not a UTF8 name */
+- j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
+ }
+
+ if(peer_CN == nulstr)
+@@ -1182,7 +1194,10 @@
+ }
+ #endif /* CURL_DOES_CONVERSIONS */
+
+- if(!peer_CN) {
++ if(res)
++ /* error already detected, pass through */
++ ;
++ else if(!peer_CN) {
+ failf(data,
+ "SSL: unable to obtain common name from peer certificate");
+ return CURLE_PEER_FAILED_VERIFICATION;