From: Khem Raj <raj.khem@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: Re: Curl security advisory CVE-2009-2417 [PATCH]
Date: Thu, 13 Aug 2009 08:25:07 -0700	[thread overview]
Message-ID: <20090813152507.GA8906@gmail.com> (raw)
In-Reply-To: <20090812095518.GA21131@zlo.nu>

On (12/08/09 11:55), Marc Olzheim wrote:
> Hi,
> 
> I'm not sure what the policy is for patch files of this type, but in
> this patch I decided to add them to recipes/curl/files instead of
> referencing the curl.haxx.se URLs in the SRC_URIs. I hope that is the
> right way to do it.
> 
> The patch for 7.18.1 applies on 7.18.2 fine. Apart from applying
> patches, I added 7.19.6.

You don't need to specify PR="r0" in a new recipe.
You could also switch to using INC_PR.

Thx

-Khem

> 
> Marc

> commit aab35ef35648250da1f37e8b60574b9359dff976
> Author: Marc Olzheim <marc@iphion.nl>
> Date:   Wed Aug 12 11:42:50 2009 +0200
> 
>     Add curl 7.19.6 and fix CVE-2009-2417 in the existing 7.18.2 and 7.19.5 recipes
>     http://curl.haxx.se/docs/adv_20090812.html
> 
> diff --git a/conf/checksums.ini b/conf/checksums.ini
> index 60d9729..f277e29 100644
> --- a/conf/checksums.ini
> +++ b/conf/checksums.ini
> @@ -4390,6 +4390,10 @@ sha256=fb3436280dedbc8f8141d3841a5964c4491dd6457bc5b7123854aed0b794be86
>  md5=426d161661dce70c8ea9ad8f553363a3
>  sha256=05ad84a9c8d340917370f357ad9fdce5ea595deb11f4cb70f946fa48c7b02cd0
>  
> +[http://curl.haxx.se/download/curl-7.19.6.tar.bz2]
> +md5=8402c1f654c51ad7287aad57c3aa79be
> +sha256=ea88f48c8415f7d3af482e4d241277b2bdbfaffaf285e8001c88c1376cbc1021
> +
>  [http://downloads.sourceforge.net/curlftpfs/curlftpfs-0.9.2.tar.gz]
>  md5=b452123f755114cd4461d56c648d9f12
>  sha256=4eb44739c7078ba0edde177bdd266c4cfb7c621075f47f64c85a06b12b3c6958
> diff --git a/recipes/curl/curl-native_7.18.2.bb b/recipes/curl/curl-native_7.18.2.bb
> index c95591b..00c6215 100644
> --- a/recipes/curl/curl-native_7.18.2.bb
> +++ b/recipes/curl/curl-native_7.18.2.bb
> @@ -1,7 +1,9 @@
>  require curl-common.inc
>  inherit native
>  DEPENDS = "zlib-native"
> -PR = "r1"
> +PR = "r2"
> +
> +SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
>  
>  do_stage () {
>  	autotools_stage_all
> diff --git a/recipes/curl/curl-sdk_7.18.2.bb b/recipes/curl/curl-sdk_7.18.2.bb
> index 35b0d88..8c667fa 100644
> --- a/recipes/curl/curl-sdk_7.18.2.bb
> +++ b/recipes/curl/curl-sdk_7.18.2.bb
> @@ -1,7 +1,9 @@
>  require curl-common.inc
>  inherit sdk
>  DEPENDS = "zlib-sdk"
> -PR = "r1"
> +PR = "r2"
> +
> +SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
>  
>  do_stage () {
>          install -d ${STAGING_INCDIR}/curl
> diff --git a/recipes/curl/curl_7.18.2.bb b/recipes/curl/curl_7.18.2.bb
> index 3de6da4..2d32f6b 100644
> --- a/recipes/curl/curl_7.18.2.bb
> +++ b/recipes/curl/curl_7.18.2.bb
> @@ -1,4 +1,6 @@
>  require curl-common.inc
>  require curl-target.inc
>  
> -PR = "r1"
> +SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
> +
> +PR = "r2"
> diff --git a/recipes/curl/curl_7.19.5.bb b/recipes/curl/curl_7.19.5.bb
> index b5b6182..61914e1 100644
> --- a/recipes/curl/curl_7.19.5.bb
> +++ b/recipes/curl/curl_7.19.5.bb
> @@ -2,5 +2,6 @@ require curl-common.inc
>  require curl-target.inc
>  
>  SRC_URI += "file://off_t_abi_fix.patch;patch=1;pnum=0 \
> -            file://curl-add_all_algorithms.patch;patch=1"
> -PR = "r1"
> +            file://curl-add_all_algorithms.patch;patch=1 \
> +            file://curl-7.19.5-CVE-2009-2417.patch;patch=1;pnum=0"
> +PR = "r2"
> diff --git a/recipes/curl/curl_7.19.6.bb b/recipes/curl/curl_7.19.6.bb
> new file mode 100644
> index 0000000..df83fe8
> --- /dev/null
> +++ b/recipes/curl/curl_7.19.6.bb
> @@ -0,0 +1,5 @@
> +require curl-common.inc
> +require curl-target.inc
> +
> +SRC_URI += "file://off_t_abi_fix.patch;patch=1;pnum=0"
> +PR = "r0"
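Review bot: The new 7.19.6 recipe applies only `off_t_abi_fix.patch`, whereas the 7.19.5 recipe it mirrors also applies `curl-add_all_algorithms.patch`, and nothing in the hunk or the commit message says whether that patch was dropped because 7.19.6 no longer needs it or was simply forgotten. If it is still required, add `file://curl-add_all_algorithms.patch;patch=1 \` to SRC_URI as in curl_7.19.5.bb; if it is obsolete, a one-line comment such as `# curl-add_all_algorithms.patch not needed for 7.19.6` would keep the next maintainer from re-adding it. The commit title implies 7.19.6 already contains the CVE-2009-2417 fix, which is why this recipe carries no CVE patch; recording that with `# CVE-2009-2417 is fixed upstream in 7.19.6` makes the omission visibly deliberate rather than an oversight.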
> diff --git a/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
> new file mode 100644
> index 0000000..e7c24c0
> --- /dev/null
> +++ b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
> @@ -0,0 +1,83 @@
> +---
> + lib/ssluse.c |   40 +++++++++++++++++++++++++++-------------
> + 1 file changed, 27 insertions(+), 13 deletions(-)
> +
> +--- lib/ssluse.c.orig
> ++++ lib/ssluse.c
> +@@ -1061,7 +1061,7 @@ static CURLcode verifyhost(struct connec
> +       if(check->type == target) {
> +         /* get data and length */
> +         const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
> +-        int altlen;
> ++        size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
> + 
> +         switch(target) {
> +         case GEN_DNS: /* name/pattern comparison */
> +@@ -1075,14 +1075,16 @@ static CURLcode verifyhost(struct connec
> +              "I checked the 0.9.6 and 0.9.8 sources before my patch and
> +              it always 0-terminates an IA5String."
> +           */
> +-          if(cert_hostcheck(altptr, conn->host.name))
> ++          if((altlen == strlen(altptr)) &&
> ++             /* if this isn't true, there was an embedded zero in the name
> ++                string and we cannot match it. */
> ++             cert_hostcheck(altptr, conn->host.name))
> +             matched = TRUE;
> +           break;
> + 
> +         case GEN_IPADD: /* IP address comparison */
> +           /* compare alternative IP address if the data chunk is the same size
> +              our server IP address is */
> +-          altlen = ASN1_STRING_length(check->d.ia5);
> +           if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
> +             matched = TRUE;
> +           break;
> +@@ -1122,18 +1124,27 @@ static CURLcode verifyhost(struct connec
> +          string manually to avoid the problem. This code can be made
> +          conditional in the future when OpenSSL has been fixed. Work-around
> +          brought by Alexis S. L. Carvalho. */
> +-      if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
> +-        j = ASN1_STRING_length(tmp);
> +-        if(j >= 0) {
> +-          peer_CN = OPENSSL_malloc(j+1);
> +-          if(peer_CN) {
> +-            memcpy(peer_CN, ASN1_STRING_data(tmp), j);
> +-            peer_CN[j] = '\0';
> ++      if(tmp) {
> ++        if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
> ++          j = ASN1_STRING_length(tmp);
> ++          if(j >= 0) {
> ++            peer_CN = OPENSSL_malloc(j+1);
> ++            if(peer_CN) {
> ++              memcpy(peer_CN, ASN1_STRING_data(tmp), j);
> ++              peer_CN[j] = '\0';
> ++            }
> +           }
> +         }
> ++        else /* not a UTF8 name */
> ++          j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
> ++
> ++        if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
> ++          /* there was a terminating zero before the end of string, this
> ++             cannot match and we return failure! */
> ++          failf(data, "SSL: illegal cert name field");
> ++          res = CURLE_PEER_FAILED_VERIFICATION;
> ++        }
> +       }
> +-      else /* not a UTF8 name */
> +-        j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
> +     }
> + 
> +     if(peer_CN == nulstr)
> +@@ -1151,7 +1162,10 @@ static CURLcode verifyhost(struct connec
> +     }
> + #endif /* CURL_DOES_CONVERSIONS */
> + 
> +-    if(!peer_CN) {
> ++    if(res)
> ++      /* error already detected, pass through */
> ++      ;
> ++    else if(!peer_CN) {
> +       failf(data,
> +             "SSL: unable to obtain common name from peer certificate");
> +       return CURLE_PEER_FAILED_VERIFICATION;
> diff --git a/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
> new file mode 100644
> index 0000000..f64232c
> --- /dev/null
> +++ b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
> @@ -0,0 +1,80 @@
> +--- lib/ssluse.c-7.19.5	2009-08-03 16:01:58.000000000 +0200
> ++++ lib/ssluse.c	2009-08-03 16:07:17.000000000 +0200
> +@@ -1092,7 +1092,8 @@
> +       if(check->type == target) {
> +         /* get data and length */
> +         const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
> +-        size_t altlen;
> ++        size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
> ++
> + 
> +         switch(target) {
> +         case GEN_DNS: /* name/pattern comparison */
> +@@ -1106,14 +1107,16 @@
> +              "I checked the 0.9.6 and 0.9.8 sources before my patch and
> +              it always 0-terminates an IA5String."
> +           */
> +-          if(cert_hostcheck(altptr, conn->host.name))
> ++          if((altlen == strlen(altptr)) &&
> ++             /* if this isn't true, there was an embedded zero in the name
> ++                string and we cannot match it. */
> ++             cert_hostcheck(altptr, conn->host.name))
> +             matched = TRUE;
> +           break;
> + 
> +         case GEN_IPADD: /* IP address comparison */
> +           /* compare alternative IP address if the data chunk is the same size
> +              our server IP address is */
> +-          altlen = (size_t) ASN1_STRING_length(check->d.ia5);
> +           if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
> +             matched = TRUE;
> +           break;
> +@@ -1153,18 +1156,27 @@
> +          string manually to avoid the problem. This code can be made
> +          conditional in the future when OpenSSL has been fixed. Work-around
> +          brought by Alexis S. L. Carvalho. */
> +-      if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
> +-        j = ASN1_STRING_length(tmp);
> +-        if(j >= 0) {
> +-          peer_CN = OPENSSL_malloc(j+1);
> +-          if(peer_CN) {
> +-            memcpy(peer_CN, ASN1_STRING_data(tmp), j);
> +-            peer_CN[j] = '\0';
> ++      if(tmp) {
> ++        if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
> ++          j = ASN1_STRING_length(tmp);
> ++          if(j >= 0) {
> ++            peer_CN = OPENSSL_malloc(j+1);
> ++            if(peer_CN) {
> ++              memcpy(peer_CN, ASN1_STRING_data(tmp), j);
> ++              peer_CN[j] = '\0';
> ++            }
> +           }
> +         }
> ++        else /* not a UTF8 name */
> ++          j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
> ++
> ++        if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
> ++          /* there was a terminating zero before the end of string, this
> ++             cannot match and we return failure! */
> ++          failf(data, "SSL: illegal cert name field");
> ++          res = CURLE_PEER_FAILED_VERIFICATION;
> ++        }
> +       }
> +-      else /* not a UTF8 name */
> +-        j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
> +     }
> + 
> +     if(peer_CN == nulstr)
> +@@ -1182,7 +1194,10 @@
> +     }
> + #endif /* CURL_DOES_CONVERSIONS */
> + 
> +-    if(!peer_CN) {
> ++    if(res)
> ++      /* error already detected, pass through */
> ++      ;
> ++    else if(!peer_CN) {
> +       failf(data,
> +             "SSL: unable to obtain common name from peer certificate");
> +       return CURLE_PEER_FAILED_VERIFICATION;







