* Curl security advisory CVE-2009-2417 [PATCH]
From: Marc Olzheim @ 2009-08-12 9:55 UTC
To: openembedded-devel
Hi,
I'm not sure what the policy is for patch files of this type, but in
this patch I decided to add them to recipes/curl/files, instead of
including the curl.haxx.se urls in the SRC_URIs. I hope that that is the
way to do it.
The patch for 7.18.1 applies on 7.18.2 fine. Apart from applying
patches, I added 7.19.6.
Marc
[-- Attachment #1.2: curl.patch --]
[-- Type: text/x-diff, Size: 9943 bytes --]
commit aab35ef35648250da1f37e8b60574b9359dff976
Author: Marc Olzheim <marc@iphion.nl>
Date: Wed Aug 12 11:42:50 2009 +0200
Add curl 7.19.6 and fix CVE-2009-2417 for the rest
http://curl.haxx.se/docs/adv_20090812.html
diff --git a/conf/checksums.ini b/conf/checksums.ini
index 60d9729..f277e29 100644
--- a/conf/checksums.ini
+++ b/conf/checksums.ini
@@ -4390,6 +4390,10 @@ sha256=fb3436280dedbc8f8141d3841a5964c4491dd6457bc5b7123854aed0b794be86
md5=426d161661dce70c8ea9ad8f553363a3
sha256=05ad84a9c8d340917370f357ad9fdce5ea595deb11f4cb70f946fa48c7b02cd0
+[http://curl.haxx.se/download/curl-7.19.6.tar.bz2]
+md5=8402c1f654c51ad7287aad57c3aa79be
+sha256=ea88f48c8415f7d3af482e4d241277b2bdbfaffaf285e8001c88c1376cbc1021
+
[http://downloads.sourceforge.net/curlftpfs/curlftpfs-0.9.2.tar.gz]
md5=b452123f755114cd4461d56c648d9f12
sha256=4eb44739c7078ba0edde177bdd266c4cfb7c621075f47f64c85a06b12b3c6958
diff --git a/recipes/curl/curl-native_7.18.2.bb b/recipes/curl/curl-native_7.18.2.bb
index c95591b..00c6215 100644
--- a/recipes/curl/curl-native_7.18.2.bb
+++ b/recipes/curl/curl-native_7.18.2.bb
@@ -1,7 +1,9 @@
require curl-common.inc
inherit native
DEPENDS = "zlib-native"
-PR = "r1"
+PR = "r2"
+
+SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
do_stage () {
autotools_stage_all
diff --git a/recipes/curl/curl-sdk_7.18.2.bb b/recipes/curl/curl-sdk_7.18.2.bb
index 35b0d88..8c667fa 100644
--- a/recipes/curl/curl-sdk_7.18.2.bb
+++ b/recipes/curl/curl-sdk_7.18.2.bb
@@ -1,7 +1,9 @@
require curl-common.inc
inherit sdk
DEPENDS = "zlib-sdk"
-PR = "r1"
+PR = "r2"
+
+SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
do_stage () {
install -d ${STAGING_INCDIR}/curl
diff --git a/recipes/curl/curl_7.18.2.bb b/recipes/curl/curl_7.18.2.bb
index 3de6da4..2d32f6b 100644
--- a/recipes/curl/curl_7.18.2.bb
+++ b/recipes/curl/curl_7.18.2.bb
@@ -1,4 +1,6 @@
require curl-common.inc
require curl-target.inc
-PR = "r1"
+SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
+
+PR = "r2"
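Review bot: the SRC_URI line sits above PR in this hunk, while the curl-native_7.18.2.bb and curl-sdk_7.18.2.bb hunks put it below PR; pick one order for all three 7.18.2 recipes. Since the file applied is named curl-7.18.1-CVE-2009-2417.patch, a one-line comment in the recipe saying it is the 7.18.1 patch reused for 7.18.2 would save the next reader from suspecting a typo.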
diff --git a/recipes/curl/curl_7.19.5.bb b/recipes/curl/curl_7.19.5.bb
index b5b6182..61914e1 100644
--- a/recipes/curl/curl_7.19.5.bb
+++ b/recipes/curl/curl_7.19.5.bb
@@ -2,5 +2,6 @@ require curl-common.inc
require curl-target.inc
SRC_URI += "file://off_t_abi_fix.patch;patch=1;pnum=0 \
- file://curl-add_all_algorithms.patch;patch=1"
-PR = "r1"
+ file://curl-add_all_algorithms.patch;patch=1 \
+ file://curl-7.19.5-CVE-2009-2417.patch;patch=1;pnum=0"
+PR = "r2"
diff --git a/recipes/curl/curl_7.19.6.bb b/recipes/curl/curl_7.19.6.bb
new file mode 100644
index 0000000..df83fe8
--- /dev/null
+++ b/recipes/curl/curl_7.19.6.bb
@@ -0,0 +1,5 @@
+require curl-common.inc
+require curl-target.inc
+
+SRC_URI += "file://off_t_abi_fix.patch;patch=1;pnum=0"
+PR = "r0"
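Review bot: the SRC_URI in the new curl_7.19.6.bb carries only off_t_abi_fix.patch, while curl_7.19.5.bb in this same commit also applies curl-add_all_algorithms.patch. If that patch is no longer needed with 7.19.6, say so in the commit message; if it was dropped by accident, add it back.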
diff --git a/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
new file mode 100644
index 0000000..e7c24c0
--- /dev/null
+++ b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
@@ -0,0 +1,83 @@
+---
+ lib/ssluse.c | 40 +++++++++++++++++++++++++++-------------
+ 1 file changed, 27 insertions(+), 13 deletions(-)
+
+--- lib/ssluse.c.orig
++++ lib/ssluse.c
+@@ -1061,7 +1061,7 @@ static CURLcode verifyhost(struct connec
+ if(check->type == target) {
+ /* get data and length */
+ const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
+- int altlen;
++ size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
+
+ switch(target) {
+ case GEN_DNS: /* name/pattern comparison */
+@@ -1075,14 +1075,16 @@ static CURLcode verifyhost(struct connec
+ "I checked the 0.9.6 and 0.9.8 sources before my patch and
+ it always 0-terminates an IA5String."
+ */
+- if(cert_hostcheck(altptr, conn->host.name))
++ if((altlen == strlen(altptr)) &&
++ /* if this isn't true, there was an embedded zero in the name
++ string and we cannot match it. */
++ cert_hostcheck(altptr, conn->host.name))
+ matched = TRUE;
+ break;
+
+ case GEN_IPADD: /* IP address comparison */
+ /* compare alternative IP address if the data chunk is the same size
+ our server IP address is */
+- altlen = ASN1_STRING_length(check->d.ia5);
+ if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
+ matched = TRUE;
+ break;
+@@ -1122,18 +1124,27 @@ static CURLcode verifyhost(struct connec
+ string manually to avoid the problem. This code can be made
+ conditional in the future when OpenSSL has been fixed. Work-around
+ brought by Alexis S. L. Carvalho. */
+- if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
+- j = ASN1_STRING_length(tmp);
+- if(j >= 0) {
+- peer_CN = OPENSSL_malloc(j+1);
+- if(peer_CN) {
+- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+- peer_CN[j] = '\0';
++ if(tmp) {
++ if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
++ j = ASN1_STRING_length(tmp);
++ if(j >= 0) {
++ peer_CN = OPENSSL_malloc(j+1);
++ if(peer_CN) {
++ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
++ peer_CN[j] = '\0';
++ }
+ }
+ }
++ else /* not a UTF8 name */
++ j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
++
++ if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
++ /* there was a terminating zero before the end of string, this
++ cannot match and we return failure! */
++ failf(data, "SSL: illegal cert name field");
++ res = CURLE_PEER_FAILED_VERIFICATION;
++ }
+ }
+- else /* not a UTF8 name */
+- j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
+ }
+
+ if(peer_CN == nulstr)
+@@ -1151,7 +1162,10 @@ static CURLcode verifyhost(struct connec
+ }
+ #endif /* CURL_DOES_CONVERSIONS */
+
+- if(!peer_CN) {
++ if(res)
++ /* error already detected, pass through */
++ ;
++ else if(!peer_CN) {
+ failf(data,
+ "SSL: unable to obtain common name from peer certificate");
+ return CURLE_PEER_FAILED_VERIFICATION;
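Review bot: in the GEN_DNS case (inner hunk @@ -1075,14 +1075,16 @@) a subjectAltName whose length differs from strlen(altptr) is skipped without any message, whereas the common-name path reports "SSL: illegal cert name field" via failf. A log line on the GEN_DNS rejection would make a certificate with an embedded zero visible in the transfer log instead of silently leaving matched unset. The patch file also has only a diffstat as its header; adding the advisory URL from the commit message (http://curl.haxx.se/docs/adv_20090812.html) at the top would record where it came from.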
diff --git a/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
new file mode 100644
index 0000000..f64232c
--- /dev/null
+++ b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
@@ -0,0 +1,80 @@
+--- lib/ssluse.c-7.19.5 2009-08-03 16:01:58.000000000 +0200
++++ lib/ssluse.c 2009-08-03 16:07:17.000000000 +0200
+@@ -1092,7 +1092,8 @@
+ if(check->type == target) {
+ /* get data and length */
+ const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
+- size_t altlen;
++ size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
++
+
+ switch(target) {
+ case GEN_DNS: /* name/pattern comparison */
+@@ -1106,14 +1107,16 @@
+ "I checked the 0.9.6 and 0.9.8 sources before my patch and
+ it always 0-terminates an IA5String."
+ */
+- if(cert_hostcheck(altptr, conn->host.name))
++ if((altlen == strlen(altptr)) &&
++ /* if this isn't true, there was an embedded zero in the name
++ string and we cannot match it. */
++ cert_hostcheck(altptr, conn->host.name))
+ matched = TRUE;
+ break;
+
+ case GEN_IPADD: /* IP address comparison */
+ /* compare alternative IP address if the data chunk is the same size
+ our server IP address is */
+- altlen = (size_t) ASN1_STRING_length(check->d.ia5);
+ if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
+ matched = TRUE;
+ break;
+@@ -1153,18 +1156,27 @@
+ string manually to avoid the problem. This code can be made
+ conditional in the future when OpenSSL has been fixed. Work-around
+ brought by Alexis S. L. Carvalho. */
+- if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
+- j = ASN1_STRING_length(tmp);
+- if(j >= 0) {
+- peer_CN = OPENSSL_malloc(j+1);
+- if(peer_CN) {
+- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+- peer_CN[j] = '\0';
++ if(tmp) {
++ if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
++ j = ASN1_STRING_length(tmp);
++ if(j >= 0) {
++ peer_CN = OPENSSL_malloc(j+1);
++ if(peer_CN) {
++ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
++ peer_CN[j] = '\0';
++ }
+ }
+ }
++ else /* not a UTF8 name */
++ j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
++
++ if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
++ /* there was a terminating zero before the end of string, this
++ cannot match and we return failure! */
++ failf(data, "SSL: illegal cert name field");
++ res = CURLE_PEER_FAILED_VERIFICATION;
++ }
+ }
+- else /* not a UTF8 name */
+- j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
+ }
+
+ if(peer_CN == nulstr)
+@@ -1182,7 +1194,10 @@
+ }
+ #endif /* CURL_DOES_CONVERSIONS */
+
+- if(!peer_CN) {
++ if(res)
++ /* error already detected, pass through */
++ ;
++ else if(!peer_CN) {
+ failf(data,
+ "SSL: unable to obtain common name from peer certificate");
+ return CURLE_PEER_FAILED_VERIFICATION;
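Review bot: the first inner hunk (@@ -1092,7 +1092,8 @@) adds an empty line after the altlen declaration, directly above the blank line that was already there, so ssluse.c ends up with two blank lines before switch(target). The 7.18.1 patch makes the same change without it (@@ -1061,7 +1061,7 @@); dropping the extra line keeps the two backports identical apart from offsets.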
* Re: Curl security advisory CVE-2009-2417 [PATCH]
From: Khem Raj @ 2009-08-13 15:25 UTC
To: openembedded-devel
On (12/08/09 11:55), Marc Olzheim wrote:
> Hi,
>
> I'm not sure what the policy is for patch files of this type, but in
> this patch I decided to add them to recipes/curl/files, instead of
> including the curl.haxx.se urls in the SRC_URIs. I hope that that is the
> way to do it.
>
> The patch for 7.18.1 applies on 7.18.2 fine. Apart from applying
> patches, I added 7.19.6.
You don't need to specify PR="r0" in new recipe.
You could also switch to use INC_PR
Thx
-Khem
>
> Marc
> commit aab35ef35648250da1f37e8b60574b9359dff976
> Author: Marc Olzheim <marc@iphion.nl>
> Date: Wed Aug 12 11:42:50 2009 +0200
>
> Add curl 7.19.6 and fix CVE-2009-2417 for the rest
> http://curl.haxx.se/docs/adv_20090812.html
>
> diff --git a/conf/checksums.ini b/conf/checksums.ini
> index 60d9729..f277e29 100644
> --- a/conf/checksums.ini
> +++ b/conf/checksums.ini
> @@ -4390,6 +4390,10 @@ sha256=fb3436280dedbc8f8141d3841a5964c4491dd6457bc5b7123854aed0b794be86
> md5=426d161661dce70c8ea9ad8f553363a3
> sha256=05ad84a9c8d340917370f357ad9fdce5ea595deb11f4cb70f946fa48c7b02cd0
>
> +[http://curl.haxx.se/download/curl-7.19.6.tar.bz2]
> +md5=8402c1f654c51ad7287aad57c3aa79be
> +sha256=ea88f48c8415f7d3af482e4d241277b2bdbfaffaf285e8001c88c1376cbc1021
> +
> [http://downloads.sourceforge.net/curlftpfs/curlftpfs-0.9.2.tar.gz]
> md5=b452123f755114cd4461d56c648d9f12
> sha256=4eb44739c7078ba0edde177bdd266c4cfb7c621075f47f64c85a06b12b3c6958
> diff --git a/recipes/curl/curl-native_7.18.2.bb b/recipes/curl/curl-native_7.18.2.bb
> index c95591b..00c6215 100644
> --- a/recipes/curl/curl-native_7.18.2.bb
> +++ b/recipes/curl/curl-native_7.18.2.bb
> @@ -1,7 +1,9 @@
> require curl-common.inc
> inherit native
> DEPENDS = "zlib-native"
> -PR = "r1"
> +PR = "r2"
> +
> +SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
>
> do_stage () {
> autotools_stage_all
> diff --git a/recipes/curl/curl-sdk_7.18.2.bb b/recipes/curl/curl-sdk_7.18.2.bb
> index 35b0d88..8c667fa 100644
> --- a/recipes/curl/curl-sdk_7.18.2.bb
> +++ b/recipes/curl/curl-sdk_7.18.2.bb
> @@ -1,7 +1,9 @@
> require curl-common.inc
> inherit sdk
> DEPENDS = "zlib-sdk"
> -PR = "r1"
> +PR = "r2"
> +
> +SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
>
> do_stage () {
> install -d ${STAGING_INCDIR}/curl
> diff --git a/recipes/curl/curl_7.18.2.bb b/recipes/curl/curl_7.18.2.bb
> index 3de6da4..2d32f6b 100644
> --- a/recipes/curl/curl_7.18.2.bb
> +++ b/recipes/curl/curl_7.18.2.bb
> @@ -1,4 +1,6 @@
> require curl-common.inc
> require curl-target.inc
>
> -PR = "r1"
> +SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
> +
> +PR = "r2"
> diff --git a/recipes/curl/curl_7.19.5.bb b/recipes/curl/curl_7.19.5.bb
> index b5b6182..61914e1 100644
> --- a/recipes/curl/curl_7.19.5.bb
> +++ b/recipes/curl/curl_7.19.5.bb
> @@ -2,5 +2,6 @@ require curl-common.inc
> require curl-target.inc
>
> SRC_URI += "file://off_t_abi_fix.patch;patch=1;pnum=0 \
> - file://curl-add_all_algorithms.patch;patch=1"
> -PR = "r1"
> + file://curl-add_all_algorithms.patch;patch=1 \
> + file://curl-7.19.5-CVE-2009-2417.patch;patch=1;pnum=0"
> +PR = "r2"
> diff --git a/recipes/curl/curl_7.19.6.bb b/recipes/curl/curl_7.19.6.bb
> new file mode 100644
> index 0000000..df83fe8
> --- /dev/null
> +++ b/recipes/curl/curl_7.19.6.bb
> @@ -0,0 +1,5 @@
> +require curl-common.inc
> +require curl-target.inc
> +
> +SRC_URI += "file://off_t_abi_fix.patch;patch=1;pnum=0"
> +PR = "r0"
> diff --git a/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
> new file mode 100644
> index 0000000..e7c24c0
> --- /dev/null
> +++ b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
> @@ -0,0 +1,83 @@
> +---
> + lib/ssluse.c | 40 +++++++++++++++++++++++++++-------------
> + 1 file changed, 27 insertions(+), 13 deletions(-)
> +
> +--- lib/ssluse.c.orig
> ++++ lib/ssluse.c
> +@@ -1061,7 +1061,7 @@ static CURLcode verifyhost(struct connec
> + if(check->type == target) {
> + /* get data and length */
> + const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
> +- int altlen;
> ++ size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
> +
> + switch(target) {
> + case GEN_DNS: /* name/pattern comparison */
> +@@ -1075,14 +1075,16 @@ static CURLcode verifyhost(struct connec
> + "I checked the 0.9.6 and 0.9.8 sources before my patch and
> + it always 0-terminates an IA5String."
> + */
> +- if(cert_hostcheck(altptr, conn->host.name))
> ++ if((altlen == strlen(altptr)) &&
> ++ /* if this isn't true, there was an embedded zero in the name
> ++ string and we cannot match it. */
> ++ cert_hostcheck(altptr, conn->host.name))
> + matched = TRUE;
> + break;
> +
> + case GEN_IPADD: /* IP address comparison */
> + /* compare alternative IP address if the data chunk is the same size
> + our server IP address is */
> +- altlen = ASN1_STRING_length(check->d.ia5);
> + if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
> + matched = TRUE;
> + break;
> +@@ -1122,18 +1124,27 @@ static CURLcode verifyhost(struct connec
> + string manually to avoid the problem. This code can be made
> + conditional in the future when OpenSSL has been fixed. Work-around
> + brought by Alexis S. L. Carvalho. */
> +- if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
> +- j = ASN1_STRING_length(tmp);
> +- if(j >= 0) {
> +- peer_CN = OPENSSL_malloc(j+1);
> +- if(peer_CN) {
> +- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
> +- peer_CN[j] = '\0';
> ++ if(tmp) {
> ++ if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
> ++ j = ASN1_STRING_length(tmp);
> ++ if(j >= 0) {
> ++ peer_CN = OPENSSL_malloc(j+1);
> ++ if(peer_CN) {
> ++ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
> ++ peer_CN[j] = '\0';
> ++ }
> + }
> + }
> ++ else /* not a UTF8 name */
> ++ j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
> ++
> ++ if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
> ++ /* there was a terminating zero before the end of string, this
> ++ cannot match and we return failure! */
> ++ failf(data, "SSL: illegal cert name field");
> ++ res = CURLE_PEER_FAILED_VERIFICATION;
> ++ }
> + }
> +- else /* not a UTF8 name */
> +- j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
> + }
> +
> + if(peer_CN == nulstr)
> +@@ -1151,7 +1162,10 @@ static CURLcode verifyhost(struct connec
> + }
> + #endif /* CURL_DOES_CONVERSIONS */
> +
> +- if(!peer_CN) {
> ++ if(res)
> ++ /* error already detected, pass through */
> ++ ;
> ++ else if(!peer_CN) {
> + failf(data,
> + "SSL: unable to obtain common name from peer certificate");
> + return CURLE_PEER_FAILED_VERIFICATION;
> diff --git a/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
> new file mode 100644
> index 0000000..f64232c
> --- /dev/null
> +++ b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
> @@ -0,0 +1,80 @@
> +--- lib/ssluse.c-7.19.5 2009-08-03 16:01:58.000000000 +0200
> ++++ lib/ssluse.c 2009-08-03 16:07:17.000000000 +0200
> +@@ -1092,7 +1092,8 @@
> + if(check->type == target) {
> + /* get data and length */
> + const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
> +- size_t altlen;
> ++ size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
> ++
> +
> + switch(target) {
> + case GEN_DNS: /* name/pattern comparison */
> +@@ -1106,14 +1107,16 @@
> + "I checked the 0.9.6 and 0.9.8 sources before my patch and
> + it always 0-terminates an IA5String."
> + */
> +- if(cert_hostcheck(altptr, conn->host.name))
> ++ if((altlen == strlen(altptr)) &&
> ++ /* if this isn't true, there was an embedded zero in the name
> ++ string and we cannot match it. */
> ++ cert_hostcheck(altptr, conn->host.name))
> + matched = TRUE;
> + break;
> +
> + case GEN_IPADD: /* IP address comparison */
> + /* compare alternative IP address if the data chunk is the same size
> + our server IP address is */
> +- altlen = (size_t) ASN1_STRING_length(check->d.ia5);
> + if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
> + matched = TRUE;
> + break;
> +@@ -1153,18 +1156,27 @@
> + string manually to avoid the problem. This code can be made
> + conditional in the future when OpenSSL has been fixed. Work-around
> + brought by Alexis S. L. Carvalho. */
> +- if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
> +- j = ASN1_STRING_length(tmp);
> +- if(j >= 0) {
> +- peer_CN = OPENSSL_malloc(j+1);
> +- if(peer_CN) {
> +- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
> +- peer_CN[j] = '\0';
> ++ if(tmp) {
> ++ if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
> ++ j = ASN1_STRING_length(tmp);
> ++ if(j >= 0) {
> ++ peer_CN = OPENSSL_malloc(j+1);
> ++ if(peer_CN) {
> ++ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
> ++ peer_CN[j] = '\0';
> ++ }
> + }
> + }
> ++ else /* not a UTF8 name */
> ++ j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
> ++
> ++ if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
> ++ /* there was a terminating zero before the end of string, this
> ++ cannot match and we return failure! */
> ++ failf(data, "SSL: illegal cert name field");
> ++ res = CURLE_PEER_FAILED_VERIFICATION;
> ++ }
> + }
> +- else /* not a UTF8 name */
> +- j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
> + }
> +
> + if(peer_CN == nulstr)
> +@@ -1182,7 +1194,10 @@
> + }
> + #endif /* CURL_DOES_CONVERSIONS */
> +
> +- if(!peer_CN) {
> ++ if(res)
> ++ /* error already detected, pass through */
> ++ ;
> ++ else if(!peer_CN) {
> + failf(data,
> + "SSL: unable to obtain common name from peer certificate");
> + return CURLE_PEER_FAILED_VERIFICATION;
* Re: Curl security advisory CVE-2009-2417 [PATCH]
From: Holger Hans Peter Freyther @ 2009-08-17 13:21 UTC
To: openembedded-devel
On Wednesday 12 August 2009 11:55:18 Marc Olzheim wrote:
> Hi,
>
> I'm not sure what the policy is for patch files of this type, but in
> this patch I decided to add them to recipes/curl/files, instead of
> including the curl.haxx.se urls in the SRC_URIs. I hope that that is the
> way to do it.
>
> The patch for 7.18.1 applies on 7.18.2 fine. Apart from applying
> patches, I added 7.19.6.
>
> Marc
Signed-off-by: Holger Freyther <zecke@selfish.org>
(I will take Khem's comment into account when landing)
* [PATCH] curl: Fix CVE-2009-2417.
From: Marc Olzheim @ 2009-11-17 10:13 UTC
To: openembedded-devel
For some reason, my patch never landed and 7.19.6 was added in the mean time,
which fixed this problem, but we still need the patches for previous versions.
The 7.18.1 patch applies cleanly on 7.18.2.
See http://curl.haxx.se/docs/adv_20090812.html for more information.
---
recipes/curl/curl-native_7.18.2.bb | 4 +-
recipes/curl/curl-sdk_7.18.2.bb | 4 +-
recipes/curl/curl_7.18.2.bb | 4 +-
recipes/curl/curl_7.19.5.bb | 6 +-
recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch | 83 ++++++++++++++++++++
recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch | 80 +++++++++++++++++++
6 files changed, 176 insertions(+), 5 deletions(-)
create mode 100644 recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
create mode 100644 recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
diff --git a/recipes/curl/curl-native_7.18.2.bb b/recipes/curl/curl-native_7.18.2.bb
index 1eef23b..e2e3a48 100644
--- a/recipes/curl/curl-native_7.18.2.bb
+++ b/recipes/curl/curl-native_7.18.2.bb
@@ -1,4 +1,6 @@
require curl-common.inc
inherit native
DEPENDS = "zlib-native"
-PR = "${INC_PR}.1"
+SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
+
+PR = "${INC_PR}.2"
diff --git a/recipes/curl/curl-sdk_7.18.2.bb b/recipes/curl/curl-sdk_7.18.2.bb
index f1fd34f..e26c532 100644
--- a/recipes/curl/curl-sdk_7.18.2.bb
+++ b/recipes/curl/curl-sdk_7.18.2.bb
@@ -1,4 +1,6 @@
require curl-common.inc
inherit sdk
DEPENDS = "zlib-sdk"
-PR = "${INC_PR}.1"
+SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
+
+PR = "${INC_PR}.2"
diff --git a/recipes/curl/curl_7.18.2.bb b/recipes/curl/curl_7.18.2.bb
index 84c0d07..21eaedc 100644
--- a/recipes/curl/curl_7.18.2.bb
+++ b/recipes/curl/curl_7.18.2.bb
@@ -1,4 +1,6 @@
require curl-common.inc
require curl-target.inc
-PR = "${INC_PR}.1"
+SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
+
+PR = "${INC_PR}.2"
diff --git a/recipes/curl/curl_7.19.5.bb b/recipes/curl/curl_7.19.5.bb
index d0577b0..e447610 100644
--- a/recipes/curl/curl_7.19.5.bb
+++ b/recipes/curl/curl_7.19.5.bb
@@ -2,5 +2,7 @@ require curl-common.inc
require curl-target.inc
SRC_URI += "file://off_t_abi_fix.patch;patch=1;pnum=0 \
- file://curl-add_all_algorithms.patch;patch=1"
-PR = "${INC_PR}.1"
+ file://curl-add_all_algorithms.patch;patch=1 \
+ file://curl-7.19.5-CVE-2009-2417.patch;patch=1;pnum=0"
+
+PR = "${INC_PR}.2"
diff --git a/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
new file mode 100644
index 0000000..e7c24c0
--- /dev/null
+++ b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
@@ -0,0 +1,83 @@
+---
+ lib/ssluse.c | 40 +++++++++++++++++++++++++++-------------
+ 1 file changed, 27 insertions(+), 13 deletions(-)
+
+--- lib/ssluse.c.orig
++++ lib/ssluse.c
+@@ -1061,7 +1061,7 @@ static CURLcode verifyhost(struct connec
+ if(check->type == target) {
+ /* get data and length */
+ const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
+- int altlen;
++ size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
+
+ switch(target) {
+ case GEN_DNS: /* name/pattern comparison */
+@@ -1075,14 +1075,16 @@ static CURLcode verifyhost(struct connec
+ "I checked the 0.9.6 and 0.9.8 sources before my patch and
+ it always 0-terminates an IA5String."
+ */
+- if(cert_hostcheck(altptr, conn->host.name))
++ if((altlen == strlen(altptr)) &&
++ /* if this isn't true, there was an embedded zero in the name
++ string and we cannot match it. */
++ cert_hostcheck(altptr, conn->host.name))
+ matched = TRUE;
+ break;
+
+ case GEN_IPADD: /* IP address comparison */
+ /* compare alternative IP address if the data chunk is the same size
+ our server IP address is */
+- altlen = ASN1_STRING_length(check->d.ia5);
+ if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
+ matched = TRUE;
+ break;
+@@ -1122,18 +1124,27 @@ static CURLcode verifyhost(struct connec
+ string manually to avoid the problem. This code can be made
+ conditional in the future when OpenSSL has been fixed. Work-around
+ brought by Alexis S. L. Carvalho. */
+- if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
+- j = ASN1_STRING_length(tmp);
+- if(j >= 0) {
+- peer_CN = OPENSSL_malloc(j+1);
+- if(peer_CN) {
+- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+- peer_CN[j] = '\0';
++ if(tmp) {
++ if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
++ j = ASN1_STRING_length(tmp);
++ if(j >= 0) {
++ peer_CN = OPENSSL_malloc(j+1);
++ if(peer_CN) {
++ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
++ peer_CN[j] = '\0';
++ }
+ }
+ }
++ else /* not a UTF8 name */
++ j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
++
++ if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
++ /* there was a terminating zero before the end of string, this
++ cannot match and we return failure! */
++ failf(data, "SSL: illegal cert name field");
++ res = CURLE_PEER_FAILED_VERIFICATION;
++ }
+ }
+- else /* not a UTF8 name */
+- j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
+ }
+
+ if(peer_CN == nulstr)
+@@ -1151,7 +1162,10 @@ static CURLcode verifyhost(struct connec
+ }
+ #endif /* CURL_DOES_CONVERSIONS */
+
+- if(!peer_CN) {
++ if(res)
++ /* error already detected, pass through */
++ ;
++ else if(!peer_CN) {
+ failf(data,
+ "SSL: unable to obtain common name from peer certificate");
+ return CURLE_PEER_FAILED_VERIFICATION;
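Review bot: in the common-name hunk (@@ -1122,18 +1124,27 @@) the check (int)strlen((char *)peer_CN) != j narrows a size_t to int before comparing; guarding with j >= 0 and comparing as size_t avoids relying on the cast. In the last inner hunk, if(res) falls through with an empty statement, and the visible context does not show where res is returned or peer_CN released on that path, so it is worth confirming against the full verifyhost() that the failure is actually propagated.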
diff --git a/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
new file mode 100644
index 0000000..f64232c
--- /dev/null
+++ b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
@@ -0,0 +1,80 @@
+--- lib/ssluse.c-7.19.5 2009-08-03 16:01:58.000000000 +0200
++++ lib/ssluse.c 2009-08-03 16:07:17.000000000 +0200
+@@ -1092,7 +1092,8 @@
+ if(check->type == target) {
+ /* get data and length */
+ const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
+- size_t altlen;
++ size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
++
+
+ switch(target) {
+ case GEN_DNS: /* name/pattern comparison */
+@@ -1106,14 +1107,16 @@
+ "I checked the 0.9.6 and 0.9.8 sources before my patch and
+ it always 0-terminates an IA5String."
+ */
+- if(cert_hostcheck(altptr, conn->host.name))
++ if((altlen == strlen(altptr)) &&
++ /* if this isn't true, there was an embedded zero in the name
++ string and we cannot match it. */
++ cert_hostcheck(altptr, conn->host.name))
+ matched = TRUE;
+ break;
+
+ case GEN_IPADD: /* IP address comparison */
+ /* compare alternative IP address if the data chunk is the same size
+ our server IP address is */
+- altlen = (size_t) ASN1_STRING_length(check->d.ia5);
+ if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
+ matched = TRUE;
+ break;
+@@ -1153,18 +1156,27 @@
+ string manually to avoid the problem. This code can be made
+ conditional in the future when OpenSSL has been fixed. Work-around
+ brought by Alexis S. L. Carvalho. */
+- if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
+- j = ASN1_STRING_length(tmp);
+- if(j >= 0) {
+- peer_CN = OPENSSL_malloc(j+1);
+- if(peer_CN) {
+- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+- peer_CN[j] = '\0';
++ if(tmp) {
++ if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
++ j = ASN1_STRING_length(tmp);
++ if(j >= 0) {
++ peer_CN = OPENSSL_malloc(j+1);
++ if(peer_CN) {
++ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
++ peer_CN[j] = '\0';
++ }
+ }
+ }
++ else /* not a UTF8 name */
++ j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
++
++ if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
++ /* there was a terminating zero before the end of string, this
++ cannot match and we return failure! */
++ failf(data, "SSL: illegal cert name field");
++ res = CURLE_PEER_FAILED_VERIFICATION;
++ }
+ }
+- else /* not a UTF8 name */
+- j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
+ }
+
+ if(peer_CN == nulstr)
+@@ -1182,7 +1194,10 @@
+ }
+ #endif /* CURL_DOES_CONVERSIONS */
+
+- if(!peer_CN) {
++ if(res)
++ /* error already detected, pass through */
++ ;
++ else if(!peer_CN) {
+ failf(data,
+ "SSL: unable to obtain common name from peer certificate");
+ return CURLE_PEER_FAILED_VERIFICATION;
--
1.6.3.1
* Re: [PATCH] curl: Fix CVE-2009-2417.
From: Holger Hans Peter Freyther @ 2009-11-17 14:39 UTC
To: openembedded-devel
On Tuesday 17 November 2009 11:13:54 Marc Olzheim wrote:
> For some reason, my patch never landed and 7.19.6 was added in the mean
> time, which fixed this problem, but we still need the patches for previous
> versions.
>
> The 7.18.1 patch applies cleanly on 7.18.2.
>
> See http://curl.haxx.se/docs/adv_20090812.html for more information.
Oops... I will try to land this one...
* Re: [PATCH] curl: Fix CVE-2009-2417.
From: Phil Blundell @ 2009-11-18 10:51 UTC
To: openembedded-devel
On Tue, 2009-11-17 at 11:13 +0100, Marc Olzheim wrote:
> For some reason, my patch never landed and 7.19.6 was added in the mean time,
> which fixed this problem, but we still need the patches for previous versions.
>
> The 7.18.1 patch applies cleanly on 7.18.2.
>
> See http://curl.haxx.se/docs/adv_20090812.html for more information.
Thanks for the patch. I checked this in.
p.