* [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy
@ 2023-04-14 10:55 Hitendra Prajapati
2023-05-11 14:45 ` [OE-core] " Steve Sakoman
0 siblings, 1 reply; 7+ messages in thread
From: Hitendra Prajapati @ 2023-04-14 10:55 UTC (permalink / raw)
To: openembedded-core; +Cc: Hitendra Prajapati
Upstream-Status: Backport from https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
.../curl/curl/CVE-2023-27534.patch | 123 ++++++++++++++++++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
2 files changed, 124 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
new file mode 100644
index 0000000000..aeeffd5fea
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
@@ -0,0 +1,123 @@
+From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Mar 2023 16:22:11 +0100
+Subject: [PATCH] curl_path: create the new path with dynbuf
+
+CVE: CVE-2023-27534
+Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 35 insertions(+), 36 deletions(-)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index f429634..e17db4b 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -30,6 +30,8 @@
+ #include "escape.h"
+ #include "memdebug.h"
+
++#define MAX_SSHPATH_LEN 100000 /* arbitrary */
++
+ /* figure out the path to work with in this particular request */
+ CURLcode Curl_getworkingpath(struct connectdata *conn,
+ char *homedir, /* when SFTP is used */
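Review bot: `MAX_SSHPATH_LEN` is introduced here only as the limit for `Curl_dyn_init()`, yet neither this hunk nor the next one adds an include or any other prerequisite for `struct dynbuf` and the `Curl_dyn_*` helpers. The include context shows just `escape.h` and `memdebug.h`, and the recipe being patched is curl_7.69.1, so please confirm the dynbuf API exists in that tree. If it does not, the backport needs either the prerequisite change or a rewrite of the new path construction in the allocation style of the removed lines, keeping the stricter `/~/` check.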
+@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+ real path to work with */
+ {
+ struct Curl_easy *data = conn->data;
+- char *real_path = NULL;
+ char *working_path;
+ size_t working_path_len;
++ struct dynbuf npath;
+ CURLcode result =
+ Curl_urldecode(data, data->state.up.path, 0, &working_path,
+ &working_path_len, FALSE);
+ if(result)
+ return result;
+
++ /* new path to switch to in case we need to */
++ Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
++
+ /* Check for /~/, indicating relative to the user's home directory */
+- if(conn->handler->protocol & CURLPROTO_SCP) {
+- real_path = malloc(working_path_len + 1);
+- if(real_path == NULL) {
++ if((data->conn->handler->protocol & CURLPROTO_SCP) &&
++ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
++ /* It is referenced to the home directory, so strip the leading '/~/' */
++ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
+ free(working_path);
+ return CURLE_OUT_OF_MEMORY;
+ }
+- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
+- /* It is referenced to the home directory, so strip the leading '/~/' */
+- memcpy(real_path, working_path + 3, working_path_len - 2);
+- else
+- memcpy(real_path, working_path, 1 + working_path_len);
+ }
+- else if(conn->handler->protocol & CURLPROTO_SFTP) {
+- if((working_path_len > 1) && (working_path[1] == '~')) {
+- size_t homelen = strlen(homedir);
+- real_path = malloc(homelen + working_path_len + 1);
+- if(real_path == NULL) {
+- free(working_path);
+- return CURLE_OUT_OF_MEMORY;
+- }
+- /* It is referenced to the home directory, so strip the
+- leading '/' */
+- memcpy(real_path, homedir, homelen);
+- real_path[homelen] = '/';
+- real_path[homelen + 1] = '\0';
+- if(working_path_len > 3) {
+- memcpy(real_path + homelen + 1, working_path + 3,
+- 1 + working_path_len -3);
+- }
++ else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
++ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
++ size_t len;
++ const char *p;
++ int copyfrom = 3;
++ if(Curl_dyn_add(&npath, homedir)) {
++ free(working_path);
++ return CURLE_OUT_OF_MEMORY;
+ }
+- else {
+- real_path = malloc(working_path_len + 1);
+- if(real_path == NULL) {
+- free(working_path);
+- return CURLE_OUT_OF_MEMORY;
+- }
+- memcpy(real_path, working_path, 1 + working_path_len);
++ /* Copy a separating '/' if homedir does not end with one */
++ len = Curl_dyn_len(&npath);
++ p = Curl_dyn_ptr(&npath);
++ if(len && (p[len-1] != '/'))
++ copyfrom = 2;
++
++ if(Curl_dyn_addn(&npath,
++ &working_path[copyfrom], working_path_len - copyfrom)) {
++ free(working_path);
++ return CURLE_OUT_OF_MEMORY;
+ }
+ }
+
+- free(working_path);
++ if(Curl_dyn_len(&npath)) {
++ free(working_path);
+
+- /* store the pointer for the caller to receive */
+- *path = real_path;
++ /* store the pointer for the caller to receive */
++ *path = Curl_dyn_ptr(&npath);
++ }
++ else
++ *path = working_path;
+
+ return CURLE_OK;
+ }
+--
+2.25.1
+
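Review bot: in the SFTP branch an empty `homedir` is not handled: `len` stays 0 and `copyfrom` stays 3, so `/~/x` is returned as the relative `x`, and a bare `/~/` leaves `npath` empty and falls into the final `else`, which returns the literal `/~/`. The removed code always wrote `homedir` followed by `/`, so this is a behaviour change that deserves either an explicit check on `homedir` or a comment saying it is intended. Separately, the new conditions read `data->conn->handler->protocol` although `conn` is the function parameter and the removed lines used `conn->handler->protocol`; for a backport, keeping `conn->handler` makes the delta smaller. A short comment at `*path = Curl_dyn_ptr(&npath);` saying who frees the returned buffer would also help, since the other branch returns `working_path`.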
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 899daf8eac..fddf15e3ff 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -42,6 +42,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2022-32221.patch \
file://CVE-2022-35260.patch \
file://CVE-2022-43552.patch \
+ file://CVE-2023-27534.patch \
"
SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
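Review bot: the new `file://CVE-2023-27534.patch` entry is applied unconditionally, but the code it touches only handles SCP and SFTP paths, so a build without an SSH backend may never compile the changed function. Please state in the commit message which PACKAGECONFIG combinations were build-tested, and include one with an SSH backend such as the `libssh2` option mentioned later in this thread.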
--
2.25.1
* Re: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy
2023-04-14 10:55 [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy Hitendra Prajapati
@ 2023-05-11 14:45 ` Steve Sakoman
2023-05-11 21:34 ` Siddharth
2023-05-12 11:26 ` [OE-core] " Hitendra Prajapati
0 siblings, 2 replies; 7+ messages in thread
From: Steve Sakoman @ 2023-05-11 14:45 UTC (permalink / raw)
To: Hitendra Prajapati; +Cc: openembedded-core
Hi Hitendra,
There's been a bug filed against this patch (build failure when
curl is configured with `libssh2` i.e. PACKAGECONFIG_append = "
libssh2"):
https://bugzilla.yoctoproject.org/show_bug.cgi?id=15114
Could you investigate and advise whether there is an easy fix or
whether we should revert?
Thanks,
Steve
* Re: [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy
2023-05-11 14:45 ` [OE-core] " Steve Sakoman
@ 2023-05-11 21:34 ` Siddharth
2023-05-12 11:26 ` [OE-core] " Hitendra Prajapati
1 sibling, 0 replies; 7+ messages in thread
From: Siddharth @ 2023-05-11 21:34 UTC (permalink / raw)
To: openembedded-core
Hi Steve,
I have committed a modified patch on behalf of Hitendra, as he is away for a few days. Please find the patch at -> https://lists.openembedded.org/g/openembedded-core/message/181154
I have verified that this also builds fine with the "--with-libssh2" option added.
Regards,
Siddharth
* Re: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy
2023-05-11 14:45 ` [OE-core] " Steve Sakoman
2023-05-11 21:34 ` Siddharth
@ 2023-05-12 11:26 ` Hitendra Prajapati
2023-05-16 18:38 ` Abdurrahman Hussain (fib)
1 sibling, 1 reply; 7+ messages in thread
From: Hitendra Prajapati @ 2023-05-12 11:26 UTC (permalink / raw)
To: Steve Sakoman; +Cc: openembedded-core
Hi Steve,
I'll look into this issue by enabling the package at my end and send the
possible solution if any.
Regards,
Hitendra
--
Regards,
Hitendra Prajapati
MontaVista Software LLC
* RE: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy
2023-05-12 11:26 ` [OE-core] " Hitendra Prajapati
@ 2023-05-16 18:38 ` Abdurrahman Hussain (fib)
2023-05-17 6:04 ` Hitendra Prajapati
2023-05-17 6:12 ` Hitendra Prajapati
0 siblings, 2 replies; 7+ messages in thread
From: Abdurrahman Hussain (fib) @ 2023-05-16 18:38 UTC (permalink / raw)
To: Hitendra Prajapati, Steve Sakoman
Cc: openembedded-core@lists.openembedded.org
Hi Hitendra,
Any update on this? This should be reverted since the dynbuf APIs are not available in curl 7.69.
Regards,
Abdurrahman
* Re: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy
2023-05-16 18:38 ` Abdurrahman Hussain (fib)
@ 2023-05-17 6:04 ` Hitendra Prajapati
2023-05-17 6:12 ` Hitendra Prajapati
1 sibling, 0 replies; 7+ messages in thread
From: Hitendra Prajapati @ 2023-05-17 6:04 UTC (permalink / raw)
To: Abdurrahman Hussain (fib), Steve Sakoman
Cc: openembedded-core@lists.openembedded.org
Hi Team,
Please revert the changes of curl: CVE-2023-27534 SFTP path ~ resolving
discrepancy as of now.
My apologies for the delay in reply.
Regards,
Hitendra
>
> ++ free(working_path);
>
> ++ return CURLE_OUT_OF_MEMORY;
>
> + }
>
> +- else {
>
> +- real_path = malloc(working_path_len + 1);
>
> +- if(real_path == NULL) {
>
> +- free(working_path);
>
> +- return CURLE_OUT_OF_MEMORY;
>
> +- }
>
> +- memcpy(real_path, working_path, 1 + working_path_len);
>
> ++ /* Copy a separating '/' if homedir does not end with one */
>
> ++ len = Curl_dyn_len(&npath);
>
> ++ p = Curl_dyn_ptr(&npath);
>
> ++ if(len && (p[len-1] != '/'))
>
> ++ copyfrom = 2;
>
> ++
>
> ++ if(Curl_dyn_addn(&npath,
>
> ++ &working_path[copyfrom], working_path_len - copyfrom)) {
>
> ++ free(working_path);
>
> ++ return CURLE_OUT_OF_MEMORY;
>
> + }
>
> + }
>
> +
>
> +- free(working_path);
>
> ++ if(Curl_dyn_len(&npath)) {
>
> ++ free(working_path);
>
> +
>
> +- /* store the pointer for the caller to receive */
>
> +- *path = real_path;
>
> ++ /* store the pointer for the caller to receive */
>
> ++ *path = Curl_dyn_ptr(&npath);
>
> ++ }
>
> ++ else
>
> ++ *path = working_path;
>
> +
>
> + return CURLE_OK;
>
> + }
>
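Review bot: both added protocol checks read `data->conn->handler->protocol`, while the lines they replace used the function's own `conn` parameter (`conn->handler->protocol`) and `data` is itself taken from `conn->data` at the top of the function. For a backport to 7.69.1, keep `conn->handler->protocol` so the change stays limited to the path construction and does not depend on `data->conn` being set on this code path in the older tree.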
> +--
>
> +2.25.1
>
> +
>
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
>
> index 899daf8eac..fddf15e3ff 100644
>
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
>
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
>
> @@ -42,6 +42,7 @@ SRC_URI ="https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ <https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
> file://CVE-2022-32221.patch
> \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
> file://CVE-2022-35260.patch
> \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
> file://CVE-2022-43552.patch
> \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
> + file://CVE-2023-27534.patch
> \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
> "
> <https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
> SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
>
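Review bot: this SRC_URI addition is reported in this thread to break the build when curl is configured with `PACKAGECONFIG_append = " libssh2"`, which suggests the patch was not built with an SSH backend enabled before it was sent. Before resubmitting, build curl_7.69.1 with libssh2 enabled and say in the commit message that this was done and how the upstream change was adapted for this version.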
> --
>
> 2.25.1
>
> --
> Regards,
> Hitendra Prajapati
> MontaVista Software LLC
>
--
Regards,
Hitendra Prajapati
MontaVista Software LLC
* Re: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy
2023-05-16 18:38 ` Abdurrahman Hussain (fib)
2023-05-17 6:04 ` Hitendra Prajapati
@ 2023-05-17 6:12 ` Hitendra Prajapati
1 sibling, 0 replies; 7+ messages in thread
From: Hitendra Prajapati @ 2023-05-17 6:12 UTC (permalink / raw)
To: Abdurrahman Hussain (fib), Steve Sakoman
Cc: openembedded-core@lists.openembedded.org, Siddharth Doshi
Hi Team,
My team member Siddharth Doshi has already sent the revised patch for that.
Commit:
https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/dunfell-nut&id=3e4520554cf8bd441f021f46f2e68eace5ca42e6
Please look into that patch once, and for any issue revert to me or Siddharth.
Thank you Siddharth.
Regards,
Hitendra Prajapati
On 17/05/23 00:08, Abdurrahman Hussain (fib) wrote:
>
> Hi Hitendra,
>
> Any update on this? This should be reverted since the dynbuf APIs are
> not available in curl 7.69.
>
> Regards,
>
> Abdurrahman
>
> *From:* openembedded-core@lists.openembedded.org
> <openembedded-core@lists.openembedded.org> *On Behalf Of *Hitendra
> Prajapati
> *Sent:* Friday, May 12, 2023 4:26 AM
> *To:* Steve Sakoman <steve@sakoman.com>
> *Cc:* openembedded-core@lists.openembedded.org
> *Subject:* Re: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP
> path ~ resolving discrepancy
>
> Hi Steve,
>
> I'll look into this issue by enabling the package at my end and send
> the possible solution if any.
>
> Regards,
>
> Hitendra
>
> On 11/05/23 20:15, Steve Sakoman wrote:
>
> Hi Hitendra,
>
> There's been a bug filed against this patch (build failure when
>
> curl is configured with `libssh2` i.e. PACKAGECONFIG_append = "
>
> libssh2"):
>
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=15114
>
> Could you investigate and advise whether there is an easy fix or
>
> whether we should revert?
>
> Thanks,
>
> Steve
>
> On Fri, Apr 14, 2023 at 12:55 AM Hitendra Prajapati
>
> <hprajapati@mvista.com> wrote:
>
> Upstream-Status: Backport from https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
>
> ---
>
> .../curl/curl/CVE-2023-27534.patch | 123 ++++++++++++++++++
>
> meta/recipes-support/curl/curl_7.69.1.bb | 1 +
>
> 2 files changed, 124 insertions(+)
>
> create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
>
> new file mode 100644
>
> index 0000000000..aeeffd5fea
>
> --- /dev/null
>
> +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
>
> @@ -0,0 +1,123 @@
>
> +From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001
>
> +From: Daniel Stenberg<daniel@haxx.se> <mailto:daniel@haxx.se>
>
> +Date: Thu, 9 Mar 2023 16:22:11 +0100
>
> +Subject: [PATCH] curl_path: create the new path with dynbuf
>
> +
>
> +CVE: CVE-2023-27534
>
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
>
> +
>
> +Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com> <mailto:hprajapati@mvista.com>
>
> +---
>
> + lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
>
> + 1 file changed, 35 insertions(+), 36 deletions(-)
>
> +
>
> +diff --git a/lib/curl_path.c b/lib/curl_path.c
>
> +index f429634..e17db4b 100644
>
> +--- a/lib/curl_path.c
>
> ++++ b/lib/curl_path.c
>
> +@@ -30,6 +30,8 @@
>
> + #include "escape.h"
>
> + #include "memdebug.h"
>
> +
>
> ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */
>
> ++
>
> + /* figure out the path to work with in this particular request */
>
> + CURLcode Curl_getworkingpath(struct connectdata *conn,
>
> + char *homedir, /* when SFTP is used */
>
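Review bot: `MAX_SSHPATH_LEN` is documented only as `/* arbitrary */`, and in the next hunk every non-zero return from `Curl_dyn_add` and `Curl_dyn_addn` is turned into `CURLE_OUT_OF_MEMORY`. Extend the comment to say that this caps the length of the resolved SCP/SFTP path and that a path over the cap would reach the caller as an out-of-memory error, so the limit is not mistaken for a real allocation failure when debugging.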
> +@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
>
> + real path to work with */
>
> + {
>
> + struct Curl_easy *data = conn->data;
>
> +- char *real_path = NULL;
>
> + char *working_path;
>
> + size_t working_path_len;
>
> ++ struct dynbuf npath;
>
> + CURLcode result =
>
> + Curl_urldecode(data, data->state.up.path, 0, &working_path,
>
> + &working_path_len, FALSE);
>
> + if(result)
>
> + return result;
>
> +
>
> ++ /* new path to switch to in case we need to */
>
> ++ Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
>
> ++
>
> + /* Check for /~/, indicating relative to the user's home directory */
>
> +- if(conn->handler->protocol & CURLPROTO_SCP) {
>
> +- real_path = malloc(working_path_len + 1);
>
> +- if(real_path == NULL) {
>
> ++ if((data->conn->handler->protocol & CURLPROTO_SCP) &&
>
> ++ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
>
> ++ /* It is referenced to the home directory, so strip the leading '/~/' */
>
> ++ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
>
> + free(working_path);
>
> + return CURLE_OUT_OF_MEMORY;
>
> + }
>
> +- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
>
> +- /* It is referenced to the home directory, so strip the leading '/~/' */
>
> +- memcpy(real_path, working_path + 3, working_path_len - 2);
>
> +- else
>
> +- memcpy(real_path, working_path, 1 + working_path_len);
>
> + }
>
> +- else if(conn->handler->protocol & CURLPROTO_SFTP) {
>
> +- if((working_path_len > 1) && (working_path[1] == '~')) {
>
> +- size_t homelen = strlen(homedir);
>
> +- real_path = malloc(homelen + working_path_len + 1);
>
> +- if(real_path == NULL) {
>
> +- free(working_path);
>
> +- return CURLE_OUT_OF_MEMORY;
>
> +- }
>
> +- /* It is referenced to the home directory, so strip the
>
> +- leading '/' */
>
> +- memcpy(real_path, homedir, homelen);
>
> +- real_path[homelen] = '/';
>
> +- real_path[homelen + 1] = '\0';
>
> +- if(working_path_len > 3) {
>
> +- memcpy(real_path + homelen + 1, working_path + 3,
>
> +- 1 + working_path_len -3);
>
> +- }
>
> ++ else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
>
> ++ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
>
> ++ size_t len;
>
> ++ const char *p;
>
> ++ int copyfrom = 3;
>
> ++ if(Curl_dyn_add(&npath, homedir)) {
>
> ++ free(working_path);
>
> ++ return CURLE_OUT_OF_MEMORY;
>
> + }
>
> +- else {
>
> +- real_path = malloc(working_path_len + 1);
>
> +- if(real_path == NULL) {
>
> +- free(working_path);
>
> +- return CURLE_OUT_OF_MEMORY;
>
> +- }
>
> +- memcpy(real_path, working_path, 1 + working_path_len);
>
> ++ /* Copy a separating '/' if homedir does not end with one */
>
> ++ len = Curl_dyn_len(&npath);
>
> ++ p = Curl_dyn_ptr(&npath);
>
> ++ if(len && (p[len-1] != '/'))
>
> ++ copyfrom = 2;
>
> ++
>
> ++ if(Curl_dyn_addn(&npath,
>
> ++ &working_path[copyfrom], working_path_len - copyfrom)) {
>
> ++ free(working_path);
>
> ++ return CURLE_OUT_OF_MEMORY;
>
> + }
>
> + }
>
> +
>
> +- free(working_path);
>
> ++ if(Curl_dyn_len(&npath)) {
>
> ++ free(working_path);
>
> +
>
> +- /* store the pointer for the caller to receive */
>
> +- *path = real_path;
>
> ++ /* store the pointer for the caller to receive */
>
> ++ *path = Curl_dyn_ptr(&npath);
>
> ++ }
>
> ++ else
>
> ++ *path = working_path;
>
> +
>
> + return CURLE_OK;
>
> + }
>
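Review bot: in the SFTP branch `copyfrom` only drops to 2 when `len` is non-zero and `homedir` does not end in '/', so with an empty `homedir` the code copies from offset 3 and the result has no leading '/', where the removed code always wrote `homedir` followed by '/'. Please confirm that an empty home directory cannot reach this function, or handle `len == 0` explicitly.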
> +--
>
> +2.25.1
>
> +
>
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
>
> index 899daf8eac..fddf15e3ff 100644
>
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
>
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
>
> @@ -42,6 +42,7 @@ SRC_URI ="https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ <https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
> file://CVE-2022-32221.patch
> \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
> file://CVE-2022-35260.patch
> \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
> file://CVE-2022-43552.patch
> \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
> + file://CVE-2023-27534.patch
> \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
> "
> <https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
> SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
>
> --
>
> 2.25.1
>
> --
> Regards,
> Hitendra Prajapati
> MontaVista Software LLC
>
--
Regards,
Hitendra Prajapati
MontaVista Software LLC
Thread overview: 7+ messages
2023-04-14 10:55 [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy Hitendra Prajapati
2023-05-11 14:45 ` [OE-core] " Steve Sakoman
2023-05-11 21:34 ` Siddharth
2023-05-12 11:26 ` [OE-core] " Hitendra Prajapati
2023-05-16 18:38 ` Abdurrahman Hussain (fib)
2023-05-17 6:04 ` Hitendra Prajapati
2023-05-17 6:12 ` Hitendra Prajapati