* [OE-core][dunfell][PATCHv2] curl: Security fix for CVE-2023-27534
@ 2023-05-11 21:28 Siddharth
2023-05-11 21:40 ` Steve Sakoman
0 siblings, 1 reply; 3+ messages in thread
From: Siddharth @ 2023-05-11 21:28 UTC (permalink / raw)
To: openembedded-core; +Cc: Siddharth, Hitendra Prajapati
Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
.../curl/curl/CVE-2023-27534-pre1.patch | 44 +++++++
.../curl/curl/CVE-2023-27534.patch | 122 +++---------------
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
3 files changed, 61 insertions(+), 106 deletions(-)
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
new file mode 100644
index 0000000000..98b25a2fe5
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
@@ -0,0 +1,44 @@
+From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
+From: Eric Vigeant <evigeant@gmail.com>
+Date: Wed, 2 Nov 2022 11:47:09 -0400
+Subject: [PATCH] cur_path: do not add '/' if homedir ends with one
+
+When using SFTP and a path relative to the user home, do not add a
+trailing '/' to the user home dir if it already ends with one.
+
+Closes #9844
+
+CVE: CVE-2023-27534
+Note: This patch is needed to backport CVE-2023-27534
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]
+
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ lib/curl_path.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index f429634..40b92ee 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+ /* It is referenced to the home directory, so strip the
+ leading '/' */
+ memcpy(real_path, homedir, homelen);
+- real_path[homelen] = '/';
+- real_path[homelen + 1] = '\0';
++ /* Only add a trailing '/' if homedir does not end with one */
++ if(homelen == 0 || real_path[homelen - 1] != '/') {
++ real_path[homelen] = '/';
++ homelen++;
++ real_path[homelen] = '\0';
++ }
+ if(working_path_len > 3) {
+- memcpy(real_path + homelen + 1, working_path + 3,
++ memcpy(real_path + homelen, working_path + 3,
+ 1 + working_path_len -3);
+ }
+ }
+--
+2.24.4
+
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
index aeeffd5fea..3ecd181290 100644
--- a/meta/recipes-support/curl/curl/CVE-2023-27534.patch
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
@@ -3,121 +3,31 @@ From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 9 Mar 2023 16:22:11 +0100
Subject: [PATCH] curl_path: create the new path with dynbuf
+Closes #10729
+
CVE: CVE-2023-27534
-Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
+Note: This patch is needed to backport CVE-2023-27534
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
- lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
- 1 file changed, 35 insertions(+), 36 deletions(-)
+ lib/curl_path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/curl_path.c b/lib/curl_path.c
-index f429634..e17db4b 100644
+index 40b92ee..598c5dd 100644
--- a/lib/curl_path.c
+++ b/lib/curl_path.c
-@@ -30,6 +30,8 @@
- #include "escape.h"
- #include "memdebug.h"
-
-+#define MAX_SSHPATH_LEN 100000 /* arbitrary */
-+
- /* figure out the path to work with in this particular request */
- CURLcode Curl_getworkingpath(struct connectdata *conn,
- char *homedir, /* when SFTP is used */
-@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
- real path to work with */
- {
- struct Curl_easy *data = conn->data;
-- char *real_path = NULL;
- char *working_path;
- size_t working_path_len;
-+ struct dynbuf npath;
- CURLcode result =
- Curl_urldecode(data, data->state.up.path, 0, &working_path,
- &working_path_len, FALSE);
- if(result)
- return result;
-
-+ /* new path to switch to in case we need to */
-+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
-+
- /* Check for /~/, indicating relative to the user's home directory */
-- if(conn->handler->protocol & CURLPROTO_SCP) {
-- real_path = malloc(working_path_len + 1);
-- if(real_path == NULL) {
-+ if((data->conn->handler->protocol & CURLPROTO_SCP) &&
-+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
-+ /* It is referenced to the home directory, so strip the leading '/~/' */
-+ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
- free(working_path);
- return CURLE_OUT_OF_MEMORY;
- }
-- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
-- /* It is referenced to the home directory, so strip the leading '/~/' */
-- memcpy(real_path, working_path + 3, working_path_len - 2);
-- else
-- memcpy(real_path, working_path, 1 + working_path_len);
+@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+ memcpy(real_path, working_path, 1 + working_path_len);
}
-- else if(conn->handler->protocol & CURLPROTO_SFTP) {
+ else if(conn->handler->protocol & CURLPROTO_SFTP) {
- if((working_path_len > 1) && (working_path[1] == '~')) {
-- size_t homelen = strlen(homedir);
-- real_path = malloc(homelen + working_path_len + 1);
-- if(real_path == NULL) {
-- free(working_path);
-- return CURLE_OUT_OF_MEMORY;
-- }
-- /* It is referenced to the home directory, so strip the
-- leading '/' */
-- memcpy(real_path, homedir, homelen);
-- real_path[homelen] = '/';
-- real_path[homelen + 1] = '\0';
-- if(working_path_len > 3) {
-- memcpy(real_path + homelen + 1, working_path + 3,
-- 1 + working_path_len -3);
-- }
-+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
-+ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
-+ size_t len;
-+ const char *p;
-+ int copyfrom = 3;
-+ if(Curl_dyn_add(&npath, homedir)) {
-+ free(working_path);
-+ return CURLE_OUT_OF_MEMORY;
- }
-- else {
-- real_path = malloc(working_path_len + 1);
-- if(real_path == NULL) {
-- free(working_path);
-- return CURLE_OUT_OF_MEMORY;
-- }
-- memcpy(real_path, working_path, 1 + working_path_len);
-+ /* Copy a separating '/' if homedir does not end with one */
-+ len = Curl_dyn_len(&npath);
-+ p = Curl_dyn_ptr(&npath);
-+ if(len && (p[len-1] != '/'))
-+ copyfrom = 2;
-+
-+ if(Curl_dyn_addn(&npath,
-+ &working_path[copyfrom], working_path_len - copyfrom)) {
-+ free(working_path);
-+ return CURLE_OUT_OF_MEMORY;
- }
- }
-
-- free(working_path);
-+ if(Curl_dyn_len(&npath)) {
-+ free(working_path);
-
-- /* store the pointer for the caller to receive */
-- *path = real_path;
-+ /* store the pointer for the caller to receive */
-+ *path = Curl_dyn_ptr(&npath);
-+ }
-+ else
-+ *path = working_path;
-
- return CURLE_OK;
- }
++ if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
+ size_t homelen = strlen(homedir);
+ real_path = malloc(homelen + working_path_len + 1);
+ if(real_path == NULL) {
--
-2.25.1
+2.24.4
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 32d18ddb3a..13ec117099 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -43,6 +43,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2022-35260.patch \
file://CVE-2022-43552.patch \
file://CVE-2023-23916.patch \
+ file://CVE-2023-27534-pre1.patch \
file://CVE-2023-27534.patch \
file://CVE-2023-27538.patch \
file://CVE-2023-27533.patch \
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [OE-core][dunfell][PATCHv2] curl: Security fix for CVE-2023-27534
2023-05-11 21:28 [OE-core][dunfell][PATCHv2] curl: Security fix for CVE-2023-27534 Siddharth
@ 2023-05-11 21:40 ` Steve Sakoman
2023-05-11 22:32 ` [dunfell][PATCHv2] " Siddharth
0 siblings, 1 reply; 3+ messages in thread
From: Steve Sakoman @ 2023-05-11 21:40 UTC (permalink / raw)
To: Siddharth; +Cc: openembedded-core, Hitendra Prajapati
Hi Siddharth,
Thanks for this, but I think we need a better shortlog and commit
message explaining why we need this additional patch.
Could you send a v3?
Thanks!
Steve
On Thu, May 11, 2023 at 11:28 AM Siddharth <sdoshi@mvista.com> wrote:
>
> Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> ---
> .../curl/curl/CVE-2023-27534-pre1.patch | 44 +++++++
> .../curl/curl/CVE-2023-27534.patch | 122 +++---------------
> meta/recipes-support/curl/curl_7.69.1.bb | 1 +
> 3 files changed, 61 insertions(+), 106 deletions(-)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
> new file mode 100644
> index 0000000000..98b25a2fe5
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
> @@ -0,0 +1,44 @@
> +From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
> +From: Eric Vigeant <evigeant@gmail.com>
> +Date: Wed, 2 Nov 2022 11:47:09 -0400
> +Subject: [PATCH] cur_path: do not add '/' if homedir ends with one
> +
> +When using SFTP and a path relative to the user home, do not add a
> +trailing '/' to the user home dir if it already ends with one.
> +
> +Closes #9844
> +
> +CVE: CVE-2023-27534
> +Note: This patch is needed to backport CVE-2023-27534
> +Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]
> +
> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> +---
> + lib/curl_path.c | 10 +++++++---
> + 1 file changed, 7 insertions(+), 3 deletions(-)
> +
> +diff --git a/lib/curl_path.c b/lib/curl_path.c
> +index f429634..40b92ee 100644
> +--- a/lib/curl_path.c
> ++++ b/lib/curl_path.c
> +@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
> + /* It is referenced to the home directory, so strip the
> + leading '/' */
> + memcpy(real_path, homedir, homelen);
> +- real_path[homelen] = '/';
> +- real_path[homelen + 1] = '\0';
> ++ /* Only add a trailing '/' if homedir does not end with one */
> ++ if(homelen == 0 || real_path[homelen - 1] != '/') {
> ++ real_path[homelen] = '/';
> ++ homelen++;
> ++ real_path[homelen] = '\0';
> ++ }
> + if(working_path_len > 3) {
> +- memcpy(real_path + homelen + 1, working_path + 3,
> ++ memcpy(real_path + homelen, working_path + 3,
> + 1 + working_path_len -3);
> + }
> + }
> +--
> +2.24.4
> +
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
> index aeeffd5fea..3ecd181290 100644
> --- a/meta/recipes-support/curl/curl/CVE-2023-27534.patch
> +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
> @@ -3,121 +3,31 @@ From: Daniel Stenberg <daniel@haxx.se>
> Date: Thu, 9 Mar 2023 16:22:11 +0100
> Subject: [PATCH] curl_path: create the new path with dynbuf
>
> +Closes #10729
> +
> CVE: CVE-2023-27534
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
> +Note: This patch is needed to backport CVE-2023-27534
> +Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> ---
> - lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
> - 1 file changed, 35 insertions(+), 36 deletions(-)
> + lib/curl_path.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/curl_path.c b/lib/curl_path.c
> -index f429634..e17db4b 100644
> +index 40b92ee..598c5dd 100644
> --- a/lib/curl_path.c
> +++ b/lib/curl_path.c
> -@@ -30,6 +30,8 @@
> - #include "escape.h"
> - #include "memdebug.h"
> -
> -+#define MAX_SSHPATH_LEN 100000 /* arbitrary */
> -+
> - /* figure out the path to work with in this particular request */
> - CURLcode Curl_getworkingpath(struct connectdata *conn,
> - char *homedir, /* when SFTP is used */
> -@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
> - real path to work with */
> - {
> - struct Curl_easy *data = conn->data;
> -- char *real_path = NULL;
> - char *working_path;
> - size_t working_path_len;
> -+ struct dynbuf npath;
> - CURLcode result =
> - Curl_urldecode(data, data->state.up.path, 0, &working_path,
> - &working_path_len, FALSE);
> - if(result)
> - return result;
> -
> -+ /* new path to switch to in case we need to */
> -+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
> -+
> - /* Check for /~/, indicating relative to the user's home directory */
> -- if(conn->handler->protocol & CURLPROTO_SCP) {
> -- real_path = malloc(working_path_len + 1);
> -- if(real_path == NULL) {
> -+ if((data->conn->handler->protocol & CURLPROTO_SCP) &&
> -+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
> -+ /* It is referenced to the home directory, so strip the leading '/~/' */
> -+ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
> - free(working_path);
> - return CURLE_OUT_OF_MEMORY;
> - }
> -- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
> -- /* It is referenced to the home directory, so strip the leading '/~/' */
> -- memcpy(real_path, working_path + 3, working_path_len - 2);
> -- else
> -- memcpy(real_path, working_path, 1 + working_path_len);
> +@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
> + memcpy(real_path, working_path, 1 + working_path_len);
> }
> -- else if(conn->handler->protocol & CURLPROTO_SFTP) {
> + else if(conn->handler->protocol & CURLPROTO_SFTP) {
> - if((working_path_len > 1) && (working_path[1] == '~')) {
> -- size_t homelen = strlen(homedir);
> -- real_path = malloc(homelen + working_path_len + 1);
> -- if(real_path == NULL) {
> -- free(working_path);
> -- return CURLE_OUT_OF_MEMORY;
> -- }
> -- /* It is referenced to the home directory, so strip the
> -- leading '/' */
> -- memcpy(real_path, homedir, homelen);
> -- real_path[homelen] = '/';
> -- real_path[homelen + 1] = '\0';
> -- if(working_path_len > 3) {
> -- memcpy(real_path + homelen + 1, working_path + 3,
> -- 1 + working_path_len -3);
> -- }
> -+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
> -+ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
> -+ size_t len;
> -+ const char *p;
> -+ int copyfrom = 3;
> -+ if(Curl_dyn_add(&npath, homedir)) {
> -+ free(working_path);
> -+ return CURLE_OUT_OF_MEMORY;
> - }
> -- else {
> -- real_path = malloc(working_path_len + 1);
> -- if(real_path == NULL) {
> -- free(working_path);
> -- return CURLE_OUT_OF_MEMORY;
> -- }
> -- memcpy(real_path, working_path, 1 + working_path_len);
> -+ /* Copy a separating '/' if homedir does not end with one */
> -+ len = Curl_dyn_len(&npath);
> -+ p = Curl_dyn_ptr(&npath);
> -+ if(len && (p[len-1] != '/'))
> -+ copyfrom = 2;
> -+
> -+ if(Curl_dyn_addn(&npath,
> -+ &working_path[copyfrom], working_path_len - copyfrom)) {
> -+ free(working_path);
> -+ return CURLE_OUT_OF_MEMORY;
> - }
> - }
> -
> -- free(working_path);
> -+ if(Curl_dyn_len(&npath)) {
> -+ free(working_path);
> -
> -- /* store the pointer for the caller to receive */
> -- *path = real_path;
> -+ /* store the pointer for the caller to receive */
> -+ *path = Curl_dyn_ptr(&npath);
> -+ }
> -+ else
> -+ *path = working_path;
> -
> - return CURLE_OK;
> - }
> ++ if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
> + size_t homelen = strlen(homedir);
> + real_path = malloc(homelen + working_path_len + 1);
> + if(real_path == NULL) {
> --
> -2.25.1
> +2.24.4
>
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
> index 32d18ddb3a..13ec117099 100644
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> @@ -43,6 +43,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
> file://CVE-2022-35260.patch \
> file://CVE-2022-43552.patch \
> file://CVE-2023-23916.patch \
> + file://CVE-2023-27534-pre1.patch \
> file://CVE-2023-27534.patch \
> file://CVE-2023-27538.patch \
> file://CVE-2023-27533.patch \
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#181154): https://lists.openembedded.org/g/openembedded-core/message/181154
> Mute This Topic: https://lists.openembedded.org/mt/98837360/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dunfell][PATCHv2] curl: Security fix for CVE-2023-27534
2023-05-11 21:40 ` Steve Sakoman
@ 2023-05-11 22:32 ` Siddharth
0 siblings, 0 replies; 3+ messages in thread
From: Siddharth @ 2023-05-11 22:32 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 211 bytes --]
Hi Steve,
Thank-you for the feedback.
I have added a better log to explain the reason for this additional patch and have sent v3. Please let me know if it works according to you.
Regards,
Siddharth
[-- Attachment #2: Type: text/html, Size: 253 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-05-11 22:32 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-05-11 21:28 [OE-core][dunfell][PATCHv2] curl: Security fix for CVE-2023-27534 Siddharth
2023-05-11 21:40 ` Steve Sakoman
2023-05-11 22:32 ` [dunfell][PATCHv2] " Siddharth
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.