From: "akuster" <akuster808@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: Armin Kuster <akuster@mvista.com>
Subject: [dunfell][PATCH 2/2] curl: Security fix for CVE-2020-8231
Date: Fri, 15 Jan 2021 10:02:46 -0800	[thread overview]
Message-ID: <20210115180246.503-2-akuster808@gmail.com> (raw)
In-Reply-To: <20210115180246.503-1-akuster808@gmail.com>

From: Armin Kuster <akuster@mvista.com>

Source: https://curl.se/
MR: 105190
Type: Security Fix
Disposition: Backport from https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8
ChangeID: 7cb4278f48b0da2009b5b7cf2b2383b12a5660ab
Description:

Fixes CVE-2020-8231
Affects 7.29.0 to 7.71.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../curl/curl/CVE-2020-8231.patch             | 143 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   1 +
 2 files changed, 144 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2020-8231.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2020-8231.patch b/meta/recipes-support/curl/curl/CVE-2020-8231.patch
new file mode 100644
index 00000000000..f01e225e754
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8231.patch
@@ -0,0 +1,143 @@
+From 3c9e021f86872baae412a427e807fbfa2f3e8a22 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 16 Aug 2020 11:34:35 +0200
+Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer
+
+CVE-2020-8231
+
+Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
+
+Reported-by: Marc Aldorasi
+Closes #5824
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8]
+CVE: CVE-2020-8231
+Affects: 7.20.0 to 7.71.1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ lib/connect.c | 19 ++++++++++---------
+ lib/easy.c    |  3 +--
+ lib/multi.c   |  9 +++++----
+ lib/url.c     |  2 +-
+ lib/urldata.h |  2 +-
+ 5 files changed, 18 insertions(+), 17 deletions(-)
+
+Index: curl-7.69.1/lib/connect.c
+===================================================================
+--- curl-7.69.1.orig/lib/connect.c
++++ curl-7.69.1/lib/connect.c
+@@ -1356,15 +1356,15 @@ CURLcode Curl_connecthost(struct connect
+ }
+ 
+ struct connfind {
+-  struct connectdata *tofind;
+-  bool found;
++  long id_tofind;
++  struct connectdata *found;
+ };
+ 
+ static int conn_is_conn(struct connectdata *conn, void *param)
+ {
+   struct connfind *f = (struct connfind *)param;
+-  if(conn == f->tofind) {
+-    f->found = TRUE;
++  if(conn->connection_id == f->id_tofind) {
++    f->found = conn;
+     return 1;
+   }
+   return 0;
+@@ -1386,21 +1386,22 @@ curl_socket_t Curl_getconnectinfo(struct
+    * - that is associated with a multi handle, and whose connection
+    *   was detached with CURLOPT_CONNECT_ONLY
+    */
+-  if(data->state.lastconnect && (data->multi_easy || data->multi)) {
+-    struct connectdata *c = data->state.lastconnect;
++  if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
++    struct connectdata *c;
+     struct connfind find;
+-    find.tofind = data->state.lastconnect;
+-    find.found = FALSE;
++    find.id_tofind = data->state.lastconnect_id;
++    find.found = NULL;
+ 
+     Curl_conncache_foreach(data, data->multi_easy?
+                            &data->multi_easy->conn_cache:
+                            &data->multi->conn_cache, &find, conn_is_conn);
+ 
+     if(!find.found) {
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+       return CURL_SOCKET_BAD;
+     }
+ 
++    c = find.found;
+     if(connp) {
+       /* only store this if the caller cares for it */
+       *connp = c;
+Index: curl-7.69.1/lib/easy.c
+===================================================================
+--- curl-7.69.1.orig/lib/easy.c
++++ curl-7.69.1/lib/easy.c
+@@ -831,8 +831,7 @@ struct Curl_easy *curl_easy_duphandle(st
+ 
+   /* the connection cache is setup on demand */
+   outcurl->state.conn_cache = NULL;
+-
+-  outcurl->state.lastconnect = NULL;
++  outcurl->state.lastconnect_id = -1;
+ 
+   outcurl->progress.flags    = data->progress.flags;
+   outcurl->progress.callback = data->progress.callback;
+Index: curl-7.69.1/lib/multi.c
+===================================================================
+--- curl-7.69.1.orig/lib/multi.c
++++ curl-7.69.1/lib/multi.c
+@@ -454,6 +454,7 @@ CURLMcode curl_multi_add_handle(struct C
+     data->state.conn_cache = &data->share->conn_cache;
+   else
+     data->state.conn_cache = &multi->conn_cache;
++  data->state.lastconnect_id = -1;
+ 
+ #ifdef USE_LIBPSL
+   /* Do the same for PSL. */
+@@ -669,11 +670,11 @@ static CURLcode multi_done(struct Curl_e
+     CONN_UNLOCK(data);
+     if(Curl_conncache_return_conn(data, conn)) {
+       /* remember the most recently used connection */
+-      data->state.lastconnect = conn;
++      data->state.lastconnect_id = conn->connection_id;
+       infof(data, "%s\n", buffer);
+     }
+     else
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+   }
+ 
+   Curl_free_request_state(data);
+Index: curl-7.69.1/lib/url.c
+===================================================================
+--- curl-7.69.1.orig/lib/url.c
++++ curl-7.69.1/lib/url.c
+@@ -618,7 +618,7 @@ CURLcode Curl_open(struct Curl_easy **cu
+       Curl_initinfo(data);
+ 
+       /* most recent connection is not yet defined */
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+ 
+       data->progress.flags |= PGRS_HIDE;
+       data->state.current_speed = -1; /* init to negative == impossible */
+Index: curl-7.69.1/lib/urldata.h
+===================================================================
+--- curl-7.69.1.orig/lib/urldata.h
++++ curl-7.69.1/lib/urldata.h
+@@ -1332,7 +1332,7 @@ struct UrlState {
+   /* buffers to store authentication data in, as parsed from input options */
+   struct curltime keeps_speed; /* for the progress meter really */
+ 
+-  struct connectdata *lastconnect; /* The last connection, NULL if undefined */
++  long lastconnect_id; /* The last connection, -1 if undefined */
+ 
+   char *headerbuff; /* allocated buffer to store headers in */
+   size_t headersize;   /* size of the allocation */
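Review bot: The `Affects:` trailer inside the new patch file reads `7.20.0 to 7.71.1`, while the commit message for this same change says `7.29.0 to 7.71.1`; one of the two records the wrong range and should be checked against the advisory on the `Bug:` line before merge. The `Upstream-Status` URL also stops short of the full commit id given on the patch's own `From` line; writing it as `Upstream-Status: Backport [https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8a22]` keeps the reference unambiguous. On the code itself, the lookup in `conn_is_conn` is only as strong as the uniqueness of `connection_id` within the cache that `Curl_conncache_foreach` walks, and the place where that id is assigned is not in any hunk here, so it is worth confirming in the 7.69.1 tree that ids are never reused there. `Curl_getconnectinfo` continues past the end of its hunk, so what happens to `c` after `*connp = c;` is not visible for review.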
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index c0db01ac5d0..6dc2e4132e4 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2020-8284.patch \
            file://CVE-2020-8285.patch \
            file://CVE-2020-8286.patch \
+           file://CVE-2020-8231.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
-- 
2.17.1

