From: pawan <badganchipv@gmail.com>
To: openembedded-core@lists.openembedded.org, badganchipv@gmail.com
Cc: ranjitsinh.rathod@kpit.com, Pawan Badganchi <Pawan.Badganchi@kpit.com>
Subject: [meta][kirkstone][PATCH 2/2] curl: Add fix for CVE-2023-23916
Date: Fri, 24 Mar 2023 13:27:00 +0530 [thread overview]
Message-ID: <20230324075700.22155-2-badganchipv@gmail.com> (raw)
In-Reply-To: <20230324075700.22155-1-badganchipv@gmail.com>
From: Pawan Badganchi <badganchipv@gmail.com>
Add below patch to fix CVE-2023-23916
CVE-2023-23916.patch
Link: https://curl.se/docs/CVE-2023-23916.html
Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
Signed-off-by: Pawan Badganchi <badganchipv@gmail.com>
---
.../curl/curl/CVE-2023-23916.patch | 222 ++++++++++++++++++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
2 files changed, 223 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
new file mode 100644
index 0000000000..6a1be173cd
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
@@ -0,0 +1,222 @@
+Backport of:
+
+From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 13 Feb 2023 08:33:09 +0100
+Subject: [PATCH] content_encoding: do not reset stage counter for each header
+
+Test 418 verifies
+
+Closes #10492
+
+CVE: CVE-2023-23916
+Upstream-Status: Backport [https://github.com/curl/curl/commit/119fb187192a9ea13dc.patch]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ lib/content_encoding.c | 7 +-
+ lib/urldata.h | 1 +
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test387 | 2 +-
+ tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 158 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test418
+
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -1035,7 +1035,6 @@ CURLcode Curl_build_unencoding_stack(str
+ const char *enclist, int maybechunked)
+ {
+ struct SingleRequest *k = &data->req;
+- int counter = 0;
+
+ do {
+ const char *name;
+@@ -1070,9 +1069,9 @@ CURLcode Curl_build_unencoding_stack(str
+ if(!encoding)
+ encoding = &error_encoding; /* Defer error at stack use. */
+
+- if(++counter >= MAX_ENCODE_STACK) {
+- failf(data, "Reject response due to %u content encodings",
+- counter);
++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
++ failf(data, "Reject response due to more than %u content encodings",
++ MAX_ENCODE_STACK);
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
+ /* Stack the unencoding stage. */
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -708,6 +708,7 @@ struct SingleRequest {
+ struct dohdata *doh; /* DoH specific data for this request */
+ #endif
+ unsigned char setcookies;
++ unsigned char writer_stack_depth; /* Unencoding stack depth. */
+ BIT(header); /* incoming data has HTTP header */
+ BIT(content_range); /* set TRUE if Content-Range: was found */
+ BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -66,7 +66,7 @@ test370 test371 \
+ test392 test393 test394 test395 test396 test397 \
+ \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+-test409 test410 \
++test409 test410 test418 \
+ \
+ test430 test431 test432 test433 test434 test435 test446 \
+ \
+--- /dev/null
++++ b/tests/data/test418
+@@ -0,0 +1,152 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++gzip
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 200 OK
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Response with multiple Transfer-Encoding headers
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++
++# CURLE_BAD_CONTENT_ENCODING is 61
++<errorcode>
++61
++</errorcode>
++<stderr mode="text">
++curl: (61) Reject response due to more than 5 content encodings
++</stderr>
++</verify>
++</testcase>
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index b583060889..945745cdde 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -39,6 +39,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2023-23914_5-3.patch \
file://CVE-2023-23914_5-4.patch \
file://CVE-2023-23914_5-5.patch \
+ file://CVE-2023-23916.patch \
"
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
--
2.38.1
next prev parent reply other threads:[~2023-03-24 7:57 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-24 7:56 [meta][kirkstone][PATCH 1/2] curl: Add fix for CVE-2023-23914, CVE-2023-23915 pawan
2023-03-24 7:57 ` pawan [this message]
2023-03-24 15:39 ` [OE-core] [meta][kirkstone][PATCH 2/2] curl: Add fix for CVE-2023-23916 Steve Sakoman
2023-03-24 15:45 ` Pawan Badganchi
2023-03-29 7:38 ` Pawan Badganchi
2023-03-29 14:18 ` [OE-core] " Steve Sakoman
2023-04-03 10:34 ` Pawan Badganchi
2023-04-03 10:41 ` Pawan Badganchi
2023-04-03 15:17 ` [OE-core] " Steve Sakoman
2023-04-03 15:22 ` Pawan Badganchi
2023-04-03 15:27 ` [OE-core] " Steve Sakoman
2023-04-03 15:44 ` Pawan Badganchi
2023-04-03 16:20 ` [OE-core] " Steve Sakoman
2023-04-03 17:00 ` Pawan Badganchi
2023-04-03 17:45 ` [OE-core] " Steve Sakoman
2023-04-03 23:01 ` Martin Jansa
2023-04-04 8:33 ` Pawan Badganchi
2023-05-02 9:14 ` [meta][kirkstone][PATCH 1/2] curl: Add fix for CVE-2023-23914, CVE-2023-23915 Pawan Badganchi
-- strict thread matches above, loose matches on Subject: below --
2023-03-15 9:35 pawan
2023-03-15 9:35 ` [meta][kirkstone][PATCH 2/2] curl: Add fix for CVE-2023-23916 pawan
2023-03-20 13:07 ` Pawan Badganchi
2023-03-14 15:39 [OE-core] " Steve Sakoman
2023-03-15 9:59 ` Pawan Badganchi
2023-03-03 7:50 [meta][kirkstone][PATCH 1/2] curl: Add fix for CVE-2023-23914, CVE-2023-23915 pawan
2023-03-03 7:50 ` [meta][kirkstone][PATCH 2/2] curl: Add fix for CVE-2023-23916 pawan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230324075700.22155-2-badganchipv@gmail.com \
--to=badganchipv@gmail.com \
--cc=Pawan.Badganchi@kpit.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=ranjitsinh.rathod@kpit.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox