From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 02/24] curl: Backport patch for CVE-2022-35252
Date: Wed, 7 Sep 2022 04:20:03 -1000 [thread overview]
Message-ID: <40bbdb43b247ffc5dd1990f51fb824a089c0987f.1662559557.git.steve@sakoman.com> (raw)
In-Reply-To: <cover.1662559557.git.steve@sakoman.com>
From: Robert Joslyn <robert.joslyn@redrectangle.org>
https://curl.se/docs/CVE-2022-35252.html
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../curl/curl/CVE-2022-35252.patch | 72 +++++++++++++++++++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
2 files changed, 73 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-35252.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2022-35252.patch b/meta/recipes-support/curl/curl/CVE-2022-35252.patch
new file mode 100644
index 0000000000..7b6f81bd02
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-35252.patch
@@ -0,0 +1,72 @@
+From 62c09239ac4e08239c8e363b06901fc80637d8c7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH] cookie: reject cookies with "control bytes"
+
+Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+Reported-by: Axel Chong
+
+Bug: https://curl.se/docs/CVE-2022-35252.html
+
+CVE-2022-35252
+
+Closes #9381
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb]
+
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/cookie.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index cb0c03b..e0470a1 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -438,6 +438,30 @@ static bool bad_domain(const char *domain)
+ return TRUE;
+ }
+
++/*
++ RFC 6265 section 4.1.1 says a server should accept this range:
++
++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
++
++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
++ fine. The prime reason for filtering out control bytes is that some HTTP
++ servers return 400 for requests that contain such.
++*/
++static int invalid_octets(const char *p)
++{
++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
++ static const char badoctets[] = {
++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
++ };
++ size_t vlen, len;
++ /* scan for all the octets that are *not* in cookie-octet */
++ len = strcspn(p, badoctets);
++ vlen = strlen(p);
++ return (len != vlen);
++}
++
+ /*
+ * Curl_cookie_add
+ *
+@@ -590,6 +614,11 @@ Curl_cookie_add(struct Curl_easy *data,
+ badcookie = TRUE;
+ break;
+ }
++ if(invalid_octets(whatptr) || invalid_octets(name)) {
++ infof(data, "invalid octets in name/value, cookie dropped");
++ badcookie = TRUE;
++ break;
++ }
+ }
+ else if(!len) {
+ /*
+--
+2.35.1
+
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 67de0220c6..5368c91f5c 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2022-32206.patch \
file://CVE-2022-32207.patch \
file://CVE-2022-32208.patch \
+ file://CVE-2022-35252.patch \
"
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
--
2.25.1
next prev parent reply other threads:[~2022-09-07 14:20 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-07 14:20 [OE-core][kirkstone 00/24] Patch review Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 01/24] sqlite: add CVE-2022-35737 patch to SRC_URI Steve Sakoman
2022-09-07 14:20 ` Steve Sakoman [this message]
2022-09-07 14:20 ` [OE-core][kirkstone 03/24] binutils : CVE-2022-38533 Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 04/24] classes: cve-check: Get shared database lock Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 05/24] cve-check: close cursors as soon as possible Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 06/24] vim: Upgrade 9.0.0242 -> 9.0.0341 Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 07/24] libtasn1: upgrade 4.18.0 -> 4.19.0 Steve Sakoman
2022-09-14 0:37 ` Randy MacLeod
2022-09-14 2:19 ` Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 08/24] liburcu: upgrade 0.13.1 -> 0.13.2 Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 09/24] libwpe: upgrade 1.12.2 -> 1.12.3 Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 10/24] libatomic-ops: upgrade 7.6.12 -> 7.6.14 Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 11/24] lz4: upgrade 1.9.3 -> 1.9.4 Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 12/24] insane.bbclass: Skip patches not in oe-core by full path Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 13/24] maintainers: update opkg maintainer Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 14/24] apr: Cache configure tests which use AC_TRY_RUN Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 15/24] bitbake.conf: set BB_DEFAULT_UMASK using ??= Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 16/24] pseudo: Update to include recent upstream minor fixes Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 17/24] scripts/runqemu.README: fix typos and trailing whitespaces Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 18/24] meta: introduce UBOOT_MKIMAGE_KERNEL_TYPE Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 19/24] kernel-fitimage.bbclass: add padding algorithm property in config nodes Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 20/24] npm: replace 'npm pack' call by 'tar czf' Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 21/24] npm: return content of 'package.json' in 'npm_pack' Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 22/24] npm: take 'version' directly from 'package.json' Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 23/24] lib:npm_registry: initial checkin Steve Sakoman
2022-09-07 14:20 ` [OE-core][kirkstone 24/24] npm: use npm_registry to cache package Steve Sakoman
2022-09-13 15:40 ` Martin Jansa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40bbdb43b247ffc5dd1990f51fb824a089c0987f.1662559557.git.steve@sakoman.com \
--to=steve@sakoman.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox