* [PATCH] curl: Security Advisory - curl - CVE-2014-3620
From: Chong Lu @ 2014-11-03 9:31 UTC (permalink / raw)
To: openembedded-core
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus
making them apply broader than cookies are allowed. This can allow arbitrary
sites to set cookies that then would get sent to a different and unrelated site
or domain.
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
---
meta/recipes-support/curl/curl/CVE-2014-3620.patch | 69 ++++++++++++++++++++
meta/recipes-support/curl/curl_7.37.1.bb | 1 +
2 files changed, 70 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2014-3620.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2014-3620.patch b/meta/recipes-support/curl/curl/CVE-2014-3620.patch
new file mode 100644
index 0000000..d11f190
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2014-3620.patch
@@ -0,0 +1,69 @@
+From fd7ae600adf23a9a1ed619165c5058bdec216e9c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 19 Aug 2014 21:11:20 +0200
+Subject: [PATCH] cookies: reject incoming cookies set for TLDs
+
+Test 61 was modified to verify this.
+
+CVE-2014-3620
+
+Reported-by: Tim Ruehsen
+URL: http://curl.haxx.se/docs/adv_20140910B.html
+
+Upstream-Status: Backport
+
+Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
+---
+ lib/cookie.c | 6 ++++++
+ tests/data/test61 | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 46904ac..375485f 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -461,19 +461,25 @@ Curl_cookie_add(struct SessionHandle *data,
+ break;
+ }
+ }
+ else if(Curl_raw_equal("domain", name)) {
+ bool is_ip;
++ const char *dotp;
+
+ /* Now, we make sure that our host is within the given domain,
+ or the given domain is not valid and thus cannot be set. */
+
+ if('.' == whatptr[0])
+ whatptr++; /* ignore preceding dot */
+
+ is_ip = isip(domain ? domain : whatptr);
+
++ /* check for more dots */
++ dotp = strchr(whatptr, '.');
++ if(!dotp)
++ domain=":";
++
+ if(!domain
+ || (is_ip && !strcmp(whatptr, domain))
+ || (!is_ip && tailmatch(whatptr, domain))) {
+ strstore(&co->domain, whatptr);
+ if(!co->domain) {
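Review bot: Overwriting the `domain` argument with the sentinel `":"` in the new `if(!dotp)` branch also defeats the `!domain` test in the condition that follows, so a dotless domain attribute no longer satisfies that condition even when the caller passed no host to match against, and a single-label host (for example `localhost`) can no longer set a domain cookie for its own name. If that is intended, the comment should say so: `/* check for more dots */` does not explain that `":"` is chosen because it can never equal or tail-match a real name. A local flag tested in the condition would be clearer than reassigning the parameter. The check also only looks for one embedded dot, so it covers single-label TLDs only, and `domain=":";` is missing the spaces around `=` that the neighbouring assignments use.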
+diff --git a/tests/data/test61 b/tests/data/test61
+index d2de279..e6dbbb9 100644
+--- a/tests/data/test61
++++ b/tests/data/test61
+@@ -21,10 +21,11 @@ Set-Cookie: test=yes; httponly; domain=foo.com; expires=Fri Feb 2 11:56:27 GMT 2
+ SET-COOKIE: test2=yes; domain=host.foo.com; expires=Fri Feb 2 11:56:27 GMT 2035
+ Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure
+ Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure
+ Set-Cookie: test5=name; domain=anything.com; path=/ ; secure
+ Set-Cookie: fake=fooledyou; domain=..com; path=/;
++Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M
+ Content-Length: 4
+
+ boo
+ </data>
+ </reply>
+--
+2.1.0
+
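Review bot: The added `supercookie` line in the tests/data/test61 hunk ends in a literal `^M`, while the surrounding Set-Cookie context lines carry none, so the test file's carriage returns have not survived consistently in this mail and the hunk will not apply against a file whose lines end in CRLF (the reply in this thread reports `Hunk #1 FAILED at 21.` for this file). Ship the patch file in a way that preserves its line endings byte for byte, for example from a git branch rather than inline mail, or drop the tests/data/test61 part from the backport if the test data is not needed at build time and note that in the patch header.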
diff --git a/meta/recipes-support/curl/curl_7.37.1.bb b/meta/recipes-support/curl/curl_7.37.1.bb
index 1147675..8b854d7 100644
--- a/meta/recipes-support/curl/curl_7.37.1.bb
+++ b/meta/recipes-support/curl/curl_7.37.1.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=7;md5=3a34942f4ae3fbf1a303160714e66
SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://pkgconfig_fix.patch \
file://CVE-2014-3613.patch \
+ file://CVE-2014-3620.patch \
"
# curl likes to set -g0 in CFLAGS, so we stop it
--
1.7.9.5
* Re: [PATCH] curl: Security Advisory - curl - CVE-2014-3620
From: Burton, Ross @ 2014-11-03 11:59 UTC (permalink / raw)
To: Chong Lu; +Cc: OE-core
On 3 November 2014 09:31, Chong Lu <Chong.Lu@windriver.com> wrote:
> meta/recipes-support/curl/curl/CVE-2014-3620.patch | 69
> ++++++++++++++++++++
>
ERROR: Command Error: exit status: 1 Output:
Applying patch CVE-2014-3620.patch
patching file lib/cookie.c
patching file tests/data/test61
Hunk #1 FAILED at 21.
Assuming that this is a line ending problem again, do you have this commit
in a git repository somewhere?
Ross
* Re: [PATCH] curl: Security Advisory - curl - CVE-2014-3620
From: Chong Lu @ 2014-11-04 1:42 UTC (permalink / raw)
To: Burton, Ross; +Cc: OE-core
On 11/03/2014 07:59 PM, Burton, Ross wrote:
>
> On 3 November 2014 09:31, Chong Lu <Chong.Lu@windriver.com> wrote:
>
> meta/recipes-support/curl/curl/CVE-2014-3620.patch | 69
> ++++++++++++++++++++
>
>
> ERROR: Command Error: exit status: 1 Output:
> Applying patch CVE-2014-3620.patch
> patching file lib/cookie.c
> patching file tests/data/test61
> Hunk #1 FAILED at 21.
>
> Assuming that this is a line ending problem again, do you have this
> commit in a git repository somewhere?
>
> Ross
Hi Ross,
This patch has been included in
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=chonglu/curl
Best Regards
Chong