* [PATCH 0/4][jethro] Jethro security fix pull request
@ 2016-02-05 17:07 Armin Kuster
From: Armin Kuster @ 2016-02-05 17:07 UTC
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
Please consider these changes for the next jethro-next.
The following changes since commit 9cfb259d1bfe2d66801e0f15e7bb36a162f757ad:
socat: Security fix CVE-2016-2217 (2016-02-05 06:32:56 -0800)
are available in the git repository at:
git://git.yoctoproject.org/poky-contrib akuster/jethro_cve_fixes
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=akuster/jethro_cve_fixes
Armin Kuster (4):
nettle: Security fix CVE-2015-8803 and CVE-2015-8805
nettle: Security fix CVE-2015-8804
curl: Security fix CVE-2016-0754
curl: Security fix CVE-2016-0755
meta/recipes-support/curl/curl/CVE-2016-0754.patch | 417 +++++++++++++++++++++
meta/recipes-support/curl/curl/CVE-2016-0755.patch | 138 +++++++
meta/recipes-support/curl/curl_7.44.0.bb | 4 +-
.../nettle/nettle-3.1.1/CVE-2015-8803_8805.patch | 71 ++++
.../nettle/nettle-3.1.1/CVE-2015-8804.patch | 281 ++++++++++++++
meta/recipes-support/nettle/nettle_3.1.1.bb | 5 +
6 files changed, 915 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/curl/curl/CVE-2016-0754.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2016-0755.patch
create mode 100644 meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8803_8805.patch
create mode 100644 meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8804.patch
--
2.3.5
* [PATCH 1/4] nettle: Security fix CVE-2015-8803 and CVE-2015-8805
From: Armin Kuster @ 2016-02-05 17:07 UTC
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../nettle/nettle-3.1.1/CVE-2015-8803_8805.patch | 71 ++++++++++++++++++++++
meta/recipes-support/nettle/nettle_3.1.1.bb | 4 ++
2 files changed, 75 insertions(+)
create mode 100644 meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8803_8805.patch
diff --git a/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8803_8805.patch b/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8803_8805.patch
new file mode 100644
index 0000000..b4ff228
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8803_8805.patch
@@ -0,0 +1,71 @@
+Upstream-Status: Backport
+https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
+
+CVE: CVE-2015-8803
+CVE: CVE-2015-8805
+
+Same fix for both.
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: nettle-3.1.1/ecc-256.c
+===================================================================
+--- nettle-3.1.1.orig/ecc-256.c
++++ nettle-3.1.1/ecc-256.c
+@@ -113,8 +113,19 @@ ecc_256_modp (const struct ecc_modulo *p
+
+ assert (q2 < 2);
+
+- /* We multiply by two low limbs of p, 2^96 - 1, so we could use
+- shifts rather than mul. */
++ /*
++ n-1 n-2 n-3 n-4
++ +---+---+---+---+
++ | u1| u0| u low |
++ +---+---+---+---+
++ - | q1(2^96-1)|
++ +-------+---+
++ |q2(2^.)|
++ +-------+
++
++ We multiply by two low limbs of p, 2^96 - 1, so we could use
++ shifts rather than mul.
++ */
+ t = mpn_submul_1 (rp + n - 4, p->m, 2, q1);
+ t += cnd_sub_n (q2, rp + n - 3, p->m, 1);
+ t += (-q2) & 0xffffffff;
+@@ -124,7 +135,10 @@ ecc_256_modp (const struct ecc_modulo *p
+ u0 -= t;
+ t = (u1 < cy);
+ u1 -= cy;
+- u1 += cnd_add_n (t, rp + n - 4, p->m, 3);
++
++ cy = cnd_add_n (t, rp + n - 4, p->m, 2);
++ u0 += cy;
++ u1 += (u0 < cy);
+ u1 -= (-t) & 0xffffffff;
+ }
+ rp[2] = u0;
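Review bot: the functional change in this hunk is the last four lines, not the diagram, and the patch header does not say so. `u1 += cnd_add_n (t, rp + n - 4, p->m, 3);` added three limbs in memory starting at limb n-4, which by the new diagram reaches limb n-2, the limb held in the register u0; the carry into u1 was therefore taken from a stale memory limb while u0 itself (stored later by `rp[2] = u0;`) never saw the addition. The replacement adds two limbs, folds the carry into u0 (`u0 += cy;`) and propagates it with `u1 += (u0 < cy);`. State that in the header, which currently gives only the upstream commit URL, so a later reader does not take the comment block for the fix.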
+@@ -211,7 +225,7 @@ ecc_256_modq (const struct ecc_modulo *q
+
+ /* Conditional add of p */
+ u1 += t;
+- u2 += (t<<32) + (u0 < t);
++ u2 += (t<<32) + (u1 < t);
+
+ t = cnd_add_n (t, rp + n - 4, q->m, 2);
+ u1 += t;
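Review bot: `u2 += (t<<32) + (u1 < t);` now tests the limb that was just incremented on the line above (`u1 += t;`), while the old `(u0 < t)` derived the carry from a limb the add never touched; this is the second of the two carry bugs the ChangeLog entry below lists, so "Same fix for both" in the patch header is inaccurate (two distinct bugs, modp and modq, fixed by one upstream commit) and should be reworded. While touching this spot, the unchanged context comment `/* Conditional add of p */` sits inside ecc_256_modq and the code adds q->m, so it should say q.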
+Index: nettle-3.1.1/ChangeLog
+===================================================================
+--- nettle-3.1.1.orig/ChangeLog
++++ nettle-3.1.1/ChangeLog
+@@ -1,3 +1,9 @@
++2015-12-10 Niels Möller <nisse@lysator.liu.se>
++
++ * ecc-256.c (ecc_256_modp): Fixed carry propagation bug. Problem
++ reported by Hanno Böck.
++ (ecc_256_modq): Fixed another carry propagation bug.
++
+ 2015-04-24 Niels Möller <nisse@lysator.liu.se>
+
+ * Released nettle-3.1.1.
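Review bot: carrying the ChangeLog hunk in a backport creates an ordering dependency: the CVE-2015-8804 patch in 2/4 uses this 2015-12-10 entry as its context, so the two patches only apply in the order listed in SRC_URI and neither can be cherry-picked alone. The ChangeLog lines carry no code; dropping them from both patches would make each CVE patch self-contained. If they stay, say in the header of 2/4 that it depends on this patch.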
diff --git a/meta/recipes-support/nettle/nettle_3.1.1.bb b/meta/recipes-support/nettle/nettle_3.1.1.bb
index 7d7134f..1fe3461 100644
--- a/meta/recipes-support/nettle/nettle_3.1.1.bb
+++ b/meta/recipes-support/nettle/nettle_3.1.1.bb
@@ -7,5 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING.LESSERv3;md5=6a6a8e020838b23406c81b19c1d46df6
file://serpent-decrypt.c;beginline=14;endline=36;md5=ca0d220bc413e1842ecc507690ce416e \
file://serpent-set-key.c;beginline=14;endline=36;md5=ca0d220bc413e1842ecc507690ce416e"
+SRC_URI += "\
+ file://CVE-2015-8803_8805.patch \
+ "
+
SRC_URI[md5sum] = "b40fa88dc32f37a182b6b42092ebb144"
SRC_URI[sha256sum] = "5fd4d25d64d8ddcb85d0d897572af73b05b4d163c6cc49438a5bfbb8ff293d4c"
--
2.3.5
* [PATCH 2/4] nettle: Security fix CVE-2015-8804
From: Armin Kuster @ 2016-02-05 17:07 UTC
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../nettle/nettle-3.1.1/CVE-2015-8804.patch | 281 +++++++++++++++++++++
meta/recipes-support/nettle/nettle_3.1.1.bb | 1 +
2 files changed, 282 insertions(+)
create mode 100644 meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8804.patch
diff --git a/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8804.patch b/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8804.patch
new file mode 100644
index 0000000..1d34db7
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8804.patch
@@ -0,0 +1,281 @@
+Upstream-Status: Backport
+ https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7
+
+CVE: CVE-2015-8804
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: nettle-3.1.1/ChangeLog
+===================================================================
+--- nettle-3.1.1.orig/ChangeLog
++++ nettle-3.1.1/ChangeLog
+@@ -1,3 +1,11 @@
++2015-12-15 Niels Möller <nisse@lysator.liu.se>
++
++ * x86_64/ecc-384-modp.asm: Fixed carry propagation bug. Problem
++ reported by Hanno Böck. Simplified the folding to always use
++ non-negative carry, the old code attempted to add in a carry which
++ could be either positive or negative, but didn't get that case
++ right.
++
+ 2015-12-10 Niels Möller <nisse@lysator.liu.se>
+
+ * ecc-256.c (ecc_256_modp): Fixed carry propagation bug. Problem
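Review bot: the context lines of this hunk (`2015-12-10 Niels Möller` and the ecc_256_modp entry) are text added by CVE-2015-8803_8805.patch, so this patch does not apply to pristine nettle-3.1.1 on its own. Either drop the ChangeLog hunk (the asm hunk is the fix) or record the dependency in the patch header next to the Upstream-Status line.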
+Index: nettle-3.1.1/x86_64/ecc-384-modp.asm
+===================================================================
+--- nettle-3.1.1.orig/x86_64/ecc-384-modp.asm
++++ nettle-3.1.1/x86_64/ecc-384-modp.asm
+@@ -1,7 +1,7 @@
+ C x86_64/ecc-384-modp.asm
+
+ ifelse(<
+- Copyright (C) 2013 Niels Möller
++ Copyright (C) 2013, 2015 Niels Möller
+
+ This file is part of GNU Nettle.
+
+@@ -33,7 +33,7 @@ ifelse(<
+ .file "ecc-384-modp.asm"
+
+ define(<RP>, <%rsi>)
+-define(<D4>, <%rax>)
++define(<D5>, <%rax>)
+ define(<T0>, <%rbx>)
+ define(<T1>, <%rcx>)
+ define(<T2>, <%rdx>)
+@@ -48,8 +48,8 @@ define(<H4>, <%r13>)
+ define(<H5>, <%r14>)
+ define(<C2>, <%r15>)
+ define(<C0>, H5) C Overlap
+-define(<D0>, RP) C Overlap
+-define(<TMP>, H4) C Overlap
++define(<TMP>, RP) C Overlap
++
+
+ PROLOGUE(nettle_ecc_384_modp)
+ W64_ENTRY(2, 0)
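Review bot: redefining TMP as an overlap of RP (%rsi) means every write to TMP between the prologue and the `pop RP` near the end clobbers the output pointer, so RP must be pushed before the first `mov H3, TMP` and (RP) must not be stored to until after the pop. The push is outside this diff's context; confirm it exists in the 3.1.1 prologue, since the later `pop RP` implies but does not show it. The old overlap of TMP with H4 had to go because H4 is now live across the whole folding (`mov 80(RP), H4`); a one-line comment on the new define saying that would save the next reader the same reconstruction.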
+@@ -61,34 +61,38 @@ PROLOGUE(nettle_ecc_384_modp)
+ push %r14
+ push %r15
+
+- C First get top 2 limbs, which need folding twice
++ C First get top 2 limbs, which need folding twice.
++ C B^10 = B^6 + B^4 + 2^32 (B-1)B^4.
++ C We handle the terms as follow:
+ C
+- C H5 H4
+- C -H5
+- C ------
+- C H0 D4
++ C B^6: Folded immediatly.
+ C
+- C Then shift right, (H1,H0,D4) <-- (H0,D4) << 32
+- C and add
++ C B^4: Delayed, added in in the next folding.
+ C
+- C H5 H4
+- C H1 H0
+- C ----------
+- C C2 H1 H0
+-
+- mov 80(RP), D4
+- mov 88(RP), H0
+- mov D4, H4
+- mov H0, H5
+- sub H0, D4
+- sbb $0, H0
+-
+- mov D4, T2
+- mov H0, H1
+- shl $32, H0
+- shr $32, T2
++ C 2^32(B-1) B^4: Low half limb delayed until the next
++ C folding. Top 1.5 limbs subtracted and shifter now, resulting
++ C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added
++ C in.
++
++ mov 80(RP), H4
++ mov 88(RP), H5
++ C Shift right 32 bits, into H1, H0
++ mov H4, H0
++ mov H5, H1
++ mov H5, D5
+ shr $32, H1
+- or T2, H0
++ shl $32, D5
++ shr $32, H0
++ or D5, H0
++
++ C H1 H0
++ C - H1 H0
++ C --------
++ C H1 H0 D5
++ mov H0, D5
++ neg D5
++ sbb H1, H0
++ sbb $0, H1
+
+ xor C2, C2
+ add H4, H0
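Review bot: the new comment block has typos and one misleading statement. "immediatly" should be "immediately", "as follow" should be "as follows", and "Top 1.5 limbs subtracted and shifter now" should read "shifted now". More importantly it says the low limb is "saved in D5", but D5 (%rax) is written three times in this block (`mov H5, D5`, `shl $32, D5`, then `mov H0, D5` / `neg D5`); only the value left by `neg D5` survives to the `adc D5, T5` in the final folding, so the comment should say that the delayed limb is the negated low limb, not the shifted copy.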
+@@ -127,118 +131,95 @@ PROLOGUE(nettle_ecc_384_modp)
+ adc H3, T5
+ adc $0, C0
+
+- C H3 H2 H1 H0 0
+- C - H4 H3 H2 H1 H0
+- C ---------------
+- C H3 H2 H1 H0 D0
+-
+- mov XREG(D4), XREG(D4)
+- mov H0, D0
+- neg D0
+- sbb H1, H0
+- sbb H2, H1
+- sbb H3, H2
+- sbb H4, H3
+- sbb $0, D4
+-
+- C Shift right. High bits are sign, to be added to C0.
+- mov D4, TMP
+- sar $32, TMP
+- shl $32, D4
+- add TMP, C0
+-
++ C Shift left, including low half of H4
+ mov H3, TMP
++ shl $32, H4
+ shr $32, TMP
+- shl $32, H3
+- or TMP, D4
++ or TMP, H4
+
+ mov H2, TMP
++ shl $32, H3
+ shr $32, TMP
+- shl $32, H2
+ or TMP, H3
+
+ mov H1, TMP
++ shl $32, H2
+ shr $32, TMP
+- shl $32, H1
+ or TMP, H2
+
+ mov H0, TMP
++ shl $32, H1
+ shr $32, TMP
+- shl $32, H0
+ or TMP, H1
+
+- mov D0, TMP
+- shr $32, TMP
+- shl $32, D0
+- or TMP, H0
++ shl $32, H0
++
++ C H4 H3 H2 H1 H0 0
++ C - H4 H3 H2 H1 H0
++ C ---------------
++ C H4 H3 H2 H1 H0 TMP
+
+- add D0, T0
++ mov H0, TMP
++ neg TMP
++ sbb H1, H0
++ sbb H2, H1
++ sbb H3, H2
++ sbb H4, H3
++ sbb $0, H4
++
++ add TMP, T0
+ adc H0, T1
+ adc H1, T2
+ adc H2, T3
+ adc H3, T4
+- adc D4, T5
++ adc H4, T5
+ adc $0, C0
+
+ C Remains to add in C2 and C0
+- C C0 C0<<32 (-2^32+1)C0
+- C C2 C2<<32 (-2^32+1)C2
+- C where C2 is always positive, while C0 may be -1.
++ C Set H1, H0 = (2^96 - 2^32 + 1) C0
+ mov C0, H0
+ mov C0, H1
+- mov C0, H2
+- sar $63, C0 C Get sign
+ shl $32, H1
+- sub H1, H0 C Gives borrow iff C0 > 0
++ sub H1, H0
+ sbb $0, H1
+- add C0, H2
+
++ C Set H3, H2 = (2^96 - 2^32 + 1) C2
++ mov C2, H2
++ mov C2, H3
++ shl $32, H3
++ sub H3, H2
++ sbb $0, H3
++ add C0, H2 C No carry. Could use lea trick
++
++ xor C0, C0
+ add H0, T0
+ adc H1, T1
+- adc $0, H2
+- adc $0, C0
+-
+- C Set (H1 H0) <-- C2 << 96 - C2 << 32 + 1
+- mov C2, H0
+- mov C2, H1
+- shl $32, H1
+- sub H1, H0
+- sbb $0, H1
+-
+- add H2, H0
+- adc C0, H1
+- adc C2, C0
+- mov C0, H2
+- sar $63, C0
+- add H0, T2
+- adc H1, T3
+- adc H2, T4
+- adc C0, T5
+- sbb C0, C0
++ adc H2, T2
++ adc H3, T3
++ adc C2, T4
++ adc D5, T5 C Value delayed from initial folding
++ adc $0, C0 C Use sbb and switch sign?
+
+ C Final unlikely carry
+ mov C0, H0
+ mov C0, H1
+- mov C0, H2
+- sar $63, C0
+ shl $32, H1
+ sub H1, H0
+ sbb $0, H1
+- add C0, H2
+
+ pop RP
+
+- sub H0, T0
++ add H0, T0
+ mov T0, (RP)
+- sbb H1, T1
++ adc H1, T1
+ mov T1, 8(RP)
+- sbb H2, T2
++ adc C0, T2
+ mov T2, 16(RP)
+- sbb C0, T3
++ adc $0, T3
+ mov T3, 24(RP)
+- sbb C0, T4
++ adc $0, T4
+ mov T4, 32(RP)
+- sbb C0, T5
++ adc $0, T5
+ mov T5, 40(RP)
+
+ pop %r15
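Review bot: two comments left in the new code read as open questions rather than documentation: `adc $0, C0 C Use sbb and switch sign?` and `add C0, H2 C No carry. Could use lea trick`. A backport should carry the upstream text verbatim, but the "No carry" claim is the property the rewrite rests on (C0 and C2 are small carries, so adding C0 to the low limb of (2^96 - 2^32 + 1) C2 cannot wrap) and deserves one justifying sentence in the patch header, as does the point that `xor C0, C0` followed by a single `adc $0, C0` is what makes C0 non-negative: the sign-extending `sar $63, C0` paths and the final `sub`/`sbb` chain into (RP) are gone, replaced by `add`/`adc`, which is exactly the "positive or negative carry" case the ChangeLog says the old code got wrong.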
diff --git a/meta/recipes-support/nettle/nettle_3.1.1.bb b/meta/recipes-support/nettle/nettle_3.1.1.bb
index 1fe3461..4a40e9a 100644
--- a/meta/recipes-support/nettle/nettle_3.1.1.bb
+++ b/meta/recipes-support/nettle/nettle_3.1.1.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LESSERv3;md5=6a6a8e020838b23406c81b19c1d46df6
SRC_URI += "\
file://CVE-2015-8803_8805.patch \
+ file://CVE-2015-8804.patch \
"
SRC_URI[md5sum] = "b40fa88dc32f37a182b6b42092ebb144"
--
2.3.5
* [PATCH 3/4] curl: Security fix CVE-2016-0754
From: Armin Kuster @ 2016-02-05 17:07 UTC
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
CVE-2016-0754 curl: remote file name path traversal in curl tool for Windows
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-support/curl/curl/CVE-2016-0754.patch | 417 +++++++++++++++++++++
meta/recipes-support/curl/curl_7.44.0.bb | 3 +-
2 files changed, 419 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/curl/curl/CVE-2016-0754.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2016-0754.patch b/meta/recipes-support/curl/curl/CVE-2016-0754.patch
new file mode 100644
index 0000000..f0402de
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-0754.patch
@@ -0,0 +1,417 @@
+From b1bb4ca6d8777683b6a549fb61dba36759da26f4 Mon Sep 17 00:00:00 2001
+From: Ray Satiro <raysatiro@yahoo.com>
+Date: Tue, 26 Jan 2016 23:23:15 +0100
+Subject: [PATCH] curl: avoid local drive traversal when saving file (Windows)
+
+curl does not sanitize colons in a remote file name that is used as the
+local file name. This may lead to a vulnerability on systems where the
+colon is a special path character. Currently Windows/DOS is the only OS
+where this vulnerability applies.
+
+CVE-2016-0754
+
+Bug: http://curl.haxx.se/docs/adv_20160127B.html
+
+Upstream-Status: Backport
+http://curl.haxx.se/CVE-2016-0754.patch
+
+CVE: CVE-2016-0754
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/tool_cb_hdr.c | 40 ++++++------
+ src/tool_doswin.c | 174 ++++++++++++++++++++++++++++++++++++++++++++---------
+ src/tool_doswin.h | 2 +-
+ src/tool_operate.c | 29 ++++++---
+ 4 files changed, 187 insertions(+), 58 deletions(-)
+
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index fd208e8..0fca39f 100644
+--- a/src/tool_cb_hdr.c
++++ b/src/tool_cb_hdr.c
+@@ -26,10 +26,11 @@
+ #define ENABLE_CURLX_PRINTF
+ /* use our own printf() functions */
+ #include "curlx.h"
+
+ #include "tool_cfgable.h"
++#include "tool_doswin.h"
+ #include "tool_msgs.h"
+ #include "tool_cb_hdr.h"
+
+ #include "memdebug.h" /* keep this as LAST include */
+
+@@ -112,22 +113,28 @@ size_t tool_header_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
+ /* this expression below typecasts 'cb' only to avoid
+ warning: signed and unsigned type in conditional expression
+ */
+ len = (ssize_t)cb - (p - str);
+ filename = parse_filename(p, len);
+- if(filename) {
+- outs->filename = filename;
+- outs->alloc_filename = TRUE;
+- outs->is_cd_filename = TRUE;
+- outs->s_isreg = TRUE;
+- outs->fopened = FALSE;
+- outs->stream = NULL;
+- hdrcbdata->honor_cd_filename = FALSE;
+- break;
+- }
+- else
++ if(!filename)
++ return failure;
++
++#if defined(MSDOS) || defined(WIN32)
++ if(sanitize_file_name(&filename)) {
++ free(filename);
+ return failure;
++ }
++#endif /* MSDOS || WIN32 */
++
++ outs->filename = filename;
++ outs->alloc_filename = TRUE;
++ outs->is_cd_filename = TRUE;
++ outs->s_isreg = TRUE;
++ outs->fopened = FALSE;
++ outs->stream = NULL;
++ hdrcbdata->honor_cd_filename = FALSE;
++ break;
+ }
+ }
+
+ return cb;
+ }
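Review bot: sanitize_file_name is only compiled under `#if defined(MSDOS) || defined(WIN32)`, so on the Linux targets OE-core builds this hunk, and the whole backport, changes no runtime behaviour; the commit message already states Windows/DOS is the only affected OS. Carrying it for the `CVE:` tag that cve-check reads is reasonable, but the cover letter or commit message should say the fix is a no-op for jethro targets so nobody expects a behaviour change. Within the hunk, returning `failure` from the header callback when sanitization fails aborts the transfer, which is the right fail-closed choice, and the `free(filename)` on that path is correct because the function leaves `*file_name` unchanged on failure.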
+@@ -179,19 +186,16 @@ static char *parse_filename(const char *ptr, size_t len)
+ return NULL;
+ }
+ }
+
+ /* scan for the end letter and stop there */
+- q = p;
+- while(*q) {
+- if(q[1] && (q[0] == '\\'))
+- q++;
+- else if(q[0] == stop)
++ for(q = p; *q; ++q) {
++ if(*q == stop) {
++ *q = '\0';
+ break;
+- q++;
++ }
+ }
+- *q = '\0';
+
+ /* make sure the file name doesn't end in \r or \n */
+ q = strchr(p, '\r');
+ if(q)
+ *q = '\0';
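Review bot: this loop change alters parsing, not just style, and neither the commit message nor a comment says so. The old loop skipped the character after a backslash (`if(q[1] && (q[0] == '\\')) q++;`), so `filename="a\"b"` yielded `a\"b`; the new `for(q = p; *q; ++q) if(*q == stop)` stops at the first quote and yields `a\`. That is presumably intended, since treating backslash as an escape made it impossible to sanitize it as a path separator, but it should be stated in one line next to the loop.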
+diff --git a/src/tool_doswin.c b/src/tool_doswin.c
+index dd6e8bb..9c6a7a3 100644
+--- a/src/tool_doswin.c
++++ b/src/tool_doswin.c
+@@ -83,46 +83,110 @@ __pragma(warning(pop))
+ # define _use_lfn(f) ALWAYS_FALSE /* long file names never available */
+ #elif defined(__DJGPP__)
+ # include <fcntl.h> /* _use_lfn(f) prototype */
+ #endif
+
+-static const char *msdosify (const char *file_name);
+-static char *rename_if_dos_device_name (char *file_name);
++static char *msdosify(const char *file_name);
++static char *rename_if_dos_device_name(const char *file_name);
+
+-/*
+- * sanitize_dos_name: returns a newly allocated string holding a
+- * valid file name which will be a transformation of given argument
+- * in case this wasn't already a valid file name.
+- *
+- * This function takes ownership of given argument, free'ing it before
+- * returning. Caller is responsible of free'ing returned string. Upon
+- * out of memory condition function returns NULL.
+- */
+
+-char *sanitize_dos_name(char *file_name)
++/*
++Sanitize *file_name.
++Success: (CURLE_OK) *file_name points to a sanitized version of the original.
++ This function takes ownership of the original *file_name and frees it.
++Failure: (!= CURLE_OK) *file_name is unchanged.
++*/
++CURLcode sanitize_file_name(char **file_name)
+ {
+- char new_name[PATH_MAX];
++ size_t len;
++ char *p, *sanitized;
++
++ /* Calculate the maximum length of a filename.
++ FILENAME_MAX is often the same as PATH_MAX, in other words it does not
++ discount the path information. PATH_MAX size is calculated based on:
++ <drive-letter><colon><path-sep><max-filename-len><NULL> */
++ const size_t max_filename_len = PATH_MAX - 3 - 1;
++
++ if(!file_name || !*file_name)
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++
++ len = strlen(*file_name);
++
++ if(len >= max_filename_len)
++ len = max_filename_len - 1;
+
+- if(!file_name)
+- return NULL;
++ sanitized = malloc(len + 1);
+
+- if(strlen(file_name) >= PATH_MAX)
+- file_name[PATH_MAX-1] = '\0'; /* truncate it */
++ if(!sanitized)
++ return CURLE_OUT_OF_MEMORY;
+
+- strcpy(new_name, msdosify(file_name));
++ strncpy(sanitized, *file_name, len);
++ sanitized[len] = '\0';
+
+- Curl_safefree(file_name);
++ for(p = sanitized; *p; ++p ) {
++ const char *banned;
++ if(1 <= *p && *p <= 31) {
++ *p = '_';
++ continue;
++ }
++ for(banned = "|<>/\\\":?*"; *banned; ++banned) {
++ if(*p == *banned) {
++ *p = '_';
++ break;
++ }
++ }
++ }
+
+- return strdup(rename_if_dos_device_name(new_name));
++#ifdef MSDOS
++ /* msdosify checks for more banned characters for MSDOS, however it allows
++ for some path information to pass through. since we are sanitizing only a
++ filename and cannot allow a path it's important this call be done in
++ addition to and not instead of the banned character check above. */
++ p = msdosify(sanitized);
++ if(!p) {
++ free(sanitized);
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ }
++ sanitized = p;
++ len = strlen(sanitized);
++#endif
++
++ p = rename_if_dos_device_name(sanitized);
++ if(!p) {
++ free(sanitized);
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ }
++ sanitized = p;
++ len = strlen(sanitized);
++
++ /* dos_device_name rename will rename a device name, possibly changing the
++ length. If the length is too long now we can't truncate it because we
++ could end up with a device name. In practice this shouldn't be a problem
++ because device names are short, but you never know. */
++ if(len >= max_filename_len) {
++ free(sanitized);
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ }
++
++ *file_name = sanitized;
++ return CURLE_OK;
+ }
+
+-/* The following functions are taken with modification from the DJGPP
+- * port of tar 1.12. They use algorithms originally from DJTAR. */
++/* The functions msdosify, rename_if_dos_device_name and __crt0_glob_function
++ * were taken with modification from the DJGPP port of tar 1.12. They use
++ * algorithms originally from DJTAR.
++ */
+
+-static const char *msdosify (const char *file_name)
++/*
++Extra sanitization MSDOS for file_name.
++Returns a copy of file_name that is sanitized by MSDOS standards.
++Warning: path information may pass through. For sanitizing a filename use
++sanitize_file_name which calls this function after sanitizing path info.
++*/
++static char *msdosify(const char *file_name)
+ {
+- static char dos_name[PATH_MAX];
++ char dos_name[PATH_MAX];
+ static const char illegal_chars_dos[] = ".+, ;=[]" /* illegal in DOS */
+ "|<>\\\":?*"; /* illegal in DOS & W95 */
+ static const char *illegal_chars_w95 = &illegal_chars_dos[8];
+ int idx, dot_idx;
+ const char *s = file_name;
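Review bot: error mapping: msdosify (`return strdup(dos_name);` below) and rename_if_dos_device_name (`return strdup(fname);`) return NULL only on allocation failure, yet both callers in this hunk turn NULL into CURLE_BAD_FUNCTION_ARGUMENT; CURLE_OUT_OF_MEMORY is the accurate code and is what the earlier `if(!sanitized) return CURLE_OUT_OF_MEMORY;` already uses. Two smaller points: the `len >= max_filename_len` truncation happens before the device rename and the second `len >= max_filename_len` check after it rejects the name instead of truncating (the comment explains why), so an over-long remote name now fails where it used to be silently cut; and replacing every banned byte with '_' makes distinct remote names collide (`a:b` and `a_b` both save as `a_b`), so under -J or -O a later download can overwrite an earlier one.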
+@@ -199,39 +263,89 @@ static const char *msdosify (const char *file_name)
+ else
+ idx++;
+ }
+
+ *d = '\0';
+- return dos_name;
++ return strdup(dos_name);
+ }
+
+-static char *rename_if_dos_device_name (char *file_name)
++/*
++Rename file_name if it's a representation of a device name.
++Returns a copy of file_name, and the copy will have contents different from the
++original if a device name was found.
++*/
++static char *rename_if_dos_device_name(const char *file_name)
+ {
+ /* We could have a file whose name is a device on MS-DOS. Trying to
+ * retrieve such a file would fail at best and wedge us at worst. We need
+ * to rename such files. */
+- char *base;
++ char *p, *base;
+ struct_stat st_buf;
+ char fname[PATH_MAX];
+
+ strncpy(fname, file_name, PATH_MAX-1);
+ fname[PATH_MAX-1] = '\0';
+ base = basename(fname);
+ if(((stat(base, &st_buf)) == 0) && (S_ISCHR(st_buf.st_mode))) {
+ size_t blen = strlen(base);
+
+- if(strlen(fname) >= PATH_MAX-1) {
++ if(strlen(fname) == PATH_MAX-1) {
+ /* Make room for the '_' */
+ blen--;
+ base[blen] = '\0';
+ }
+ /* Prepend a '_'. */
+ memmove(base + 1, base, blen + 1);
+ base[0] = '_';
+- strcpy(file_name, fname);
+ }
+- return file_name;
++
++ /* The above stat check does not identify devices for me in Windows 7. For
++ example a stat on COM1 returns a regular file S_IFREG. According to MSDN
++ stat doc that is the correct behavior, so I assume the above code is
++ legacy, maybe MSDOS or DJGPP specific? */
++
++ /* Rename devices.
++ Examples: CON => _CON, CON.EXT => CON_EXT, CON:ADS => CON_ADS */
++ for(p = fname; p; p = (p == fname && fname != base ? base : NULL)) {
++ size_t p_len;
++ int x = (curl_strnequal(p, "CON", 3) ||
++ curl_strnequal(p, "PRN", 3) ||
++ curl_strnequal(p, "AUX", 3) ||
++ curl_strnequal(p, "NUL", 3)) ? 3 :
++ (curl_strnequal(p, "CLOCK$", 6)) ? 6 :
++ (curl_strnequal(p, "COM", 3) || curl_strnequal(p, "LPT", 3)) ?
++ (('1' <= p[3] && p[3] <= '9') ? 4 : 3) : 0;
++
++ if(!x)
++ continue;
++
++ /* the devices may be accessible with an extension or ADS, for
++ example CON.AIR and CON:AIR both access console */
++ if(p[x] == '.' || p[x] == ':') {
++ p[x] = '_';
++ continue;
++ }
++ else if(p[x]) /* no match */
++ continue;
++
++ p_len = strlen(p);
++
++ if(strlen(fname) == PATH_MAX-1) {
++ /* Make room for the '_' */
++ p_len--;
++ p[p_len] = '\0';
++ }
++ /* Prepend a '_'. */
++ memmove(p + 1, p, p_len + 1);
++ p[0] = '_';
++
++ /* if fname was just modified then the basename pointer must be updated */
++ if(p == fname)
++ base = basename(fname);
++ }
++
++ return strdup(fname);
+ }
+
+ #if defined(MSDOS) && (defined(__DJGPP__) || defined(__GO32__))
+
+ /*
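Review bot: the loop header `for(p = fname; p; p = (p == fname && fname != base ? base : NULL))` needs a comment saying "check the whole name, then its basename if different"; and since sanitize_file_name has already replaced '/' and '\\' with '_' before calling this, fname == base on every call from that path, so the second iteration only matters for other callers. The device table also treats bare `COM`/`LPT` with no digit as devices (`(('1' <= p[3] && p[3] <= '9') ? 4 : 3)` followed by `else if(p[x]) continue;`), so a file named `COM` becomes `_COM`; harmless, but worth a comment. The legacy stat()/S_ISCHR block above is kept even though the new comment says it does not identify devices on Windows 7; keeping it for DJGPP is fine, but say that is why.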
+diff --git a/src/tool_doswin.h b/src/tool_doswin.h
+index cd216db..fc83f16 100644
+--- a/src/tool_doswin.h
++++ b/src/tool_doswin.h
+@@ -23,11 +23,11 @@
+ ***************************************************************************/
+ #include "tool_setup.h"
+
+ #if defined(MSDOS) || defined(WIN32)
+
+-char *sanitize_dos_name(char *file_name);
++CURLcode sanitize_file_name(char **filename);
+
+ #if defined(MSDOS) && (defined(__DJGPP__) || defined(__GO32__))
+
+ char **__crt0_glob_function(char *arg);
+
+diff --git a/src/tool_operate.c b/src/tool_operate.c
+index 30d60cb..272ebd4 100644
+--- a/src/tool_operate.c
++++ b/src/tool_operate.c
+@@ -541,30 +541,41 @@ static CURLcode operate_do(struct GlobalConfig *global,
+ if(!outfile) {
+ /* extract the file name from the URL */
+ result = get_url_file_name(&outfile, this_url);
+ if(result)
+ goto show_error;
++
++#if defined(MSDOS) || defined(WIN32)
++ result = sanitize_file_name(&outfile);
++ if(result) {
++ Curl_safefree(outfile);
++ goto show_error;
++ }
++#endif /* MSDOS || WIN32 */
++
+ if(!*outfile && !config->content_disposition) {
+ helpf(global->errors, "Remote file name has no length!\n");
+ result = CURLE_WRITE_ERROR;
+ goto quit_urls;
+ }
+-#if defined(MSDOS) || defined(WIN32)
+- /* For DOS and WIN32, we do some major replacing of
+- bad characters in the file name before using it */
+- outfile = sanitize_dos_name(outfile);
+- if(!outfile) {
+- result = CURLE_OUT_OF_MEMORY;
+- goto show_error;
+- }
+-#endif /* MSDOS || WIN32 */
+ }
+ else if(urls) {
+ /* fill '#1' ... '#9' terms from URL pattern */
+ char *storefile = outfile;
+ result = glob_match_url(&outfile, storefile, urls);
+ Curl_safefree(storefile);
++
++#if defined(MSDOS) || defined(WIN32)
++ if(!result) {
++ result = sanitize_file_name(&outfile);
++ if(result) {
++ Curl_safefree(outfile);
++ goto show_error;
++ }
++ }
++#endif /* MSDOS || WIN32 */
++
+ if(result) {
+ /* bad globbing */
+ warnf(config->global, "bad output glob!\n");
+ goto quit_urls;
+ }
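Review bot: in the `else if(urls)` branch the string handed to sanitize_file_name is the user's -o template after `#1`..`#9` substitution (see the "fill '#1' ... '#9' terms" comment), not a remote name, and sanitize_file_name replaces '/', '\\' and ':' (the banned list in tool_doswin.c). On Windows that flattens a user-supplied `-o C:\out\#1.html` into a single file name in the current directory. Only the substituted pieces come from the URL, so either sanitize the glob matches before substitution or give this call a way to allow path separators. The -O branch above is correct as written because the whole string there is remote-derived.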
+--
+2.7.0
+
diff --git a/meta/recipes-support/curl/curl_7.44.0.bb b/meta/recipes-support/curl/curl_7.44.0.bb
index f6d350e..852c4dd 100644
--- a/meta/recipes-support/curl/curl_7.44.0.bb
+++ b/meta/recipes-support/curl/curl_7.44.0.bb
@@ -12,7 +12,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
# curl likes to set -g0 in CFLAGS, so we stop it
# from mucking around with debug options
#
-SRC_URI += " file://configure_ac.patch"
+SRC_URI += " file://configure_ac.patch \
+ file://CVE-2016-0754.patch"
SRC_URI[md5sum] = "6b952ca00e5473b16a11f05f06aa8dae"
SRC_URI[sha256sum] = "1e2541bae6582bb697c0fbae49e1d3e6fad5d05d5aa80dbd6f072e0a44341814"
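Review bot: appending the CVE patch to `SRC_URI += " file://configure_ac.patch \` puts it under the comment "curl likes to set -g0 in CFLAGS, so we stop it from mucking around with debug options", which describes only configure_ac.patch. Put security patches in their own `SRC_URI += "file://CVE-2016-0754.patch"` line, as the nettle recipe in 1/4 does, so the comment stays accurate and the next CVE patch can be appended without rewriting this line again.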
--
2.3.5
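The sanitization rules visible in the CVE-2016-0754 patch above, as an added stand-alone example that is not curl's code and not part of this thread: control bytes and the characters `|<>/\":?*` become `_`, then a DOS device name is neutralised the way the patch does it (`CON` to `_CON`, `CON.EXT` to `CON_EXT`). It leaves out curl's PATH_MAX handling, the `msdosify()` pass and the legacy `stat()`/`S_ISCHR` check, builds on any platform, and the function names and the sample file names are hypothetical.

```c
/*
 * Added example, not curl's code: a re-implementation of the file-name
 * sanitization that the CVE-2016-0754 fix applies on Windows/MSDOS, so the
 * rules can be exercised anywhere. Function names are hypothetical.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Case-insensitive "s starts with the n-byte prefix p" (stand-in for
 * curl_strnequal()). A shorter s fails because its NUL differs from p. */
static int starts_with_ci(const char *s, const char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)p[i]))
            return 0;
    return 1;
}

/* Length of the reserved device name at the start of s, or 0 if none.
 * Mirrors the patch: bare COM/LPT without a digit also count (length 3). */
static size_t device_prefix_len(const char *s)
{
    if (starts_with_ci(s, "CON", 3) || starts_with_ci(s, "PRN", 3) ||
        starts_with_ci(s, "AUX", 3) || starts_with_ci(s, "NUL", 3))
        return 3;
    if (starts_with_ci(s, "CLOCK$", 6))
        return 6;
    if (starts_with_ci(s, "COM", 3) || starts_with_ci(s, "LPT", 3))
        return (s[3] >= '1' && s[3] <= '9') ? 4 : 3;
    return 0;
}

/* Rename a device name in place; buf must have one spare byte after the
 * terminator because a leading '_' may be prepended. */
static void rename_if_device(char *buf)
{
    size_t x = device_prefix_len(buf);
    if (x == 0)
        return;
    if (buf[x] == '.' || buf[x] == ':') {   /* CON.AIR / CON:AIR open the console */
        buf[x] = '_';
        return;
    }
    if (buf[x] != '\0')                     /* CONFIG.SYS: longer name, not a device */
        return;
    memmove(buf + 1, buf, x + 1);           /* exact device name: prepend '_' */
    buf[0] = '_';
}

/* Returns a newly allocated sanitized copy of name, or NULL on allocation
 * failure. The caller frees the result. */
char *sanitize_file_name(const char *name)
{
    size_t len = strlen(name);
    char *out = malloc(len + 2);            /* +1 for a possible leading '_' */
    if (!out)
        return NULL;
    memcpy(out, name, len + 1);
    for (char *p = out; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c <= 31 || strchr("|<>/\\\":?*", c))   /* same banned set as the patch */
            *p = '_';
    }
    rename_if_device(out);
    return out;
}

/* Check helper: 1 if sanitizing `in` yields exactly `expected`. */
int sanitizes_to(const char *in, const char *expected)
{
    char *got = sanitize_file_name(in);
    int ok = got && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed remote names of the kind a Content-Disposition header or a
     * URL path could carry; none of them come from a real server. */
    const char *samples[] = {
        "C:\\Windows\\evil.exe", "..\\..\\startup.cmd", "con", "COM1.log",
        "CON:ADS", "CONFIG.SYS", "report\x01.txt", "normal-file_01.txt",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *s = sanitize_file_name(samples[i]);
        printf("%-24s -> %s\n", samples[i], s ? s : "(alloc failed)");
        free(s);
    }
    return 0;
}
```

Note that `CON:ADS` never reaches the device rename as a device: the colon is already `_` by then, which is why the patch's own comment lists `CON:ADS => CON_ADS`. The collision behaviour discussed in the review notes is visible too: `C:\Windows\evil.exe` and `C__Windows_evil.exe` map to the same local name.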
* [PATCH 4/4] curl: Security fix CVE-2016-0755
From: Armin Kuster @ 2016-02-05 17:07 UTC
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-support/curl/curl/CVE-2016-0755.patch | 138 +++++++++++++++++++++
meta/recipes-support/curl/curl_7.44.0.bb | 3 +-
2 files changed, 140 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/curl/curl/CVE-2016-0755.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2016-0755.patch b/meta/recipes-support/curl/curl/CVE-2016-0755.patch
new file mode 100644
index 0000000..44b9d9a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-0755.patch
@@ -0,0 +1,138 @@
+From d41dcba4e9b69d6b761e3460cc6ae7e8fd8f621f Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 13 Jan 2016 11:05:51 +0200
+Subject: [PATCH] NTLM: Fix ConnectionExists to compare Proxy credentials
+
+Proxy NTLM authentication should compare credentials when
+re-using a connection similar to host authentication, as it
+authenticate the connection.
+
+Example:
+curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
+ --proxy-ntlm --next -x http://proxy:port http://host/
+ [-U fake_user:fake_pwd --proxy-ntlm]
+
+CVE-2016-0755
+
+Bug: http://curl.haxx.se/docs/adv_20160127A.html
+
+Upstream-Status: Backport
+http://curl.haxx.se/CVE-2016-0755.patch
+
+CVE: CVE-2016-0755
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ lib/url.c | 62 ++++++++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 40 insertions(+), 22 deletions(-)
+
+Index: curl-7.44.0/lib/url.c
+===================================================================
+--- curl-7.44.0.orig/lib/url.c
++++ curl-7.44.0/lib/url.c
+@@ -3107,12 +3107,17 @@ ConnectionExists(struct SessionHandle *d
+ struct connectdata *check;
+ struct connectdata *chosen = 0;
+ bool canPipeline = IsPipeliningPossible(data, needle);
++ struct connectbundle *bundle;
++
+ #ifdef USE_NTLM
+- bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
+- (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
+- (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
++ bool wantNTLMhttp = ((data->state.authhost.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP));
++ bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
++ ((data->state.authproxy.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP)));
+ #endif
+- struct connectbundle *bundle;
+
+ *force_reuse = FALSE;
+ *waitpipe = FALSE;
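Review bot: wantProxyNTLMhttp is gated on `needle->bits.proxy_user_passwd`, so a request that asks for proxy NTLM but carries no proxy credentials counts as not wanting proxy NTLM and, via the later `else if(check->proxyntlm.state != NTLMSTATE_NONE) continue;`, is refused an already proxy-authenticated connection; that is the safe direction, but it differs from the host-side wantNTLMhttp, which has no such gate, and the asymmetry should be explained in a comment. The wantNTLMhttp definition also dropped its `? TRUE : FALSE`; that is fine since the outer `&&` yields 0 or 1, but the two declarations should share one style.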
+@@ -3152,9 +3157,6 @@ ConnectionExists(struct SessionHandle *d
+ curr = bundle->conn_list->head;
+ while(curr) {
+ bool match = FALSE;
+-#if defined(USE_NTLM)
+- bool credentialsMatch = FALSE;
+-#endif
+ size_t pipeLen;
+
+ /*
+@@ -3262,21 +3264,14 @@ ConnectionExists(struct SessionHandle *d
+ continue;
+ }
+
+- if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))
+-#ifdef USE_NTLM
+- || (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)
+-#endif
+- ) {
+- /* This protocol requires credentials per connection or is HTTP+NTLM,
++ if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
++ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+ if(!strequal(needle->user, check->user) ||
+ !strequal(needle->passwd, check->passwd)) {
+ /* one of them was different */
+ continue;
+ }
+-#if defined(USE_NTLM)
+- credentialsMatch = TRUE;
+-#endif
+ }
+
+ if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
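Review bot: moving the user/passwd comparison for the NTLM case out of this block means a candidate with mismatched host credentials is no longer rejected here but further down, after the proxy and SSL checks that follow; nothing in between assigns `chosen`, so the ordering is safe, but the comment "This protocol requires credentials per connection" now reads as though NTLM were no longer covered. Add "NTLM is handled below" so the next reader does not reintroduce the check here.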
+@@ -3335,20 +3330,43 @@ ConnectionExists(struct SessionHandle *d
+ possible. (Especially we must not reuse the same connection if
+ partway through a handshake!) */
+ if(wantNTLMhttp) {
+- if(credentialsMatch && check->ntlm.state != NTLMSTATE_NONE) {
+- chosen = check;
++ if(!strequal(needle->user, check->user) ||
++ !strequal(needle->passwd, check->passwd))
++ continue;
++ }
++ else if(check->ntlm.state != NTLMSTATE_NONE) {
++ /* Connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
++
++ /* Same for Proxy NTLM authentication */
++ if(wantProxyNTLMhttp) {
++ if(!strequal(needle->proxyuser, check->proxyuser) ||
++ !strequal(needle->proxypasswd, check->proxypasswd))
++ continue;
++ }
++ else if(check->proxyntlm.state != NTLMSTATE_NONE) {
++ /* Proxy connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
+
++ if(wantNTLMhttp || wantProxyNTLMhttp) {
++ /* Credentials are already checked, we can use this connection */
++ chosen = check;
++
++ if((wantNTLMhttp &&
++ (check->ntlm.state != NTLMSTATE_NONE)) ||
++ (wantProxyNTLMhttp &&
++ (check->proxyntlm.state != NTLMSTATE_NONE))) {
+ /* We must use this connection, no other */
+ *force_reuse = TRUE;
+ break;
+ }
+- else if(credentialsMatch)
+- /* this is a backup choice */
+- chosen = check;
++
++ /* Continue look up for a better connection */
+ continue;
+ }
+ #endif
+-
+ if(canPipeline) {
+ /* We can pipeline if we want to. Let's continue looking for
+ the optimal connection to use, i.e the shortest pipe that is not
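Review bot: `strequal(needle->proxyuser, check->proxyuser)` is reached whenever the new request wants proxy NTLM, including against pooled connections that were created without proxy credentials; confirm `check->proxyuser` and `check->proxypasswd` are always non-NULL strings on such connections, as the host-side `user`/`passwd` are, otherwise this dereferences NULL. The semantics are otherwise right: a connection whose `ntlm.state` or `proxyntlm.state` is not NTLMSTATE_NONE is bound to the credentials it authenticated with and is skipped for any request that does not present the same ones, `*force_reuse` is only set when the candidate is already in an NTLM state, and a request that wants no NTLM at all is kept off an NTLM-authenticated connection by the two `else if` branches.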
diff --git a/meta/recipes-support/curl/curl_7.44.0.bb b/meta/recipes-support/curl/curl_7.44.0.bb
index 852c4dd..419ed83 100644
--- a/meta/recipes-support/curl/curl_7.44.0.bb
+++ b/meta/recipes-support/curl/curl_7.44.0.bb
@@ -13,7 +13,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
# from mucking around with debug options
#
SRC_URI += " file://configure_ac.patch \
- file://CVE-2016-0754.patch"
+ file://CVE-2016-0754.patch \
+ file://CVE-2016-0755.patch"
SRC_URI[md5sum] = "6b952ca00e5473b16a11f05f06aa8dae"
SRC_URI[sha256sum] = "1e2541bae6582bb697c0fbae49e1d3e6fad5d05d5aa80dbd6f072e0a44341814"
--
2.3.5
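The reuse decision that the CVE-2016-0755 patch above changes, as an added toy model that is not curl's code and not part of this thread. `reuse_before()` follows the pre-fix shape of ConnectionExists (only host credentials are compared for NTLM connections); `reuse_after()` follows the post-fix shape. The scenario is the commit message's own: a first request authenticates to the proxy as good_user, a second request on the same handle presents fake_user. `struct conn`, the two-valued NTLM state and all function names are hypothetical.

```c
/*
 * Added example, not curl's code: a toy model of the connection-pool match
 * that CVE-2016-0755 is about. A pooled connection that completed proxy
 * NTLM authentication is bound to the proxy credentials it used, so a later
 * request may reuse it only if it presents the same ones. All names are
 * hypothetical; NTLM_DONE stands for any state other than NTLMSTATE_NONE.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum ntlm_state { NTLM_NONE, NTLM_DONE };

struct conn {
    const char *host, *proxy;              /* endpoints, must match to reuse */
    const char *user, *passwd;             /* host credentials */
    const char *proxyuser, *proxypasswd;   /* proxy credentials */
    bool want_ntlm, want_proxy_ntlm;       /* what a new request asks for */
    enum ntlm_state ntlm, proxyntlm;       /* what a pooled connection did */
};

/* NULL-safe comparison; curl's strequal() is not, which is one thing to
 * check when reviewing the real patch. */
static bool same(const char *a, const char *b)
{
    return strcmp(a ? a : "", b ? b : "") == 0;
}

/* Pre-fix: NTLM connections are bound to host credentials only. */
bool reuse_before(const struct conn *needle, const struct conn *check)
{
    if (!same(needle->host, check->host) || !same(needle->proxy, check->proxy))
        return false;
    if (needle->want_ntlm || check->ntlm != NTLM_NONE)
        if (!same(needle->user, check->user) || !same(needle->passwd, check->passwd))
            return false;
    return true;                           /* proxy credentials never looked at */
}

/* Post-fix: host and proxy NTLM are each bound to their own credentials,
 * and an NTLM-authenticated connection is withheld from a request that
 * does not ask for NTLM at all. */
bool reuse_after(const struct conn *needle, const struct conn *check)
{
    if (!same(needle->host, check->host) || !same(needle->proxy, check->proxy))
        return false;
    if (needle->want_ntlm) {
        if (!same(needle->user, check->user) || !same(needle->passwd, check->passwd))
            return false;
    } else if (check->ntlm != NTLM_NONE) {
        return false;
    }
    if (needle->want_proxy_ntlm) {
        if (!same(needle->proxyuser, check->proxyuser) ||
            !same(needle->proxypasswd, check->proxypasswd))
            return false;
    } else if (check->proxyntlm != NTLM_NONE) {
        return false;
    }
    return true;
}

/* Constructed pool entry: the first request authenticated to the proxy as
 * good_user, so the connection is in proxy NTLM state. */
static const struct conn pooled = {
    .host = "host", .proxy = "proxy:8080", .user = "", .passwd = "",
    .proxyuser = "good_user", .proxypasswd = "good_pwd",
    .ntlm = NTLM_NONE, .proxyntlm = NTLM_DONE,
};

static bool decide(const struct conn *needle, bool fixed)
{
    return fixed ? reuse_after(needle, &pooled) : reuse_before(needle, &pooled);
}

/* Second request: -U fake_user:fake_pwd --proxy-ntlm. */
bool fake_user_reuses_good_session(bool fixed)
{
    struct conn n = pooled;
    n.proxyuser = "fake_user"; n.proxypasswd = "fake_pwd";
    n.want_proxy_ntlm = true;  n.proxyntlm = NTLM_NONE;
    return decide(&n, fixed);
}

/* Second request: no -U and no --proxy-ntlm at all. */
bool plain_request_reuses_ntlm_session(bool fixed)
{
    struct conn n = pooled;
    n.proxyuser = NULL; n.proxypasswd = NULL; n.proxyntlm = NTLM_NONE;
    return decide(&n, fixed);
}

/* Second request: same good_user credentials, reuse must still be allowed. */
bool good_user_reuses_own_session(bool fixed)
{
    struct conn n = pooled;
    n.want_proxy_ntlm = true; n.proxyntlm = NTLM_NONE;
    return decide(&n, fixed);
}

int main(void)
{
    printf("fake_user gets good_user's session: before=%d after=%d\n",
           fake_user_reuses_good_session(false), fake_user_reuses_good_session(true));
    printf("credential-less request gets it:    before=%d after=%d\n",
           plain_request_reuses_ntlm_session(false), plain_request_reuses_ntlm_session(true));
    printf("good_user gets its own session:     before=%d after=%d\n",
           good_user_reuses_own_session(false), good_user_reuses_own_session(true));
    return 0;
}
```

The first two scenarios are the bug: before the fix the matcher hands an already proxy-authenticated connection to a request with different or no proxy credentials, so the second request rides on good_user's proxy session. The third shows the fix does not break legitimate reuse.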