* [PATCH 2/4] nettle: Security fix CVE-2015-8804
2016-02-05 17:07 [PATCH 0/4][jethro] Jethro security fix pull request Armin Kuster
2016-02-05 17:07 ` [PATCH 1/4] nettle: Security fix CVE-2015-8803 and CVE-2015-8805 Armin Kuster
@ 2016-02-05 17:07 ` Armin Kuster
2016-02-05 17:07 ` [PATCH 3/4] curl: Security fix CVE-2016-0754 Armin Kuster
2016-02-05 17:07 ` [PATCH 4/4] curl: Secuirty fix CVE-2016-0755 Armin Kuster
3 siblings, 0 replies; 5+ messages in thread
From: Armin Kuster @ 2016-02-05 17:07 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../nettle/nettle-3.1.1/CVE-2015-8804.patch | 281 +++++++++++++++++++++
meta/recipes-support/nettle/nettle_3.1.1.bb | 1 +
2 files changed, 282 insertions(+)
create mode 100644 meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8804.patch
diff --git a/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8804.patch b/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8804.patch
new file mode 100644
index 0000000..1d34db7
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8804.patch
@@ -0,0 +1,281 @@
+Upstream-Status: Backport
+ https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7
+
+CVE: CVE-2015-8804
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: nettle-3.1.1/ChangeLog
+===================================================================
+--- nettle-3.1.1.orig/ChangeLog
++++ nettle-3.1.1/ChangeLog
+@@ -1,3 +1,11 @@
++2015-12-15 Niels Möller <nisse@lysator.liu.se>
++
++ * x86_64/ecc-384-modp.asm: Fixed carry propagation bug. Problem
++ reported by Hanno Böck. Simplified the folding to always use
++ non-negative carry, the old code attempted to add in a carry which
++ could be either positive or negative, but didn't get that case
++ right.
++
+ 2015-12-10 Niels Möller <nisse@lysator.liu.se>
+
+ * ecc-256.c (ecc_256_modp): Fixed carry propagation bug. Problem
+Index: nettle-3.1.1/x86_64/ecc-384-modp.asm
+===================================================================
+--- nettle-3.1.1.orig/x86_64/ecc-384-modp.asm
++++ nettle-3.1.1/x86_64/ecc-384-modp.asm
+@@ -1,7 +1,7 @@
+ C x86_64/ecc-384-modp.asm
+
+ ifelse(<
+- Copyright (C) 2013 Niels Möller
++ Copyright (C) 2013, 2015 Niels Möller
+
+ This file is part of GNU Nettle.
+
+@@ -33,7 +33,7 @@ ifelse(<
+ .file "ecc-384-modp.asm"
+
+ define(<RP>, <%rsi>)
+-define(<D4>, <%rax>)
++define(<D5>, <%rax>)
+ define(<T0>, <%rbx>)
+ define(<T1>, <%rcx>)
+ define(<T2>, <%rdx>)
+@@ -48,8 +48,8 @@ define(<H4>, <%r13>)
+ define(<H5>, <%r14>)
+ define(<C2>, <%r15>)
+ define(<C0>, H5) C Overlap
+-define(<D0>, RP) C Overlap
+-define(<TMP>, H4) C Overlap
++define(<TMP>, RP) C Overlap
++
+
+ PROLOGUE(nettle_ecc_384_modp)
+ W64_ENTRY(2, 0)
+@@ -61,34 +61,38 @@ PROLOGUE(nettle_ecc_384_modp)
+ push %r14
+ push %r15
+
+- C First get top 2 limbs, which need folding twice
++ C First get top 2 limbs, which need folding twice.
++ C B^10 = B^6 + B^4 + 2^32 (B-1)B^4.
++ C We handle the terms as follow:
+ C
+- C H5 H4
+- C -H5
+- C ------
+- C H0 D4
++ C B^6: Folded immediatly.
+ C
+- C Then shift right, (H1,H0,D4) <-- (H0,D4) << 32
+- C and add
++ C B^4: Delayed, added in in the next folding.
+ C
+- C H5 H4
+- C H1 H0
+- C ----------
+- C C2 H1 H0
+-
+- mov 80(RP), D4
+- mov 88(RP), H0
+- mov D4, H4
+- mov H0, H5
+- sub H0, D4
+- sbb $0, H0
+-
+- mov D4, T2
+- mov H0, H1
+- shl $32, H0
+- shr $32, T2
++ C 2^32(B-1) B^4: Low half limb delayed until the next
++ C folding. Top 1.5 limbs subtracted and shifter now, resulting
++ C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added
++ C in.
++
++ mov 80(RP), H4
++ mov 88(RP), H5
++ C Shift right 32 bits, into H1, H0
++ mov H4, H0
++ mov H5, H1
++ mov H5, D5
+ shr $32, H1
+- or T2, H0
++ shl $32, D5
++ shr $32, H0
++ or D5, H0
++
++ C H1 H0
++ C - H1 H0
++ C --------
++ C H1 H0 D5
++ mov H0, D5
++ neg D5
++ sbb H1, H0
++ sbb $0, H1
+
+ xor C2, C2
+ add H4, H0
+@@ -127,118 +131,95 @@ PROLOGUE(nettle_ecc_384_modp)
+ adc H3, T5
+ adc $0, C0
+
+- C H3 H2 H1 H0 0
+- C - H4 H3 H2 H1 H0
+- C ---------------
+- C H3 H2 H1 H0 D0
+-
+- mov XREG(D4), XREG(D4)
+- mov H0, D0
+- neg D0
+- sbb H1, H0
+- sbb H2, H1
+- sbb H3, H2
+- sbb H4, H3
+- sbb $0, D4
+-
+- C Shift right. High bits are sign, to be added to C0.
+- mov D4, TMP
+- sar $32, TMP
+- shl $32, D4
+- add TMP, C0
+-
++ C Shift left, including low half of H4
+ mov H3, TMP
++ shl $32, H4
+ shr $32, TMP
+- shl $32, H3
+- or TMP, D4
++ or TMP, H4
+
+ mov H2, TMP
++ shl $32, H3
+ shr $32, TMP
+- shl $32, H2
+ or TMP, H3
+
+ mov H1, TMP
++ shl $32, H2
+ shr $32, TMP
+- shl $32, H1
+ or TMP, H2
+
+ mov H0, TMP
++ shl $32, H1
+ shr $32, TMP
+- shl $32, H0
+ or TMP, H1
+
+- mov D0, TMP
+- shr $32, TMP
+- shl $32, D0
+- or TMP, H0
++ shl $32, H0
++
++ C H4 H3 H2 H1 H0 0
++ C - H4 H3 H2 H1 H0
++ C ---------------
++ C H4 H3 H2 H1 H0 TMP
+
+- add D0, T0
++ mov H0, TMP
++ neg TMP
++ sbb H1, H0
++ sbb H2, H1
++ sbb H3, H2
++ sbb H4, H3
++ sbb $0, H4
++
++ add TMP, T0
+ adc H0, T1
+ adc H1, T2
+ adc H2, T3
+ adc H3, T4
+- adc D4, T5
++ adc H4, T5
+ adc $0, C0
+
+ C Remains to add in C2 and C0
+- C C0 C0<<32 (-2^32+1)C0
+- C C2 C2<<32 (-2^32+1)C2
+- C where C2 is always positive, while C0 may be -1.
++ C Set H1, H0 = (2^96 - 2^32 + 1) C0
+ mov C0, H0
+ mov C0, H1
+- mov C0, H2
+- sar $63, C0 C Get sign
+ shl $32, H1
+- sub H1, H0 C Gives borrow iff C0 > 0
++ sub H1, H0
+ sbb $0, H1
+- add C0, H2
+
++ C Set H3, H2 = (2^96 - 2^32 + 1) C2
++ mov C2, H2
++ mov C2, H3
++ shl $32, H3
++ sub H3, H2
++ sbb $0, H3
++ add C0, H2 C No carry. Could use lea trick
++
++ xor C0, C0
+ add H0, T0
+ adc H1, T1
+- adc $0, H2
+- adc $0, C0
+-
+- C Set (H1 H0) <-- C2 << 96 - C2 << 32 + 1
+- mov C2, H0
+- mov C2, H1
+- shl $32, H1
+- sub H1, H0
+- sbb $0, H1
+-
+- add H2, H0
+- adc C0, H1
+- adc C2, C0
+- mov C0, H2
+- sar $63, C0
+- add H0, T2
+- adc H1, T3
+- adc H2, T4
+- adc C0, T5
+- sbb C0, C0
++ adc H2, T2
++ adc H3, T3
++ adc C2, T4
++ adc D5, T5 C Value delayed from initial folding
++ adc $0, C0 C Use sbb and switch sign?
+
+ C Final unlikely carry
+ mov C0, H0
+ mov C0, H1
+- mov C0, H2
+- sar $63, C0
+ shl $32, H1
+ sub H1, H0
+ sbb $0, H1
+- add C0, H2
+
+ pop RP
+
+- sub H0, T0
++ add H0, T0
+ mov T0, (RP)
+- sbb H1, T1
++ adc H1, T1
+ mov T1, 8(RP)
+- sbb H2, T2
++ adc C0, T2
+ mov T2, 16(RP)
+- sbb C0, T3
++ adc $0, T3
+ mov T3, 24(RP)
+- sbb C0, T4
++ adc $0, T4
+ mov T4, 32(RP)
+- sbb C0, T5
++ adc $0, T5
+ mov T5, 40(RP)
+
+ pop %r15
diff --git a/meta/recipes-support/nettle/nettle_3.1.1.bb b/meta/recipes-support/nettle/nettle_3.1.1.bb
index 1fe3461..4a40e9a 100644
--- a/meta/recipes-support/nettle/nettle_3.1.1.bb
+++ b/meta/recipes-support/nettle/nettle_3.1.1.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LESSERv3;md5=6a6a8e020838b23406c81b19c1d46df6
SRC_URI += "\
file://CVE-2015-8803_8805.patch \
+ file://CVE-2015-8804.patch \
"
SRC_URI[md5sum] = "b40fa88dc32f37a182b6b42092ebb144"
--
2.3.5
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH 3/4] curl: Security fix CVE-2016-0754
2016-02-05 17:07 [PATCH 0/4][jethro] Jethro security fix pull request Armin Kuster
2016-02-05 17:07 ` [PATCH 1/4] nettle: Security fix CVE-2015-8803 and CVE-2015-8805 Armin Kuster
2016-02-05 17:07 ` [PATCH 2/4] nettle: Security fix CVE-2015-8804 Armin Kuster
@ 2016-02-05 17:07 ` Armin Kuster
2016-02-05 17:07 ` [PATCH 4/4] curl: Secuirty fix CVE-2016-0755 Armin Kuster
3 siblings, 0 replies; 5+ messages in thread
From: Armin Kuster @ 2016-02-05 17:07 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
CVE-2016-0754 curl: remote file name path traversal in curl tool for Windows
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-support/curl/curl/CVE-2016-0754.patch | 417 +++++++++++++++++++++
meta/recipes-support/curl/curl_7.44.0.bb | 3 +-
2 files changed, 419 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/curl/curl/CVE-2016-0754.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2016-0754.patch b/meta/recipes-support/curl/curl/CVE-2016-0754.patch
new file mode 100644
index 0000000..f0402de
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-0754.patch
@@ -0,0 +1,417 @@
+From b1bb4ca6d8777683b6a549fb61dba36759da26f4 Mon Sep 17 00:00:00 2001
+From: Ray Satiro <raysatiro@yahoo.com>
+Date: Tue, 26 Jan 2016 23:23:15 +0100
+Subject: [PATCH] curl: avoid local drive traversal when saving file (Windows)
+
+curl does not sanitize colons in a remote file name that is used as the
+local file name. This may lead to a vulnerability on systems where the
+colon is a special path character. Currently Windows/DOS is the only OS
+where this vulnerability applies.
+
+CVE-2016-0754
+
+Bug: http://curl.haxx.se/docs/adv_20160127B.html
+
+Upstream-Status: Backport
+http://curl.haxx.se/CVE-2016-0754.patch
+
+CVE: CVE-2016-0754
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/tool_cb_hdr.c | 40 ++++++------
+ src/tool_doswin.c | 174 ++++++++++++++++++++++++++++++++++++++++++++---------
+ src/tool_doswin.h | 2 +-
+ src/tool_operate.c | 29 ++++++---
+ 4 files changed, 187 insertions(+), 58 deletions(-)
+
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index fd208e8..0fca39f 100644
+--- a/src/tool_cb_hdr.c
++++ b/src/tool_cb_hdr.c
+@@ -26,10 +26,11 @@
+ #define ENABLE_CURLX_PRINTF
+ /* use our own printf() functions */
+ #include "curlx.h"
+
+ #include "tool_cfgable.h"
++#include "tool_doswin.h"
+ #include "tool_msgs.h"
+ #include "tool_cb_hdr.h"
+
+ #include "memdebug.h" /* keep this as LAST include */
+
+@@ -112,22 +113,28 @@ size_t tool_header_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
+ /* this expression below typecasts 'cb' only to avoid
+ warning: signed and unsigned type in conditional expression
+ */
+ len = (ssize_t)cb - (p - str);
+ filename = parse_filename(p, len);
+- if(filename) {
+- outs->filename = filename;
+- outs->alloc_filename = TRUE;
+- outs->is_cd_filename = TRUE;
+- outs->s_isreg = TRUE;
+- outs->fopened = FALSE;
+- outs->stream = NULL;
+- hdrcbdata->honor_cd_filename = FALSE;
+- break;
+- }
+- else
++ if(!filename)
++ return failure;
++
++#if defined(MSDOS) || defined(WIN32)
++ if(sanitize_file_name(&filename)) {
++ free(filename);
+ return failure;
++ }
++#endif /* MSDOS || WIN32 */
++
++ outs->filename = filename;
++ outs->alloc_filename = TRUE;
++ outs->is_cd_filename = TRUE;
++ outs->s_isreg = TRUE;
++ outs->fopened = FALSE;
++ outs->stream = NULL;
++ hdrcbdata->honor_cd_filename = FALSE;
++ break;
+ }
+ }
+
+ return cb;
+ }
+@@ -179,19 +186,16 @@ static char *parse_filename(const char *ptr, size_t len)
+ return NULL;
+ }
+ }
+
+ /* scan for the end letter and stop there */
+- q = p;
+- while(*q) {
+- if(q[1] && (q[0] == '\\'))
+- q++;
+- else if(q[0] == stop)
++ for(q = p; *q; ++q) {
++ if(*q == stop) {
++ *q = '\0';
+ break;
+- q++;
++ }
+ }
+- *q = '\0';
+
+ /* make sure the file name doesn't end in \r or \n */
+ q = strchr(p, '\r');
+ if(q)
+ *q = '\0';
+diff --git a/src/tool_doswin.c b/src/tool_doswin.c
+index dd6e8bb..9c6a7a3 100644
+--- a/src/tool_doswin.c
++++ b/src/tool_doswin.c
+@@ -83,46 +83,110 @@ __pragma(warning(pop))
+ # define _use_lfn(f) ALWAYS_FALSE /* long file names never available */
+ #elif defined(__DJGPP__)
+ # include <fcntl.h> /* _use_lfn(f) prototype */
+ #endif
+
+-static const char *msdosify (const char *file_name);
+-static char *rename_if_dos_device_name (char *file_name);
++static char *msdosify(const char *file_name);
++static char *rename_if_dos_device_name(const char *file_name);
+
+-/*
+- * sanitize_dos_name: returns a newly allocated string holding a
+- * valid file name which will be a transformation of given argument
+- * in case this wasn't already a valid file name.
+- *
+- * This function takes ownership of given argument, free'ing it before
+- * returning. Caller is responsible of free'ing returned string. Upon
+- * out of memory condition function returns NULL.
+- */
+
+-char *sanitize_dos_name(char *file_name)
++/*
++Sanitize *file_name.
++Success: (CURLE_OK) *file_name points to a sanitized version of the original.
++ This function takes ownership of the original *file_name and frees it.
++Failure: (!= CURLE_OK) *file_name is unchanged.
++*/
++CURLcode sanitize_file_name(char **file_name)
+ {
+- char new_name[PATH_MAX];
++ size_t len;
++ char *p, *sanitized;
++
++ /* Calculate the maximum length of a filename.
++ FILENAME_MAX is often the same as PATH_MAX, in other words it does not
++ discount the path information. PATH_MAX size is calculated based on:
++ <drive-letter><colon><path-sep><max-filename-len><NULL> */
++ const size_t max_filename_len = PATH_MAX - 3 - 1;
++
++ if(!file_name || !*file_name)
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++
++ len = strlen(*file_name);
++
++ if(len >= max_filename_len)
++ len = max_filename_len - 1;
+
+- if(!file_name)
+- return NULL;
++ sanitized = malloc(len + 1);
+
+- if(strlen(file_name) >= PATH_MAX)
+- file_name[PATH_MAX-1] = '\0'; /* truncate it */
++ if(!sanitized)
++ return CURLE_OUT_OF_MEMORY;
+
+- strcpy(new_name, msdosify(file_name));
++ strncpy(sanitized, *file_name, len);
++ sanitized[len] = '\0';
+
+- Curl_safefree(file_name);
++ for(p = sanitized; *p; ++p ) {
++ const char *banned;
++ if(1 <= *p && *p <= 31) {
++ *p = '_';
++ continue;
++ }
++ for(banned = "|<>/\\\":?*"; *banned; ++banned) {
++ if(*p == *banned) {
++ *p = '_';
++ break;
++ }
++ }
++ }
+
+- return strdup(rename_if_dos_device_name(new_name));
++#ifdef MSDOS
++ /* msdosify checks for more banned characters for MSDOS, however it allows
++ for some path information to pass through. since we are sanitizing only a
++ filename and cannot allow a path it's important this call be done in
++ addition to and not instead of the banned character check above. */
++ p = msdosify(sanitized);
++ if(!p) {
++ free(sanitized);
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ }
++ sanitized = p;
++ len = strlen(sanitized);
++#endif
++
++ p = rename_if_dos_device_name(sanitized);
++ if(!p) {
++ free(sanitized);
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ }
++ sanitized = p;
++ len = strlen(sanitized);
++
++ /* dos_device_name rename will rename a device name, possibly changing the
++ length. If the length is too long now we can't truncate it because we
++ could end up with a device name. In practice this shouldn't be a problem
++ because device names are short, but you never know. */
++ if(len >= max_filename_len) {
++ free(sanitized);
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ }
++
++ *file_name = sanitized;
++ return CURLE_OK;
+ }
+
+-/* The following functions are taken with modification from the DJGPP
+- * port of tar 1.12. They use algorithms originally from DJTAR. */
++/* The functions msdosify, rename_if_dos_device_name and __crt0_glob_function
++ * were taken with modification from the DJGPP port of tar 1.12. They use
++ * algorithms originally from DJTAR.
++ */
+
+-static const char *msdosify (const char *file_name)
++/*
++Extra sanitization MSDOS for file_name.
++Returns a copy of file_name that is sanitized by MSDOS standards.
++Warning: path information may pass through. For sanitizing a filename use
++sanitize_file_name which calls this function after sanitizing path info.
++*/
++static char *msdosify(const char *file_name)
+ {
+- static char dos_name[PATH_MAX];
++ char dos_name[PATH_MAX];
+ static const char illegal_chars_dos[] = ".+, ;=[]" /* illegal in DOS */
+ "|<>\\\":?*"; /* illegal in DOS & W95 */
+ static const char *illegal_chars_w95 = &illegal_chars_dos[8];
+ int idx, dot_idx;
+ const char *s = file_name;
+@@ -199,39 +263,89 @@ static const char *msdosify (const char *file_name)
+ else
+ idx++;
+ }
+
+ *d = '\0';
+- return dos_name;
++ return strdup(dos_name);
+ }
+
+-static char *rename_if_dos_device_name (char *file_name)
++/*
++Rename file_name if it's a representation of a device name.
++Returns a copy of file_name, and the copy will have contents different from the
++original if a device name was found.
++*/
++static char *rename_if_dos_device_name(const char *file_name)
+ {
+ /* We could have a file whose name is a device on MS-DOS. Trying to
+ * retrieve such a file would fail at best and wedge us at worst. We need
+ * to rename such files. */
+- char *base;
++ char *p, *base;
+ struct_stat st_buf;
+ char fname[PATH_MAX];
+
+ strncpy(fname, file_name, PATH_MAX-1);
+ fname[PATH_MAX-1] = '\0';
+ base = basename(fname);
+ if(((stat(base, &st_buf)) == 0) && (S_ISCHR(st_buf.st_mode))) {
+ size_t blen = strlen(base);
+
+- if(strlen(fname) >= PATH_MAX-1) {
++ if(strlen(fname) == PATH_MAX-1) {
+ /* Make room for the '_' */
+ blen--;
+ base[blen] = '\0';
+ }
+ /* Prepend a '_'. */
+ memmove(base + 1, base, blen + 1);
+ base[0] = '_';
+- strcpy(file_name, fname);
+ }
+- return file_name;
++
++ /* The above stat check does not identify devices for me in Windows 7. For
++ example a stat on COM1 returns a regular file S_IFREG. According to MSDN
++ stat doc that is the correct behavior, so I assume the above code is
++ legacy, maybe MSDOS or DJGPP specific? */
++
++ /* Rename devices.
++ Examples: CON => _CON, CON.EXT => CON_EXT, CON:ADS => CON_ADS */
++ for(p = fname; p; p = (p == fname && fname != base ? base : NULL)) {
++ size_t p_len;
++ int x = (curl_strnequal(p, "CON", 3) ||
++ curl_strnequal(p, "PRN", 3) ||
++ curl_strnequal(p, "AUX", 3) ||
++ curl_strnequal(p, "NUL", 3)) ? 3 :
++ (curl_strnequal(p, "CLOCK$", 6)) ? 6 :
++ (curl_strnequal(p, "COM", 3) || curl_strnequal(p, "LPT", 3)) ?
++ (('1' <= p[3] && p[3] <= '9') ? 4 : 3) : 0;
++
++ if(!x)
++ continue;
++
++ /* the devices may be accessible with an extension or ADS, for
++ example CON.AIR and CON:AIR both access console */
++ if(p[x] == '.' || p[x] == ':') {
++ p[x] = '_';
++ continue;
++ }
++ else if(p[x]) /* no match */
++ continue;
++
++ p_len = strlen(p);
++
++ if(strlen(fname) == PATH_MAX-1) {
++ /* Make room for the '_' */
++ p_len--;
++ p[p_len] = '\0';
++ }
++ /* Prepend a '_'. */
++ memmove(p + 1, p, p_len + 1);
++ p[0] = '_';
++
++ /* if fname was just modified then the basename pointer must be updated */
++ if(p == fname)
++ base = basename(fname);
++ }
++
++ return strdup(fname);
+ }
+
+ #if defined(MSDOS) && (defined(__DJGPP__) || defined(__GO32__))
+
+ /*
+diff --git a/src/tool_doswin.h b/src/tool_doswin.h
+index cd216db..fc83f16 100644
+--- a/src/tool_doswin.h
++++ b/src/tool_doswin.h
+@@ -23,11 +23,11 @@
+ ***************************************************************************/
+ #include "tool_setup.h"
+
+ #if defined(MSDOS) || defined(WIN32)
+
+-char *sanitize_dos_name(char *file_name);
++CURLcode sanitize_file_name(char **filename);
+
+ #if defined(MSDOS) && (defined(__DJGPP__) || defined(__GO32__))
+
+ char **__crt0_glob_function(char *arg);
+
+diff --git a/src/tool_operate.c b/src/tool_operate.c
+index 30d60cb..272ebd4 100644
+--- a/src/tool_operate.c
++++ b/src/tool_operate.c
+@@ -541,30 +541,41 @@ static CURLcode operate_do(struct GlobalConfig *global,
+ if(!outfile) {
+ /* extract the file name from the URL */
+ result = get_url_file_name(&outfile, this_url);
+ if(result)
+ goto show_error;
++
++#if defined(MSDOS) || defined(WIN32)
++ result = sanitize_file_name(&outfile);
++ if(result) {
++ Curl_safefree(outfile);
++ goto show_error;
++ }
++#endif /* MSDOS || WIN32 */
++
+ if(!*outfile && !config->content_disposition) {
+ helpf(global->errors, "Remote file name has no length!\n");
+ result = CURLE_WRITE_ERROR;
+ goto quit_urls;
+ }
+-#if defined(MSDOS) || defined(WIN32)
+- /* For DOS and WIN32, we do some major replacing of
+- bad characters in the file name before using it */
+- outfile = sanitize_dos_name(outfile);
+- if(!outfile) {
+- result = CURLE_OUT_OF_MEMORY;
+- goto show_error;
+- }
+-#endif /* MSDOS || WIN32 */
+ }
+ else if(urls) {
+ /* fill '#1' ... '#9' terms from URL pattern */
+ char *storefile = outfile;
+ result = glob_match_url(&outfile, storefile, urls);
+ Curl_safefree(storefile);
++
++#if defined(MSDOS) || defined(WIN32)
++ if(!result) {
++ result = sanitize_file_name(&outfile);
++ if(result) {
++ Curl_safefree(outfile);
++ goto show_error;
++ }
++ }
++#endif /* MSDOS || WIN32 */
++
+ if(result) {
+ /* bad globbing */
+ warnf(config->global, "bad output glob!\n");
+ goto quit_urls;
+ }
+--
+2.7.0
+
diff --git a/meta/recipes-support/curl/curl_7.44.0.bb b/meta/recipes-support/curl/curl_7.44.0.bb
index f6d350e..852c4dd 100644
--- a/meta/recipes-support/curl/curl_7.44.0.bb
+++ b/meta/recipes-support/curl/curl_7.44.0.bb
@@ -12,7 +12,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
# curl likes to set -g0 in CFLAGS, so we stop it
# from mucking around with debug options
#
-SRC_URI += " file://configure_ac.patch"
+SRC_URI += " file://configure_ac.patch \
+ file://CVE-2016-0754.patch"
SRC_URI[md5sum] = "6b952ca00e5473b16a11f05f06aa8dae"
SRC_URI[sha256sum] = "1e2541bae6582bb697c0fbae49e1d3e6fad5d05d5aa80dbd6f072e0a44341814"
--
2.3.5
^ permalink raw reply related [flat|nested] 5+ messages in thread