From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 02/19] curl: patch CVE-2024-9681
Date: Tue, 12 Nov 2024 19:15:55 -0800 [thread overview]
Message-ID: <fbb8928ea85980bb866febd66e5e18ad843dbef8.1731467662.git.steve@sakoman.com> (raw)
In-Reply-To: <cover.1731467662.git.steve@sakoman.com>
From: Peter Marko <peter.marko@siemens.com>
Picked commit [1] per solution described in [2].
[1] https://github.com/curl/curl/commit/a94973805df96269bf
[2] https://curl.se/docs/CVE-2024-9681.html
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../curl/curl/CVE-2024-9681.patch | 85 +++++++++++++++++++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
2 files changed, 86 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-9681.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2024-9681.patch b/meta/recipes-support/curl/curl/CVE-2024-9681.patch
new file mode 100644
index 0000000000..e6c8bf7223
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2024-9681.patch
@@ -0,0 +1,85 @@
+From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 9 Oct 2024 10:04:35 +0200
+Subject: [PATCH] hsts: improve subdomain handling
+
+- on load, only replace existing HSTS entries if there is a full host
+ match
+
+- on matching, prefer a full host match and secondary the longest tail
+ subdomain match
+
+Closes #15210
+
+CVE: CVE-2024-9681
+Upstream-Status: Backport [https://github.com/curl/curl/commit/a94973805df96269bf3f3bf0a20ccb9887313316]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/hsts.c | 14 ++++++++++----
+ tests/data/test1660 | 2 +-
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index d5e883f51ef0f7..12052ce53c1c5a 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -247,12 +247,14 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ bool subdomain)
+ {
++ struct stsentry *bestsub = NULL;
+ if(h) {
+ char buffer[MAX_HSTS_HOSTLEN + 1];
+ time_t now = time(NULL);
+ size_t hlen = strlen(hostname);
+ struct Curl_llist_element *e;
+ struct Curl_llist_element *n;
++ size_t blen = 0;
+
+ if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+ return NULL;
+@@ -277,15 +279,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ if(ntail < hlen) {
+ size_t offs = hlen - ntail;
+ if((hostname[offs-1] == '.') &&
+- Curl_strncasecompare(&hostname[offs], sts->host, ntail))
+- return sts;
++ Curl_strncasecompare(&hostname[offs], sts->host, ntail) &&
++ (ntail > blen)) {
++ /* save the tail match with the longest tail */
++ bestsub = sts;
++ blen = ntail;
++ }
+ }
+ }
+ if(Curl_strcasecompare(hostname, sts->host))
+ return sts;
+ }
+ }
+- return NULL; /* no match */
++ return bestsub;
+ }
+
+ /*
+@@ -447,7 +453,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+ e = Curl_hsts(h, p, subdomain);
+ if(!e)
+ result = hsts_create(h, p, subdomain, expires);
+- else {
++ else if(Curl_strcasecompare(p, e->host)) {
+ /* the same host name, use the largest expire time */
+ if(expires > e->expires)
+ e->expires = expires;
+diff --git a/tests/data/test1660 b/tests/data/test1660
+index f86126d19cf269..4b6f9615c9d517 100644
+--- a/tests/data/test1660
++++ b/tests/data/test1660
+@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
+ Input 12: error 43
+ Input 13: error 43
+ Input 14: error 43
+-3.example.com [example.com]: 1569905261 includeSubDomains
++3.example.com [3.example.com]: 1569905261 includeSubDomains
+ 3.example.com [example.com]: 1569905261 includeSubDomains
+ foo.example.com [example.com]: 1569905261 includeSubDomains
+ 'foo.xample.com' is not HSTS
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index ba3abadac9..cda42da4d3 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -62,6 +62,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2024-7264_2.patch \
file://CVE-2024-8096.patch \
file://0001-url-free-old-conn-better-on-reuse.patch \
+ file://CVE-2024-9681.patch \
"
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
--
2.34.1
next prev parent reply other threads:[~2024-11-13 3:16 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-13 3:15 [OE-core][kirkstone 00/19] Patch review Steve Sakoman
2024-11-13 3:15 ` [OE-core][kirkstone 01/19] ghostscript: fix CVE-2023-46361 Steve Sakoman
2024-11-13 3:15 ` Steve Sakoman [this message]
2024-11-13 3:15 ` [OE-core][kirkstone 03/19] gstreamer1.0: ignore CVE-2024-0444 Steve Sakoman
2024-11-13 3:15 ` [OE-core][kirkstone 04/19] expat: patch CVE-2024-50602 Steve Sakoman
2024-11-13 3:15 ` [OE-core][kirkstone 05/19] glib-2.0: patch regression of CVE-2023-32665 Steve Sakoman
2024-11-13 3:39 ` Patchtest results for " patchtest
2024-11-13 3:15 ` [OE-core][kirkstone 06/19] patch.py: Use shlex instead of deprecated pipe Steve Sakoman
2024-11-13 3:16 ` [OE-core][kirkstone 07/19] cmake: Fix sporadic issues when determining compiler internals Steve Sakoman
2024-11-13 3:16 ` [OE-core][kirkstone 08/19] pseudo: Update to pull in linux-libc-headers race fix Steve Sakoman
2024-11-13 3:16 ` [OE-core][kirkstone 09/19] pseudo: Disable LFS on 32bit arches Steve Sakoman
2024-11-13 3:16 ` [OE-core][kirkstone 10/19] pseudo: Switch back to the master branch Steve Sakoman
2024-11-13 3:16 ` [OE-core][kirkstone 11/19] pseudo: Update to include logic fix Steve Sakoman
2024-11-13 3:16 ` [OE-core][kirkstone 12/19] pseudo: Update to pull in fd leak fix Steve Sakoman
2024-11-13 3:16 ` [OE-core][kirkstone 13/19] pseudo: Update to pull in syncfs probe fix Steve Sakoman
2024-11-13 3:16 ` [OE-core][kirkstone 14/19] pseudo: Update to pull in gcc14 fix and missing statvfs64 intercept Steve Sakoman
2024-11-13 3:16 ` [OE-core][kirkstone 15/19] pseudo: Update to pull in fchmodat fix Steve Sakoman
2024-11-13 3:16 ` [OE-core][kirkstone 16/19] pseudo: Update to pull in python 3.12+ fix Steve Sakoman
2024-11-13 3:16 ` [OE-core][kirkstone 17/19] pseudo: Fix to work with glibc 2.40 Steve Sakoman
2024-11-13 3:16 ` [OE-core][kirkstone 18/19] pseudo: Update to include open symlink handling bugfix Steve Sakoman
2024-11-13 3:16 ` [OE-core][kirkstone 19/19] pseudo: Fix envp bug and add posix_spawn wrapper Steve Sakoman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fbb8928ea85980bb866febd66e5e18ad843dbef8.1731467662.git.steve@sakoman.com \
--to=steve@sakoman.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox