Message ID | 20230526083831.33336-1-pramanik.souravkumar@gmail.com |
---|---|
State | New, archived |
Series | [kirkstone] curl: Correction for CVE-2023-27536 |
Hi @Steve Sakoman <mailto:steve@sakoman.com>,

I request to not take this patch in the kirkstone as it seems we are still checking on the data type which we changed from long to unsigned char. It seems that this variable was 'long' only in the curl version which we have in the kirkstone.

Of course the link is wrong and so Sourav will send new patch v2.

Thanks,

Best Regards,
Ranjitsinh Rathod
Technical Leader | | KPIT Technologies Ltd.
Cellphone: +91-84606 92403

On Tue, May 30, 2023 at 2:45 AM Ranjitsinh Rathod <Ranjitsinh.Rathod@kpit.com> wrote:

> Hi @Steve Sakoman <steve@sakoman.com>,
>
> I request to not take this patch in the kirkstone as it seems we are still
> checking on the data type which we changed from long to unsigned char.
> It seems that this variable was 'long' only in the curl version which we
> have in the kirkstone.

OK, I won't take this patch.

Steve

> Of course the link is wrong and so Sourav will send new patch v2.
>
> Thanks,
>
> Best Regards,
>
> *Ranjitsinh Rathod*
> Technical Leader | | KPIT Technologies Ltd.
> Cellphone: +91-84606 92403
>
> *__________________________________________ *KPIT <http://www.kpit.com/> | Follow us on LinkedIn <http://www.kpit.com/linkedin>
>
> <https://www.kpit.com/TheNewBrand>
> ------------------------------
> *From:* openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Sourav Kumar Pramanik via lists.openembedded.org <pramanik.souravkumar=gmail.com@lists.openembedded.org>
> *Sent:* Friday, May 26, 2023 2:08 PM
> *To:* openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>; pramanik.souravkumar@gmail.com <pramanik.souravkumar@gmail.com>
> *Cc:* Ranjitsinh Rathod <Ranjitsinh.Rathod@kpit.com>; Omkar Patil <Omkar.Patil@kpit.com>
> *Subject:* [OE-core][kirkstone][PATCH] curl: Correction for CVE-2023-27536
>
> Caution: This email originated from outside of the KPIT. Do not click
> links or open attachments unless you recognize the sender and know the
> content is safe.
> > From: Omkar Patil <omkar.patil@kpit.com> > > Correction of backport link inside the patch with correct commit link as > below > Link: > https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcurl%2Fcurl%2Fcommit%2Fcb49e67303dbafbab1cebf4086e3ec15b7d56ee5&data=05%7C01%7Cranjitsinh.rathod%40kpit.com%7C7adc60802fd54cbd9b0c08db5dc4abf2%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C638206871527044313%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NH5veabZDDhqCO2JtlUvnfELKHXLOJFOULlA%2FcZFiBA%3D&reserved=0 > <https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5> > > Variable type change from long to unsigned char as per the original > patch > > Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com> > --- > meta/recipes-support/curl/curl/CVE-2023-27536.patch | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch > b/meta/recipes-support/curl/curl/CVE-2023-27536.patch > index fb3ee6a14d..51a5c0eef1 100644 > --- a/meta/recipes-support/curl/curl/CVE-2023-27536.patch > +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch > @@ -3,7 +3,7 @@ 
From: Daniel Stenberg <daniel@haxx.se> > Date: Fri, 10 Mar 2023 09:22:43 +0100 > Subject: [PATCH] url: only reuse connections with same GSS delegation > > -Upstream-Status: Backport from [ > https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcurl%2Fcurl%2Fcommit%2Faf369db4d3833272b8ed443f7fcc2e757a0872eb&data=05%7C01%7Cranjitsinh.rathod%40kpit.com%7C7adc60802fd54cbd9b0c08db5dc4abf2%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C638206871527200533%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=JxYwhvpTusRONt5yI1HRI4elSpLHpAdcOLNdVAMg2w8%3D&reserved=0 > <https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb> > ] > +Upstream-Status: Backport from [ > https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcurl%2Fcurl%2Fcommit%2Fcb49e67303dbafbab1cebf4086e3ec15b7d56ee5&data=05%7C01%7Cranjitsinh.rathod%40kpit.com%7C7adc60802fd54cbd9b0c08db5dc4abf2%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C638206871527200533%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vu9ivxrR8hez8PSMdXyyJJ7NYu2cUcLc9PD6%2BAEy5KI%3D&reserved=0 > <https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5> > ] > CVE: CVE-2023-27536 > Signed-off-by: Signed-off-by: Mingli Yu <mingli.yu@windriver.com> > Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> 
> @@ -44,7 +44,7 @@ index 6e6122a..602c735 100644 > int socks5_gssapi_enctype; > #endif > unsigned short localport; > -+ long gssapi_delegation; /* inherited from set.gssapi_delegation */ > ++ unsigned char gssapi_delegation; /* inherited from > set.gssapi_delegation */ > }; > > /* The end of connectdata. */ > -- > 2.25.1 > > This message contains information that may be privileged or confidential > and is the property of the KPIT Technologies Ltd. It is intended only for > the person to whom it is addressed. If you are not the intended recipient, > you are not authorized to read, print, retain copy, disseminate, > distribute, or use this message or any part thereof. If you receive this > message in error, please notify the sender immediately and delete all > copies of this message. KPIT Technologies Ltd. does not accept any > liability for virus infected mails. >
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch index fb3ee6a14d..51a5c0eef1 100644 --- a/meta/recipes-support/curl/curl/CVE-2023-27536.patch +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch @@ -3,7 +3,7 @@ From: Daniel Stenberg <daniel@haxx.se> Date: Fri, 10 Mar 2023 09:22:43 +0100 Subject: [PATCH] url: only reuse connections with same GSS delegation -Upstream-Status: Backport from [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb] +Upstream-Status: Backport from [https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5] CVE: CVE-2023-27536 Signed-off-by: Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> @@ -44,7 +44,7 @@ index 6e6122a..602c735 100644 int socks5_gssapi_enctype; #endif unsigned short localport; -+ long gssapi_delegation; /* inherited from set.gssapi_delegation */ ++ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */ }; /* The end of connectdata. */
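
Review bot: In the first hunk (@@ -3,7 +3,7 @@) the Upstream-Status link is switched from commit af369db4d3833272b8ed443f7fcc2e757a0872eb to cb49e67303dbafbab1cebf4086e3ec15b7d56ee5, but the From, Date and Subject lines directly above it stay as they were, so please confirm those headers describe the commit now referenced. The unchanged context line "Signed-off-by: Signed-off-by: Mingli Yu" also carries a doubled tag; since this header block is being corrected anyway, drop the duplicate in the same change.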
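
Review bot: In the second hunk (@@ -44,7 +44,7 @@) the added field is narrowed from long to unsigned char, yet its comment says the value is inherited from set.gssapi_delegation, and nothing in this change shows that the source field, or the comparison that reads this one, has the same type in the curl version kirkstone ships. As raised in the thread, if that variable is still long there, keep long gssapi_delegation in the backport and record the deviation from upstream in the patch header; otherwise state in the commit message which curl version the type was checked against.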