
[dunfell] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy

Message ID 20230414105523.81661-1-hprajapati@mvista.com
State New, archived

Commit Message

Hitendra Prajapati April 14, 2023, 10:55 a.m. UTC
Upstream-Status: Backport from https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../curl/curl/CVE-2023-27534.patch            | 123 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   1 +
 2 files changed, 124 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534.patch

Comments

Steve Sakoman May 11, 2023, 2:45 p.m. UTC | #1
Hi Hitendra,

There's been a bug filed against this patch (build failure when
curl is configured with `libssh2` i.e. PACKAGECONFIG_append = "
libssh2"):

https://bugzilla.yoctoproject.org/show_bug.cgi?id=15114

Could you investigate and advise whether there is an easy fix or
whether we should revert?

Thanks,

Steve

On Fri, Apr 14, 2023 at 12:55 AM Hitendra Prajapati
<hprajapati@mvista.com> wrote:
>
> Upstream-Status: Backport from https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
>  .../curl/curl/CVE-2023-27534.patch            | 123 ++++++++++++++++++
>  meta/recipes-support/curl/curl_7.69.1.bb      |   1 +
>  2 files changed, 124 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
> new file mode 100644
> index 0000000000..aeeffd5fea
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
> @@ -0,0 +1,123 @@
> +From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Thu, 9 Mar 2023 16:22:11 +0100
> +Subject: [PATCH] curl_path: create the new path with dynbuf
> +
> +CVE: CVE-2023-27534
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
> +
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
> + 1 file changed, 35 insertions(+), 36 deletions(-)
> +
> +diff --git a/lib/curl_path.c b/lib/curl_path.c
> +index f429634..e17db4b 100644
> +--- a/lib/curl_path.c
> ++++ b/lib/curl_path.c
> +@@ -30,6 +30,8 @@
> + #include "escape.h"
> + #include "memdebug.h"
> +
> ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */
> ++
> + /* figure out the path to work with in this particular request */
> + CURLcode Curl_getworkingpath(struct connectdata *conn,
> +                              char *homedir,  /* when SFTP is used */
> +@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
> +                                              real path to work with */
> + {
> +   struct Curl_easy *data = conn->data;
> +-  char *real_path = NULL;
> +   char *working_path;
> +   size_t working_path_len;
> ++  struct dynbuf npath;
> +   CURLcode result =
> +     Curl_urldecode(data, data->state.up.path, 0, &working_path,
> +                    &working_path_len, FALSE);
> +   if(result)
> +     return result;
> +
> ++  /* new path to switch to in case we need to */
> ++  Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
> ++
> +   /* Check for /~/, indicating relative to the user's home directory */
> +-  if(conn->handler->protocol & CURLPROTO_SCP) {
> +-    real_path = malloc(working_path_len + 1);
> +-    if(real_path == NULL) {
> ++  if((data->conn->handler->protocol & CURLPROTO_SCP) &&
> ++     (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
> ++    /* It is referenced to the home directory, so strip the leading '/~/' */
> ++    if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
> +       free(working_path);
> +       return CURLE_OUT_OF_MEMORY;
> +     }
> +-    if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
> +-      /* It is referenced to the home directory, so strip the leading '/~/' */
> +-      memcpy(real_path, working_path + 3, working_path_len - 2);
> +-    else
> +-      memcpy(real_path, working_path, 1 + working_path_len);
> +   }
> +-  else if(conn->handler->protocol & CURLPROTO_SFTP) {
> +-    if((working_path_len > 1) && (working_path[1] == '~')) {
> +-      size_t homelen = strlen(homedir);
> +-      real_path = malloc(homelen + working_path_len + 1);
> +-      if(real_path == NULL) {
> +-        free(working_path);
> +-        return CURLE_OUT_OF_MEMORY;
> +-      }
> +-      /* It is referenced to the home directory, so strip the
> +-         leading '/' */
> +-      memcpy(real_path, homedir, homelen);
> +-      real_path[homelen] = '/';
> +-      real_path[homelen + 1] = '\0';
> +-      if(working_path_len > 3) {
> +-        memcpy(real_path + homelen + 1, working_path + 3,
> +-               1 + working_path_len -3);
> +-      }
> ++  else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
> ++          (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
> ++    size_t len;
> ++    const char *p;
> ++    int copyfrom = 3;
> ++    if(Curl_dyn_add(&npath, homedir)) {
> ++      free(working_path);
> ++      return CURLE_OUT_OF_MEMORY;
> +     }
> +-    else {
> +-      real_path = malloc(working_path_len + 1);
> +-      if(real_path == NULL) {
> +-        free(working_path);
> +-        return CURLE_OUT_OF_MEMORY;
> +-      }
> +-      memcpy(real_path, working_path, 1 + working_path_len);
> ++    /* Copy a separating '/' if homedir does not end with one */
> ++    len = Curl_dyn_len(&npath);
> ++    p = Curl_dyn_ptr(&npath);
> ++    if(len && (p[len-1] != '/'))
> ++      copyfrom = 2;
> ++
> ++    if(Curl_dyn_addn(&npath,
> ++                     &working_path[copyfrom], working_path_len - copyfrom)) {
> ++      free(working_path);
> ++      return CURLE_OUT_OF_MEMORY;
> +     }
> +   }
> +
> +-  free(working_path);
> ++  if(Curl_dyn_len(&npath)) {
> ++    free(working_path);
> +
> +-  /* store the pointer for the caller to receive */
> +-  *path = real_path;
> ++    /* store the pointer for the caller to receive */
> ++    *path = Curl_dyn_ptr(&npath);
> ++  }
> ++  else
> ++    *path = working_path;
> +
> +   return CURLE_OK;
> + }
> +--
> +2.25.1
> +
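Review bot: The two rewritten branch conditions in the lib/curl_path.c part of this patch read the protocol through `data->conn->handler->protocol`, although the backported function still takes `struct connectdata *conn` and only derives `data` from `conn->data`. The removed lines used `conn->handler->protocol`; keeping that form, `if((conn->handler->protocol & CURLPROTO_SCP) &&` and `else if((conn->handler->protocol & CURLPROTO_SFTP) &&`, avoids depending on a `conn` back-pointer in `struct Curl_easy` that nothing in this hunk shows for the 7.69.1 tree. The tightened SFTP test, a literal `/~/` prefix instead of any `~` in the second byte, is the security-relevant line, so I would also put a short comment on it such as `/* only a literal "/~/" prefix is home-relative; other "/~..." paths pass through unchanged */`. Part of the Curl_getworkingpath parameter list lies between the two inner hunks and is not visible here.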
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
> index 899daf8eac..fddf15e3ff 100644
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> @@ -42,6 +42,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
>             file://CVE-2022-32221.patch \
>             file://CVE-2022-35260.patch \
>             file://CVE-2022-43552.patch \
> +           file://CVE-2023-27534.patch \
>  "
>
>  SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
> --
> 2.25.1
>
>
>
Siddharth May 11, 2023, 9:34 p.m. UTC | #2
Hi Steve,

I have committed a modified patch on behalf of Hitendra, as he is away for a few days. Please find the patch at -> https://lists.openembedded.org/g/openembedded-core/message/181154

I have verified that this also builds fine when the "--with-libssh2" option is added.

Regards,
Siddharth
Hitendra Prajapati May 12, 2023, 11:26 a.m. UTC | #3
Hi Steve,

I'll look into this issue by enabling the package at my end and send the 
possible solution if any.

Regards,

Hitendra

On 11/05/23 20:15, Steve Sakoman wrote:
> Hi Hitendra,
>
> There's been a bug filed against this patch (build failure when when
> curl is configured with `libssh2` i.e. PACKAGECONFIG_append = "
> libssh2"):
>
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=15114
>
> Could you investigate and advise whether there is an easy fix or
> whether we should revert?
>
> Thanks,
>
> Steve
>
> On Fri, Apr 14, 2023 at 12:55 AM Hitendra Prajapati
> <hprajapati@mvista.com>  wrote:
>> Upstream-Status: Backport fromhttps://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6
>>
>> Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>
>> ---
>>   .../curl/curl/CVE-2023-27534.patch            | 123 ++++++++++++++++++
>>   meta/recipes-support/curl/curl_7.69.1.bb      |   1 +
>>   2 files changed, 124 insertions(+)
>>   create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534.patch
>>
>> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
>> new file mode 100644
>> index 0000000000..aeeffd5fea
>> --- /dev/null
>> +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
>> @@ -0,0 +1,123 @@
>> +From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001
>> +From: Daniel Stenberg<daniel@haxx.se>
>> +Date: Thu, 9 Mar 2023 16:22:11 +0100
>> +Subject: [PATCH] curl_path: create the new path with dynbuf
>> +
>> +CVE: CVE-2023-27534
>> +Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
>> +
>> +Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>
>> +---
>> + lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
>> + 1 file changed, 35 insertions(+), 36 deletions(-)
>> +
>> +diff --git a/lib/curl_path.c b/lib/curl_path.c
>> +index f429634..e17db4b 100644
>> +--- a/lib/curl_path.c
>> ++++ b/lib/curl_path.c
>> +@@ -30,6 +30,8 @@
>> + #include "escape.h"
>> + #include "memdebug.h"
>> +
>> ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */
>> ++
>> + /* figure out the path to work with in this particular request */
>> + CURLcode Curl_getworkingpath(struct connectdata *conn,
>> +                              char *homedir,  /* when SFTP is used */
>> +@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
>> +                                              real path to work with */
>> + {
>> +   struct Curl_easy *data = conn->data;
>> +-  char *real_path = NULL;
>> +   char *working_path;
>> +   size_t working_path_len;
>> ++  struct dynbuf npath;
>> +   CURLcode result =
>> +     Curl_urldecode(data, data->state.up.path, 0, &working_path,
>> +                    &working_path_len, FALSE);
>> +   if(result)
>> +     return result;
>> +
>> ++  /* new path to switch to in case we need to */
>> ++  Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
>> ++
>> +   /* Check for /~/, indicating relative to the user's home directory */
>> +-  if(conn->handler->protocol & CURLPROTO_SCP) {
>> +-    real_path = malloc(working_path_len + 1);
>> +-    if(real_path == NULL) {
>> ++  if((data->conn->handler->protocol & CURLPROTO_SCP) &&
>> ++     (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
>> ++    /* It is referenced to the home directory, so strip the leading '/~/' */
>> ++    if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
>> +       free(working_path);
>> +       return CURLE_OUT_OF_MEMORY;
>> +     }
>> +-    if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
>> +-      /* It is referenced to the home directory, so strip the leading '/~/' */
>> +-      memcpy(real_path, working_path + 3, working_path_len - 2);
>> +-    else
>> +-      memcpy(real_path, working_path, 1 + working_path_len);
>> +   }
>> +-  else if(conn->handler->protocol & CURLPROTO_SFTP) {
>> +-    if((working_path_len > 1) && (working_path[1] == '~')) {
>> +-      size_t homelen = strlen(homedir);
>> +-      real_path = malloc(homelen + working_path_len + 1);
>> +-      if(real_path == NULL) {
>> +-        free(working_path);
>> +-        return CURLE_OUT_OF_MEMORY;
>> +-      }
>> +-      /* It is referenced to the home directory, so strip the
>> +-         leading '/' */
>> +-      memcpy(real_path, homedir, homelen);
>> +-      real_path[homelen] = '/';
>> +-      real_path[homelen + 1] = '\0';
>> +-      if(working_path_len > 3) {
>> +-        memcpy(real_path + homelen + 1, working_path + 3,
>> +-               1 + working_path_len -3);
>> +-      }
>> ++  else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
>> ++          (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
>> ++    size_t len;
>> ++    const char *p;
>> ++    int copyfrom = 3;
>> ++    if(Curl_dyn_add(&npath, homedir)) {
>> ++      free(working_path);
>> ++      return CURLE_OUT_OF_MEMORY;
>> +     }
>> +-    else {
>> +-      real_path = malloc(working_path_len + 1);
>> +-      if(real_path == NULL) {
>> +-        free(working_path);
>> +-        return CURLE_OUT_OF_MEMORY;
>> +-      }
>> +-      memcpy(real_path, working_path, 1 + working_path_len);
>> ++    /* Copy a separating '/' if homedir does not end with one */
>> ++    len = Curl_dyn_len(&npath);
>> ++    p = Curl_dyn_ptr(&npath);
>> ++    if(len && (p[len-1] != '/'))
>> ++      copyfrom = 2;
>> ++
>> ++    if(Curl_dyn_addn(&npath,
>> ++                     &working_path[copyfrom], working_path_len - copyfrom)) {
>> ++      free(working_path);
>> ++      return CURLE_OUT_OF_MEMORY;
>> +     }
>> +   }
>> +
>> +-  free(working_path);
>> ++  if(Curl_dyn_len(&npath)) {
>> ++    free(working_path);
>> +
>> +-  /* store the pointer for the caller to receive */
>> +-  *path = real_path;
>> ++    /* store the pointer for the caller to receive */
>> ++    *path = Curl_dyn_ptr(&npath);
>> ++  }
>> ++  else
>> ++    *path = working_path;
>> +
>> +   return CURLE_OK;
>> + }
>> +--
>> +2.25.1
>> +
>> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
>> index 899daf8eac..fddf15e3ff 100644
>> --- a/meta/recipes-support/curl/curl_7.69.1.bb
>> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
>> @@ -42,6 +42,7 @@ SRC_URI ="https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ 
>> file://CVE-2022-32221.patch \ file://CVE-2022-35260.patch \ 
>> file://CVE-2022-43552.patch \ + file://CVE-2023-27534.patch \ "
>>
>>   SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
>> --
>> 2.25.1
>>
>>
>>
Abdurrahman Hussain (fib) May 16, 2023, 6:38 p.m. UTC | #4
Hi Hitendra,

Any update on this? This should be reverted since the dynbuf APIs are not available in curl 7.69.

Regards,
Abdurrahman

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Hitendra Prajapati
Sent: Friday, May 12, 2023 4:26 AM
To: Steve Sakoman <steve@sakoman.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy


Hi Steve,

I'll look into this issue by enabling the package at my end and send the possible solution if any.

Regards,

Hitendra
On 11/05/23 20:15, Steve Sakoman wrote:

Hi Hitendra,



There's been a bug filed against this patch (build failure when when

curl is configured with `libssh2` i.e. PACKAGECONFIG_append = "

libssh2"):



https://bugzilla.yoctoproject.org/show_bug.cgi?id=15114



Could you investigate and advise whether there is an easy fix or

whether we should revert?



Thanks,



Steve



On Fri, Apr 14, 2023 at 12:55 AM Hitendra Prajapati

<hprajapati@mvista.com><mailto:hprajapati@mvista.com> wrote:



Upstream-Status: Backport from https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6



Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com><mailto:hprajapati@mvista.com>

---

 .../curl/curl/CVE-2023-27534.patch            | 123 ++++++++++++++++++

 meta/recipes-support/curl/curl_7.69.1.bb      |   1 +

 2 files changed, 124 insertions(+)

 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534.patch



diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch

new file mode 100644

index 0000000000..aeeffd5fea

--- /dev/null

+++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch

@@ -0,0 +1,123 @@

+From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001

+From: Daniel Stenberg <daniel@haxx.se><mailto:daniel@haxx.se>

+Date: Thu, 9 Mar 2023 16:22:11 +0100

+Subject: [PATCH] curl_path: create the new path with dynbuf

+

+CVE: CVE-2023-27534

+Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]

+

+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com><mailto:hprajapati@mvista.com>

+---

+ lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------

+ 1 file changed, 35 insertions(+), 36 deletions(-)

+

+diff --git a/lib/curl_path.c b/lib/curl_path.c

+index f429634..e17db4b 100644

+--- a/lib/curl_path.c

++++ b/lib/curl_path.c

+@@ -30,6 +30,8 @@

+ #include "escape.h"

+ #include "memdebug.h"

+

++#define MAX_SSHPATH_LEN 100000 /* arbitrary */

++

+ /* figure out the path to work with in this particular request */

+ CURLcode Curl_getworkingpath(struct connectdata *conn,

+                              char *homedir,  /* when SFTP is used */

+@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,

+                                              real path to work with */

+ {

+   struct Curl_easy *data = conn->data;

+-  char *real_path = NULL;

+   char *working_path;

+   size_t working_path_len;

++  struct dynbuf npath;

+   CURLcode result =

+     Curl_urldecode(data, data->state.up.path, 0, &working_path,

+                    &working_path_len, FALSE);

+   if(result)

+     return result;

+

++  /* new path to switch to in case we need to */

++  Curl_dyn_init(&npath, MAX_SSHPATH_LEN);

++

+   /* Check for /~/, indicating relative to the user's home directory */

+-  if(conn->handler->protocol & CURLPROTO_SCP) {

+-    real_path = malloc(working_path_len + 1);

+-    if(real_path == NULL) {

++  if((data->conn->handler->protocol & CURLPROTO_SCP) &&

++     (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {

++    /* It is referenced to the home directory, so strip the leading '/~/' */

++    if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {

+       free(working_path);

+       return CURLE_OUT_OF_MEMORY;

+     }

+-    if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))

+-      /* It is referenced to the home directory, so strip the leading '/~/' */

+-      memcpy(real_path, working_path + 3, working_path_len - 2);

+-    else

+-      memcpy(real_path, working_path, 1 + working_path_len);

+   }

+-  else if(conn->handler->protocol & CURLPROTO_SFTP) {

+-    if((working_path_len > 1) && (working_path[1] == '~')) {

+-      size_t homelen = strlen(homedir);

+-      real_path = malloc(homelen + working_path_len + 1);

+-      if(real_path == NULL) {

+-        free(working_path);

+-        return CURLE_OUT_OF_MEMORY;

+-      }

+-      /* It is referenced to the home directory, so strip the

+-         leading '/' */

+-      memcpy(real_path, homedir, homelen);

+-      real_path[homelen] = '/';

+-      real_path[homelen + 1] = '\0';

+-      if(working_path_len > 3) {

+-        memcpy(real_path + homelen + 1, working_path + 3,

+-               1 + working_path_len -3);

+-      }

++  else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&

++          (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {

++    size_t len;

++    const char *p;

++    int copyfrom = 3;

++    if(Curl_dyn_add(&npath, homedir)) {

++      free(working_path);

++      return CURLE_OUT_OF_MEMORY;

+     }

+-    else {

+-      real_path = malloc(working_path_len + 1);

+-      if(real_path == NULL) {

+-        free(working_path);

+-        return CURLE_OUT_OF_MEMORY;

+-      }

+-      memcpy(real_path, working_path, 1 + working_path_len);

++    /* Copy a separating '/' if homedir does not end with one */

++    len = Curl_dyn_len(&npath);

++    p = Curl_dyn_ptr(&npath);

++    if(len && (p[len-1] != '/'))

++      copyfrom = 2;

++

++    if(Curl_dyn_addn(&npath,

++                     &working_path[copyfrom], working_path_len - copyfrom)) {

++      free(working_path);

++      return CURLE_OUT_OF_MEMORY;

+     }

+   }

+

+-  free(working_path);

++  if(Curl_dyn_len(&npath)) {

++    free(working_path);

+

+-  /* store the pointer for the caller to receive */

+-  *path = real_path;

++    /* store the pointer for the caller to receive */

++    *path = Curl_dyn_ptr(&npath);

++  }

++  else

++    *path = working_path;

+

+   return CURLE_OK;

+ }

+--

+2.25.1

+

diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb

index 899daf8eac..fddf15e3ff 100644

--- a/meta/recipes-support/curl/curl_7.69.1.bb

+++ b/meta/recipes-support/curl/curl_7.69.1.bb

@@ -42,6 +42,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>

            file://CVE-2022-32221.patch \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>

            file://CVE-2022-35260.patch \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>

            file://CVE-2022-43552.patch \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>

+           file://CVE-2023-27534.patch \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>

 "<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>



 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"

--

2.25.1








--
Regards,
Hitendra Prajapati
MontaVista Software LLC
Hitendra Prajapati May 17, 2023, 6:04 a.m. UTC | #5
Hi Team,

Please revert the changes of curl: CVE-2023-27534 SFTP path ~ resolving 
discrepancy as of now.

My apologies for the delay in reply.

Regards,

Hitendra

On 17/05/23 00:08, Abdurrahman Hussain (fib) wrote:
>
> Hi Hitendra,
>
> Any update on this? This should be reverted since the dynbuf APIs are 
> not available in curl 7.69.
>
> Regards,
>
> Abdurrahman
>
> *From:* openembedded-core@lists.openembedded.org 
> <openembedded-core@lists.openembedded.org> *On Behalf Of *Hitendra 
> Prajapati
> *Sent:* Friday, May 12, 2023 4:26 AM
> *To:* Steve Sakoman <steve@sakoman.com>
> *Cc:* openembedded-core@lists.openembedded.org
> *Subject:* Re: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP 
> path ~ resolving discrepancy
>
> Hi Steve,
>
> I'll look into this issue by enabling the package at my end and send 
> the possible solution if any.
>
> Regards,
>
> Hitendra
>
> On 11/05/23 20:15, Steve Sakoman wrote:
>
>     Hi Hitendra,
>
>     There's been a bug filed against this patch (build failure when when
>
>     curl is configured with `libssh2` i.e. PACKAGECONFIG_append = "
>
>     libssh2"):
>
>     https://bugzilla.yoctoproject.org/show_bug.cgi?id=15114
>
>     Could you investigate and advise whether there is an easy fix or
>
>     whether we should revert?
>
>     Thanks,
>
>     Steve
>
>     On Fri, Apr 14, 2023 at 12:55 AM Hitendra Prajapati
>
>     <hprajapati@mvista.com>  <mailto:hprajapati@mvista.com>  wrote:
>
>         Upstream-Status: Backport fromhttps://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6
>
>         Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>  <mailto:hprajapati@mvista.com>
>
>         ---
>
>           .../curl/curl/CVE-2023-27534.patch            | 123 ++++++++++++++++++
>
>           meta/recipes-support/curl/curl_7.69.1.bb      |   1 +
>
>           2 files changed, 124 insertions(+)
>
>           create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534.patch
>
>         diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
>
>         new file mode 100644
>
>         index 0000000000..aeeffd5fea
>
>         --- /dev/null
>
>         +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
>
>         @@ -0,0 +1,123 @@
>
>         +From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001
>
>         +From: Daniel Stenberg<daniel@haxx.se>  <mailto:daniel@haxx.se>
>
>         +Date: Thu, 9 Mar 2023 16:22:11 +0100
>
>         +Subject: [PATCH] curl_path: create the new path with dynbuf
>
>         +
>
>         +CVE: CVE-2023-27534
>
>         +Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
>
>         +
>
>         +Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>  <mailto:hprajapati@mvista.com>
>
>         +---
>
>         + lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
>
>         + 1 file changed, 35 insertions(+), 36 deletions(-)
>
>         +
>
>         +diff --git a/lib/curl_path.c b/lib/curl_path.c
>
>         +index f429634..e17db4b 100644
>
>         +--- a/lib/curl_path.c
>
>         ++++ b/lib/curl_path.c
>
>         +@@ -30,6 +30,8 @@
>
>         + #include "escape.h"
>
>         + #include "memdebug.h"
>
>         +
>
>         ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */
>
>         ++
>
>         + /* figure out the path to work with in this particular request */
>
>         + CURLcode Curl_getworkingpath(struct connectdata *conn,
>
>         +                              char *homedir,  /* when SFTP is used */
>
>         +@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
>
>         +                                              real path to work with */
>
>         + {
>
>         +   struct Curl_easy *data = conn->data;
>
>         +-  char *real_path = NULL;
>
>         +   char *working_path;
>
>         +   size_t working_path_len;
>
>         ++  struct dynbuf npath;
>
>         +   CURLcode result =
>
>         +     Curl_urldecode(data, data->state.up.path, 0, &working_path,
>
>         +                    &working_path_len, FALSE);
>
>         +   if(result)
>
>         +     return result;
>
>         +
>
>         ++  /* new path to switch to in case we need to */
>
>         ++  Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
>
>         ++
>
>         +   /* Check for /~/, indicating relative to the user's home directory */
>
>         +-  if(conn->handler->protocol & CURLPROTO_SCP) {
>
>         +-    real_path = malloc(working_path_len + 1);
>
>         +-    if(real_path == NULL) {
>
>         ++  if((data->conn->handler->protocol & CURLPROTO_SCP) &&
>
>         ++     (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
>
>         ++    /* It is referenced to the home directory, so strip the leading '/~/' */
>
>         ++    if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
>
>         +       free(working_path);
>
>         +       return CURLE_OUT_OF_MEMORY;
>
>         +     }
>
>         +-    if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
>
>         +-      /* It is referenced to the home directory, so strip the leading '/~/' */
>
>         +-      memcpy(real_path, working_path + 3, working_path_len - 2);
>
>         +-    else
>
>         +-      memcpy(real_path, working_path, 1 + working_path_len);
>
>         +   }
>
>         +-  else if(conn->handler->protocol & CURLPROTO_SFTP) {
>
>         +-    if((working_path_len > 1) && (working_path[1] == '~')) {
>
>         +-      size_t homelen = strlen(homedir);
>
>         +-      real_path = malloc(homelen + working_path_len + 1);
>
>         +-      if(real_path == NULL) {
>
>         +-        free(working_path);
>
>         +-        return CURLE_OUT_OF_MEMORY;
>
>         +-      }
>
>         +-      /* It is referenced to the home directory, so strip the
>
>         +-         leading '/' */
>
>         +-      memcpy(real_path, homedir, homelen);
>
>         +-      real_path[homelen] = '/';
>
>         +-      real_path[homelen + 1] = '\0';
>
>         +-      if(working_path_len > 3) {
>
>         +-        memcpy(real_path + homelen + 1, working_path + 3,
>
>         +-               1 + working_path_len -3);
>
>         +-      }
>
>         ++  else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
>
>         ++          (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
>
>         ++    size_t len;
>
>         ++    const char *p;
>
>         ++    int copyfrom = 3;
>
>         ++    if(Curl_dyn_add(&npath, homedir)) {
>
>         ++      free(working_path);
>
>         ++      return CURLE_OUT_OF_MEMORY;
>
>         +     }
>
>         +-    else {
>
>         +-      real_path = malloc(working_path_len + 1);
>
>         +-      if(real_path == NULL) {
>
>         +-        free(working_path);
>
>         +-        return CURLE_OUT_OF_MEMORY;
>
>         +-      }
>
>         +-      memcpy(real_path, working_path, 1 + working_path_len);
>
>         ++    /* Copy a separating '/' if homedir does not end with one */
>
>         ++    len = Curl_dyn_len(&npath);
>
>         ++    p = Curl_dyn_ptr(&npath);
>
>         ++    if(len && (p[len-1] != '/'))
>
>         ++      copyfrom = 2;
>
>         ++
>
>         ++    if(Curl_dyn_addn(&npath,
>
>         ++                     &working_path[copyfrom], working_path_len - copyfrom)) {
>
>         ++      free(working_path);
>
>         ++      return CURLE_OUT_OF_MEMORY;
>
>         +     }
>
>         +   }
>
>         +
>
>         +-  free(working_path);
>
>         ++  if(Curl_dyn_len(&npath)) {
>
>         ++    free(working_path);
>
>         +
>
>         +-  /* store the pointer for the caller to receive */
>
>         +-  *path = real_path;
>
>         ++    /* store the pointer for the caller to receive */
>
>         ++    *path = Curl_dyn_ptr(&npath);
>
>         ++  }
>
>         ++  else
>
>         ++    *path = working_path;
>
>         +
>
>         +   return CURLE_OK;
>
>         + }
>
>         +--
>
>         +2.25.1
>
>         +
>
>         diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
>
>         index 899daf8eac..fddf15e3ff 100644
>
>         --- a/meta/recipes-support/curl/curl_7.69.1.bb
>
>         +++ b/meta/recipes-support/curl/curl_7.69.1.bb
>
>         @@ -42,6 +42,7 @@ SRC_URI ="https://curl.haxx.se/download/curl-${PV}.tar.bz2 \  <https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
>                     file://CVE-2022-32221.patch
>         \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
>                     file://CVE-2022-35260.patch
>         \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
>                     file://CVE-2022-43552.patch
>         \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
>         +           file://CVE-2023-27534.patch
>         \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
>         "
>         <https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
>           SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
>
>         --
>
>         2.25.1
>
> -- 
> Regards,
> Hitendra Prajapati
> MontaVista Software LLC
>
Hitendra Prajapati May 17, 2023, 6:12 a.m. UTC | #6
Hi Team,

As my Team member Siddharth Doshi  already send the revised patch for that.

Commit : 
*https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/dunfell-nut&id=3e4520554cf8bd441f021f46f2e68eace5ca42e6 

*

Please take a look at that patch, and for any issue get back to me or Siddharth.

Thank you Siddharth.

Regards,

Hitendra  Prajapati//

On 17/05/23 00:08, Abdurrahman Hussain (fib) wrote:
>
> Hi Hitendra,
>
> Any update on this? This should be reverted since the dynbuf APIs are 
> not available in curl 7.69.
>
> Regards,
>
> Abdurrahman
>
> *From:* openembedded-core@lists.openembedded.org 
> <openembedded-core@lists.openembedded.org> *On Behalf Of *Hitendra 
> Prajapati
> *Sent:* Friday, May 12, 2023 4:26 AM
> *To:* Steve Sakoman <steve@sakoman.com>
> *Cc:* openembedded-core@lists.openembedded.org
> *Subject:* Re: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP 
> path ~ resolving discrepancy
>
> Hi Steve,
>
> I'll look into this issue by enabling the package at my end and send 
> the possible solution if any.
>
> Regards,
>
> Hitendra
>
> On 11/05/23 20:15, Steve Sakoman wrote:
>
>     Hi Hitendra,
>
>     There's been a bug filed against this patch (build failure when when
>
>     curl is configured with `libssh2` i.e. PACKAGECONFIG_append = "
>
>     libssh2"):
>
>     https://bugzilla.yoctoproject.org/show_bug.cgi?id=15114
>
>     Could you investigate and advise whether there is an easy fix or
>
>     whether we should revert?
>
>     Thanks,
>
>     Steve
>
>     On Fri, Apr 14, 2023 at 12:55 AM Hitendra Prajapati
>
>     <hprajapati@mvista.com>  <mailto:hprajapati@mvista.com>  wrote:
>
>         Upstream-Status: Backport fromhttps://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6
>
>         Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>  <mailto:hprajapati@mvista.com>
>
>         ---
>
>           .../curl/curl/CVE-2023-27534.patch            | 123 ++++++++++++++++++
>
>           meta/recipes-support/curl/curl_7.69.1.bb      |   1 +
>
>           2 files changed, 124 insertions(+)
>
>           create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534.patch
>
>         diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
>
>         new file mode 100644
>
>         index 0000000000..aeeffd5fea
>
>         --- /dev/null
>
>         +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
>
>         @@ -0,0 +1,123 @@
>
>         +From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001
>
>         +From: Daniel Stenberg<daniel@haxx.se>  <mailto:daniel@haxx.se>
>
>         +Date: Thu, 9 Mar 2023 16:22:11 +0100
>
>         +Subject: [PATCH] curl_path: create the new path with dynbuf
>
>         +
>
>         +CVE: CVE-2023-27534
>
>         +Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
>
>         +
>
>         +Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>  <mailto:hprajapati@mvista.com>
>
>         +---
>
>         + lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
>
>         + 1 file changed, 35 insertions(+), 36 deletions(-)
>
>         +
>
>         +diff --git a/lib/curl_path.c b/lib/curl_path.c
>
>         +index f429634..e17db4b 100644
>
>         +--- a/lib/curl_path.c
>
>         ++++ b/lib/curl_path.c
>
>         +@@ -30,6 +30,8 @@
>
>         + #include "escape.h"
>
>         + #include "memdebug.h"
>
>         +
>
>         ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */
>
>         ++
>
>         + /* figure out the path to work with in this particular request */
>
>         + CURLcode Curl_getworkingpath(struct connectdata *conn,
>
>         +                              char *homedir,  /* when SFTP is used */
>
>         +@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
>
>         +                                              real path to work with */
>
>         + {
>
>         +   struct Curl_easy *data = conn->data;
>
>         +-  char *real_path = NULL;
>
>         +   char *working_path;
>
>         +   size_t working_path_len;
>
>         ++  struct dynbuf npath;
>
>         +   CURLcode result =
>
>         +     Curl_urldecode(data, data->state.up.path, 0, &working_path,
>
>         +                    &working_path_len, FALSE);
>
>         +   if(result)
>
>         +     return result;
>
>         +
>
>         ++  /* new path to switch to in case we need to */
>
>         ++  Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
>
>         ++
>
>         +   /* Check for /~/, indicating relative to the user's home directory */
>
>         +-  if(conn->handler->protocol & CURLPROTO_SCP) {
>
>         +-    real_path = malloc(working_path_len + 1);
>
>         +-    if(real_path == NULL) {
>
>         ++  if((data->conn->handler->protocol & CURLPROTO_SCP) &&
>
>         ++     (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
>
>         ++    /* It is referenced to the home directory, so strip the leading '/~/' */
>
>         ++    if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
>
>         +       free(working_path);
>
>         +       return CURLE_OUT_OF_MEMORY;
>
>         +     }
>
>         +-    if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
>
>         +-      /* It is referenced to the home directory, so strip the leading '/~/' */
>
>         +-      memcpy(real_path, working_path + 3, working_path_len - 2);
>
>         +-    else
>
>         +-      memcpy(real_path, working_path, 1 + working_path_len);
>
>         +   }
>
>         +-  else if(conn->handler->protocol & CURLPROTO_SFTP) {
>
>         +-    if((working_path_len > 1) && (working_path[1] == '~')) {
>
>         +-      size_t homelen = strlen(homedir);
>
>         +-      real_path = malloc(homelen + working_path_len + 1);
>
>         +-      if(real_path == NULL) {
>
>         +-        free(working_path);
>
>         +-        return CURLE_OUT_OF_MEMORY;
>
>         +-      }
>
>         +-      /* It is referenced to the home directory, so strip the
>
>         +-         leading '/' */
>
>         +-      memcpy(real_path, homedir, homelen);
>
>         +-      real_path[homelen] = '/';
>
>         +-      real_path[homelen + 1] = '\0';
>
>         +-      if(working_path_len > 3) {
>
>         +-        memcpy(real_path + homelen + 1, working_path + 3,
>
>         +-               1 + working_path_len -3);
>
>         +-      }
>
>         ++  else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
>
>         ++          (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
>
>         ++    size_t len;
>
>         ++    const char *p;
>
>         ++    int copyfrom = 3;
>
>         ++    if(Curl_dyn_add(&npath, homedir)) {
>
>         ++      free(working_path);
>
>         ++      return CURLE_OUT_OF_MEMORY;
>
>         +     }
>
>         +-    else {
>
>         +-      real_path = malloc(working_path_len + 1);
>
>         +-      if(real_path == NULL) {
>
>         +-        free(working_path);
>
>         +-        return CURLE_OUT_OF_MEMORY;
>
>         +-      }
>
>         +-      memcpy(real_path, working_path, 1 + working_path_len);
>
>         ++    /* Copy a separating '/' if homedir does not end with one */
>
>         ++    len = Curl_dyn_len(&npath);
>
>         ++    p = Curl_dyn_ptr(&npath);
>
>         ++    if(len && (p[len-1] != '/'))
>
>         ++      copyfrom = 2;
>
>         ++
>
>         ++    if(Curl_dyn_addn(&npath,
>
>         ++                     &working_path[copyfrom], working_path_len - copyfrom)) {
>
>         ++      free(working_path);
>
>         ++      return CURLE_OUT_OF_MEMORY;
>
>         +     }
>
>         +   }
>
>         +
>
>         +-  free(working_path);
>
>         ++  if(Curl_dyn_len(&npath)) {
>
>         ++    free(working_path);
>
>         +
>
>         +-  /* store the pointer for the caller to receive */
>
>         +-  *path = real_path;
>
>         ++    /* store the pointer for the caller to receive */
>
>         ++    *path = Curl_dyn_ptr(&npath);
>
>         ++  }
>
>         ++  else
>
>         ++    *path = working_path;
>
>         +
>
>         +   return CURLE_OK;
>
>         + }
>
>         +--
>
>         +2.25.1
>
>         +
>
>         diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
>
>         index 899daf8eac..fddf15e3ff 100644
>
>         --- a/meta/recipes-support/curl/curl_7.69.1.bb
>
>         +++ b/meta/recipes-support/curl/curl_7.69.1.bb
>
>         @@ -42,6 +42,7 @@ SRC_URI ="https://curl.haxx.se/download/curl-${PV}.tar.bz2 \  <https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
>                     file://CVE-2022-32221.patch
>         \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
>                     file://CVE-2022-35260.patch
>         \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
>                     file://CVE-2022-43552.patch
>         \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
>         +           file://CVE-2023-27534.patch
>         \<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
>         "
>         <https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
>
>           SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
>
>         --
>
>         2.25.1
>
> -- 
> Regards,
> Hitendra Prajapati
> MontaVista Software LLC
>

Patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
new file mode 100644
index 0000000000..aeeffd5fea
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
@@ -0,0 +1,123 @@ 
+From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Mar 2023 16:22:11 +0100
+Subject: [PATCH] curl_path: create the new path with dynbuf
+
+CVE: CVE-2023-27534
+Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 35 insertions(+), 36 deletions(-)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index f429634..e17db4b 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -30,6 +30,8 @@
+ #include "escape.h"
+ #include "memdebug.h"
+ 
++#define MAX_SSHPATH_LEN 100000 /* arbitrary */
++
+ /* figure out the path to work with in this particular request */
+ CURLcode Curl_getworkingpath(struct connectdata *conn,
+                              char *homedir,  /* when SFTP is used */
+@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+                                              real path to work with */
+ {
+   struct Curl_easy *data = conn->data;
+-  char *real_path = NULL;
+   char *working_path;
+   size_t working_path_len;
++  struct dynbuf npath;
+   CURLcode result =
+     Curl_urldecode(data, data->state.up.path, 0, &working_path,
+                    &working_path_len, FALSE);
+   if(result)
+     return result;
+ 
++  /* new path to switch to in case we need to */
++  Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
++
+   /* Check for /~/, indicating relative to the user's home directory */
+-  if(conn->handler->protocol & CURLPROTO_SCP) {
+-    real_path = malloc(working_path_len + 1);
+-    if(real_path == NULL) {
++  if((data->conn->handler->protocol & CURLPROTO_SCP) &&
++     (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
++    /* It is referenced to the home directory, so strip the leading '/~/' */
++    if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
+       free(working_path);
+       return CURLE_OUT_OF_MEMORY;
+     }
+-    if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
+-      /* It is referenced to the home directory, so strip the leading '/~/' */
+-      memcpy(real_path, working_path + 3, working_path_len - 2);
+-    else
+-      memcpy(real_path, working_path, 1 + working_path_len);
+   }
+-  else if(conn->handler->protocol & CURLPROTO_SFTP) {
+-    if((working_path_len > 1) && (working_path[1] == '~')) {
+-      size_t homelen = strlen(homedir);
+-      real_path = malloc(homelen + working_path_len + 1);
+-      if(real_path == NULL) {
+-        free(working_path);
+-        return CURLE_OUT_OF_MEMORY;
+-      }
+-      /* It is referenced to the home directory, so strip the
+-         leading '/' */
+-      memcpy(real_path, homedir, homelen);
+-      real_path[homelen] = '/';
+-      real_path[homelen + 1] = '\0';
+-      if(working_path_len > 3) {
+-        memcpy(real_path + homelen + 1, working_path + 3,
+-               1 + working_path_len -3);
+-      }
++  else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
++          (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
++    size_t len;
++    const char *p;
++    int copyfrom = 3;
++    if(Curl_dyn_add(&npath, homedir)) {
++      free(working_path);
++      return CURLE_OUT_OF_MEMORY;
+     }
+-    else {
+-      real_path = malloc(working_path_len + 1);
+-      if(real_path == NULL) {
+-        free(working_path);
+-        return CURLE_OUT_OF_MEMORY;
+-      }
+-      memcpy(real_path, working_path, 1 + working_path_len);
++    /* Copy a separating '/' if homedir does not end with one */
++    len = Curl_dyn_len(&npath);
++    p = Curl_dyn_ptr(&npath);
++    if(len && (p[len-1] != '/'))
++      copyfrom = 2;
++
++    if(Curl_dyn_addn(&npath,
++                     &working_path[copyfrom], working_path_len - copyfrom)) {
++      free(working_path);
++      return CURLE_OUT_OF_MEMORY;
+     }
+   }
+ 
+-  free(working_path);
++  if(Curl_dyn_len(&npath)) {
++    free(working_path);
+ 
+-  /* store the pointer for the caller to receive */
+-  *path = real_path;
++    /* store the pointer for the caller to receive */
++    *path = Curl_dyn_ptr(&npath);
++  }
++  else
++    *path = working_path;
+ 
+   return CURLE_OK;
+ }
+-- 
+2.25.1
+
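Review bot: In the SFTP branch of the embedded lib/curl_path.c change, the second error return (taken when `Curl_dyn_addn(&npath, &working_path[copyfrom], working_path_len - copyfrom)` fails) frees `working_path` but does nothing with `npath`, which at that point already holds the copy of `homedir`. Whether that leaks depends on the dynbuf code releasing its buffer on a failed append, which this patch does not show; I would either add `Curl_dyn_free(&npath);` before that `return CURLE_OUT_OF_MEMORY;` or record the reliance in a comment such as `/* a failed Curl_dyn_addn() is expected to have released npath */`. The same return presumably also reports a path that exceeds `MAX_SSHPATH_LEN` as out of memory, which would mislead anyone triaging a rejected over-long path. Only part of Curl_getworkingpath's parameter list is visible between the two embedded hunks, so the caller's ownership of `*path` is inferred from the removed `*path = real_path;` line.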
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 899daf8eac..fddf15e3ff 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -42,6 +42,7 @@  SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2022-32221.patch \
            file://CVE-2022-35260.patch \
            file://CVE-2022-43552.patch \
+           file://CVE-2023-27534.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"