Message ID | 20230404133718.50343-1-badganchipv@gmail.com |
---|---|
State | New, archived |
Headers | show |
Series | [meta,kirkstone] curl: Add fix for CVE-2023-23916 | expand |
This seems to fix the fuzz issue, I'll add the patch to my queue for autobuilder testing. For future patches there is no need for [meta] in the subject line. Just something like "[OE-core][kirkstone][PATCH] curl: Add fix for CVE-2023-23916" is perfect. Also when you are sending multiple versions of the patch use something like: "[OE-core][kirkstone][PATCH v2] curl: Add fix for CVE-2023-23916" and include a comment after the line with three dashes describing the changes in this version. See below for example. Steve On Tue, Apr 4, 2023 at 3:37 AM Pawan Badganchi <badganchipv@gmail.com> wrote: > > Add below patch to fix CVE-2023-23916 > > CVE-2023-23916.patch > > Link: https://curl.se/docs/CVE-2023-23916.html > > Signed-off-by: pawan <badganchipv@gmail.com> > --- V2: fix fuzz errors > .../curl/curl/CVE-2023-23916.patch | 219 ++++++++++++++++++ > meta/recipes-support/curl/curl_7.82.0.bb | 1 + > 2 files changed, 220 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/meta/recipes-support/curl/curl/CVE-2023-23916.patch > new file mode 100644 > index 0000000000..a57d275902 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch > @@ -0,0 +1,219 @@ > +From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001 > +From: Patrick Monnerat <patrick@monnerat.net> > +Date: Mon, 13 Feb 2023 08:33:09 +0100 > +Subject: [PATCH] content_encoding: do not reset stage counter for each header > + > +Test 418 verifies > + > +Closes #10492 > + > +CVE: CVE-2023-23916 > +Upstream-Status: Backport [https://github.com/curl/curl/commit/119fb187192a9ea13dc.patch] > +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> > +--- > + lib/content_encoding.c | 7 +- > + lib/urldata.h | 1 + > + tests/data/Makefile.inc | 2 +- > + tests/data/test387 | 2 +- > + tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ > + 5 files changed, 158 insertions(+), 6 deletions(-) > + create mode 100644 tests/data/test418 > + > +--- a/lib/content_encoding.c > ++++ b/lib/content_encoding.c > +@@ -1037,7 +1037,6 @@ CURLcode Curl_build_unencoding_stack(str > + const char *enclist, int maybechunked) > + { > + struct SingleRequest *k = &data->req; > +- int counter = 0; > + > + do { > + const char *name; > +@@ -1072,9 +1071,9 @@ CURLcode Curl_build_unencoding_stack(str > + if(!encoding) > + encoding = &error_encoding; /* Defer error at stack use. */ > + > +- if(++counter >= MAX_ENCODE_STACK) { > +- failf(data, "Reject response due to %u content encodings", > +- counter); > ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { > ++ failf(data, "Reject response due to more than %u content encodings", > ++ MAX_ENCODE_STACK); > + return CURLE_BAD_CONTENT_ENCODING; > + } > + /* Stack the unencoding stage. */ > +--- a/lib/urldata.h > ++++ b/lib/urldata.h > +@@ -682,6 +682,7 @@ struct SingleRequest { > + struct dohdata *doh; /* DoH specific data for this request */ > + #endif > + unsigned char setcookies; > ++ unsigned char writer_stack_depth; /* Unencoding stack depth. */ > + BIT(header); /* incoming data has HTTP header */ > + BIT(content_range); /* set TRUE if Content-Range: was found */ > + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding > +--- a/tests/data/Makefile.inc > ++++ b/tests/data/Makefile.inc > +@@ -69,6 +69,7 @@ > + \ > + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ > + test409 test410 \ > ++test418 \ > + \ > + test430 test431 test432 test433 test434 test435 test436 \ > + \ > +--- /dev/null > ++++ b/tests/data/test418 > +@@ -0,0 +1,152 @@ > ++<testcase> > ++<info> > ++<keywords> > ++HTTP > ++gzip > ++</keywords> > ++</info> > ++ > ++# > ++# Server-side > ++<reply> > ++<data nocheck="yes"> > ++HTTP/1.1 200 OK > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++Transfer-Encoding: gzip > ++ > ++-foo- > ++</data> > ++</reply> > ++ > ++# > ++# Client-side > ++<client> > ++<server> > ++http > ++</server> > ++ <name> > ++Response with multiple Transfer-Encoding headers > ++ </name> > ++ <command> > ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS > ++</command> > ++</client> > ++ > ++# > ++# Verify data after the test has been "shot" > ++<verify> > ++<protocol crlf="yes"> > ++GET /%TESTNUMBER HTTP/1.1 > ++Host: %HOSTIP:%HTTPPORT > ++User-Agent: curl/%VERSION > ++Accept: */* > ++ > ++</protocol> > ++ > ++# CURLE_BAD_CONTENT_ENCODING is 61 > ++<errorcode> > ++61 > ++</errorcode> > ++<stderr mode="text"> > ++curl: (61) Reject response due to more than 5 content encodings > ++</stderr> > ++</verify> > ++</testcase> > diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb > index b583060889..945745cdde 100644 > --- a/meta/recipes-support/curl/curl_7.82.0.bb > +++ b/meta/recipes-support/curl/curl_7.82.0.bb > @@ -39,6 +39,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ > file://CVE-2023-23914_5-3.patch \ > file://CVE-2023-23914_5-4.patch \ > file://CVE-2023-23914_5-5.patch \ > + file://CVE-2023-23916.patch \ > " > SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" > > -- > 2.38.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#179689): https://lists.openembedded.org/g/openembedded-core/message/179689 > Mute This Topic: https://lists.openembedded.org/mt/98055877/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Noted, Thanks. On Tue, 4 Apr, 2023, 8:53 pm Steve Sakoman, <steve@sakoman.com> wrote: > This seems to fix the fuzz issue, I'll add the patch to my queue for > autobuilder testing. > > For future patches there is no need for [meta] in the subject line. > Just something like "[OE-core][kirkstone][PATCH] curl: Add fix for > CVE-2023-23916" is perfect. > > Also when you are sending multiple versions of the patch use something > like: "[OE-core][kirkstone][PATCH v2] curl: Add fix for > CVE-2023-23916" and include a comment after the line with three dashes > describing the changes in this version. See below for example. > > Steve > > On Tue, Apr 4, 2023 at 3:37 AM Pawan Badganchi <badganchipv@gmail.com> > wrote: > > > > Add below patch to fix CVE-2023-23916 > > > > CVE-2023-23916.patch > > > > Link: https://curl.se/docs/CVE-2023-23916.html > > > > Signed-off-by: pawan <badganchipv@gmail.com> > > --- > V2: fix fuzz errors > > > .../curl/curl/CVE-2023-23916.patch | 219 ++++++++++++++++++ > > meta/recipes-support/curl/curl_7.82.0.bb | 1 + > > 2 files changed, 220 insertions(+) > > create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch > > > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch > b/meta/recipes-support/curl/curl/CVE-2023-23916.patch > > new file mode 100644 > > index 0000000000..a57d275902 > > --- /dev/null > > +++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch > > @@ -0,0 +1,219 @@ > > +From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001 > > +From: Patrick Monnerat <patrick@monnerat.net> > > +Date: Mon, 13 Feb 2023 08:33:09 +0100 > > +Subject: [PATCH] content_encoding: do not reset stage counter for each > header > > + > > +Test 418 verifies > > + > > +Closes #10492 > > + > > +CVE: CVE-2023-23916 > > +Upstream-Status: Backport [ > https://github.com/curl/curl/commit/119fb187192a9ea13dc.patch] > > +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> > > +--- > > + lib/content_encoding.c | 7 +- > > + lib/urldata.h | 1 + > > + tests/data/Makefile.inc | 2 +- > > + tests/data/test387 | 2 +- > > + tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ > > + 5 files changed, 158 insertions(+), 6 deletions(-) > > + create mode 100644 tests/data/test418 > > + > > +--- a/lib/content_encoding.c > > ++++ b/lib/content_encoding.c > > +@@ -1037,7 +1037,6 @@ CURLcode Curl_build_unencoding_stack(str > > + const char *enclist, int > maybechunked) > > + { > > + struct SingleRequest *k = &data->req; > > +- int counter = 0; > > + > > + do { > > + const char *name; > > +@@ -1072,9 +1071,9 @@ CURLcode Curl_build_unencoding_stack(str > > + if(!encoding) > > + encoding = &error_encoding; /* Defer error at stack use. */ > > + > > +- if(++counter >= MAX_ENCODE_STACK) { > > +- failf(data, "Reject response due to %u content encodings", > > +- counter); > > ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { > > ++ failf(data, "Reject response due to more than %u content > encodings", > > ++ MAX_ENCODE_STACK); > > + return CURLE_BAD_CONTENT_ENCODING; > > + } > > + /* Stack the unencoding stage. */ > > +--- a/lib/urldata.h > > ++++ b/lib/urldata.h > > +@@ -682,6 +682,7 @@ struct SingleRequest { > > + struct dohdata *doh; /* DoH specific data for this request */ > > + #endif > > + unsigned char setcookies; > > ++ unsigned char writer_stack_depth; /* Unencoding stack depth. */ > > + BIT(header); /* incoming data has HTTP header */ > > + BIT(content_range); /* set TRUE if Content-Range: was found */ > > + BIT(upload_done); /* set to TRUE when doing chunked > transfer-encoding > > +--- a/tests/data/Makefile.inc > > ++++ b/tests/data/Makefile.inc > > +@@ -69,6 +69,7 @@ > > + \ > > + test400 test401 test402 test403 test404 test405 test406 test407 > test408 \ > > + test409 test410 \ > > ++test418 \ > > + \ > > + test430 test431 test432 test433 test434 test435 test436 \ > > + \ > > +--- /dev/null > > ++++ b/tests/data/test418 > > +@@ -0,0 +1,152 @@ > > ++<testcase> > > ++<info> > > ++<keywords> > > ++HTTP > > ++gzip > > ++</keywords> > > ++</info> > > ++ > > ++# > > ++# Server-side > > ++<reply> > > ++<data nocheck="yes"> > > ++HTTP/1.1 200 OK > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++Transfer-Encoding: gzip > > ++ > > ++-foo- > > ++</data> > > ++</reply> > > ++ > > ++# > > ++# Client-side > > ++<client> > > ++<server> > > ++http > > ++</server> > > ++ <name> > > ++Response with multiple Transfer-Encoding headers > > ++ </name> > > ++ <command> > > ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS > > ++</command> > > ++</client> > > ++ > > ++# > > ++# Verify data after the test has been "shot" > > ++<verify> > > ++<protocol crlf="yes"> > > ++GET /%TESTNUMBER HTTP/1.1 > > ++Host: %HOSTIP:%HTTPPORT > > ++User-Agent: curl/%VERSION > > ++Accept: */* > > ++ > > ++</protocol> > > ++ > > ++# CURLE_BAD_CONTENT_ENCODING is 61 > > ++<errorcode> > > ++61 > > ++</errorcode> > > ++<stderr mode="text"> > > ++curl: (61) Reject response due to more than 5 content encodings > > ++</stderr> > > ++</verify> > > ++</testcase> > > diff --git a/meta/recipes-support/curl/curl_7.82.0.bb > b/meta/recipes-support/curl/curl_7.82.0.bb > > index b583060889..945745cdde 100644 > > --- a/meta/recipes-support/curl/curl_7.82.0.bb > > +++ b/meta/recipes-support/curl/curl_7.82.0.bb > > @@ -39,6 +39,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ > > file://CVE-2023-23914_5-3.patch \ > > file://CVE-2023-23914_5-4.patch \ > > file://CVE-2023-23914_5-5.patch \ > > + file://CVE-2023-23916.patch \ > > " > > SRC_URI[sha256sum] = > "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" > > > > -- > > 2.38.1 > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#179689): > https://lists.openembedded.org/g/openembedded-core/message/179689 > > Mute This Topic: https://lists.openembedded.org/mt/98055877/3620601 > > Group Owner: openembedded-core+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > steve@sakoman.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > >
diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/meta/recipes-support/curl/curl/CVE-2023-23916.patch new file mode 100644 index 0000000000..a57d275902 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch @@ -0,0 +1,219 @@ +From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat <patrick@monnerat.net> +Date: Mon, 13 Feb 2023 08:33:09 +0100 +Subject: [PATCH] content_encoding: do not reset stage counter for each header + +Test 418 verifies + +Closes #10492 + +CVE: CVE-2023-23916 +Upstream-Status: Backport [https://github.com/curl/curl/commit/119fb187192a9ea13dc.patch] +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> +--- + lib/content_encoding.c | 7 +- + lib/urldata.h | 1 + + tests/data/Makefile.inc | 2 +- + tests/data/test387 | 2 +- + tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 158 insertions(+), 6 deletions(-) + create mode 100644 tests/data/test418 + +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1037,7 +1037,6 @@ CURLcode Curl_build_unencoding_stack(str + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; +- int counter = 0; + + do { + const char *name; +@@ -1072,9 +1071,9 @@ CURLcode Curl_build_unencoding_stack(str + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + +- if(++counter >= MAX_ENCODE_STACK) { +- failf(data, "Reject response due to %u content encodings", +- counter); ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to more than %u content encodings", ++ MAX_ENCODE_STACK); + return CURLE_BAD_CONTENT_ENCODING; + } + /* Stack the unencoding stage. */ +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -682,6 +682,7 @@ struct SingleRequest { + struct dohdata *doh; /* DoH specific data for this request */ + #endif + unsigned char setcookies; ++ unsigned char writer_stack_depth; /* Unencoding stack depth. */ + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -69,6 +69,7 @@ + \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ + test409 test410 \ ++test418 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ +--- /dev/null ++++ b/tests/data/test418 +@@ -0,0 +1,152 @@ ++<testcase> ++<info> ++<keywords> ++HTTP ++gzip ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++<data nocheck="yes"> ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++ ++-foo- ++</data> ++</reply> ++ ++# ++# Client-side ++<client> ++<server> ++http ++</server> ++ <name> ++Response with multiple Transfer-Encoding headers ++ </name> ++ <command> ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++</command> ++</client> ++ ++# ++# Verify data after the test has been "shot" ++<verify> ++<protocol crlf="yes"> ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++</protocol> ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++<errorcode> ++61 ++</errorcode> ++<stderr mode="text"> ++curl: (61) Reject response due to more than 5 content encodings ++</stderr> ++</verify> ++</testcase> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index b583060889..945745cdde 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -39,6 +39,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2023-23914_5-3.patch \ file://CVE-2023-23914_5-4.patch \ file://CVE-2023-23914_5-5.patch \ + file://CVE-2023-23916.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
Add below patch to fix CVE-2023-23916 CVE-2023-23916.patch Link: https://curl.se/docs/CVE-2023-23916.html Signed-off-by: pawan <badganchipv@gmail.com> --- .../curl/curl/CVE-2023-23916.patch | 219 ++++++++++++++++++ meta/recipes-support/curl/curl_7.82.0.bb | 1 + 2 files changed, 220 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch