| Message ID | 20221110062840.52346-1-vkumbhar@mvista.com |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [dunfell] curl: fix CVE-2022-32221 POST following PUT confusion | expand |
This patch doesn't apply. It appears you are not at the current dunfell HEAD. steve@hexa ~/Repos/openembedded-core (stable/dunfell-nut) $ git am -3 ~/Downloads/dunfell-curl-fix-CVE-2022-32221-POST-following-PUT-confusion.patch Applying: curl: fix CVE-2022-32221 POST following PUT confusion Using index info to reconstruct a base tree... M meta/recipes-support/curl/curl_7.69.1.bb .git/rebase-apply/patch:37: trailing whitespace. .git/rebase-apply/patch:39: trailing whitespace. -- .git/rebase-apply/patch:41: new blank line at EOF. + warning: 3 lines add whitespace errors. Falling back to patching base and 3-way merge... Auto-merging meta/recipes-support/curl/curl_7.69.1.bb CONFLICT (content): Merge conflict in meta/recipes-support/curl/curl_7.69.1.bb error: Failed to merge in the changes. Patch failed at 0001 curl: fix CVE-2022-32221 POST following PUT confusion Steve On Wed, Nov 9, 2022 at 8:28 PM vkumbhar <vkumbhar@mvista.com> wrote: > > From: Vivek Kumbhar <vkumbhar@mvista.com> > > Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> > --- > .../curl/curl/CVE-2022-32221.patch | 29 +++++++++++++++++++ > meta/recipes-support/curl/curl_7.69.1.bb | 1 + > 2 files changed, 30 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32221.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2022-32221.patch b/meta/recipes-support/curl/curl/CVE-2022-32221.patch > new file mode 100644 > index 0000000000..ad1769e19a > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2022-32221.patch > @@ -0,0 +1,29 @@ > +From 9f9f2ed81151b1063eac5fb0eca5bbb195cbfe79 Mon Sep 17 00:00:00 2001 > +From: Vivek Kumbhar <vkumbhar@mvista.com> > +Date: Mon, 7 Nov 2022 12:51:19 +0530 > +Subject: [PATCH] CVE-2022-32221 > + > +Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d6] > +CVE: CVE-2022-32221 > +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> > + > +setopt: when POST is set, reset the 'upload' field. > +--- > + lib/setopt.c | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/lib/setopt.c b/lib/setopt.c > +index 4648c87..48f789c 100644 > +--- a/lib/setopt.c > ++++ b/lib/setopt.c > +@@ -486,6 +486,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) > + } > + else > + data->set.httpreq = HTTPREQ_GET; > ++ data->set.upload = FALSE; > + break; > + > + case CURLOPT_COPYPOSTFIELDS: > +-- > +2.25.1 > + > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb > index c3d629108a..a5795c5038 100644 > --- a/meta/recipes-support/curl/curl_7.69.1.bb > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > @@ -13,6 +13,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > file://CVE-2020-8284.patch \ > file://CVE-2020-8285.patch \ > file://CVE-2020-8286.patch \ > + file://CVE-2022-32221.patch \ > " > > SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#173069): https://lists.openembedded.org/g/openembedded-core/message/173069 > Mute This Topic: https://lists.openembedded.org/mt/94931188/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32221.patch b/meta/recipes-support/curl/curl/CVE-2022-32221.patch new file mode 100644 index 0000000000..ad1769e19a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32221.patch @@ -0,0 +1,29 @@ +From 9f9f2ed81151b1063eac5fb0eca5bbb195cbfe79 Mon Sep 17 00:00:00 2001 +From: Vivek Kumbhar <vkumbhar@mvista.com> +Date: Mon, 7 Nov 2022 12:51:19 +0530 +Subject: [PATCH] CVE-2022-32221 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d6] +CVE: CVE-2022-32221 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> + +setopt: when POST is set, reset the 'upload' field. +--- + lib/setopt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 4648c87..48f789c 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -486,6 +486,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.httpreq = HTTPREQ_GET; ++ data->set.upload = FALSE; + break; + + case CURLOPT_COPYPOSTFIELDS: +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index c3d629108a..a5795c5038 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb @@ -13,6 +13,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2020-8284.patch \ file://CVE-2020-8285.patch \ file://CVE-2020-8286.patch \ + file://CVE-2022-32221.patch \ " SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"