[dunfell,v2] curl: fix CVE-2022-32221 POST following PUT

Message ID	20221111054031.878995-1-vkumbhar@mvista.com
State	New, archived
Headers	show Return-Path: <vkumbhar@mvista.com> ip: 209.85.215.179, mailfrom: vkumbhar@mvista.com) From: vkumbhar@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vivek Kumbhar <vkumbhar@mvista.com> Subject: [OE-core][dunfell][PATCH v2] curl: fix CVE-2022-32221 POST following PUT Date: Fri, 11 Nov 2022 11:10:31 +0530 Message-Id: <20221111054031.878995-1-vkumbhar@mvista.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell,v2] curl: fix CVE-2022-32221 POST following PUT \| expand [dunfell,v2] curl: fix CVE-2022-32221 POST following PUT

Message ID

20221111054031.878995-1-vkumbhar@mvista.com

State

New, archived

Headers

From: vkumbhar@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vivek Kumbhar <vkumbhar@mvista.com>
Subject: [OE-core][dunfell][PATCH v2] curl: fix CVE-2022-32221 POST following
 PUT
Date: Fri, 11 Nov 2022 11:10:31 +0530
Message-Id: <20221111054031.878995-1-vkumbhar@mvista.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell,v2] curl: fix CVE-2022-32221 POST following PUT | expand

Commit Message

Vivek Kumbhar Nov. 11, 2022, 5:40 a.m. UTC

From: Vivek Kumbhar <vkumbhar@mvista.com>

Upstream-Status: Backport from https://github.com/curl/curl/commit/a64e3e59938abd7d6

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
 .../curl/curl/CVE-2022-32221.patch            | 29 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |  1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32221.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2022-32221.patch b/meta/recipes-support/curl/curl/CVE-2022-32221.patch
new file mode 100644
index 0000000000..8e662abd3a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32221.patch
@@ -0,0 +1,29 @@ 
+From 75c04a3e75e8e3025a17ca3033ca307da9691cd0 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Fri, 11 Nov 2022 10:49:58 +0530
+Subject: [PATCH] CVE-2022-32221
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d6]
+CVE: CVE-2022-32221
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+setopt: when POST is set, reset the 'upload' field.
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index bebb2e4..4d96f6b 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -486,6 +486,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     }
+     else
+       data->set.httpreq = HTTPREQ_GET;
++    data->set.upload = FALSE;
+     break;
+ 
+   case CURLOPT_COPYPOSTFIELDS:
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index ed37094049..31aa9d7185 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -39,6 +39,7 @@  SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2022-32207.patch \
            file://CVE-2022-32208.patch \
            file://CVE-2022-35252.patch \
+           file://CVE-2022-32221.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"

[dunfell,v2] curl: fix CVE-2022-32221 POST following PUT

Commit Message

Patch