curl: fix for CVE-2018-16839/CVE-2018-16840/CVE-2018-16842

Submitted by changqing.li@windriver.com on Nov. 2, 2018, 6:07 a.m. | Patch ID: 156045

Details

Message ID 1541138869-68039-1-git-send-email-changqing.li@windriver.com
State Master Next
Commit 0f0db9fc8512a0ecd0cdba3304a195cd925a5029

Commit Message

changqing.li@windriver.com Nov. 2, 2018, 6:07 a.m.
From: Changqing Li <changqing.li@windriver.com>

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 .../recipes-support/curl/curl/CVE-2018-16839.patch | 35 ++++++++++++++++++
 .../recipes-support/curl/curl/CVE-2018-16840.patch | 43 ++++++++++++++++++++++
 .../recipes-support/curl/curl/CVE-2018-16842.patch | 35 ++++++++++++++++++
 3 files changed, 113 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16839.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16840.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16842.patch

Patch

diff --git a/meta/recipes-support/curl/curl/CVE-2018-16839.patch b/meta/recipes-support/curl/curl/CVE-2018-16839.patch
new file mode 100644
index 0000000..bf972d2
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2018-16839.patch
@@ -0,0 +1,35 @@ 
+From 55b90532f9190dce40a325b3312d014c66dc3ae1 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 1 Nov 2018 15:27:35 +0800
+Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check
+
+CVE-2018-16839
+Reported-by: Harry Sintonen
+Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit
+/f3a24d7916b9173c69a3e0ee790102993833d6c5?diff=unified]
+
+CVE: CVE-2018-16839
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ lib/vauth/cleartext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
+index 5d61ce6..1367143 100644
+--- a/lib/vauth/cleartext.c
++++ b/lib/vauth/cleartext.c
+@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
+   plen = strlen(passwdp);
+ 
+   /* Compute binary message length. Check for overflows. */
+-  if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
++  if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
+     return CURLE_OUT_OF_MEMORY;
+   plainlen = 2 * ulen + plen + 2;
+ 
+-- 
+2.7.4
+
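Review bot: The standalone "CVE-2018-16839" line at the top of the embedded commit message duplicates the "CVE: CVE-2018-16839" tag further down and is not in the tagged form; drop it and keep only the "CVE: ..." line (the same applies to the other two patch files). The Upstream-Status URL is split across two lines and carries a "?diff=unified" query, so it cannot be followed as written; put the plain commit URL on one line. On the code itself the new bound holds: with ulen <= SIZE_T_MAX/4 and plen <= SIZE_T_MAX/2 - 2, the sum 2 * ulen + plen + 2 cannot wrap, whereas the old ulen <= SIZE_T_MAX/2 bound let 2 * ulen alone approach SIZE_T_MAX. One sentence saying so in the message would help, since the Subject only says "fix too-large-input-check".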
diff --git a/meta/recipes-support/curl/curl/CVE-2018-16840.patch b/meta/recipes-support/curl/curl/CVE-2018-16840.patch
new file mode 100644
index 0000000..3d086c4
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2018-16840.patch
@@ -0,0 +1,43 @@ 
+From 3c2846bec008e03d456e181d9ab55686da83f140 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 1 Nov 2018 15:33:35 +0800
+Subject: [PATCH] Curl_close: clear data->multi_easy on free to avoid
+ use-after-free
+
+Regression from b46cfbc (7.59.0)
+CVE-2018-16840
+Reported-by: Brian Carpenter (Geeknik Labs)
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/
+81d135d67155c5295b1033679c606165d4e28f3f]
+
+CVE: CVE-2018-16840
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ lib/url.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 27b2c1e..7ef7c20 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -320,10 +320,12 @@ CURLcode Curl_close(struct Curl_easy *data)
+        and detach this handle from there. */
+     curl_multi_remove_handle(data->multi, data);
+ 
+-  if(data->multi_easy)
++  if(data->multi_easy) {
+     /* when curl_easy_perform() is used, it creates its own multi handle to
+        use and this is the one */
+     curl_multi_cleanup(data->multi_easy);
++    data->multi_easy = NULL;
++  }
+ 
+   /* Destroy the timeout list that is held in the easy handle. It is
+      /normally/ done by curl_multi_remove_handle() but this is "just in
+-- 
+2.7.4
+
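Review bot: Nothing in this series adds file://CVE-2018-16840.patch (or the two sibling files) to the curl recipe: the diffstat lists three created .patch files under meta/recipes-support/curl/curl/ and no .bb change, so as submitted the data->multi_easy = NULL fix in lib/url.c is never applied at build time. Add the SRC_URI entries in the same commit. Within the embedded patch, the "Regression from b46cfbc (7.59.0)" line is useful for deciding which releases need the backport; keep it, and put the Upstream-Status URL on a single line.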
diff --git a/meta/recipes-support/curl/curl/CVE-2018-16842.patch b/meta/recipes-support/curl/curl/CVE-2018-16842.patch
new file mode 100644
index 0000000..82e7557
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2018-16842.patch
@@ -0,0 +1,35 @@ 
+From 0e4a6058b130f07cfa52fde8a3cb6f2abfe4c700 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 1 Nov 2018 15:30:56 +0800
+Subject: [PATCH] voutf: fix bad arethmetic when outputting warnings to stderr
+
+CVE-2018-16842
+Reported-by: Brian Carpenter
+Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit
+/d530e92f59ae9bb2d47066c3c460b25d2ffeb211]
+
+CVE: CVE-2018-16842
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/tool_msgs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tool_msgs.c b/src/tool_msgs.c
+index 9cce806..05bec39 100644
+--- a/src/tool_msgs.c
++++ b/src/tool_msgs.c
+@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *config,
+         (void)fwrite(ptr, cut + 1, 1, config->errors);
+         fputs("\n", config->errors);
+         ptr += cut + 1; /* skip the space too */
+-        len -= cut;
++        len -= cut + 1;
+       }
+       else {
+         fputs(ptr, config->errors);
+-- 
+2.7.4
+
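Review bot: "arethmetic" in the Subject line is misspelled; keep it only if it is verbatim from the upstream commit, since the Subject of a backport should match its source. The one-line change in voutf() agrees with its context: ptr advances by cut + 1 and len now shrinks by the same amount. The embedded message would be easier to audit if it stated that the old "len -= cut" left len one too large after every wrapped line, which is the arithmetic error the Subject refers to.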

Comments

changqing.li@windriver.com Nov. 2, 2018, 6:48 a.m.
I have added the CVE tag in the patch file, is this test result incorrect?

On 11/2/18 2:41 PM, Patchwork wrote:
> == Series Details ==
>
> Series: curl: fix for CVE-2018-16839/CVE-2018-16840/CVE-2018-16842
> Revision: 1
> URL   : https://patchwork.openembedded.org/series/14764/
> State : failure
>
> == Summary ==
>
>
> Thank you for submitting this patch series to OpenEmbedded Core. This is
> an automated response. Several tests have been executed on the proposed
> series by patchtest resulting in the following failures:
>
>
>
> * Patch            curl: fix for CVE-2018-16839/CVE-2018-16840/CVE-2018-16842
>   Issue             Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format]
>    Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"
>
>
>
> If you believe any of these test results are incorrect, please reply to the
> mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
> Otherwise we would appreciate you correcting the issues and submitting a new
> version of the patchset if applicable. Please ensure you add/increment the
> version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
> [PATCH v3] -> ...).
>
> ---
> Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
> Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
> Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
>
>
Armin Kuster Nov. 2, 2018, 4:05 p.m.
On 11/1/18 11:07 PM, changqing.li@windriver.com wrote:
> From: Changqing Li <changqing.li@windriver.com>
>
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
>  .../recipes-support/curl/curl/CVE-2018-16839.patch | 35 ++++++++++++++++++
>  .../recipes-support/curl/curl/CVE-2018-16840.patch | 43 ++++++++++++++++++++++
>  .../recipes-support/curl/curl/CVE-2018-16842.patch | 35 ++++++++++++++++++
>  3 files changed, 113 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16839.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16840.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16842.patch


The curl update to 7.61.1 is in Master-next. Does this also affect that version?

- armin

changqing.li@windriver.com Nov. 5, 2018, 2:32 a.m.
On 11/3/18 12:05 AM, akuster808 wrote:
> On 11/1/18 11:07 PM, changqing.li@windriver.com wrote:
>> From: Changqing Li <changqing.li@windriver.com>
>>
>> Signed-off-by: Changqing Li <changqing.li@windriver.com>
>> ---
>>   .../recipes-support/curl/curl/CVE-2018-16839.patch | 35 ++++++++++++++++++
>>   .../recipes-support/curl/curl/CVE-2018-16840.patch | 43 ++++++++++++++++++++++
>>   .../recipes-support/curl/curl/CVE-2018-16842.patch | 35 ++++++++++++++++++
>>   3 files changed, 113 insertions(+)
>>   create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16839.patch
>>   create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16840.patch
>>   create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16842.patch
>
> curl update to 7.61.1 is in Master-next. do this also affect that version?
>
> - armin

Yes, these 3 CVEs all affect version 7.61.1.


//changqing

Andrii Bordunov via Openembedded-core Nov. 5, 2018, 5:39 p.m.
On Fri Nov02 2018 @ 06:48, Changqing Li 
<changqing.li@windriver.com> wrote:

> I have add CVE tag in the patch file, is this test result 
> incorrect?

My guess is it was fooled by (well, "incorrect") "CVE-YYYY-XXXX" 
lines. Even though it is followed by the (correct) "CVE: 
CVE-YYYY-XXXX" in your CVE patches

    # first match is lax but second strict
    if self.re_cve_payload_pattern.match(line):
        if not self.re_cve_payload_tag.match(line):
            self.fail('Missing or incorrectly formatted CVE tag in included patch file',
                      'Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"',
                      commit)

Do you really need "incorrect" lines?

> -- 
> BRs
>
> Sandy(Li Changqing)
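
The lax-then-strict check discussed in the message above, reproduced as an added example (it is not patchtest's own code). The two regular expressions are assumptions written for this illustration, since the thread names the attributes but does not show their patterns; the sample lines are taken from the CVE-2018-16839.patch header in this series.

```python
import re

# Assumed patterns (the thread only names re_cve_payload_pattern and
# re_cve_payload_tag; their actual regexes are not shown on the page).
LAX = re.compile(r"\+CVE-\d{4}-\d+", re.IGNORECASE)    # payload line starting with a CVE id
STRICT = re.compile(r"\+CVE:(\s+CVE-\d{4}-\d+)+\s*$")  # required "CVE: CVE-YYYY-NNNN" tag
CVE_ID = re.compile(r"CVE-\d{4}-\d+", re.IGNORECASE)

# Header lines of the embedded patch, each with the outer diff's "+" prefix.
SUBMITTED = [
    "+Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check",
    "+",
    "+CVE-2018-16839",
    "+Reported-by: Harry Sintonen",
    "+Bug: https://curl.haxx.se/docs/CVE-2018-16839.html",
    "+",
    "+CVE: CVE-2018-16839",
    "+",
    "+Signed-off-by: Changqing Li <changqing.li@windriver.com>",
]


def offending_lines(payload):
    """Per-line logic as quoted: a lax match that is not a strict match fails."""
    return [line for line in payload if LAX.match(line) and not STRICT.match(line)]


def tagged_ids(payload):
    """CVE ids that appear in a correctly formatted tag line."""
    ids = set()
    for line in payload:
        if STRICT.match(line):
            ids.update(i.upper() for i in CVE_ID.findall(line))
    return ids


def untagged_mentions(payload):
    """Per-file view: ids mentioned anywhere in the header but never tagged."""
    mentioned = {i.upper() for line in payload for i in CVE_ID.findall(line)}
    return mentioned - tagged_ids(payload)


def reworked(payload):
    """Drop the bare CVE-id lines and keep the tagged form."""
    bad = set(offending_lines(payload))
    return [line for line in payload if line not in bad]


if __name__ == "__main__":
    print("per-line failures:", offending_lines(SUBMITTED))
    print("tagged ids:       ", sorted(tagged_ids(SUBMITTED)))
    print("untagged mentions:", sorted(untagged_mentions(SUBMITTED)))
    print("after rework:     ", offending_lines(reworked(SUBMITTED)))
```

The per-line check fails on the bare id even though the file carries the tag, while the per-file view reports nothing untagged; removing the bare line satisfies both.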
changqing.li@windriver.com Nov. 6, 2018, 2:09 a.m.
On 11/6/18 1:39 AM, Grygorii Tertychnyi wrote:
>
> On Fri Nov02 2018 @ 06:48, Changqing Li <changqing.li@windriver.com> 
> wrote:
>
>> I have add CVE tag in the patch file, is this test result incorrect?
>
> My guess is it was fooled by (well, "incorrect") "CVE-YYYY-XXXX" 
> lines. Even though it is followed by the (correct) "CVE: 
> CVE-YYYY-XXXX" in your CVE patches
>
>     # first match is lax but second strict
>     if self.re_cve_payload_pattern.match(line):
>         if not self.re_cve_payload_tag.match(line):
>             self.fail('Missing or incorrectly formatted CVE tag in included patch file',
>                       'Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"',
>                       commit)
>
> Do you really need "incorrect" lines?

Thanks. The incorrect lines are not necessary. I will rework this patch 
based on the new updated version 7.61.1.

//changqing

Armin Kuster Nov. 9, 2018, 4:36 p.m.
On 11/1/18 11:07 PM, changqing.li@windriver.com wrote:
> From: Changqing Li <changqing.li@windriver.com>
>
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
>  .../recipes-support/curl/curl/CVE-2018-16839.patch | 35 ++++++++++++++++++
>  .../recipes-support/curl/curl/CVE-2018-16840.patch | 43 ++++++++++++++++++++++
>  .../recipes-support/curl/curl/CVE-2018-16842.patch | 35 ++++++++++++++++++
>  3 files changed, 113 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16839.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16840.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16842.patch

Patchtest is not catching missing bb file changes. 

https://bugzilla.yoctoproject.org/show_bug.cgi?id=13005

Sad thing is 3 people commented on this thread and no one saw the
missing recipe changes to add these patches.

- armin
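
A sketch of the check the message above says is missing, as an added example (not patchtest code and not the fix tracked in the linked bug): it flags .patch files that a series creates without any recipe change referencing them. The series text is constructed from this thread's file names; the recipe file name `curl_X.Y.Z.bb` and the download URL are placeholders, and the check assumes patches are referenced as `file://<name>` in lines the series adds to a .bb, .bbappend or .inc file.

```python
import os
import re

DIFF_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")
RECIPE_SUFFIXES = (".bb", ".bbappend", ".inc")


def unreferenced_patches(series_text):
    """Return .patch files the series creates but no recipe change in it references."""
    created, recipe_added = [], []
    current = None
    for line in series_text.splitlines():
        header = DIFF_HEADER.match(line)
        if header:
            # Only column-0 headers count: the diff embedded in a new .patch
            # file is prefixed with "+" and must not switch the current file.
            current = header.group(2)
        elif current is None:
            continue
        elif line.startswith("new file mode") and current.endswith(".patch"):
            created.append(current)
        elif (current.endswith(RECIPE_SUFFIXES)
              and line.startswith("+") and not line.startswith("+++")):
            recipe_added.append(line[1:])
    return [path for path in created
            if not any("file://" + os.path.basename(path) in added
                       for added in recipe_added)]


def _new_patch_file(cve, nested):
    """Constructed outer diff that creates one CVE patch file."""
    path = "meta/recipes-support/curl/curl/%s.patch" % cve
    return "\n".join([
        "diff --git a/%s b/%s" % (path, path),
        "new file mode 100644",
        "--- /dev/null",
        "+++ b/%s" % path,
        "@@ -0,0 +1,3 @@",
        "+CVE: %s" % cve,
        "+diff --git a/%s b/%s" % (nested, nested),
        "+--- a/%s" % nested,
    ]) + "\n"


# The series as submitted: three new patch files, no recipe change.
SUBMITTED = (_new_patch_file("CVE-2018-16839", "lib/vauth/cleartext.c")
             + _new_patch_file("CVE-2018-16840", "lib/url.c")
             + _new_patch_file("CVE-2018-16842", "src/tool_msgs.c"))

# Hypothetical recipe hunk; file name and URL are placeholders.
RECIPE = "meta/recipes-support/curl/curl_X.Y.Z.bb"
RECIPE_CHANGE = "\n".join([
    "diff --git a/%s b/%s" % (RECIPE, RECIPE),
    "--- a/%s" % RECIPE,
    "+++ b/%s" % RECIPE,
    "@@ -1,2 +1,5 @@",
    ' SRC_URI = "http://example.invalid/curl.tar.bz2 \\',
    "+           file://CVE-2018-16839.patch \\",
    "+           file://CVE-2018-16840.patch \\",
    "+           file://CVE-2018-16842.patch \\",
    ' "',
]) + "\n"

if __name__ == "__main__":
    print("as submitted:", unreferenced_patches(SUBMITTED))
    print("with recipe: ", unreferenced_patches(SUBMITTED + RECIPE_CHANGE))
```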

changqing.li@windriver.com Nov. 12, 2018, 1:46 a.m.
On 11/10/18 12:36 AM, akuster808 wrote:
> On 11/1/18 11:07 PM, changqing.li@windriver.com wrote:
>> From: Changqing Li <changqing.li@windriver.com>
>>
>> Signed-off-by: Changqing Li <changqing.li@windriver.com>
>> ---
>>   .../recipes-support/curl/curl/CVE-2018-16839.patch | 35 ++++++++++++++++++
>>   .../recipes-support/curl/curl/CVE-2018-16840.patch | 43 ++++++++++++++++++++++
>>   .../recipes-support/curl/curl/CVE-2018-16842.patch | 35 ++++++++++++++++++
>>   3 files changed, 113 insertions(+)
>>   create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16839.patch
>>   create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16840.patch
>>   create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16842.patch
> Patchtest is not catching missing bb file changes.
>
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=13005
>
> Sad thing is 3 people commented on this thread and no one saw the
> missing recipe changes to add these patches.
>
> - armin

I'm so sorry, I just saw your reply. And Ross has added it, thanks.
