[kirkstone] curl: Correction for CVE-2023-27536

Message ID 20230526083831.33336-1-pramanik.souravkumar@gmail.com
State New, archived

Commit Message

Sourav Pramanik May 26, 2023, 8:38 a.m. UTC
From: Omkar Patil <omkar.patil@kpit.com>

Correction of backport link inside the patch with correct commit link as
below
Link: https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5

Variable type change from long to unsigned char as per the original
patch

Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com>
---
 meta/recipes-support/curl/curl/CVE-2023-27536.patch | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Ranjitsinh Rathod May 30, 2023, 12:45 p.m. UTC | #1
Hi @Steve Sakoman <steve@sakoman.com>,

I request to not take this patch in the kirkstone as it seems we are still checking on the data type which we changed from long to unsigned char.
It seems that this variable was 'long' only in the curl version which we have in the kirkstone.

Of course the link is wrong and so Sourav will send new patch v2.


Thanks,

Best Regards,

Ranjitsinh Rathod
Technical Leader |  | KPIT Technologies Ltd.
Cellphone: +91-84606 92403
Steve Sakoman May 30, 2023, 2:05 p.m. UTC | #2
On Tue, May 30, 2023 at 2:45 AM Ranjitsinh Rathod <
Ranjitsinh.Rathod@kpit.com> wrote:

> Hi @Steve Sakoman <steve@sakoman.com>,
>
> I request to not take this patch in the kirkstone as it seems we are still
> checking on the data type which we changed from long to unsigned char.
> It seems that this variable was 'long' only in the curl version which we
> have in the kirkstone.
>

OK, I won't take this patch.

Steve


>
> Of course the link is wrong and so Sourav will send new patch v2.
>
> Thanks,
>
> Best Regards,
>
> *Ranjitsinh Rathod*
> Technical Leader |  | KPIT Technologies Ltd.
> Cellphone: +91-84606 92403
>
> ------------------------------
> *From:* openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org> on behalf of Sourav Kumar
> Pramanik via lists.openembedded.org <pramanik.souravkumar=
> gmail.com@lists.openembedded.org>
> *Sent:* Friday, May 26, 2023 2:08 PM
> *To:* openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org>; pramanik.souravkumar@gmail.com
> <pramanik.souravkumar@gmail.com>
> *Cc:* Ranjitsinh Rathod <Ranjitsinh.Rathod@kpit.com>; Omkar Patil <
> Omkar.Patil@kpit.com>
> *Subject:* [OE-core][kirkstone][PATCH] curl: Correction for CVE-2023-27536
>
> From: Omkar Patil <omkar.patil@kpit.com>
>
> Correction of backport link inside the patch with correct commit link as
> below
> Link: https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
>
> Variable type change from long to unsigned char as per the original
> patch
>
> Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com>
> ---
>  meta/recipes-support/curl/curl/CVE-2023-27536.patch | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch
> b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
> index fb3ee6a14d..51a5c0eef1 100644
> --- a/meta/recipes-support/curl/curl/CVE-2023-27536.patch
> +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
> @@ -3,7 +3,7 @@ From: Daniel Stenberg <daniel@haxx.se>
>  Date: Fri, 10 Mar 2023 09:22:43 +0100
>  Subject: [PATCH] url: only reuse connections with same GSS delegation
>
> -Upstream-Status: Backport from [
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcurl%2Fcurl%2Fcommit%2Faf369db4d3833272b8ed443f7fcc2e757a0872eb&data=05%7C01%7Cranjitsinh.rathod%40kpit.com%7C7adc60802fd54cbd9b0c08db5dc4abf2%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C638206871527200533%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=JxYwhvpTusRONt5yI1HRI4elSpLHpAdcOLNdVAMg2w8%3D&reserved=0
> <https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb>
> ]
> +Upstream-Status: Backport from [
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcurl%2Fcurl%2Fcommit%2Fcb49e67303dbafbab1cebf4086e3ec15b7d56ee5&data=05%7C01%7Cranjitsinh.rathod%40kpit.com%7C7adc60802fd54cbd9b0c08db5dc4abf2%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C638206871527200533%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vu9ivxrR8hez8PSMdXyyJJ7NYu2cUcLc9PD6%2BAEy5KI%3D&reserved=0
> <https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5>
> ]
>  CVE: CVE-2023-27536
>  Signed-off-by: Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
>  Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> @@ -44,7 +44,7 @@ index 6e6122a..602c735 100644
>     int socks5_gssapi_enctype;
>   #endif
>     unsigned short localport;
> -+  long gssapi_delegation; /* inherited from set.gssapi_delegation */
> ++  unsigned char gssapi_delegation; /* inherited from
> set.gssapi_delegation */
>   };
>
>   /* The end of connectdata. */
> --
> 2.25.1
>

Patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
index fb3ee6a14d..51a5c0eef1 100644
--- a/meta/recipes-support/curl/curl/CVE-2023-27536.patch
+++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
@@ -3,7 +3,7 @@  From: Daniel Stenberg <daniel@haxx.se>
 Date: Fri, 10 Mar 2023 09:22:43 +0100
 Subject: [PATCH] url: only reuse connections with same GSS delegation
 
-Upstream-Status: Backport from [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5]
 CVE: CVE-2023-27536
 Signed-off-by: Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
 Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
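Review bot: The context line "Signed-off-by: Signed-off-by: Mingli Yu <mingli.yu@windriver.com>" just below the corrected Upstream-Status carries a doubled tag that this header fix leaves in place; since v2 will touch the same header, drop the duplicate there. The commit message should also say what the replaced commit af369db4d3833272b8ed443f7fcc2e757a0872eb refers to, so a reader can confirm why cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 is the right backport source for CVE-2023-27536 without opening both links.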
@@ -44,7 +44,7 @@  index 6e6122a..602c735 100644
    int socks5_gssapi_enctype;
  #endif
    unsigned short localport;
-+  long gssapi_delegation; /* inherited from set.gssapi_delegation */
++  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
  };
  
  /* The end of connectdata. */
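Review bot: The change of gssapi_delegation from long to unsigned char in struct connectdata is not backed by anything else in this patch. The member's own comment says it is inherited from set.gssapi_delegation, and no hunk here changes that source field, so if the source is still long in the curl version kirkstone carries (as comment #1 in the thread suggests), the copy narrows silently and the "only reuse connections with same GSS delegation" comparison runs on a truncated value. Keep long to match the tree being patched, or backport the matching type change of the source field in the same patch and state that in the commit message. The link correction and the type change are also unrelated; splitting them would let the Upstream-Status fix be taken on its own.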