| Message ID | 20231012055444.564180-2-mac@mcrowe.com |
|---|---|
| State | Accepted, archived |
| Commit | 364a9e46f167c2501785cd55a71cf9a614e64710 |
| Headers | show |
| Series | [dunfell,1/2] curl: Backport fix for CVE-2023-38545 | expand |
On Wed, Oct 11, 2023 at 7:55 PM Mike Crowe via lists.openembedded.org <mac=mcrowe.com@lists.openembedded.org> wrote: > > From: Mike Crowe <mac@mcrowe.com> > > Take patch from Debian 7.64.0-4+deb10u7. > > Signed-off-by: Mike Crowe <mac@mcrowe.com> > --- > .../curl/curl/CVE-2023-38546.patch | 131 ++++++++++++++++++ > meta/recipes-support/curl/curl_7.69.1.bb | 1 + > 2 files changed, 132 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/CVE-2023-38546.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-38546.patch b/meta/recipes-support/curl/curl/CVE-2023-38546.patch > new file mode 100644 > index 0000000000..21887d58a3 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2023-38546.patch > @@ -0,0 +1,131 @@ > +From 7b67721f12cbe6ed1a41e7332f3b5a7186a5e23f Mon Sep 17 00:00:00 2001 > +From: Daniel Stenberg <daniel@haxx.se> > +Date: Thu, 14 Sep 2023 23:28:32 +0200 > +Subject: [PATCH] cookie: remove unnecessary struct fields > +To: libcurl development <curl-library@cool.haxx.se> > + > +Plus: reduce the hash table size from 256 to 63. It seems unlikely to > +make much of a speed difference for most use cases but saves 1.5KB of > +data per instance. > + > +Closes #11862 > + > +This patch taken from Debian's 7.64.0-4+deb10u7 package which applied with > +only a little fuzz. > + > +CVE: CVE-2023-38546 > +Upstream-Status: Backport [61275672b46d9abb32857404] Missing Signed-off-by: Please submit a V2 Thanks! Steve > +--- > + lib/cookie.c | 13 +------------ > + lib/cookie.h | 7 ++----- > + lib/easy.c | 4 +--- > + 3 files changed, 4 insertions(+), 20 deletions(-) > + > +diff --git a/lib/cookie.c b/lib/cookie.c > +index 68054e1c4..a378f28e1 100644 > +--- a/lib/cookie.c > ++++ b/lib/cookie.c > +@@ -114,7 +114,6 @@ static void freecookie(struct Cookie *co) > + free(co->name); > + free(co->value); > + free(co->maxage); > +- free(co->version); > + free(co); > + } > + > +@@ -641,11 +640,7 @@ Curl_cookie_add(struct Curl_easy *data, > + } > + } > + else if(strcasecompare("version", name)) { > +- strstore(&co->version, whatptr); > +- if(!co->version) { > +- badcookie = TRUE; > +- break; > +- } > ++ /* just ignore */ > + } > + else if(strcasecompare("max-age", name)) { > + /* Defined in RFC2109: > +@@ -1042,7 +1037,6 @@ Curl_cookie_add(struct Curl_easy *data, > + free(clist->path); > + free(clist->spath); > + free(clist->expirestr); > +- free(clist->version); > + free(clist->maxage); > + > + *clist = *co; /* then store all the new data */ > +@@ -1111,9 +1105,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, > + c = calloc(1, sizeof(struct CookieInfo)); > + if(!c) > + return NULL; /* failed to get memory */ > +- c->filename = strdup(file?file:"none"); /* copy the name just in case */ > +- if(!c->filename) > +- goto fail; /* failed to get memory */ > + } > + else { > + /* we got an already existing one, use that */ > +@@ -1241,7 +1232,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) > + CLONE(name); > + CLONE(value); > + CLONE(maxage); > +- CLONE(version); > + d->expires = src->expires; > + d->tailmatch = src->tailmatch; > + d->secure = src->secure; > +@@ -1457,7 +1447,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) > + { > + if(c) { > + unsigned int i; > +- free(c->filename); > + for(i = 0; i < COOKIE_HASH_SIZE; i++) > + Curl_cookie_freelist(c->cookies[i]); > + free(c); /* free the base struct as well */ > +diff --git a/lib/cookie.h b/lib/cookie.h > +index b3865e601..2e667cda0 100644 > +--- a/lib/cookie.h > ++++ b/lib/cookie.h > +@@ -36,8 +36,6 @@ struct Cookie { > + char *expirestr; /* the plain text version */ > + bool tailmatch; /* whether we do tail-matching of the domain name */ > + > +- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ > +- char *version; /* Version = <value> */ > + char *maxage; /* Max-Age = <value> */ > + > + bool secure; /* whether the 'secure' keyword was used */ > +@@ -54,15 +52,14 @@ struct Cookie { > + #define COOKIE_PREFIX__SECURE (1<<0) > + #define COOKIE_PREFIX__HOST (1<<1) > + > +-#define COOKIE_HASH_SIZE 256 > ++#define COOKIE_HASH_SIZE 63 > + > + struct CookieInfo { > + /* linked list of cookies we know of */ > + struct Cookie *cookies[COOKIE_HASH_SIZE]; > + > +- char *filename; /* file we read from/write to */ > + bool running; /* state info, for cookie adding information */ > +- long numcookies; /* number of cookies in the "jar" */ > ++ int numcookies; /* number of cookies in the "jar" */ > + bool newsession; /* new session, discard session cookies on load */ > + int lastct; /* last creation-time used in the jar */ > + }; > +diff --git a/lib/easy.c b/lib/easy.c > +index b648e80c1..cdca0fb03 100644 > +--- a/lib/easy.c > ++++ b/lib/easy.c > +@@ -840,9 +840,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) > + if(data->cookies) { > + /* If cookies are enabled in the parent handle, we enable them > + in the clone as well! */ > +- outcurl->cookies = Curl_cookie_init(data, > +- data->cookies->filename, > +- outcurl->cookies, > ++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, > + data->set.cookiesession); > + if(!outcurl->cookies) > + goto fail; > +-- > +2.39.2 > + > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb > index 4012776613..0141b780ee 100644 > --- a/meta/recipes-support/curl/curl_7.69.1.bb > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > @@ -54,6 +54,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > file://CVE-2023-28320-fol1.patch \ > file://CVE-2023-32001.patch \ > file://CVE-2023-38545.patch \ > + file://CVE-2023-38546.patch \ > " > > SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" > -- > 2.39.2 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#188977): https://lists.openembedded.org/g/openembedded-core/message/188977 > Mute This Topic: https://lists.openembedded.org/mt/101913150/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-support/curl/curl/CVE-2023-38546.patch b/meta/recipes-support/curl/curl/CVE-2023-38546.patch new file mode 100644 index 0000000000..21887d58a3 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-38546.patch @@ -0,0 +1,131 @@ +From 7b67721f12cbe6ed1a41e7332f3b5a7186a5e23f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 14 Sep 2023 23:28:32 +0200 +Subject: [PATCH] cookie: remove unnecessary struct fields +To: libcurl development <curl-library@cool.haxx.se> + +Plus: reduce the hash table size from 256 to 63. It seems unlikely to +make much of a speed difference for most use cases but saves 1.5KB of +data per instance. + +Closes #11862 + +This patch taken from Debian's 7.64.0-4+deb10u7 package which applied with +only a little fuzz. + +CVE: CVE-2023-38546 +Upstream-Status: Backport [61275672b46d9abb32857404] +--- + lib/cookie.c | 13 +------------ + lib/cookie.h | 7 ++----- + lib/easy.c | 4 +--- + 3 files changed, 4 insertions(+), 20 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 68054e1c4..a378f28e1 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -114,7 +114,6 @@ static void freecookie(struct Cookie *co) + free(co->name); + free(co->value); + free(co->maxage); +- free(co->version); + free(co); + } + +@@ -641,11 +640,7 @@ Curl_cookie_add(struct Curl_easy *data, + } + } + else if(strcasecompare("version", name)) { +- strstore(&co->version, whatptr); +- if(!co->version) { +- badcookie = TRUE; +- break; +- } ++ /* just ignore */ + } + else if(strcasecompare("max-age", name)) { + /* Defined in RFC2109: +@@ -1042,7 +1037,6 @@ Curl_cookie_add(struct Curl_easy *data, + free(clist->path); + free(clist->spath); + free(clist->expirestr); +- free(clist->version); + free(clist->maxage); + + *clist = *co; /* then store all the new data */ +@@ -1111,9 +1105,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, + c = calloc(1, sizeof(struct CookieInfo)); + if(!c) + return NULL; /* failed to get memory */ +- c->filename = strdup(file?file:"none"); /* copy the name just in case */ +- if(!c->filename) +- goto fail; /* failed to get memory */ + } + else { + /* we got an already existing one, use that */ +@@ -1241,7 +1232,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) + CLONE(name); + CLONE(value); + CLONE(maxage); +- CLONE(version); + d->expires = src->expires; + d->tailmatch = src->tailmatch; + d->secure = src->secure; +@@ -1457,7 +1447,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) + { + if(c) { + unsigned int i; +- free(c->filename); + for(i = 0; i < COOKIE_HASH_SIZE; i++) + Curl_cookie_freelist(c->cookies[i]); + free(c); /* free the base struct as well */ +diff --git a/lib/cookie.h b/lib/cookie.h +index b3865e601..2e667cda0 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -36,8 +36,6 @@ struct Cookie { + char *expirestr; /* the plain text version */ + bool tailmatch; /* whether we do tail-matching of the domain name */ + +- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ +- char *version; /* Version = <value> */ + char *maxage; /* Max-Age = <value> */ + + bool secure; /* whether the 'secure' keyword was used */ +@@ -54,15 +52,14 @@ struct Cookie { + #define COOKIE_PREFIX__SECURE (1<<0) + #define COOKIE_PREFIX__HOST (1<<1) + +-#define COOKIE_HASH_SIZE 256 ++#define COOKIE_HASH_SIZE 63 + + struct CookieInfo { + /* linked list of cookies we know of */ + struct Cookie *cookies[COOKIE_HASH_SIZE]; + +- char *filename; /* file we read from/write to */ + bool running; /* state info, for cookie adding information */ +- long numcookies; /* number of cookies in the "jar" */ ++ int numcookies; /* number of cookies in the "jar" */ + bool newsession; /* new session, discard session cookies on load */ + int lastct; /* last creation-time used in the jar */ + }; +diff --git a/lib/easy.c b/lib/easy.c +index b648e80c1..cdca0fb03 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -840,9 +840,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + if(data->cookies) { + /* If cookies are enabled in the parent handle, we enable them + in the clone as well! */ +- outcurl->cookies = Curl_cookie_init(data, +- data->cookies->filename, +- outcurl->cookies, ++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, + data->set.cookiesession); + if(!outcurl->cookies) + goto fail; +-- +2.39.2 + diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 4012776613..0141b780ee 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb @@ -54,6 +54,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2023-28320-fol1.patch \ file://CVE-2023-32001.patch \ file://CVE-2023-38545.patch \ + file://CVE-2023-38546.patch \ " SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"