* [PATCH] curl: Security Advisory - curl - CVE-2017-1000254
@ 2017-10-23 7:44 Li Zhou
2017-10-23 10:29 ` Alexander Kanavin
0 siblings, 1 reply; 4+ messages in thread
From: Li Zhou @ 2017-10-23 7:44 UTC (permalink / raw)
To: openembedded-core
Porting patch from <https://github.com/curl/curl/commit/
5ff2c5ff25750aba1a8f64fbcad8e5b891512584> to solve CVE-2017-1000254.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
.../curl/curl/CVE-2017-1000254.patch | 138 +++++++++++++++++++++
meta/recipes-support/curl/curl_7.54.1.bb | 1 +
2 files changed, 139 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2017-1000254.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2017-1000254.patch b/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
new file mode 100644
index 0000000..2b0798b
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
@@ -0,0 +1,138 @@
+From 1b2eba6f9745c064f7283e0ada8f46df9d9d6e42 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 23 Oct 2017 00:26:50 -0700
+Subject: [PATCH] FTP: zero terminate the entry path even on bad input
+
+... a single double quote could leave the entry path buffer without a zero
+terminating byte. CVE-2017-1000254
+
+Test 1152 added to verify.
+
+Reported-by: Max Dymond
+Bug: https://curl.haxx.se/docs/adv_20171004.html
+
+Upstream-Status: Backport
+CVE: CVE-2017-1000254
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ lib/ftp.c | 7 ++++--
+ tests/data/Makefile.inc | 2 ++
+ tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 68 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1152
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 5edec37..493dbf9 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2826,6 +2826,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ const size_t buf_size = data->set.buffer_size;
+ char *dir;
+ char *store;
++ bool entry_extracted = FALSE;
+
+ dir = malloc(nread + 1);
+ if(!dir)
+@@ -2857,7 +2858,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ }
+ else {
+ /* end of path */
+- *store = '\0'; /* zero terminate */
++ entry_extracted = TRUE;
+ break; /* get out of this loop */
+ }
+ }
+@@ -2866,7 +2867,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ store++;
+ ptr++;
+ }
+-
++ *store = '\0'; /* zero terminate */
++ }
++ if(entry_extracted) {
+ /* If the path name does not look like an absolute path (i.e.: it
+ does not start with a '/'), we probably need some server-dependent
+ adjustments. For example, this is the case when connecting to
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 7adbee6..5284654 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -121,6 +121,8 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
+ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 \
++test1152 \
++\
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1152 b/tests/data/test1152
+new file mode 100644
+index 0000000..aa8c0a7
+--- /dev/null
++++ b/tests/data/test1152
+@@ -0,0 +1,61 @@
++<testcase>
++<info>
++<keywords>
++FTP
++PASV
++LIST
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY PWD 257 "just one
++</servercmd>
++
++# When doing LIST, we get the default list output hard-coded in the test
++# FTP server
++<data mode="text">
++total 20
++drwxr-xr-x 8 98 98 512 Oct 22 13:06 .
++drwxr-xr-x 8 98 98 512 Oct 22 13:06 ..
++drwxr-xr-x 2 98 98 512 May 2 1996 curl-releases
++-r--r--r-- 1 0 1 35 Jul 16 1996 README
++lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin
++dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev
++drwxrwxrwx 2 98 98 512 May 29 16:04 download.html
++dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc
++drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub
++dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++ftp
++</server>
++ <name>
++FTP with uneven quote in PWD response
++ </name>
++ <command>
++ftp://%HOSTIP:%FTPPORT/test-1152/
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD test-1152
++EPSV
++TYPE A
++LIST
++QUIT
++</protocol>
++</verify>
++</testcase>
+--
+2.11.0
+
diff --git a/meta/recipes-support/curl/curl_7.54.1.bb b/meta/recipes-support/curl/curl_7.54.1.bb
index 04aeee7..838c482 100644
--- a/meta/recipes-support/curl/curl_7.54.1.bb
+++ b/meta/recipes-support/curl/curl_7.54.1.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2017-1000099.patch \
file://CVE-2017-1000100.patch \
file://CVE-2017-1000101.patch \
+ file://CVE-2017-1000254.patch \
"
# curl likes to set -g0 in CFLAGS, so we stop it
--
1.9.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] curl: Security Advisory - curl - CVE-2017-1000254
2017-10-23 7:44 [PATCH] curl: Security Advisory - curl - CVE-2017-1000254 Li Zhou
@ 2017-10-23 10:29 ` Alexander Kanavin
2017-10-25 4:40 ` akuster808
0 siblings, 1 reply; 4+ messages in thread
From: Alexander Kanavin @ 2017-10-23 10:29 UTC (permalink / raw)
To: Li Zhou, openembedded-core
On 10/23/2017 10:44 AM, Li Zhou wrote:
> Porting patch from <https://github.com/curl/curl/commit/
> 5ff2c5ff25750aba1a8f64fbcad8e5b891512584> to solve CVE-2017-1000254.
It's better to update to latest version (7.56) instead of backporting
patches, please do that.
Alex
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] curl: Security Advisory - curl - CVE-2017-1000254
2017-10-23 10:29 ` Alexander Kanavin
@ 2017-10-25 4:40 ` akuster808
2017-10-25 11:18 ` Alexander Kanavin
0 siblings, 1 reply; 4+ messages in thread
From: akuster808 @ 2017-10-25 4:40 UTC (permalink / raw)
To: Alexander Kanavin, Li Zhou, openembedded-core
On 10/23/2017 03:29 AM, Alexander Kanavin wrote:
> On 10/23/2017 10:44 AM, Li Zhou wrote:
>> Porting patch from <https://github.com/curl/curl/commit/
>> 5ff2c5ff25750aba1a8f64fbcad8e5b891512584> to solve CVE-2017-1000254.
>
> It's better to update to latest version (7.56) instead of backporting
> patches, please do that.
Then these should be stagged for Rocko. Work has been done.
- Armin
>
> Alex
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] curl: Security Advisory - curl - CVE-2017-1000254
2017-10-25 4:40 ` akuster808
@ 2017-10-25 11:18 ` Alexander Kanavin
0 siblings, 0 replies; 4+ messages in thread
From: Alexander Kanavin @ 2017-10-25 11:18 UTC (permalink / raw)
To: akuster808, Li Zhou, openembedded-core
On 10/25/2017 07:40 AM, akuster808 wrote:
>
>
> On 10/23/2017 03:29 AM, Alexander Kanavin wrote:
>> On 10/23/2017 10:44 AM, Li Zhou wrote:
>>> Porting patch from <https://github.com/curl/curl/commit/
>>> 5ff2c5ff25750aba1a8f64fbcad8e5b891512584> to solve CVE-2017-1000254.
>>
>> It's better to update to latest version (7.56) instead of backporting
>> patches, please do that.
>
> Then these should be stagged for Rocko. Work has been done.
Only if master is also fixed at the same time (or sooner) - there cannot
be a situation where something is fixed in rocko, but not in master. I'm
fine if it's via CVE backports, but I would prefer a version upgrade.
Alex
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-10-25 11:18 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-10-23 7:44 [PATCH] curl: Security Advisory - curl - CVE-2017-1000254 Li Zhou
2017-10-23 10:29 ` Alexander Kanavin
2017-10-25 4:40 ` akuster808
2017-10-25 11:18 ` Alexander Kanavin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.