* [Buildroot] [PATCH] libcurl: apply upstream security patch
@ 2017-04-11 17:56 Baruch Siach
2017-04-12 19:14 ` Thomas Petazzoni
0 siblings, 1 reply; 3+ messages in thread
From: Baruch Siach @ 2017-04-11 17:56 UTC (permalink / raw)
To: buildroot
CVE-2017-7407: --write-out out of buffer read
https://curl.haxx.se/docs/adv_20170403.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
package/libcurl/0001-CVE-2017-7407.patch | 61 ++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 package/libcurl/0001-CVE-2017-7407.patch
diff --git a/package/libcurl/0001-CVE-2017-7407.patch b/package/libcurl/0001-CVE-2017-7407.patch
new file mode 100644
index 000000000000..3a9fa487a8e1
--- /dev/null
+++ b/package/libcurl/0001-CVE-2017-7407.patch
@@ -0,0 +1,61 @@
+From 6019f1795b4e3b72507b84b0e02dc8c32024f562 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 11 Mar 2017 10:59:34 +0100
+Subject: [PATCH] CVE-2017-7407: fixed
+
+Bug: https://curl.haxx.se/docs/adv_20170403.html
+
+Reported-by: Brian Carpenter
+[baruch: remove tests]
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Patch status: based on upstream suggested patch[1] that combines commits
+1890d59905414ab and 8e65877870c1.
+
+[1] https://curl.haxx.se/CVE-2017-7407.patch
+
+diff --git a/src/tool_writeout.c b/src/tool_writeout.c
+index 2fb77742a..5d92bd278 100644
+--- a/src/tool_writeout.c
++++ b/src/tool_writeout.c
+@@ -3,11 +3,11 @@
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+@@ -111,11 +111,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
+ char *stringp = NULL;
+ long longinfo;
+ double doubleinfo;
+
+ while(ptr && *ptr) {
+- if('%' == *ptr) {
++ if('%' == *ptr && ptr[1]) {
+ if('%' == ptr[1]) {
+ /* an escaped %-letter */
+ fputc('%', stream);
+ ptr += 2;
+ }
+@@ -339,11 +339,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
+ fputc(ptr[1], stream);
+ ptr += 2;
+ }
+ }
+ }
+- else if('\\' == *ptr) {
++ else if('\\' == *ptr && ptr[1]) {
+ switch(ptr[1]) {
+ case 'r':
+ fputc('\r', stream);
+ break;
+ case 'n':
+-- 2.11.0
+
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] libcurl: apply upstream security patch
2017-04-11 17:56 [Buildroot] [PATCH] libcurl: apply upstream security patch Baruch Siach
@ 2017-04-12 19:14 ` Thomas Petazzoni
2017-04-24 19:22 ` Peter Korsgaard
0 siblings, 1 reply; 3+ messages in thread
From: Thomas Petazzoni @ 2017-04-12 19:14 UTC (permalink / raw)
To: buildroot
Hello,
On Tue, 11 Apr 2017 20:56:12 +0300, Baruch Siach wrote:
> CVE-2017-7407: --write-out out of buffer read
>
> https://curl.haxx.se/docs/adv_20170403.html
>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> ---
> package/libcurl/0001-CVE-2017-7407.patch | 61 ++++++++++++++++++++++++++++++++
> 1 file changed, 61 insertions(+)
> create mode 100644 package/libcurl/0001-CVE-2017-7407.patch
Applied to master, thanks.
Peter: we want this one in the LTS branch I believe.
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] libcurl: apply upstream security patch
2017-04-12 19:14 ` Thomas Petazzoni
@ 2017-04-24 19:22 ` Peter Korsgaard
0 siblings, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2017-04-24 19:22 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@free-electrons.com> writes:
> Hello,
> On Tue, 11 Apr 2017 20:56:12 +0300, Baruch Siach wrote:
>> CVE-2017-7407: --write-out out of buffer read
>>
>> https://curl.haxx.se/docs/adv_20170403.html
>>
>> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
>> ---
>> package/libcurl/0001-CVE-2017-7407.patch | 61 ++++++++++++++++++++++++++++++++
>> 1 file changed, 61 insertions(+)
>> create mode 100644 package/libcurl/0001-CVE-2017-7407.patch
> Applied to master, thanks.
> Peter: we want this one in the LTS branch I believe.
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-04-24 19:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-04-11 17:56 [Buildroot] [PATCH] libcurl: apply upstream security patch Baruch Siach
2017-04-12 19:14 ` Thomas Petazzoni
2017-04-24 19:22 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.