On Fri, Jul 8, 2022 at 12:52 AM Sana Kazi via lists.openembedded.org
<[email protected]> wrote:
>
> Fix below listed CVEs for curl:
>
> 1.CVE-2022-32206
> Link: 
> http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.81.0-1ubuntu1.3.debian.tar.xz
>
> 2.CVE-2022-32207
> Link: 
> https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.74.0-1.3ubuntu2.3/curl_7.74.0-1.3ubuntu2.3.debian.tar.xz
>
> 3.CVE-2022-32208
> Link: 
> https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.68.0-1ubuntu2.12/curl_7.68.0-1ubuntu2.12.debian.tar.xz
>
> Signed-off-by: Sana.Kazi <[email protected]>
> ---
>  .../curl/curl/CVE-2022-32206.patch            |  49 +++
>  .../curl/curl/CVE-2022-32207.patch            | 288 ++++++++++++++++++
>  .../curl/curl/CVE-2022-32208.patch            |  29 ++
>  meta/recipes-support/curl/curl_7.69.1.bb      |   3 +
>  4 files changed, 369 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32206.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32207.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32208.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-32206.patch 
> b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
> new file mode 100644
> index 0000000000..d3b015e435
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
> @@ -0,0 +1,49 @@
> +From 7035676c3daa4f1c3766095561f12e7a0e82c736 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <[email protected]>
> +Date: Mon, 16 May 2022 16:28:13 +0200
> +Subject: [PATCH] content_encoding: return error on too many compression steps
> +
> +The max allowed steps is arbitrarily set to 5.
> +---
> + lib/content_encoding.c | 9 +++++++++
> + 1 file changed, 9 insertions(+)
> +
> +CVE: CVE-2022-32206
> +Upstream-Status: Backport 
> [http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.81.0-1ubuntu1.3.debian.tar.xz]
> +Comment: Refreshed hunks to fix patch fuzz
> +Signed-off-by: Sana Kazi <[email protected]>
> +
> +Index: curl-7.83.1/lib/content_encoding.c
> +===================================================================
> +--- curl-7.83.1.orig/lib/content_encoding.c
> ++++ curl-7.83.1/lib/content_encoding.c
> +@@ -934,6 +934,9 @@
> +   return NULL;
> + }
> +
> ++/* allow no more than 5 "chained" compression steps */
> ++#define MAX_ENCODE_STACK 5
> ++
> + /* Set-up the unencoding stack from the Content-Encoding header value.
> +  * See RFC 7231 section 3.1.2.2. */
> + CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
> +@@ -941,6 +944,7 @@
> + {
> +   struct Curl_easy *data = conn->data;
> +   struct SingleRequest *k = &data->req;
> ++  int counter = 0;
> +
> +   do {
> +     const char *name;
> +@@ -975,6 +979,11 @@
> +       if(!encoding)
> +         encoding = &error_encoding;  /* Defer error at stack use. */
> +
> ++      if(++counter >= MAX_ENCODE_STACK) {
> ++        failf(data, "Reject response due to %u content encodings",
> ++              counter);
> ++        return CURLE_BAD_CONTENT_ENCODING;
> ++      }
> +       /* Stack the unencoding stage. */
> +       writer = new_unencoding_writer(conn, encoding, k->writer_stack);
> +       if(!writer)
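Review bot: The comment added in the content_encoding.c hunk says `allow no more than 5 "chained" compression steps`, but the check `if(++counter >= MAX_ENCODE_STACK)` fires when counter reaches 5, so the fifth step is already rejected and at most four are stacked; either the comment should read `/* reject the 5th and any later "chained" compression step */` or the comparison should be `>` if five are meant to be accepted. The same failf hands the `int counter` to a `%u` conversion; `%d` matches the declared type. Curl_build_unencoding_stack begins and ends outside this hunk.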
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-32207.patch 
> b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
> new file mode 100644
> index 0000000000..8435dfaed0
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
> @@ -0,0 +1,288 @@
> +Backported of:
> +
> +From 3782dfda5fc4f45a19b1ce1b01ecf7206a3d304a Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <[email protected]>
> +Date: Wed, 25 May 2022 10:09:53 +0200
> +Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files
> +
> +---
> + lib/Makefile.inc |   4 +-
> + lib/altsvc.c     |  22 +++-------
> + lib/cookie.c     |  16 ++-----
> + lib/fopen.c      | 106 +++++++++++++++++++++++++++++++++++++++++++++++
> + lib/fopen.h      |  28 +++++++++++++
> + 6 files changed, 152 insertions(+), 46 deletions(-)
> + create mode 100644 lib/fopen.c
> + create mode 100644 lib/fopen.h
> +
> +CVE: CVE-2022-32207
> +Upstream-Status: Backport 
> [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.74.0-1.3ubuntu2.3/curl_7.74.0-1.3ubuntu2.3.debian.tar.xz]
> +Comment: Removed hsts.c as it is not present in source code and refreshed 
> other hunks to fix the patch fuzz
> +Signed-off-by: Sana Kazi <[email protected]>
> +
> +diff --git a/lib/Makefile.inc b/lib/Makefile.inc
> +index 6d35704..7dac605 100644
> +--- a/lib/Makefile.inc
> ++++ b/lib/Makefile.inc
> +@@ -60,7 +60,7 @@
> +   openldap.c curl_gethostname.c gopher.c idn_win32.c                    \
> +   http_proxy.c non-ascii.c asyn-ares.c asyn-thread.c curl_gssapi.c      \
> +   http_ntlm.c curl_ntlm_wb.c curl_ntlm_core.c curl_sasl.c rand.c        \
> +-  curl_multibyte.c hostcheck.c conncache.c dotdot.c                     \
> ++  curl_multibyte.c hostcheck.c conncache.c dotdot.c fopen.c                 
>    \
> +   x509asn1.c http2.c smb.c curl_endian.c curl_des.c system_win32.c      \
> +   mime.c sha256.c setopt.c curl_path.c curl_ctype.c curl_range.c psl.c  \
> +   doh.c urlapi.c curl_get_line.c altsvc.c socketpair.c rename.c
> +@@ -79,7 +79,7 @@
> +   rtsp.h curl_threads.h warnless.h curl_hmac.h curl_rtmp.h              \
> +   curl_gethostname.h gopher.h http_proxy.h non-ascii.h asyn.h           \
> +   http_ntlm.h curl_gssapi.h curl_ntlm_wb.h curl_ntlm_core.h             \
> +-  curl_sasl.h curl_multibyte.h hostcheck.h conncache.h                  \
> ++  curl_sasl.h curl_multibyte.h hostcheck.h conncache.h fopen.h          \
> +   curl_setup_once.h multihandle.h setup-vms.h dotdot.h                  \
> +   x509asn1.h http2.h sigpipe.h smb.h curl_endian.h curl_des.h           \
> +   curl_printf.h system_win32.h rand.h mime.h curl_sha256.h setopt.h     \
> +diff --git a/lib/altsvc.c b/lib/altsvc.c
> +index 4ab77fd..97249b2 100644
> +--- a/lib/altsvc.c
> ++++ b/lib/altsvc.c
> +@@ -34,7 +34,7 @@
> + #include "parsedate.h"
> + #include "sendf.h"
> + #include "warnless.h"
> +-#include "rand.h"
> ++#include "fopen.h"
> + #include "rename.h"
> +
> + /* The last 3 #include files should be in this order */
> +@@ -326,8 +326,7 @@
> +   struct curl_llist_element *n;
> +   CURLcode result = CURLE_OK;
> +   FILE *out;
> +-  char *tempstore;
> +-  unsigned char randsuffix[9];
> ++  char *tempstore = NULL;
> +
> +   if(!altsvc)
> +     /* no cache activated */
> +@@ -341,16 +340,8 @@
> +     /* marked as read-only, no file or zero length file name */
> +     return CURLE_OK;
> +
> +-  if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
> +-    return CURLE_FAILED_INIT;
> +-
> +-  tempstore = aprintf("%s.%s.tmp", file, randsuffix);
> +-  if(!tempstore)
> +-    return CURLE_OUT_OF_MEMORY;
> +-
> +-  out = fopen(tempstore, FOPEN_WRITETEXT);
> +-  if(!out)
> +-    result = CURLE_WRITE_ERROR;
> ++  result = Curl_fopen(data, file, &out, &tempstore);
> ++  if(!result) {
> +   else {
> +     fputs("# Your alt-svc cache. https://curl.haxx.se/docs/alt-svc.html\n";
> +           "# This file was generated by libcurl! Edit at your own risk.\n",
> +@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
> +         break;
> +     }
> +     fclose(out);
> +-    if(!result && Curl_rename(tempstore, file))
> ++    if(!result && tempstore && Curl_rename(tempstore, file))
> +       result = CURLE_WRITE_ERROR;
> +
> +-    if(result)
> ++    if(result && tempstore)
> +       unlink(tempstore);
> +   }
> +   free(tempstore);
> +diff --git a/lib/cookie.c b/lib/cookie.c
> +index 1d1bf9b..2dc6314 100644
> +--- a/lib/cookie.c
> ++++ b/lib/cookie.c
> +@@ -99,6 +99,7 @@ Example set of cookies:
> + #include "parsedate.h"
> + #include "rand.h"
> + #include "rename.h"
> ++#include "fopen.h"
> +
> + /* The last 3 #include files should be in this order */
> + #include "curl_printf.h"
> +@@ -1524,17 +1524,8 @@
> +     use_stdout = TRUE;
> +   }
> +   else {
> +-    unsigned char randsuffix[9];
> +-
> +-    if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
> +-      return 2;
> +-
> +-    tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
> +-    if(!tempstore)
> +-      return 1;
> +-
> +-    out = fopen(tempstore, FOPEN_WRITETEXT);
> +-    if(!out)
> ++    error = Curl_fopen(data, filename, &out, &tempstore);
> ++    if(error)
> +       goto error;
> +   }
> +
> +@@ -1581,7 +1572,7 @@
> +   if(!use_stdout) {
> +     fclose(out);
> +     out = NULL;
> +-    if(Curl_rename(tempstore, filename)) {
> ++    if(tempstore && Curl_rename(tempstore, filename)) {
> +       unlink(tempstore);
> +       goto error;
> +     }
> +diff --git a/lib/fopen.c b/lib/fopen.c
> +new file mode 100644
> +index 0000000..92dc31d
> +--- /dev/null
> ++++ b/lib/fopen.c
> +@@ -0,0 +1,106 @@
> ++/***************************************************************************
> ++ *                                  _   _ ____  _
> ++ *  Project                     ___| | | |  _ \| |
> ++ *                             / __| | | | |_) | |
> ++ *                            | (__| |_| |  _ <| |___
> ++ *                             \___|\___/|_| \_\_____|
> ++ *
> ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <[email protected]>, et al.
> ++ *
> ++ * This software is licensed as described in the file COPYING, which
> ++ * you should have received as part of this distribution. The terms
> ++ * are also available at https://curl.se/docs/copyright.html.
> ++ *
> ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
> ++ * copies of the Software, and permit persons to whom the Software is
> ++ * furnished to do so, under the terms of the COPYING file.
> ++ *
> ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
> ++ * KIND, either express or implied.
> ++ *
> ++ 
> ***************************************************************************/
> ++
> ++#include "curl_setup.h"
> ++
> ++#if !defined(CURL_DISABLE_COOKIES) && !defined(CURL_DISABLE_ALTSVC) &&  \
> ++  !defined(CURL_DISABLE_HSTS)
> ++
> ++#ifdef HAVE_FCNTL_H
> ++#include <fcntl.h>
> ++#endif
> ++
> ++#include "urldata.h"
> ++#include "rand.h"
> ++#include "fopen.h"
> ++/* The last 3 #include files should be in this order */
> ++#include "curl_printf.h"
> ++#include "curl_memory.h"
> ++#include "memdebug.h"
> ++
> ++/*
> ++ * Curl_fopen() opens a file for writing with a temp name, to be renamed
> ++ * to the final name when completed. If there is an existing file using this
> ++ * name at the time of the open, this function will clone the mode from that
> ++ * file.  if 'tempname' is non-NULL, it needs a rename after the file is
> ++ * written.
> ++ */
> ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
> ++                    FILE **fh, char **tempname)
> ++{
> ++  CURLcode result = CURLE_WRITE_ERROR;
> ++  unsigned char randsuffix[9];
> ++  char *tempstore = NULL;
> ++  struct_stat sb, nsb;
> ++  int fd = -1;
> ++  *tempname = NULL;
> ++
> ++  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
> ++    /* a non-regular file, fallback to direct fopen() */
> ++    *fh = fopen(filename, FOPEN_WRITETEXT);
> ++    if(*fh)
> ++      return CURLE_OK;
> ++    goto fail;
> ++  }
> ++
> ++  result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
> ++  if(result)
> ++    goto fail;
> ++
> ++  tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
> ++  if(!tempstore) {
> ++    result = CURLE_OUT_OF_MEMORY;
> ++    goto fail;
> ++  }
> ++
> ++  result = CURLE_WRITE_ERROR;
> ++  fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
> ++  if(fd == -1)
> ++    goto fail;
> ++
> ++  if((fstat(fd, &nsb) != -1) &&
> ++     (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
> ++    /* if the user and group are the same, clone the original mode */
> ++    if(fchmod(fd, sb.st_mode) == -1)

This fails on the autobuilder meta-mingw test with:

../../curl-7.69.1/lib/fopen.c: In function 'Curl_fopen':
../../curl-7.69.1/lib/fopen.c:83:8: error: implicit declaration of
function 'fchmod'; did you mean 'chmod'?
[-Werror=implicit-function-declaration]
   83 |     if(fchmod(fd, sb.st_mode) == -1)
      |        ^~~~~~
      |        chmod

Full log here:

https://errors.yoctoproject.org/Errors/Details/660046/

Steve

> ++      goto fail;
> ++  }
> ++
> ++  *fh = fdopen(fd, FOPEN_WRITETEXT);
> ++  if(!*fh)
> ++    goto fail;
> ++
> ++  *tempname = tempstore;
> ++  return CURLE_OK;
> ++
> ++fail:
> ++  if(fd != -1) {
> ++    close(fd);
> ++    unlink(tempstore);
> ++  }
> ++
> ++  free(tempstore);
> ++
> ++  *tempname = NULL;
> ++  return result;
> ++}
> ++
> ++#endif /* ! disabled */
> +diff --git a/lib/fopen.h b/lib/fopen.h
> +new file mode 100644
> +index 0000000..1020f3c
> +--- /dev/null
> ++++ b/lib/fopen.h
> +@@ -0,0 +1,28 @@
> ++#ifndef HEADER_CURL_FOPEN_H
> ++#define HEADER_CURL_FOPEN_H
> ++/***************************************************************************
> ++ *                                  _   _ ____  _
> ++ *  Project                     ___| | | |  _ \| |
> ++ *                             / __| | | | |_) | |
> ++ *                            | (__| |_| |  _ <| |___
> ++ *                             \___|\___/|_| \_\_____|
> ++ *
> ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <[email protected]>, et al.
> ++ *
> ++ * This software is licensed as described in the file COPYING, which
> ++ * you should have received as part of this distribution. The terms
> ++ * are also available at https://curl.se/docs/copyright.html.
> ++ *
> ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
> ++ * copies of the Software, and permit persons to whom the Software is
> ++ * furnished to do so, under the terms of the COPYING file.
> ++ *
> ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
> ++ * KIND, either express or implied.
> ++ *
> ++ 
> ***************************************************************************/
> ++
> ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
> ++                    FILE **fh, char **tempname);
> ++
> ++#endif
> +--
> +2.25.1
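Review bot: In the altsvc.c hunk of CVE-2022-32207.patch (`@@ -341,16 +340,8 @@`) the added `if(!result) {` is directly followed by the kept context line `else {`, which leaves Curl_altsvc_save with an `else` that has no matching `if` and a stray opening brace; the original change deletes that line, so it should be `-  else {` with the header adjusted to `@@ -341,16 +340,7 @@`. This only surfaces when alt-svc is compiled in, which is presumably why it did not show up in the other builds. In the cookie.c hunk, `error = Curl_fopen(data, filename, &out, &tempstore);` assigns a CURLcode to `error`, whose declaration is outside the hunk and which the removed lines replaced with plain `return 1`/`return 2`; confirm that cookie_output in 7.69.1 declares it with a compatible type. The fopen.c guard `#if !defined(CURL_DISABLE_COOKIES) && !defined(CURL_DISABLE_ALTSVC) && !defined(CURL_DISABLE_HSTS)` compiles Curl_fopen only when all three features are enabled, while cookie.c and altsvc.c each call it whenever their own feature is on, so disabling cookies alone looks like it would leave an unresolved reference from altsvc.c — an `||` chain would match the callers. Curl_altsvc_save and cookie_output both start outside their hunks.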
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-32208.patch 
> b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
> new file mode 100644
> index 0000000000..324fe874f6
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
> @@ -0,0 +1,29 @@
> +Backported from:
> +
> +From 4c3f77e871820d055a5f6c4cd7a6ac47a7f3877d Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <[email protected]>
> +Date: Thu, 9 Jun 2022 09:27:24 +0200
> +Subject: [PATCH] krb5: return error properly on decode errors
> +
> +CVE: CVE-2022-32208
> +Upstream-Status: Backport 
> [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.68.0-1ubuntu2.12/curl_7.68.0-1ubuntu2.12.debian.tar.xz]
> +Comment: No change in any hunk
> +Signed-off-by: Sana Kazi <[email protected]>
> +
> +diff --git a/lib/krb5.c b/lib/krb5.c
> +index f50287a..5b77e35 100644
> +--- a/lib/krb5.c
> ++++ b/lib/krb5.c
> +@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len,
> +   enc.value = buf;
> +   enc.length = len;
> +   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
> +-  if(maj != GSS_S_COMPLETE) {
> +-    if(len >= 4)
> +-      strcpy(buf, "599 ");
> ++  if(maj != GSS_S_COMPLETE)
> +     return -1;
> +-  }
> +
> +   memcpy(buf, dec.value, dec.length);
> +   len = curlx_uztosi(dec.length);
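Review bot: After the early `return -1` added in the krb5.c hunk, the success path still does `memcpy(buf, dec.value, dec.length)` with no comparison of dec.length against the caller-supplied `len`; the hunk's context shows the copy but not where buf is sized. If the unwrapped output cannot exceed the wrapped input this is fine and a one-line comment stating that invariant above the memcpy would help the next reader, otherwise a guard such as `if(dec.length > (size_t)len) return -1;` (releasing `dec` first) belongs before the copy. krb5_decode continues outside the hunk.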
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb 
> b/meta/recipes-support/curl/curl_7.69.1.bb
> index 5a597a7dd9..7b67b68f1d 100644
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> @@ -35,6 +35,9 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 
> \
>             file://CVE-2022-27781.patch \
>             file://CVE-2022-27782-1.patch \
>             file://CVE-2022-27782-2.patch \
> +           file://CVE-2022-32206.patch \
> +           file://CVE-2022-32207.patch \
> +           file://CVE-2022-32208.patch \
>  "
>
>  SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and 
> is the property of the KPIT Technologies Ltd. It is intended only for the 
> person to whom it is addressed. If you are not the intended recipient, you 
> are not authorized to read, print, retain copy, disseminate, distribute, or 
> use this message or any part thereof. If you receive this message in error, 
> please notify the sender immediately and delete all copies of this message. 
> KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
> 
>