Hi Hitendra, There's been a bug filed against this patch (build failure when when curl is configured with `libssh2` i.e. PACKAGECONFIG_append = " libssh2"):
https://bugzilla.yoctoproject.org/show_bug.cgi?id=15114 Could you investigate and advise whether there is an easy fix or whether we should revert? Thanks, Steve On Fri, Apr 14, 2023 at 12:55 AM Hitendra Prajapati <[email protected]> wrote: > > Upstream-Status: Backport from > https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 > > Signed-off-by: Hitendra Prajapati <[email protected]> > --- > .../curl/curl/CVE-2023-27534.patch | 123 ++++++++++++++++++ > meta/recipes-support/curl/curl_7.69.1.bb | 1 + > 2 files changed, 124 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch > b/meta/recipes-support/curl/curl/CVE-2023-27534.patch > new file mode 100644 > index 0000000000..aeeffd5fea > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch > @@ -0,0 +1,123 @@ > +From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001 > +From: Daniel Stenberg <[email protected]> > +Date: Thu, 9 Mar 2023 16:22:11 +0100 > +Subject: [PATCH] curl_path: create the new path with dynbuf > + > +CVE: CVE-2023-27534 > +Upstream-Status: Backport > [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] > + > +Signed-off-by: Hitendra Prajapati <[email protected]> > +--- > + lib/curl_path.c | 71 ++++++++++++++++++++++++------------------------- > + 1 file changed, 35 insertions(+), 36 deletions(-) > + > +diff --git a/lib/curl_path.c b/lib/curl_path.c > +index f429634..e17db4b 100644 > +--- a/lib/curl_path.c > ++++ b/lib/curl_path.c > +@@ -30,6 +30,8 @@ > + #include "escape.h" > + #include "memdebug.h" > + > ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */ > ++ > + /* figure out the path to work with in this particular request */ > + CURLcode Curl_getworkingpath(struct connectdata *conn, > + char *homedir, /* when SFTP is used */ > +@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, > + real path to work with */ > + { > + struct Curl_easy *data = conn->data; > +- char *real_path = NULL; > + char *working_path; > + size_t working_path_len; > ++ struct dynbuf npath; > + CURLcode result = > + Curl_urldecode(data, data->state.up.path, 0, &working_path, > + &working_path_len, FALSE); > + if(result) > + return result; > + > ++ /* new path to switch to in case we need to */ > ++ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); > ++ > + /* Check for /~/, indicating relative to the user's home directory */ > +- if(conn->handler->protocol & CURLPROTO_SCP) { > +- real_path = malloc(working_path_len + 1); > +- if(real_path == NULL) { > ++ if((data->conn->handler->protocol & CURLPROTO_SCP) && > ++ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { > ++ /* It is referenced to the home directory, so strip the leading '/~/' */ > ++ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { > + free(working_path); > + return CURLE_OUT_OF_MEMORY; > + } > +- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) > +- /* It is referenced to the home directory, so strip the leading '/~/' > */ > +- memcpy(real_path, working_path + 3, working_path_len - 2); > +- else > +- memcpy(real_path, working_path, 1 + working_path_len); > + } > +- else if(conn->handler->protocol & CURLPROTO_SFTP) { > +- if((working_path_len > 1) && (working_path[1] == '~')) { > +- size_t homelen = strlen(homedir); > +- real_path = malloc(homelen + working_path_len + 1); > +- if(real_path == NULL) { > +- free(working_path); > +- return CURLE_OUT_OF_MEMORY; > +- } > +- /* It is referenced to the home directory, so strip the > +- leading '/' */ > +- memcpy(real_path, homedir, homelen); > +- real_path[homelen] = '/'; > +- real_path[homelen + 1] = '\0'; > +- if(working_path_len > 3) { > +- memcpy(real_path + homelen + 1, working_path + 3, > +- 1 + working_path_len -3); > +- } > ++ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && > ++ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { > ++ size_t len; > ++ const char *p; > ++ int copyfrom = 3; > ++ if(Curl_dyn_add(&npath, homedir)) { > ++ free(working_path); > ++ return CURLE_OUT_OF_MEMORY; > + } > +- else { > +- real_path = malloc(working_path_len + 1); > +- if(real_path == NULL) { > +- free(working_path); > +- return CURLE_OUT_OF_MEMORY; > +- } > +- memcpy(real_path, working_path, 1 + working_path_len); > ++ /* Copy a separating '/' if homedir does not end with one */ > ++ len = Curl_dyn_len(&npath); > ++ p = Curl_dyn_ptr(&npath); > ++ if(len && (p[len-1] != '/')) > ++ copyfrom = 2; > ++ > ++ if(Curl_dyn_addn(&npath, > ++ &working_path[copyfrom], working_path_len - copyfrom)) > { > ++ free(working_path); > ++ return CURLE_OUT_OF_MEMORY; > + } > + } > + > +- free(working_path); > ++ if(Curl_dyn_len(&npath)) { > ++ free(working_path); > + > +- /* store the pointer for the caller to receive */ > +- *path = real_path; > ++ /* store the pointer for the caller to receive */ > ++ *path = Curl_dyn_ptr(&npath); > ++ } > ++ else > ++ *path = working_path; > + > + return CURLE_OK; > + } > +-- > +2.25.1 > + > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb > b/meta/recipes-support/curl/curl_7.69.1.bb > index 899daf8eac..fddf15e3ff 100644 > --- a/meta/recipes-support/curl/curl_7.69.1.bb > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > @@ -42,6 +42,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 > \ > file://CVE-2022-32221.patch \ > file://CVE-2022-35260.patch \ > file://CVE-2022-43552.patch \ > + file://CVE-2023-27534.patch \ > " > > SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" > -- > 2.25.1 > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#181136): https://lists.openembedded.org/g/openembedded-core/message/181136 Mute This Topic: https://lists.openembedded.org/mt/98259554/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
