Hi Team,
Please revert the changes of curl: CVE-2023-27534 SFTP path ~ resolving
discrepancy as of now.
My apologies for the delay in reply.
Regards,
Hitendra
On 17/05/23 00:08, Abdurrahman Hussain (fib) wrote:
Hi Hitendra,
Any update on this? This should be reverted since the dynbuf APIs are
not available in curl 7.69.
Regards,
Abdurrahman
*From:* [email protected]
<[email protected]> *On Behalf Of *Hitendra
Prajapati
*Sent:* Friday, May 12, 2023 4:26 AM
*To:* Steve Sakoman <[email protected]>
*Cc:* [email protected]
*Subject:* Re: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP
path ~ resolving discrepancy
Hi Steve,
I'll look into this issue by enabling the package at my end and send
the possible solution if any.
Regards,
Hitendra
On 11/05/23 20:15, Steve Sakoman wrote:
Hi Hitendra,
There's been a bug filed against this patch (build failure when when
curl is configured with `libssh2` i.e. PACKAGECONFIG_append = "
libssh2"):
https://bugzilla.yoctoproject.org/show_bug.cgi?id=15114
Could you investigate and advise whether there is an easy fix or
whether we should revert?
Thanks,
Steve
On Fri, Apr 14, 2023 at 12:55 AM Hitendra Prajapati
<[email protected]> <mailto:[email protected]> wrote:
Upstream-Status: Backport
fromhttps://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6
Signed-off-by: Hitendra Prajapati<[email protected]>
<mailto:[email protected]>
---
.../curl/curl/CVE-2023-27534.patch | 123 ++++++++++++++++++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
2 files changed, 124 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch
b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
new file mode 100644
index 0000000000..aeeffd5fea
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
@@ -0,0 +1,123 @@
+From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg<[email protected]> <mailto:[email protected]>
+Date: Thu, 9 Mar 2023 16:22:11 +0100
+Subject: [PATCH] curl_path: create the new path with dynbuf
+
+CVE: CVE-2023-27534
+Upstream-Status: Backport
[https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
+
+Signed-off-by: Hitendra Prajapati<[email protected]>
<mailto:[email protected]>
+---
+ lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 35 insertions(+), 36 deletions(-)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index f429634..e17db4b 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -30,6 +30,8 @@
+ #include "escape.h"
+ #include "memdebug.h"
+
++#define MAX_SSHPATH_LEN 100000 /* arbitrary */
++
+ /* figure out the path to work with in this particular request */
+ CURLcode Curl_getworkingpath(struct connectdata *conn,
+ char *homedir, /* when SFTP is used */
+@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata
*conn,
+ real path to work with */
+ {
+ struct Curl_easy *data = conn->data;
+- char *real_path = NULL;
+ char *working_path;
+ size_t working_path_len;
++ struct dynbuf npath;
+ CURLcode result =
+ Curl_urldecode(data, data->state.up.path, 0, &working_path,
+ &working_path_len, FALSE);
+ if(result)
+ return result;
+
++ /* new path to switch to in case we need to */
++ Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
++
+ /* Check for /~/, indicating relative to the user's home directory
*/
+- if(conn->handler->protocol & CURLPROTO_SCP) {
+- real_path = malloc(working_path_len + 1);
+- if(real_path == NULL) {
++ if((data->conn->handler->protocol & CURLPROTO_SCP) &&
++ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
++ /* It is referenced to the home directory, so strip the leading
'/~/' */
++ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3))
{
+ free(working_path);
+ return CURLE_OUT_OF_MEMORY;
+ }
+- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
+- /* It is referenced to the home directory, so strip the leading
'/~/' */
+- memcpy(real_path, working_path + 3, working_path_len - 2);
+- else
+- memcpy(real_path, working_path, 1 + working_path_len);
+ }
+- else if(conn->handler->protocol & CURLPROTO_SFTP) {
+- if((working_path_len > 1) && (working_path[1] == '~')) {
+- size_t homelen = strlen(homedir);
+- real_path = malloc(homelen + working_path_len + 1);
+- if(real_path == NULL) {
+- free(working_path);
+- return CURLE_OUT_OF_MEMORY;
+- }
+- /* It is referenced to the home directory, so strip the
+- leading '/' */
+- memcpy(real_path, homedir, homelen);
+- real_path[homelen] = '/';
+- real_path[homelen + 1] = '\0';
+- if(working_path_len > 3) {
+- memcpy(real_path + homelen + 1, working_path + 3,
+- 1 + working_path_len -3);
+- }
++ else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
++ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
++ size_t len;
++ const char *p;
++ int copyfrom = 3;
++ if(Curl_dyn_add(&npath, homedir)) {
++ free(working_path);
++ return CURLE_OUT_OF_MEMORY;
+ }
+- else {
+- real_path = malloc(working_path_len + 1);
+- if(real_path == NULL) {
+- free(working_path);
+- return CURLE_OUT_OF_MEMORY;
+- }
+- memcpy(real_path, working_path, 1 + working_path_len);
++ /* Copy a separating '/' if homedir does not end with one */
++ len = Curl_dyn_len(&npath);
++ p = Curl_dyn_ptr(&npath);
++ if(len && (p[len-1] != '/'))
++ copyfrom = 2;
++
++ if(Curl_dyn_addn(&npath,
++ &working_path[copyfrom], working_path_len -
copyfrom)) {
++ free(working_path);
++ return CURLE_OUT_OF_MEMORY;
+ }
+ }
+
+- free(working_path);
++ if(Curl_dyn_len(&npath)) {
++ free(working_path);
+
+- /* store the pointer for the caller to receive */
+- *path = real_path;
++ /* store the pointer for the caller to receive */
++ *path = Curl_dyn_ptr(&npath);
++ }
++ else
++ *path = working_path;
+
+ return CURLE_OK;
+ }
+--
+2.25.1
+
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb
b/meta/recipes-support/curl/curl_7.69.1.bb
index 899daf8eac..fddf15e3ff 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -42,6 +42,7 @@ SRC_URI ="https://curl.haxx.se/download/curl-${PV}.tar.bz2
\
<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
file://CVE-2022-32221.patch
\<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
file://CVE-2022-35260.patch
\<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
file://CVE-2022-43552.patch
\<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
+ file://CVE-2023-27534.patch
\<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
"
<https://curl.haxx.se/download/curl-$%7bPV%7d.tar.bz2/file:/CVE-2022-32221.patch/file:/CVE-2022-35260.patch/file:/CVE-2022-43552.patch/+file:/CVE-2023-27534.patch/>
SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
--
2.25.1
--
Regards,
Hitendra Prajapati
MontaVista Software LLC
--
Regards,
Hitendra Prajapati
MontaVista Software LLC
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#181445):
https://lists.openembedded.org/g/openembedded-core/message/181445
Mute This Topic: https://lists.openembedded.org/mt/98259554/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
