Thanks for letting me know.

Hi Steve,
Please ignore my patch as Peter already submitted it.

Thanks & Regards,
Vijay

On Tue, Nov 12, 2024 at 7:17 PM Marko, Peter <[email protected]> wrote:

> This patch was already submitted.
> See https://lists.openembedded.org/g/openembedded-core/message/206904
>
> Peter
>
> > -----Original Message-----
> > From: [email protected] <openembedded-
> > [email protected]> On Behalf Of Vijay Anusuri via
> > lists.openembedded.org
> > Sent: Tuesday, November 12, 2024 14:34
> > To: [email protected]
> > Cc: Vijay Anusuri <[email protected]>
> > Subject: [OE-core][kirkstone][PATCH] curl: Fix for CVE-2024-9681
> >
> > From: Vijay Anusuri <[email protected]>
> >
> > Ref: https://curl.se/docs/CVE-2024-9681.html
> >
> > Upstream-Commit:
> >
> > https://github.com/curl/curl/commit/a94973805df96269bf3f3bf0a20ccb9887313316
> >
> > Signed-off-by: Vijay Anusuri <[email protected]>
> > ---
> >  .../curl/curl/CVE-2024-9681.patch             | 88 +++++++++++++++++++
> >  meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
> >  2 files changed, 89 insertions(+)
> >  create mode 100644 meta/recipes-support/curl/curl/CVE-2024-9681.patch
> >
> > diff --git a/meta/recipes-support/curl/curl/CVE-2024-9681.patch
> > b/meta/recipes-support/curl/curl/CVE-2024-9681.patch
> > new file mode 100644
> > index 0000000000..1ba373a1c4
> > --- /dev/null
> > +++ b/meta/recipes-support/curl/curl/CVE-2024-9681.patch
> > @@ -0,0 +1,88 @@
> > +From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00
> > 2001
> > +From: Daniel Stenberg <[email protected]>
> > +Date: Wed, 9 Oct 2024 10:04:35 +0200
> > +Subject: [PATCH] hsts: improve subdomain handling
> > +
> > +- on load, only replace existing HSTS entries if there is a full host
> > +  match
> > +
> > +- on matching, prefer a full host match and secondary the longest tail
> > +  subdomain match
> > +
> > +Closes #15210
> > +
> > +Upstream-Status: Backport
> > [
> https://github.com/curl/curl/commit/a94973805df96269bf3f3bf0a20ccb988731
> > 3316]
> > +CVE: CVE-2024-9681
> > +Signed-off-by: Vijay Anusuri <[email protected]>
> > +---
> > + lib/hsts.c          | 14 ++++++++++----
> > + tests/data/test1660 |  2 +-
> > + 2 files changed, 11 insertions(+), 5 deletions(-)
> > +
> > +diff --git a/lib/hsts.c b/lib/hsts.c
> > +index 08e15dc..06d2edf 100644
> > +--- a/lib/hsts.c
> > ++++ b/lib/hsts.c
> > +@@ -247,12 +247,14 @@ CURLcode Curl_hsts_parse(struct hsts *h, const
> char
> > *hostname,
> > + struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
> > +                            bool subdomain)
> > + {
> > ++  struct stsentry *bestsub = NULL;
> > +   if(h) {
> > +     char buffer[MAX_HSTS_HOSTLEN + 1];
> > +     time_t now = time(NULL);
> > +     size_t hlen = strlen(hostname);
> > +     struct Curl_llist_element *e;
> > +     struct Curl_llist_element *n;
> > ++    size_t blen = 0;
> > +
> > +     if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
> > +       return NULL;
> > +@@ -277,15 +279,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const
> char
> > *hostname,
> > +         if(ntail < hlen) {
> > +           size_t offs = hlen - ntail;
> > +           if((hostname[offs-1] == '.') &&
> > +-             Curl_strncasecompare(&hostname[offs], sts->host, ntail))
> > +-            return sts;
> > ++             Curl_strncasecompare(&hostname[offs], sts->host, ntail) &&
> > ++         (ntail > blen)) {
> > ++            /* save the tail match with the longest tail */
> > ++            bestsub = sts;
> > ++            blen = ntail;
> > ++      }
> > +         }
> > +       }
> > +       if(Curl_strcasecompare(hostname, sts->host))
> > +         return sts;
> > +     }
> > +   }
> > +-  return NULL; /* no match */
> > ++  return bestsub;
> > + }
> > +
> > + /*
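Review bot: the indentation of the two added lines `++         (ntail > blen)) {` and `++      }` does not follow the surrounding block: the `&&` continuation should align under `Curl_strncasecompare` and the closing brace should sit under the `if((hostname[offs-1] == '.') &&` it closes, otherwise the brace reads as if it closed the `if(ntail < hlen)` block one level up. The control flow itself is right: a tail match is only recorded when it is longer than the one already saved (`ntail > blen`, so among equal-length tails the first list entry wins), an exact host match still returns `sts` immediately, so a full match always beats any saved subdomain match, and `return bestsub` yields NULL when nothing matched.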
> > +@@ -447,7 +453,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
> > +     e = Curl_hsts(h, p, subdomain);
> > +     if(!e)
> > +       result = hsts_create(h, p, subdomain, expires);
> > +-    else {
> > ++    else if(Curl_strcasecompare(p, e->host)) {
> > +       /* the same host name, use the largest expire time */
> > +       if(expires > e->expires)
> > +         e->expires = expires;
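Review bot: changing `else {` to `else if(Curl_strcasecompare(p, e->host)) {` leaves the third case undocumented: when `Curl_hsts` returned only a tail (subdomain) match for `p` rather than an exact one, neither branch runs, so the loaded line is silently dropped without creating its own entry and without touching the parent's expiry. If that is intended (the parent's includeSubDomains entry already covers `p`, and a subdomain line must not rewrite the parent's expiry, which is the point of this CVE fix), a comment on that branch saying so would help the next reader; if the loaded host is meant to keep its own expiry, a trailing `else` calling `hsts_create(h, p, subdomain, expires)` is needed.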
> > +diff --git a/tests/data/test1660 b/tests/data/test1660
> > +index cbbcf75..662026b 100644
> > +--- a/tests/data/test1660
> > ++++ b/tests/data/test1660
> > +@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
> > + Input 12: error 43
> > + Input 13: error 43
> > + Input 14: error 43
> > +-3.example.com [example.com]: 1569905261 includeSubDomains
> > ++3.example.com [3.example.com]: 1569905261 includeSubDomains
> > + 3.example.com [example.com]: 1569905261 includeSubDomains
> > + foo.example.com [example.com]: 1569905261 includeSubDomains
> > + 'foo.xample.com' is not HSTS
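Review bot: the only expected-output change here is the `3.example.com` lookup now resolving to its own entry (`[3.example.com]`) instead of the parent `[example.com]`, which covers the exact-match-first rule; nothing in this hunk exercises the new longest-tail preference (`ntail > blen`) between two nested includeSubDomains entries, so a lookup against such an input would be worth adding to test1660 next to this line.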
> > +--
> > +2.25.1
> > +
> > diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-
> > support/curl/curl_7.82.0.bb
> > index ba3abadac9..cda42da4d3 100644
> > --- a/meta/recipes-support/curl/curl_7.82.0.bb
> > +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> > @@ -62,6 +62,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
> >             file://CVE-2024-7264_2.patch \
> >             file://CVE-2024-8096.patch \
> >             file://0001-url-free-old-conn-better-on-reuse.patch \
> > +           file://CVE-2024-9681.patch \
> >             "
> >  SRC_URI[sha256sum] =
> > "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
> >
> > --
> > 2.25.1
>
>
View/Reply Online (#207056): 
https://lists.openembedded.org/g/openembedded-core/message/207056