Details of vulnerabilities are available below: CVE-2014-3613: http://curl.haxx.se/docs/adv_20140910A.html CVE-2014-3620: http://curl.haxx.se/docs/adv_20140910B.html
Signed-off-by: Maxin B. John <[email protected]> --- meta/recipes-support/curl/curl/CVE-2014-3613.patch | 214 +++++++++++++++++++++ meta/recipes-support/curl/curl/CVE-2014-3620.patch | 54 ++++++ meta/recipes-support/curl/curl_7.37.1.bb | 2 + 3 files changed, 270 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2014-3613.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2014-3620.patch diff --git a/meta/recipes-support/curl/curl/CVE-2014-3613.patch b/meta/recipes-support/curl/curl/CVE-2014-3613.patch new file mode 100644 index 0000000..e335826 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2014-3613.patch @@ -0,0 +1,214 @@ +From 545e322cc8c383ccdfb4ad85a1634c2b719a1adf Mon Sep 17 00:00:00 2001 +From: Tim Ruehsen <[email protected]> +Date: Tue, 19 Aug 2014 21:01:28 +0200 +Subject: [PATCH] cookies: only use full host matches for hosts used as IP address + +By not detecting and rejecting domain names for partial literal IP +addresses properly when parsing received HTTP cookies, libcurl can be +fooled to both send cookies to wrong sites and to allow arbitrary sites +to set cookies for others. + +CVE-2014-3613 + +Upstream-Status: Backport + +Bug: http://curl.haxx.se/docs/adv_20140910A.html + +Signed-off-by: Tim Ruehsen <[email protected]> +Signed-off-by: Maxin B. John <[email protected]> +--- +diff -Naur curl-7.37.1-orig/lib/cookie.c curl-7.37.1/lib/cookie.c +--- curl-7.37.1-orig/lib/cookie.c 2014-06-11 19:52:29.000000000 +0200 ++++ curl-7.37.1/lib/cookie.c 2014-09-30 15:14:50.230809427 +0200 +@@ -95,6 +95,7 @@ + #include "strtoofft.h" + #include "rawstr.h" + #include "curl_memrchr.h" ++#include "inet_pton.h" + + /* The last #include file should be: */ + #include "memdebug.h" +@@ -319,6 +320,28 @@ + } + } + ++/* ++ * Return true if the given string is an IP(v4|v6) address. ++ */ ++static bool isip(const char *domain) ++{ ++ struct in_addr addr; ++#ifdef ENABLE_IPV6 ++ struct in6_addr addr6; ++#endif ++ ++ if(Curl_inet_pton(AF_INET, domain, &addr) ++#ifdef ENABLE_IPV6 ++ || Curl_inet_pton(AF_INET6, domain, &addr6) ++#endif ++ ) { ++ /* domain name given as IP address */ ++ return TRUE; ++ } ++ ++ return FALSE; ++} ++ + /**************************************************************************** + * + * Curl_cookie_add() +@@ -439,24 +462,27 @@ + } + } + else if(Curl_raw_equal("domain", name)) { ++ bool is_ip; ++ + /* Now, we make sure that our host is within the given domain, + or the given domain is not valid and thus cannot be set. */ + + if('.' == whatptr[0]) + whatptr++; /* ignore preceding dot */ + +- if(!domain || tailmatch(whatptr, domain)) { +- const char *tailptr=whatptr; +- if(tailptr[0] == '.') +- tailptr++; +- strstore(&co->domain, tailptr); /* don't prefix w/dots +- internally */ ++ is_ip = isip(domain ? domain : whatptr); ++ ++ if(!domain ++ || (is_ip && !strcmp(whatptr, domain)) ++ || (!is_ip && tailmatch(whatptr, domain))) { ++ strstore(&co->domain, whatptr); + if(!co->domain) { + badcookie = TRUE; + break; + } +- co->tailmatch=TRUE; /* we always do that if the domain name was +- given */ ++ if(!is_ip) ++ co->tailmatch=TRUE; /* we always do that if the domain name was ++ given */ + } + else { + /* we did not get a tailmatch and then the attempted set domain +@@ -968,6 +994,7 @@ + time_t now = time(NULL); + struct Cookie *mainco=NULL; + size_t matches = 0; ++ bool is_ip; + + if(!c || !c->cookies) + return NULL; /* no cookie struct or no cookies in the struct */ +@@ -975,6 +1002,9 @@ + /* at first, remove expired cookies */ + remove_expired(c); + ++ /* check if host is an IP(v4|v6) address */ ++ is_ip = isip(host); ++ + co = c->cookies; + + while(co) { +@@ -986,8 +1016,8 @@ + + /* now check if the domain is correct */ + if(!co->domain || +- (co->tailmatch && tailmatch(co->domain, host)) || +- (!co->tailmatch && Curl_raw_equal(host, co->domain)) ) { ++ (co->tailmatch && !is_ip && tailmatch(co->domain, host)) || ++ ((!co->tailmatch || is_ip) && Curl_raw_equal(host, co->domain)) ) { + /* the right part of the host matches the domain stuff in the + cookie data */ + +diff -Naur curl-7.37.1-orig/tests/data/test1105 curl-7.37.1/tests/data/test1105 +--- curl-7.37.1-orig/tests/data/test1105 2014-06-11 19:52:29.000000000 +0200 ++++ curl-7.37.1/tests/data/test1105 2014-09-30 15:14:50.230809427 +0200 +@@ -59,8 +59,7 @@ + # This file was generated by libcurl! Edit at your own risk. + + 127.0.0.1 FALSE /we/want/ FALSE 0 foobar name +-.127.0.0.1 TRUE "/silly/" FALSE 0 mismatch this +-.0.0.1 TRUE / FALSE 0 partmatch present ++127.0.0.1 FALSE "/silly/" FALSE 0 mismatch this + </file> + </verify> + </testcase> +diff -Naur curl-7.37.1-orig/tests/data/test31 curl-7.37.1/tests/data/test31 +--- curl-7.37.1-orig/tests/data/test31 2014-06-11 19:52:30.000000000 +0200 ++++ curl-7.37.1/tests/data/test31 2014-09-30 15:14:50.234809255 +0200 +@@ -95,34 +95,34 @@ + # http://curl.haxx.se/docs/http-cookies.html + # This file was generated by libcurl! Edit at your own risk. + +-.127.0.0.1 TRUE /silly/ FALSE 0 ismatch this +-.127.0.0.1 TRUE /overwrite FALSE 0 overwrite this2 +-.127.0.0.1 TRUE /secure1/ TRUE 0 sec1value secure1 +-.127.0.0.1 TRUE /secure2/ TRUE 0 sec2value secure2 +-.127.0.0.1 TRUE /secure3/ TRUE 0 sec3value secure3 +-.127.0.0.1 TRUE /secure4/ TRUE 0 sec4value secure4 +-.127.0.0.1 TRUE /secure5/ TRUE 0 sec5value secure5 +-.127.0.0.1 TRUE /secure6/ TRUE 0 sec6value secure6 +-.127.0.0.1 TRUE /secure7/ TRUE 0 sec7value secure7 +-.127.0.0.1 TRUE /secure8/ TRUE 0 sec8value secure8 +-.127.0.0.1 TRUE /secure9/ TRUE 0 secure very1 +-#HttpOnly_.127.0.0.1 TRUE /p1/ FALSE 0 httpo1 value1 +-#HttpOnly_.127.0.0.1 TRUE /p2/ FALSE 0 httpo2 value2 +-#HttpOnly_.127.0.0.1 TRUE /p3/ FALSE 0 httpo3 value3 +-#HttpOnly_.127.0.0.1 TRUE /p4/ FALSE 0 httpo4 value4 +-#HttpOnly_.127.0.0.1 TRUE /p4/ FALSE 0 httponly myvalue1 +-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec myvalue2 +-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec2 myvalue3 +-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec3 myvalue4 +-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec4 myvalue5 +-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec5 myvalue6 +-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec6 myvalue7 +-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec7 myvalue8 +-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec8 myvalue9 +-.127.0.0.1 TRUE / FALSE 0 partmatch present ++127.0.0.1 FALSE /silly/ FALSE 0 ismatch this ++127.0.0.1 FALSE /overwrite FALSE 0 overwrite this2 ++127.0.0.1 FALSE /secure1/ TRUE 0 sec1value secure1 ++127.0.0.1 FALSE /secure2/ TRUE 0 sec2value secure2 ++127.0.0.1 FALSE /secure3/ TRUE 0 sec3value secure3 ++127.0.0.1 FALSE /secure4/ TRUE 0 sec4value secure4 ++127.0.0.1 FALSE /secure5/ TRUE 0 sec5value secure5 ++127.0.0.1 FALSE /secure6/ TRUE 0 sec6value secure6 ++127.0.0.1 FALSE /secure7/ TRUE 0 sec7value secure7 ++127.0.0.1 FALSE /secure8/ TRUE 0 sec8value secure8 ++127.0.0.1 FALSE /secure9/ TRUE 0 secure very1 ++#HttpOnly_127.0.0.1 FALSE /p1/ FALSE 0 httpo1 value1 ++#HttpOnly_127.0.0.1 FALSE /p2/ FALSE 0 httpo2 value2 ++#HttpOnly_127.0.0.1 FALSE /p3/ FALSE 0 httpo3 value3 ++#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httpo4 value4 ++#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httponly myvalue1 ++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec myvalue2 ++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec2 myvalue3 ++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec3 myvalue4 ++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec4 myvalue5 ++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec5 myvalue6 ++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec6 myvalue7 ++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec7 myvalue8 ++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec8 myvalue9 ++127.0.0.1 FALSE / FALSE 0 partmatch present + 127.0.0.1 FALSE /we/want/ FALSE 2054030187 nodomain value + #HttpOnly_127.0.0.1 FALSE /silly/ FALSE 0 magic yessir +-.0.0.1 TRUE /we/want/ FALSE 0 blexp yesyes ++127.0.0.1 FALSE /we/want/ FALSE 0 blexp yesyes + </file> + </verify> + </testcase> +diff -Naur curl-7.37.1-orig/tests/data/test8 curl-7.37.1/tests/data/test8 +--- curl-7.37.1-orig/tests/data/test8 2014-06-11 19:52:30.000000000 +0200 ++++ curl-7.37.1/tests/data/test8 2014-09-30 15:14:50.234809255 +0200 +@@ -42,7 +42,8 @@ + Set-Cookie: cookie=yes; path=/we; + Set-Cookie: cookie=perhaps; path=/we/want; + Set-Cookie: nocookie=yes; path=/WE; +-Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad; ++Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad; ++Set-Cookie: partialip=nono; domain=.0.0.1; + + </file> + <precheck> diff --git a/meta/recipes-support/curl/curl/CVE-2014-3620.patch b/meta/recipes-support/curl/curl/CVE-2014-3620.patch new file mode 100644 index 0000000..d8cb719 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2014-3620.patch @@ -0,0 +1,54 @@ +From fd7ae600adf23a9a1ed619165c5058bdec216e9c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <[email protected]> +Date: Tue, 19 Aug 2014 21:11:20 +0200 +Subject: [PATCH] cookies: reject incoming cookies set for TLDs + +libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus +making them apply broader than cookies are allowed. This can allow arbitrary +sites to set cookies that then would get sent to a different and unrelated +site or domain. + +CVE-2014-3620 + +Upstream-Status: Backport + +URL: http://curl.haxx.se/docs/adv_20140910B.html + +Signed-off-by: Daniel Stenberg <[email protected]> +Reported-by: Tim Ruehsen <[email protected]> +Signed-off-by: Maxin B. John <[email protected]> +--- +diff -Naur curl-7.37.1-origin/lib/cookie.c curl-7.37.1/lib/cookie.c +--- curl-7.37.1-origin/lib/cookie.c 2014-09-30 17:21:20.305412353 +0200 ++++ curl-7.37.1/lib/cookie.c 2014-09-30 17:22:24.474668328 +0200 +@@ -463,6 +463,7 @@ + } + else if(Curl_raw_equal("domain", name)) { + bool is_ip; ++ const char *dotp; + + /* Now, we make sure that our host is within the given domain, + or the given domain is not valid and thus cannot be set. */ +@@ -472,6 +473,11 @@ + + is_ip = isip(domain ? domain : whatptr); + ++ /* check for more dots */ ++ dotp = strchr(whatptr, '.'); ++ if(!dotp) ++ domain=":"; ++ + if(!domain + || (is_ip && !strcmp(whatptr, domain)) + || (!is_ip && tailmatch(whatptr, domain))) { +diff -Naur curl-7.37.1-origin/tests/data/test61 curl-7.37.1/tests/data/test61 +--- curl-7.37.1-origin/tests/data/test61 2014-06-11 19:52:30.000000000 +0200 ++++ curl-7.37.1/tests/data/test61 2014-09-30 17:23:35.171645055 +0200 +@@ -23,6 +23,7 @@ + Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure + Set-Cookie: test5=name; domain=anything.com; path=/ ; secure + Set-Cookie: fake=fooledyou; domain=..com; path=/; ++Set-Cookie: supercookie=fooledyou; domain=.com; path=/; + Content-Length: 4 + + boo diff --git a/meta/recipes-support/curl/curl_7.37.1.bb b/meta/recipes-support/curl/curl_7.37.1.bb index e2852e3..0f4aab9 100644 --- a/meta/recipes-support/curl/curl_7.37.1.bb +++ b/meta/recipes-support/curl/curl_7.37.1.bb @@ -7,6 +7,8 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=7;md5=3a34942f4ae3fbf1a303160714e66 SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://pkgconfig_fix.patch \ + file://CVE-2014-3613.patch \ + file://CVE-2014-3620.patch \ " # curl likes to set -g0 in CFLAGS, so we stop it -- 1.9.1 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
