[dunfell,03/13] curl: Fix CVE CVE-2022-35260

Message ID	fe81ee17a2dc9924178fdd98614ed9e264204492.1671202568.git.steve@sakoman.com
State	Accepted, archived
Commit	fe81ee17a2dc9924178fdd98614ed9e264204492
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.216.51, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 03/13] curl: Fix CVE CVE-2022-35260 Date: Fri, 16 Dec 2022 04:57:42 -1000 Message-Id: <fe81ee17a2dc9924178fdd98614ed9e264204492.1671202568.git.steve@sakoman.com> In-Reply-To: <cover.1671202568.git.steve@sakoman.com> References: <cover.1671202568.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell,01/13] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553 \| expand [dunfell,01/13] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553 [dunfell,02/13] rpm: Fix rpm CVE CVE-2021-3521 [dunfell,03/13] curl: Fix CVE CVE-2022-35260 [dunfell,04/13] libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c [dunfell,05/13] sysstat: fix CVE-2022-39377 [dunfell,06/13] dropbear: fix CVE-2021-36369 [dunfell,07/13] golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps [dunfell,08/13] python3: Fix CVE-2022-37454 [dunfell,09/13] vim: upgrade 9.0.0820 -> 9.0.0947 [dunfell,10/13] opkg: Set correct info_dir and status_file in opkg.conf [dunfell,11/13] classes: make TOOLCHAIN more permissive for kernel [dunfell,12/13] psplash: consider the situation of psplash not exist for systemd [dunfell,13/13] oeqa/selftest/tinfoil: Add test for separate config_data with recipe_parse_file()

Message ID

fe81ee17a2dc9924178fdd98614ed9e264204492.1671202568.git.steve@sakoman.com

State

Accepted, archived

Commit

fe81ee17a2dc9924178fdd98614ed9e264204492

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 03/13] curl: Fix CVE CVE-2022-35260
Date: Fri, 16 Dec 2022 04:57:42 -1000
Message-Id: 
 <fe81ee17a2dc9924178fdd98614ed9e264204492.1671202568.git.steve@sakoman.com>
In-Reply-To: <cover.1671202568.git.steve@sakoman.com>
References: <cover.1671202568.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell,01/13] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553 | expand

Commit Message

Steve Sakoman Dec. 16, 2022, 2:57 p.m. UTC

From: Mathieu Dubois-Briand <mathieu.dubois-briand@hyprua.org>

Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../curl/curl/CVE-2022-35260.patch            | 68 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |  1 +
 2 files changed, 69 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-35260.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2022-35260.patch b/meta/recipes-support/curl/curl/CVE-2022-35260.patch
new file mode 100644
index 0000000000..476c996b0a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-35260.patch
@@ -0,0 +1,68 @@ 
+From 3ff3989ec53d9ddcf4bdd99f5d5788dd87486768 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2022 14:37:24 +0200
+Subject: [PATCH] netrc: replace fgets with Curl_get_line
+
+Upstream-Status: Backport
+CVE: CVE-2022-35260
+Reference to upstream patch: https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa863e0476dffa377b184c
+
+Make the parser only accept complete lines and avoid problems with
+overly long lines.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #9789
+---
+ lib/curl_get_line.c | 4 ++--
+ lib/netrc.c         | 5 +++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c
+index c4194851ae09..4b9eea9e631c 100644
+--- a/lib/curl_get_line.c
++++ b/lib/curl_get_line.c
+@@ -28,8 +28,8 @@
+ #include "memdebug.h"
+ 
+ /*
+- * get_line() makes sure to only return complete whole lines that fit in 'len'
+- * bytes and end with a newline.
++ * Curl_get_line() makes sure to only return complete whole lines that fit in
++ * 'len' bytes and end with a newline.
+  */
+ char *Curl_get_line(char *buf, int len, FILE *input)
+ {
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 1c9da31993c9..93239132c9d8 100644
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -31,6 +31,7 @@
+ #include "netrc.h"
+ #include "strtok.h"
+ #include "strcase.h"
++#include "curl_get_line.h"
+ 
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -83,7 +84,7 @@ static int parsenetrc(const char *host,
+     char netrcbuffer[4096];
+     int  netrcbuffsize = (int)sizeof(netrcbuffer);
+ 
+-    while(!done && fgets(netrcbuffer, netrcbuffsize, file)) {
++    while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) {
+       tok = strtok_r(netrcbuffer, " \t\n", &tok_buf);
+       if(tok && *tok == '#')
+         /* treat an initial hash as a comment line */
+@@ -169,7 +170,7 @@ static int parsenetrc(const char *host,
+ 
+         tok = strtok_r(NULL, " \t\n", &tok_buf);
+       } /* while(tok) */
+-    } /* while fgets() */
++    } /* while Curl_get_line() */
+ 
+     out:
+     if(!retcode) {
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 31aa9d7185..63faae6296 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -40,6 +40,7 @@  SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2022-32208.patch \
            file://CVE-2022-35252.patch \
            file://CVE-2022-32221.patch \
+           file://CVE-2022-35260.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"

[dunfell,03/13] curl: Fix CVE CVE-2022-35260

Commit Message

Patch