mirror of
https://git.yoctoproject.org/poky
synced 2026-05-30 00:20:08 +00:00
curl: Security Advisory - curl - CVE-2017-1000254
Porting patch from <https://github.com/curl/curl/commit/ 5ff2c5ff25750aba1a8f64fbcad8e5b891512584> to solve CVE-2017-1000254. (From OE-Core rev: 08f8d5db06647b94f96d655100c358047682dd2f) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Li Zhou
Richard Purdie
@@ -0,0 +1,138 @@
|
|||||||
|
From 1b2eba6f9745c064f7283e0ada8f46df9d9d6e42 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Li Zhou <li.zhou@windriver.com>
|
||||||
|
Date: Mon, 23 Oct 2017 00:26:50 -0700
|
||||||
|
Subject: [PATCH] FTP: zero terminate the entry path even on bad input
|
||||||
|
|
||||||
|
... a single double quote could leave the entry path buffer without a zero
|
||||||
|
terminating byte. CVE-2017-1000254
|
||||||
|
|
||||||
|
Test 1152 added to verify.
|
||||||
|
|
||||||
|
Reported-by: Max Dymond
|
||||||
|
Bug: https://curl.haxx.se/docs/adv_20171004.html
|
||||||
|
|
||||||
|
Upstream-Status: Backport
|
||||||
|
CVE: CVE-2017-1000254
|
||||||
|
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
||||||
|
---
|
||||||
|
lib/ftp.c | 7 ++++--
|
||||||
|
tests/data/Makefile.inc | 2 ++
|
||||||
|
tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
3 files changed, 68 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 tests/data/test1152
|
||||||
|
|
||||||
|
diff --git a/lib/ftp.c b/lib/ftp.c
|
||||||
|
index 5edec37..493dbf9 100644
|
||||||
|
--- a/lib/ftp.c
|
||||||
|
+++ b/lib/ftp.c
|
||||||
|
@@ -2826,6 +2826,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
|
||||||
|
const size_t buf_size = data->set.buffer_size;
|
||||||
|
char *dir;
|
||||||
|
char *store;
|
||||||
|
+ bool entry_extracted = FALSE;
|
||||||
|
|
||||||
|
dir = malloc(nread + 1);
|
||||||
|
if(!dir)
|
||||||
|
@@ -2857,7 +2858,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
/* end of path */
|
||||||
|
- *store = '\0'; /* zero terminate */
|
||||||
|
+ entry_extracted = TRUE;
|
||||||
|
break; /* get out of this loop */
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -2866,7 +2867,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
|
||||||
|
store++;
|
||||||
|
ptr++;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+ *store = '\0'; /* zero terminate */
|
||||||
|
+ }
|
||||||
|
+ if(entry_extracted) {
|
||||||
|
/* If the path name does not look like an absolute path (i.e.: it
|
||||||
|
does not start with a '/'), we probably need some server-dependent
|
||||||
|
adjustments. For example, this is the case when connecting to
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index 7adbee6..5284654 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -121,6 +121,8 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
|
||||||
|
test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
|
||||||
|
test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
|
||||||
|
test1144 test1145 test1146 \
|
||||||
|
+test1152 \
|
||||||
|
+\
|
||||||
|
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
|
||||||
|
test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
|
||||||
|
test1216 test1217 test1218 test1219 \
|
||||||
|
diff --git a/tests/data/test1152 b/tests/data/test1152
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..aa8c0a7
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test1152
|
||||||
|
@@ -0,0 +1,61 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+FTP
|
||||||
|
+PASV
|
||||||
|
+LIST
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<servercmd>
|
||||||
|
+REPLY PWD 257 "just one
|
||||||
|
+</servercmd>
|
||||||
|
+
|
||||||
|
+# When doing LIST, we get the default list output hard-coded in the test
|
||||||
|
+# FTP server
|
||||||
|
+<data mode="text">
|
||||||
|
+total 20
|
||||||
|
+drwxr-xr-x 8 98 98 512 Oct 22 13:06 .
|
||||||
|
+drwxr-xr-x 8 98 98 512 Oct 22 13:06 ..
|
||||||
|
+drwxr-xr-x 2 98 98 512 May 2 1996 curl-releases
|
||||||
|
+-r--r--r-- 1 0 1 35 Jul 16 1996 README
|
||||||
|
+lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin
|
||||||
|
+dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev
|
||||||
|
+drwxrwxrwx 2 98 98 512 May 29 16:04 download.html
|
||||||
|
+dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc
|
||||||
|
+drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub
|
||||||
|
+dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr
|
||||||
|
+</data>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+ftp
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+FTP with uneven quote in PWD response
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+ftp://%HOSTIP:%FTPPORT/test-1152/
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+USER anonymous
|
||||||
|
+PASS ftp@example.com
|
||||||
|
+PWD
|
||||||
|
+CWD test-1152
|
||||||
|
+EPSV
|
||||||
|
+TYPE A
|
||||||
|
+LIST
|
||||||
|
+QUIT
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.11.0
|
||||||
|
|
||||||
@@ -10,6 +10,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
|
|||||||
file://CVE-2017-1000099.patch \
|
file://CVE-2017-1000099.patch \
|
||||||
file://CVE-2017-1000100.patch \
|
file://CVE-2017-1000100.patch \
|
||||||
file://CVE-2017-1000101.patch \
|
file://CVE-2017-1000101.patch \
|
||||||
|
file://CVE-2017-1000254.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
# curl likes to set -g0 in CFLAGS, so we stop it
|
# curl likes to set -g0 in CFLAGS, so we stop it
|
||||||
|
|||||||
Reference in New Issue
Block a user