mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-01 13:09:50 +00:00
Code Issues Projects Releases Wiki Activity

curl: Fix CVE-2023-28319

Browse Source 
Add patch to fix CVE-2023-28319

UAF in SSH sha256 fingerprint check

libcurl offers a feature to verify an SSH server's public key using
a SHA 256hash. When this check fails, libcurl would free the memory
for the fingerprintbefore it returns an error message containing the
(now freed) hash.

This flaw risks inserting sensitive heap-based data into the error
message that might be shown to users or otherwise get
leaked and revealed.

Link: https://curl.se/docs/CVE-2023-28319.html

(From OE-Core rev: f7d6751828683ac2adbf140e77dbf7454cfa8eb1)

Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Bhabu Bindu
2023-05-29 17:02:43 +05:30
committed by Steve Sakoman
parent 2afcf3e39f
commit 8f3b0b8e9b
2 changed files with 34 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-support/curl/curl/CVE-2023-28319.patch
+33
View File
@@ -0,0 +1,33 @@
From 8e21b1a05f3c0ee098dbcb6c3d84cb61f102a122 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 8 May 2023 14:33:54 +0200
Subject: [PATCH] libssh2: free fingerprint better
Reported-by: Wei Chong Tan
Closes #11088
CVE: CVE-2023-28319
Upstream-Status: Backport [https://github.com/curl/curl/commit/8e21b1a05f3c0ee098dbcb6c]
Comments: Hunks Refreshed
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
---
lib/vssh/libssh2.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
index bfcc94e160178..dd39a844c646b 100644
--- a/lib/vssh/libssh2.c
+++ b/lib/vssh/libssh2.c
@@ -695,11 +695,10 @@
*/
if((pub_pos != b64_pos) ||
Curl_strncasecompare(fingerprint_b64, pubkey_sha256, pub_pos) != 1) {
- free(fingerprint_b64);
-
failf(data,
"Denied establishing ssh session: mismatch sha256 fingerprint. "
"Remote %s is not equal to %s", fingerprint_b64, pubkey_sha256);
+ free(fingerprint_b64);
state(data, SSH_SESSION_FREE);
sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
return sshc->actualcode;
meta/recipes-support/curl/curl_7.82.0.bb
+1
View File
@@ -45,6 +45,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2023-27535-pre1.patch \ file://CVE-2023-27535-pre1.patch \
file://CVE-2023-27535_and_CVE-2023-27538.patch \ file://CVE-2023-27535_and_CVE-2023-27538.patch \
file://CVE-2023-27536.patch \ file://CVE-2023-27536.patch \
file://CVE-2023-28319.patch \
" "
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"