From: Muminul Islam <muis...@microsoft.com> Signed-off-by: Muminul Islam <muis...@microsoft.com> [Fixup for thud context] Signed-off-by: Armin Kuster <akuster...@gmail.com> --- meta/recipes-support/curl/curl/CVE-2019-5482.patch | 68 ++++++++++++++++++++++ meta/recipes-support/curl/curl_7.61.0.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2019-5482.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2019-5482.patch b/meta/recipes-support/curl/curl/CVE-2019-5482.patch new file mode 100644 index 0000000..91b1866 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2019-5482.patch @@ -0,0 +1,68 @@ +From 38319e0717844c32464a6c7630de9be226f1c6f4 Mon Sep 17 00:00:00 2001 +From: Thomas Vegas <> +Date: Sat, 31 Aug 2019 17:30:51 +0200 +Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is + received +Reply-To: muis...@microsoft.com + +Fixes potential buffer overflow from 'recvfrom()', should the server +return an OACK without blksize. + +Bug: https://curl.haxx.se/docs/CVE-2019-5482.html + +CVE: CVE-2019-5482 + +Upstream-Status: Backport + +Signed-off-by: Muminul Islam <muis...@microsoft.com> +--- + lib/tftp.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/lib/tftp.c b/lib/tftp.c +index 064eef318..2c148e3e1 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -969,6 +969,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) + { + tftp_state_data_t *state; + int blksize; ++ int need_blksize; + + blksize = TFTP_BLKSIZE_DEFAULT; + +@@ -983,15 +984,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) + return CURLE_TFTP_ILLEGAL; + } + ++ need_blksize = blksize; ++ /* default size is the fallback when no OACK is received */ ++ if(need_blksize < TFTP_BLKSIZE_DEFAULT) ++ need_blksize = TFTP_BLKSIZE_DEFAULT; ++ + if(!state->rpacket.data) { +- state->rpacket.data = calloc(1, blksize + 2 + 2); ++ state->rpacket.data = calloc(1, need_blksize + 2 + 2); + + if(!state->rpacket.data) + return CURLE_OUT_OF_MEMORY; + } + + if(!state->spacket.data) { +- state->spacket.data = calloc(1, blksize + 2 + 2); ++ state->spacket.data = calloc(1, need_blksize + 2 + 2); + + if(!state->spacket.data) + return CURLE_OUT_OF_MEMORY; +@@ -1005,7 +1011,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) + state->sockfd = state->conn->sock[FIRSTSOCKET]; + state->state = TFTP_STATE_START; + state->error = TFTP_ERR_NONE; +- state->blksize = blksize; ++ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */ + state->requested_blksize = blksize; + + ((struct sockaddr *)&state->local_addr)->sa_family = +-- +2.23.0 + diff --git a/meta/recipes-support/curl/curl_7.61.0.bb b/meta/recipes-support/curl/curl_7.61.0.bb index c1e4342..cd880f9 100644 --- a/meta/recipes-support/curl/curl_7.61.0.bb +++ b/meta/recipes-support/curl/curl_7.61.0.bb @@ -16,6 +16,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2018-16890.patch \ file://CVE-2019-3822.patch \ file://CVE-2019-3823.patch \ + file://CVE-2019-5482.patch \ " SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a" -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
