Hi Siddharth, Thanks for this, but I think we need a better shortlog and commit message explaining why we need this additional patch.
Could you send a v3? Thanks! Steve On Thu, May 11, 2023 at 11:28 AM Siddharth <sdo...@mvista.com> wrote: > > Upstream-Status: Backport from > [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] > > Signed-off-by: Hitendra Prajapati <hprajap...@mvista.com> > Signed-off-by: Siddharth Doshi <sdo...@mvista.com> > --- > .../curl/curl/CVE-2023-27534-pre1.patch | 44 +++++++ > .../curl/curl/CVE-2023-27534.patch | 122 +++--------------- > meta/recipes-support/curl/curl_7.69.1.bb | 1 + > 3 files changed, 61 insertions(+), 106 deletions(-) > create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch > b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch > new file mode 100644 > index 0000000000..98b25a2fe5 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch 
> @@ -0,0 +1,44 @@ > +From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001 > +From: Eric Vigeant <evige...@gmail.com> > +Date: Wed, 2 Nov 2022 11:47:09 -0400 > +Subject: [PATCH] cur_path: do not add '/' if homedir ends with one > + > +When using SFTP and a path relative to the user home, do not add a > +trailing '/' to the user home dir if it already ends with one. > + > +Closes #9844 > + > +CVE: CVE-2023-27534 > +Note: This patch is needed to backport CVE-2023-27534 > +Upstream-Status: Backport from > [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b] > + > +Signed-off-by: Siddharth Doshi <sdo...@mvista.com> > +--- > + lib/curl_path.c | 10 +++++++--- > + 1 file changed, 7 insertions(+), 3 deletions(-) > + > +diff --git a/lib/curl_path.c b/lib/curl_path.c > +index f429634..40b92ee 100644 > +--- a/lib/curl_path.c > ++++ b/lib/curl_path.c > +@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, > + /* It is referenced to the home directory, so strip the > + leading '/' */ > + memcpy(real_path, homedir, homelen); > +- real_path[homelen] = '/'; > +- real_path[homelen + 1] = '\0'; > ++ /* Only add a trailing '/' if homedir does not end with one */ > ++ if(homelen == 0 || real_path[homelen - 1] != '/') { > ++ real_path[homelen] = '/'; > ++ homelen++; > ++ real_path[homelen] = '\0'; > ++ } > + if(working_path_len > 3) { > +- memcpy(real_path + homelen + 1, working_path + 3, > ++ memcpy(real_path + homelen, working_path + 3, > + 1 + working_path_len -3); > + } > + } > +-- > +2.24.4 > + > diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch > b/meta/recipes-support/curl/curl/CVE-2023-27534.patch > index aeeffd5fea..3ecd181290 100644 > --- a/meta/recipes-support/curl/curl/CVE-2023-27534.patch > +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch > @@ -3,121 +3,31 @@ 
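Review bot: In the `lib/curl_path.c` hunk carried by CVE-2023-27534-pre1.patch, `real_path[homelen] = '\0';` now sits inside the `if(homelen == 0 || real_path[homelen - 1] != '/')` block, so when homedir already ends in '/' and `working_path_len > 3` is false, nothing terminates `real_path` after the `memcpy` of homedir. The buffer comes from `malloc(homelen + working_path_len + 1)` (visible in the context lines of the CVE-2023-27534.patch hunk), which does not zero it, so a later string read of the returned path could run past the copied bytes. With the follow-up patch's `(working_path_len > 2) && !memcmp(working_path, "/~/", 3)` condition, a path of exactly "/~/" appears to reach this case. Writing the terminator after the block instead, `}` followed by `real_path[homelen] = '\0';`, keeps the result NUL-terminated on both branches; if that deviates from the upstream commit, the patch header should say so. The body of Curl_getworkingpath continues outside the hunk.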
From: Daniel Stenberg <dan...@haxx.se> > Date: Thu, 9 Mar 2023 16:22:11 +0100 > Subject: [PATCH] curl_path: create the new path with dynbuf > > +Closes #10729 > + > CVE: CVE-2023-27534 > -Upstream-Status: Backport > [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] > +Note: This patch is needed to backport CVE-2023-27534 > +Upstream-Status: Backport from > [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] > > Signed-off-by: Hitendra Prajapati <hprajap...@mvista.com> > +Signed-off-by: Siddharth Doshi <sdo...@mvista.com> > --- > - lib/curl_path.c | 71 ++++++++++++++++++++++++------------------------- > - 1 file changed, 35 insertions(+), 36 deletions(-) > + lib/curl_path.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lib/curl_path.c b/lib/curl_path.c > -index f429634..e17db4b 100644 > +index 40b92ee..598c5dd 100644 > --- a/lib/curl_path.c 
> +++ b/lib/curl_path.c > -@@ -30,6 +30,8 @@ > - #include "escape.h" > - #include "memdebug.h" > - > -+#define MAX_SSHPATH_LEN 100000 /* arbitrary */ > -+ > - /* figure out the path to work with in this particular request */ > - CURLcode Curl_getworkingpath(struct connectdata *conn, > - char *homedir, /* when SFTP is used */ > -@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, > - real path to work with */ > - { > - struct Curl_easy *data = conn->data; > -- char *real_path = NULL; > - char *working_path; > - size_t working_path_len; > -+ struct dynbuf npath; > - CURLcode result = > - Curl_urldecode(data, data->state.up.path, 0, &working_path, > - &working_path_len, FALSE); > - if(result) > - return result; > - > -+ /* new path to switch to in case we need to */ > -+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); > -+ > - /* Check for /~/, indicating relative to the user's home directory */ > -- if(conn->handler->protocol & CURLPROTO_SCP) { > -- real_path = malloc(working_path_len + 1); > -- if(real_path == NULL) { > -+ if((data->conn->handler->protocol & CURLPROTO_SCP) && > -+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { > -+ /* It is referenced to the home directory, so strip the leading '/~/' */ > -+ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { > - free(working_path); > - return CURLE_OUT_OF_MEMORY; > - } > -- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) > -- /* It is referenced to the home directory, so strip the leading '/~/' > */ > -- memcpy(real_path, working_path + 3, working_path_len - 2); > -- else > -- memcpy(real_path, working_path, 1 + working_path_len); > +@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, > + memcpy(real_path, working_path, 1 + working_path_len); > } > -- else if(conn->handler->protocol & CURLPROTO_SFTP) { > + else if(conn->handler->protocol & CURLPROTO_SFTP) { > - if((working_path_len > 1) && (working_path[1] == '~')) { > -- size_t 
homelen = strlen(homedir); > -- real_path = malloc(homelen + working_path_len + 1); > -- if(real_path == NULL) { > -- free(working_path); > -- return CURLE_OUT_OF_MEMORY; > -- } > -- /* It is referenced to the home directory, so strip the > -- leading '/' */ > -- memcpy(real_path, homedir, homelen); > -- real_path[homelen] = '/'; > -- real_path[homelen + 1] = '\0'; > -- if(working_path_len > 3) { > -- memcpy(real_path + homelen + 1, working_path + 3, > -- 1 + working_path_len -3); > -- } > -+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && > -+ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { > -+ size_t len; > -+ const char *p; > -+ int copyfrom = 3; > -+ if(Curl_dyn_add(&npath, homedir)) { > -+ free(working_path); > -+ return CURLE_OUT_OF_MEMORY; > - } > -- else { > -- real_path = malloc(working_path_len + 1); > -- if(real_path == NULL) { > -- free(working_path); > -- return CURLE_OUT_OF_MEMORY; > -- } > -- memcpy(real_path, working_path, 1 + working_path_len); > -+ /* Copy a separating '/' if homedir does not end with one */ > -+ len = Curl_dyn_len(&npath); > -+ p = Curl_dyn_ptr(&npath); > -+ if(len && (p[len-1] != '/')) > -+ copyfrom = 2; > -+ > -+ if(Curl_dyn_addn(&npath, > -+ &working_path[copyfrom], working_path_len - copyfrom)) > { > -+ free(working_path); > -+ return CURLE_OUT_OF_MEMORY; > - } > - } > - > -- free(working_path); > -+ if(Curl_dyn_len(&npath)) { > -+ free(working_path); > - > -- /* store the pointer for the caller to receive */ > -- *path = real_path; > -+ /* store the pointer for the caller to receive */ > -+ *path = Curl_dyn_ptr(&npath); > -+ } > -+ else > -+ *path = working_path; > - > - return CURLE_OK; > - } > ++ if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { > + size_t homelen = strlen(homedir); > + real_path = malloc(homelen + working_path_len + 1); > + if(real_path == NULL) { > -- > -2.25.1 > +2.24.4 
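Review bot: The rewritten CVE-2023-27534.patch keeps the upstream subject `curl_path: create the new path with dynbuf` and a `Backport from` pointer to 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6, but its only remaining hunk is the one-line SFTP condition change to `(working_path_len > 2) && !memcmp(working_path, "/~/", 3)`; no dynbuf code is left. The added `Note: This patch is needed to backport CVE-2023-27534` line reads as copied from the pre1 patch and does not describe this file, which is the fix itself. I would replace it with a header line stating what was taken, something like `Note: reduced backport; only the "/~/" prefix check is applied, the dynbuf rewrite and MAX_SSHPATH_LEN limit are not`, so that anyone auditing the `CVE:` tag can see how the patch diverges from upstream.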
> > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb > b/meta/recipes-support/curl/curl_7.69.1.bb > index 32d18ddb3a..13ec117099 100644 > --- a/meta/recipes-support/curl/curl_7.69.1.bb > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > @@ -43,6 +43,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 > \ > file://CVE-2022-35260.patch \ > file://CVE-2022-43552.patch \ > file://CVE-2023-23916.patch \ > + file://CVE-2023-27534-pre1.patch \ > file://CVE-2023-27534.patch \ > file://CVE-2023-27538.patch \ > file://CVE-2023-27533.patch \ > -- > 2.25.1 > > > >