curl: ammend fix for CVE-2023-27534 to fix error when ssh is enabled

The upstream patch for CVE-2023-27534 does three things:
1) creates new path with dynbuf(dynamic buffer)
2) solves the tilde error which causes CVE-2023-27534
3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.

dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
This patch completes the 3rd task of the patch which was implemented without using dynbuf

Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
new file mode 100644 (file)
index 0000000..46c57af
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
@@ -0,0 +1,51 @@
+From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
+From: Eric Vigeant <evigeant@gmail.com>
+Date: Wed, 2 Nov 2022 11:47:09 -0400
+Subject: [PATCH] cur_path: do not add '/' if homedir ends with one
+
+When using SFTP and a path relative to the user home, do not add a
+trailing '/' to the user home dir if it already ends with one.
+
+Closes #9844
+
+CVE: CVE-2023-27534
+Note:
+- The upstream patch for CVE-2023-27534 does three things:
+1) creates new path with dynbuf(dynamic buffer)
+2) solves the tilde error which causes CVE-2023-27534
+3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.
+- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
+- This patch completes the 3rd task of the patch which was implemented without using dynbuf
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ lib/curl_path.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index f429634..40b92ee 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+       /* It is referenced to the home directory, so strip the
+          leading '/' */
+       memcpy(real_path, homedir, homelen);
+-      real_path[homelen] = '/';
+-      real_path[homelen + 1] = '\0';
++      /* Only add a trailing '/' if homedir does not end with one */
++      if(homelen == 0 || real_path[homelen - 1] != '/') {
++        real_path[homelen] = '/';
++        homelen++;
++        real_path[homelen] = '\0';
++      }
+       if(working_path_len > 3) {
+-        memcpy(real_path + homelen + 1, working_path + 3,
++        memcpy(real_path + homelen, working_path + 3,
+                1 + working_path_len -3);
+       }
+     }
+-- 
+2.24.4
+

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
index aeeffd5feab52e9d5961376c4ceb5ad40132c79c..3ecd18129039829520d2d59c6aee6790752ee4cf 100644 (file)
--- a/meta/recipes-support/curl/curl/CVE-2023-27534.patch
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
@@ -3,121 +3,31 @@ From: Daniel Stenberg <daniel@haxx.se>
 Date: Thu, 9 Mar 2023 16:22:11 +0100
 Subject: [PATCH] curl_path: create the new path with dynbuf
 
+Closes #10729
+
 CVE: CVE-2023-27534
-Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
+Note: This patch is needed to backport CVE-2023-27534
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
 
 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
 ---
- lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
- 1 file changed, 35 insertions(+), 36 deletions(-)
+ lib/curl_path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/lib/curl_path.c b/lib/curl_path.c
-index f429634..e17db4b 100644
+index 40b92ee..598c5dd 100644
 --- a/lib/curl_path.c
 +++ b/lib/curl_path.c
-@@ -30,6 +30,8 @@
- #include "escape.h"
- #include "memdebug.h"
- 
-+#define MAX_SSHPATH_LEN 100000 /* arbitrary */
-+
- /* figure out the path to work with in this particular request */
- CURLcode Curl_getworkingpath(struct connectdata *conn,
-                              char *homedir,  /* when SFTP is used */
-@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
-                                              real path to work with */
- {
-   struct Curl_easy *data = conn->data;
--  char *real_path = NULL;
-   char *working_path;
-   size_t working_path_len;
-+  struct dynbuf npath;
-   CURLcode result =
-     Curl_urldecode(data, data->state.up.path, 0, &working_path,
-                    &working_path_len, FALSE);
-   if(result)
-     return result;
- 
-+  /* new path to switch to in case we need to */
-+  Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
-+
-   /* Check for /~/, indicating relative to the user's home directory */
--  if(conn->handler->protocol & CURLPROTO_SCP) {
--    real_path = malloc(working_path_len + 1);
--    if(real_path == NULL) {
-+  if((data->conn->handler->protocol & CURLPROTO_SCP) &&
-+     (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
-+    /* It is referenced to the home directory, so strip the leading '/~/' */
-+    if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
-       free(working_path);
-       return CURLE_OUT_OF_MEMORY;
-     }
--    if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
--      /* It is referenced to the home directory, so strip the leading '/~/' */
--      memcpy(real_path, working_path + 3, working_path_len - 2);
--    else
--      memcpy(real_path, working_path, 1 + working_path_len);
+@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+       memcpy(real_path, working_path, 1 + working_path_len);
    }
--  else if(conn->handler->protocol & CURLPROTO_SFTP) {
+   else if(conn->handler->protocol & CURLPROTO_SFTP) {
 -    if((working_path_len > 1) && (working_path[1] == '~')) {
--      size_t homelen = strlen(homedir);
--      real_path = malloc(homelen + working_path_len + 1);
--      if(real_path == NULL) {
--        free(working_path);
--        return CURLE_OUT_OF_MEMORY;
--      }
--      /* It is referenced to the home directory, so strip the
--         leading '/' */
--      memcpy(real_path, homedir, homelen);
--      real_path[homelen] = '/';
--      real_path[homelen + 1] = '\0';
--      if(working_path_len > 3) {
--        memcpy(real_path + homelen + 1, working_path + 3,
--               1 + working_path_len -3);
--      }
-+  else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
-+          (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
-+    size_t len;
-+    const char *p;
-+    int copyfrom = 3;
-+    if(Curl_dyn_add(&npath, homedir)) {
-+      free(working_path);
-+      return CURLE_OUT_OF_MEMORY;
-     }
--    else {
--      real_path = malloc(working_path_len + 1);
--      if(real_path == NULL) {
--        free(working_path);
--        return CURLE_OUT_OF_MEMORY;
--      }
--      memcpy(real_path, working_path, 1 + working_path_len);
-+    /* Copy a separating '/' if homedir does not end with one */
-+    len = Curl_dyn_len(&npath);
-+    p = Curl_dyn_ptr(&npath);
-+    if(len && (p[len-1] != '/'))
-+      copyfrom = 2;
-+
-+    if(Curl_dyn_addn(&npath,
-+                     &working_path[copyfrom], working_path_len - copyfrom)) {
-+      free(working_path);
-+      return CURLE_OUT_OF_MEMORY;
-     }
-   }
- 
--  free(working_path);
-+  if(Curl_dyn_len(&npath)) {
-+    free(working_path);
- 
--  /* store the pointer for the caller to receive */
--  *path = real_path;
-+    /* store the pointer for the caller to receive */
-+    *path = Curl_dyn_ptr(&npath);
-+  }
-+  else
-+    *path = working_path;
- 
-   return CURLE_OK;
- }
++    if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
+       size_t homelen = strlen(homedir);
+       real_path = malloc(homelen + working_path_len + 1);
+       if(real_path == NULL) {
 -- 
-2.25.1
+2.24.4
 

diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 32d18ddb3ab6e58f9fb349356250603b592a9a5c..13ec11709946db7d7157da47b4f1aca8cf96cb00 100644 (file)
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -43,6 +43,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2022-35260.patch \
            file://CVE-2022-43552.patch \
            file://CVE-2023-23916.patch \
+           file://CVE-2023-27534-pre1.patch \
            file://CVE-2023-27534.patch \
            file://CVE-2023-27538.patch \
            file://CVE-2023-27533.patch \