poky/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch - openbmc/openbmc - Gitiles

 From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
 From: Eric Vigeant <evigeant@gmail.com>
 Date: Wed, 2 Nov 2022 11:47:09 -0400
 Subject: [PATCH] cur_path: do not add '/' if homedir ends with one

 When using SFTP and a path relative to the user home, do not add a
 trailing '/' to the user home dir if it already ends with one.

 Closes #9844

 CVE: CVE-2023-27534
 Note:
 - The upstream patch for CVE-2023-27534 does three things:
 1) creates new path with dynbuf(dynamic buffer)
 2) solves the tilde error which causes CVE-2023-27534
 3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.
 - dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
 - This patch completes the 3rd task of the patch which was implemented without using dynbuf
 Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]

 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
 Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
 ---
  lib/curl_path.c | 10 +++++++---
  1 file changed, 7 insertions(+), 3 deletions(-)

 diff --git a/lib/curl_path.c b/lib/curl_path.c
 index f429634..40b92ee 100644
 --- a/lib/curl_path.c
 +++ b/lib/curl_path.c
 @@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
        /* It is referenced to the home directory, so strip the
           leading '/' */
        memcpy(real_path, homedir, homelen);
 -      real_path[homelen] = '/';
 -      real_path[homelen + 1] = '\0';
 +      /* Only add a trailing '/' if homedir does not end with one */
 +      if(homelen == 0 || real_path[homelen - 1] != '/') {
 +        real_path[homelen] = '/';
 +        homelen++;
 +        real_path[homelen] = '\0';
 +      }
        if(working_path_len > 3) {
 -        memcpy(real_path + homelen + 1, working_path + 3,
 +        memcpy(real_path + homelen, working_path + 3,
                 1 + working_path_len -3);
        }
      }
 --
 2.24.4
	From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
	From: Eric Vigeant <evigeant@gmail.com>
	Date: Wed, 2 Nov 2022 11:47:09 -0400
	Subject: [PATCH] cur_path: do not add '/' if homedir ends with one

	When using SFTP and a path relative to the user home, do not add a
	trailing '/' to the user home dir if it already ends with one.

	Closes #9844

	CVE: CVE-2023-27534
	Note:
	- The upstream patch for CVE-2023-27534 does three things:
	1) creates new path with dynbuf(dynamic buffer)
	2) solves the tilde error which causes CVE-2023-27534
	3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.
	- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
	- This patch completes the 3rd task of the patch which was implemented without using dynbuf
	Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]

	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
	---
	lib/curl_path.c \| 10 +++++++---
	1 file changed, 7 insertions(+), 3 deletions(-)

	diff --git a/lib/curl_path.c b/lib/curl_path.c
	index f429634..40b92ee 100644
	--- a/lib/curl_path.c
	+++ b/lib/curl_path.c
	@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
	/* It is referenced to the home directory, so strip the
	leading '/' */
	memcpy(real_path, homedir, homelen);
	- real_path[homelen] = '/';
	- real_path[homelen + 1] = '\0';
	+ /* Only add a trailing '/' if homedir does not end with one */
	+ if(homelen == 0 \|\| real_path[homelen - 1] != '/') {
	+ real_path[homelen] = '/';
	+ homelen++;
	+ real_path[homelen] = '\0';
	+ }
	if(working_path_len > 3) {
	- memcpy(real_path + homelen + 1, working_path + 3,
	+ memcpy(real_path + homelen, working_path + 3,
	1 + working_path_len -3);
	}
	}
	--
	2.24.4