From 55591e63bcb21e9bd2327f9a2bc0fd55f14734d6 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Petr=20=C5=A0tetiar?= Date: Fri, 1 May 2020 10:12:11 +0200 Subject: [PATCH] curl: backport fix for CVE-2019-15601 MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit On Windows, refuse paths that start with \\ ... as that might cause an unexpected SMB connection to a given host name. Ref: PR#2730 Ref: https://curl.haxx.se/docs/CVE-2019-15601.html Suggested-by: Jerome Benoit Signed-off-by: Petr Štetiar --- package/network/utils/curl/Makefile | 2 +- ...Windows-refuse-paths-that-start-with.patch | 44 +++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 package/network/utils/curl/patches/100-file-on-Windows-refuse-paths-that-start-with.patch diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile index d4fcf1814a..1c95b9f131 100644 --- a/package/network/utils/curl/Makefile +++ b/package/network/utils/curl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=curl PKG_VERSION:=7.66.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://dl.uxnr.de/mirror/curl/ \ diff --git a/package/network/utils/curl/patches/100-file-on-Windows-refuse-paths-that-start-with.patch b/package/network/utils/curl/patches/100-file-on-Windows-refuse-paths-that-start-with.patch new file mode 100644 index 0000000000..254d678269 --- /dev/null +++ b/package/network/utils/curl/patches/100-file-on-Windows-refuse-paths-that-start-with.patch @@ -0,0 +1,44 @@ +From 1b71bc532bde8621fd3260843f8197182a467ff2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 7 Nov 2019 10:13:01 +0100 +Subject: [PATCH] file: on Windows, refuse paths that start with \\ +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... as that might cause an unexpected SMB connection to a given host +name. + +Reported-by: Fernando Muñoz +CVE-2019-15601 +Bug: https://curl.haxx.se/docs/CVE-2019-15601.html + +Signed-off-by: Petr Štetiar +--- + lib/file.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/lib/file.c b/lib/file.c +index d349cd9241cd..166931d7f1ba 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -136,7 +136,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) + struct Curl_easy *data = conn->data; + char *real_path; + struct FILEPROTO *file = data->req.protop; +- int fd; ++ int fd = -1; + #ifdef DOS_FILESYSTEM + size_t i; + char *actual_path; +@@ -181,7 +181,9 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) + return CURLE_URL_MALFORMAT; + } + +- fd = open_readonly(actual_path, O_RDONLY|O_BINARY); ++ if(strncmp("\\\\", actual_path, 2)) ++ /* refuse to open path that starts with two backslashes */ ++ fd = open_readonly(actual_path, O_RDONLY|O_BINARY); + file->path = actual_path; + #else + if(memchr(real_path, 0, real_path_len)) { -- 2.30.2