code.ossystems Code Review - openembedded-core.git/commit
curl: Fix CVE-2021-22946 and CVE-2021-22947, whitelist CVE-2021-22945
author    Mike Crowe <mac@mcrowe.com>
          Fri, 17 Sep 2021 16:14:33 +0000 (17:14 +0100)
committer Steve Sakoman <steve@sakoman.com>
          Fri, 24 Sep 2021 14:27:46 +0000 (04:27 -1000)
commit    b9b343704afc28a6182f699ef17943afacd482a8
tree      6388bc09bf1aa17d51d267de46017522b51b7ffd
parent    ddcdb9baec74391844d5e3cf3c891d63d2eef865
curl: Fix CVE-2021-22946 and CVE-2021-22947, whitelist CVE-2021-22945

curl v7.79.0 contained fixes for three CVEs:

The description of CVE-2021-22945[1] contains:
> This flaw was introduced in commit 2522903b79 but since MQTT support
> was marked 'experimental' then and not enabled in the build by default
> until curl 7.73.0 (October 14, 2020) we count that as the first flawed
> version.

which I believe means that curl v7.69.1 is not vulnerable.

curl v7.69.1 is vulnerable to both CVE-2021-22946[2] and CVE-2021-22947[3].
These patches are from Ubuntu 20.04's curl 7.68.0 package. The patches
applied without conflicts, but I used devtool to regenerate them to
avoid fuzz warnings.

[1] https://curl.se/docs/CVE-2021-22945.html
[2] https://curl.se/docs/CVE-2021-22946.html
[3] https://curl.se/docs/CVE-2021-22947.html

Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch [new file with mode: 0644]
meta/recipes-support/curl/curl/CVE-2021-22946.patch [new file with mode: 0644]
meta/recipes-support/curl/curl/CVE-2021-22947.patch [new file with mode: 0644]
meta/recipes-support/curl/curl_7.69.1.bb