curl: Secuirty fix CVE-2016-0755

CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use (From OE-Core master rev: 8322814c7f657f572d5c986652e708d6bd774378) hand applied changed to url.c (From OE-Core rev: e479ec9e6cbd34f3a7a56a170aaabcc4229f1959) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-02-05 08:58:42 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-03-03 11:11:40 +0000
commit: 854c2e724d0aeb19f390e3ac2e7b40c94b2d383b (patch)
tree: 4beaf52334d588ec70426dd6a12c1f0ec9c35836
parent: 8ca73f8fa4ff7f9edb101ee563e5547d3edc46cb (diff)
download: poky-854c2e724d0aeb19f390e3ac2e7b40c94b2d383b.tar.gz
2 files changed, 135 insertions, 1 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-0755.patch b/meta/recipes-support/curl/curl/CVE-2016-0755.patch
new file mode 100644
index 0000000000..f67b9fc661
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-0755.patch
@@ -0,0 +1,133 @@
+From d41dcba4e9b69d6b761e3460cc6ae7e8fd8f621f Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 13 Jan 2016 11:05:51 +0200
+Subject: [PATCH] NTLM: Fix ConnectionExists to compare Proxy credentials
+Proxy NTLM authentication should compare credentials when
+re-using a connection similar to host authentication, as it
+authenticate the connection.
+Example:
+curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
+  --proxy-ntlm --next -x http://proxy:port http://host/
+    [-U fake_user:fake_pwd --proxy-ntlm]
+CVE-2016-0755
+Bug: http://curl.haxx.se/docs/adv_20160127A.html
+Upstream-Status: Backport
+http://curl.haxx.se/CVE-2016-0755.patch
+CVE: CVE-2016-0755
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ lib/url.c | 62 ++++++++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 40 insertions(+), 22 deletions(-)
+Index: curl-7.40.0/lib/url.c
+===================================================================
+--- curl-7.40.0.orig/lib/url.c
+++ curl-7.40.0/lib/url.c
+@@ -3043,11 +3043,16 @@ ConnectionExists(struct SessionHandle *d
+   struct connectdata *check;
+   struct connectdata *chosen = 0;
+   bool canPipeline = IsPipeliningPossible(data, needle);
+-  bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
+-                       (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
+-    (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
+   struct connectbundle *bundle;
+ 
+  bool wantNTLMhttp = ((data->state.authhost.want &
+                      (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
+                      (needle->handler->protocol & PROTO_FAMILY_HTTP));
+  bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
+                           ((data->state.authproxy.want &
+                           (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
+                           (needle->handler->protocol & PROTO_FAMILY_HTTP)));
+
+   *force_reuse = FALSE;
+ 
+   /* We can't pipe if the site is blacklisted */
+@@ -3076,9 +3081,6 @@ ConnectionExists(struct SessionHandle *d
+     curr = bundle->conn_list->head;
+     while(curr) {
+       bool match = FALSE;
+-#if defined(USE_NTLM)
+-      bool credentialsMatch = FALSE;
+-#endif
+       size_t pipeLen;
+ 
+       /*
+@@ -3183,18 +3185,14 @@ ConnectionExists(struct SessionHandle *d
+           continue;
+       }
+ 
+-      if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+-         (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
+-        /* This protocol requires credentials per connection or is HTTP+NTLM,
+      if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
+         /* This protocol requires credentials per connection,
+            so verify that we're using the same name and password as well */
+         if(!strequal(needle->user, check->user) ||
+            !strequal(needle->passwd, check->passwd)) {
+           /* one of them was different */
+           continue;
+         }
+-#if defined(USE_NTLM)
+-        credentialsMatch = TRUE;
+-#endif
+       }
+ 
+       if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
+@@ -3253,20 +3251,43 @@ ConnectionExists(struct SessionHandle *d
+            possible. (Especially we must not reuse the same connection if
+            partway through a handshake!) */
+         if(wantNTLMhttp) {
+-          if(credentialsMatch && check->ntlm.state != NTLMSTATE_NONE) {
+-            chosen = check;
+          if(!strequal(needle->user, check->user) ||
+             !strequal(needle->passwd, check->passwd))
+            continue;
+        }
+        else if(check->ntlm.state != NTLMSTATE_NONE) {
+          /* Connection is using NTLM auth but we don't want NTLM */
+          continue;
+        }
+ 
+        /* Same for Proxy NTLM authentication */
+        if(wantProxyNTLMhttp) {
+          if(!strequal(needle->proxyuser, check->proxyuser) ||
+             !strequal(needle->proxypasswd, check->proxypasswd))
+            continue;
+        }
+        else if(check->proxyntlm.state != NTLMSTATE_NONE) {
+          /* Proxy connection is using NTLM auth but we don't want NTLM */
+          continue;
+        }
+
+        if(wantNTLMhttp || wantProxyNTLMhttp) {
+          /* Credentials are already checked, we can use this connection */
+          chosen = check;
+
+          if((wantNTLMhttp &&
+             (check->ntlm.state != NTLMSTATE_NONE)) ||
+              (wantProxyNTLMhttp &&
+               (check->proxyntlm.state != NTLMSTATE_NONE))) {
+             /* We must use this connection, no other */
+             *force_reuse = TRUE;
+             break;
+           }
+-          else if(credentialsMatch)
+-            /* this is a backup choice */
+-            chosen = check;
+
+          /* Continue look up for a better connection */
+           continue;
+         }
+ #endif
+-
+         if(canPipeline) {
+           /* We can pipeline if we want to. Let's continue looking for
+              the optimal connection to use, i.e the shortest pipe that is not
diff --git a/meta/recipes-support/curl/curl_7.40.0.bb b/meta/recipes-support/curl/curl_7.40.0.bb
index 01c201e18a..7fa3274091 100644
--- a/meta/recipes-support/curl/curl_7.40.0.bb
+++ b/meta/recipes-support/curl/curl_7.40.0.bb
@@ -17,7 +17,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
 # from mucking around with debug options
 #
 SRC_URI += " file://configure_ac.patch \
-             file://CVE-2016-0754.patch"
+             file://CVE-2016-0754.patch \
+             file://CVE-2016-0755.patch"
 SRC_URI[md5sum] = "8d30594212e65657a5c32030f0998fa9"
 SRC_URI[sha256sum] = "899109eb3900fa6b8a2f995df7f449964292776a04763e94fae640700f883fba"
author	Armin Kuster <akuster@mvista.com>	2016-02-05 08:58:42 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-03-03 11:11:40 +0000
commit	854c2e724d0aeb19f390e3ac2e7b40c94b2d383b (patch)
tree	4beaf52334d588ec70426dd6a12c1f0ec9c35836
parent	8ca73f8fa4ff7f9edb101ee563e5547d3edc46cb (diff)
download	poky-854c2e724d0aeb19f390e3ac2e7b40c94b2d383b.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2016-0755.patch b/meta/recipes-support/curl/curl/CVE-2016-0755.patch new file mode 100644 index 0000000000..f67b9fc661 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2016-0755.patch
@@ -0,0 +1,133 @@
		1	From d41dcba4e9b69d6b761e3460cc6ae7e8fd8f621f Mon Sep 17 00:00:00 2001
		2	From: Isaac Boukris <iboukris@gmail.com>
		3	Date: Wed, 13 Jan 2016 11:05:51 +0200
		4	Subject: [PATCH] NTLM: Fix ConnectionExists to compare Proxy credentials
		5
		6	Proxy NTLM authentication should compare credentials when
		7	re-using a connection similar to host authentication, as it
		8	authenticate the connection.
		9
		10	Example:
		11	curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
		12	--proxy-ntlm --next -x http://proxy:port http://host/
		13	[-U fake_user:fake_pwd --proxy-ntlm]
		14
		15	CVE-2016-0755
		16
		17	Bug: http://curl.haxx.se/docs/adv_20160127A.html
		18
		19	Upstream-Status: Backport
		20	http://curl.haxx.se/CVE-2016-0755.patch
		21
		22	CVE: CVE-2016-0755
		23	Signed-off-by: Armin Kuster <akuster@mvista.com>
		24
		25	---
		26	lib/url.c \| 62 ++++++++++++++++++++++++++++++++++++++++----------------------
		27	1 file changed, 40 insertions(+), 22 deletions(-)
		28
		29	Index: curl-7.40.0/lib/url.c
		30	===================================================================
		31	--- curl-7.40.0.orig/lib/url.c
		32	+++ curl-7.40.0/lib/url.c
		33	@@ -3043,11 +3043,16 @@ ConnectionExists(struct SessionHandle *d
		34	struct connectdata *check;
		35	struct connectdata *chosen = 0;
		36	bool canPipeline = IsPipeliningPossible(data, needle);
		37	- bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) \|\|
		38	- (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
		39	- (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
		40	struct connectbundle *bundle;
		41
		42	+ bool wantNTLMhttp = ((data->state.authhost.want &
		43	+ (CURLAUTH_NTLM \| CURLAUTH_NTLM_WB)) &&
		44	+ (needle->handler->protocol & PROTO_FAMILY_HTTP));
		45	+ bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
		46	+ ((data->state.authproxy.want &
		47	+ (CURLAUTH_NTLM \| CURLAUTH_NTLM_WB)) &&
		48	+ (needle->handler->protocol & PROTO_FAMILY_HTTP)));
		49	+
		50	*force_reuse = FALSE;
		51
		52	/* We can't pipe if the site is blacklisted */
		53	@@ -3076,9 +3081,6 @@ ConnectionExists(struct SessionHandle *d
		54	curr = bundle->conn_list->head;
		55	while(curr) {
		56	bool match = FALSE;
		57	-#if defined(USE_NTLM)
		58	- bool credentialsMatch = FALSE;
		59	-#endif
		60	size_t pipeLen;
		61
		62	/*
		63	@@ -3183,18 +3185,14 @@ ConnectionExists(struct SessionHandle *d
		64	continue;
		65	}
		66
		67	- if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) \|\|
		68	- (wantNTLMhttp \|\| check->ntlm.state != NTLMSTATE_NONE)) {
		69	- /* This protocol requires credentials per connection or is HTTP+NTLM,
		70	+ if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
		71	+ /* This protocol requires credentials per connection,
		72	so verify that we're using the same name and password as well */
		73	if(!strequal(needle->user, check->user) \|\|
		74	!strequal(needle->passwd, check->passwd)) {
		75	/* one of them was different */
		76	continue;
		77	}
		78	-#if defined(USE_NTLM)
		79	- credentialsMatch = TRUE;
		80	-#endif
		81	}
		82
		83	if(!needle->bits.httpproxy \|\| needle->handler->flags&PROTOPT_SSL \|\|
		84	@@ -3253,20 +3251,43 @@ ConnectionExists(struct SessionHandle *d
		85	possible. (Especially we must not reuse the same connection if
		86	partway through a handshake!) */
		87	if(wantNTLMhttp) {
		88	- if(credentialsMatch && check->ntlm.state != NTLMSTATE_NONE) {
		89	- chosen = check;
		90	+ if(!strequal(needle->user, check->user) \|\|
		91	+ !strequal(needle->passwd, check->passwd))
		92	+ continue;
		93	+ }
		94	+ else if(check->ntlm.state != NTLMSTATE_NONE) {
		95	+ /* Connection is using NTLM auth but we don't want NTLM */
		96	+ continue;
		97	+ }
		98
		99	+ /* Same for Proxy NTLM authentication */
		100	+ if(wantProxyNTLMhttp) {
		101	+ if(!strequal(needle->proxyuser, check->proxyuser) \|\|
		102	+ !strequal(needle->proxypasswd, check->proxypasswd))
		103	+ continue;
		104	+ }
		105	+ else if(check->proxyntlm.state != NTLMSTATE_NONE) {
		106	+ /* Proxy connection is using NTLM auth but we don't want NTLM */
		107	+ continue;
		108	+ }
		109	+
		110	+ if(wantNTLMhttp \|\| wantProxyNTLMhttp) {
		111	+ /* Credentials are already checked, we can use this connection */
		112	+ chosen = check;
		113	+
		114	+ if((wantNTLMhttp &&
		115	+ (check->ntlm.state != NTLMSTATE_NONE)) \|\|
		116	+ (wantProxyNTLMhttp &&
		117	+ (check->proxyntlm.state != NTLMSTATE_NONE))) {
		118	/* We must use this connection, no other */
		119	*force_reuse = TRUE;
		120	break;
		121	}
		122	- else if(credentialsMatch)
		123	- /* this is a backup choice */
		124	- chosen = check;
		125	+
		126	+ /* Continue look up for a better connection */
		127	continue;
		128	}
		129	#endif
		130	-
		131	if(canPipeline) {
		132	/* We can pipeline if we want to. Let's continue looking for
		133	the optimal connection to use, i.e the shortest pipe that is not


diff --git a/meta/recipes-support/curl/curl_7.40.0.bb b/meta/recipes-support/curl/curl_7.40.0.bb index 01c201e18a..7fa3274091 100644 --- a/meta/recipes-support/curl/curl_7.40.0.bb +++ b/meta/recipes-support/curl/curl_7.40.0.bb
@@ -17,7 +17,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
17	# from mucking around with debug options	17	# from mucking around with debug options
18	#	18	#
19	SRC_URI += " file://configure_ac.patch \	19	SRC_URI += " file://configure_ac.patch \
20	file://CVE-2016-0754.patch"	20	file://CVE-2016-0754.patch \
		21	file://CVE-2016-0755.patch"
21		22
22	SRC_URI[md5sum] = "8d30594212e65657a5c32030f0998fa9"	23	SRC_URI[md5sum] = "8d30594212e65657a5c32030f0998fa9"
23	SRC_URI[sha256sum] = "899109eb3900fa6b8a2f995df7f449964292776a04763e94fae640700f883fba"	24	SRC_URI[sha256sum] = "899109eb3900fa6b8a2f995df7f449964292776a04763e94fae640700f883fba"