authorArmin Kuster <akuster@mvista.com>2016-02-05 16:58:42 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-03-03 11:11:40 (GMT)
commit854c2e724d0aeb19f390e3ac2e7b40c94b2d383b (patch)
tree4beaf52334d588ec70426dd6a12c1f0ec9c35836
parent8ca73f8fa4ff7f9edb101ee563e5547d3edc46cb (diff)
downloadpoky-854c2e724d0aeb19f390e3ac2e7b40c94b2d383b.tar.gz
curl: Secuirty fix CVE-2016-0755
CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use (From OE-Core master rev: 8322814c7f657f572d5c986652e708d6bd774378) hand applied changed to url.c (From OE-Core rev: e479ec9e6cbd34f3a7a56a170aaabcc4229f1959) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-support/curl/curl/CVE-2016-0755.patch133
-rw-r--r--meta/recipes-support/curl/curl_7.40.0.bb3
2 files changed, 135 insertions, 1 deletions
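diff --git a/meta/recipes-support/curl/curl/CVE-2016-0755.patch b/meta/recipes-support/curl/curl/CVE-2016-0755.patch
new file mode 100644
index 0000000..f67b9fc
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-0755.patch
@@ -0,0 +1,133 @@
+From d41dcba4e9b69d6b761e3460cc6ae7e8fd8f621f Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 13 Jan 2016 11:05:51 +0200
+Subject: [PATCH] NTLM: Fix ConnectionExists to compare Proxy credentials
+
+Proxy NTLM authentication should compare credentials when
+re-using a connection similar to host authentication, as it
+authenticate the connection.
+
+Example:
+curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
+ --proxy-ntlm --next -x http://proxy:port http://host/
+ [-U fake_user:fake_pwd --proxy-ntlm]
+
+CVE-2016-0755
+
+Bug: http://curl.haxx.se/docs/adv_20160127A.html
+
+Upstream-Status: Backport
+http://curl.haxx.se/CVE-2016-0755.patch
+
+CVE: CVE-2016-0755
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ lib/url.c | 62 ++++++++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 40 insertions(+), 22 deletions(-)
+
+Index: curl-7.40.0/lib/url.c
+===================================================================
+--- curl-7.40.0.orig/lib/url.c
++++ curl-7.40.0/lib/url.c
+@@ -3043,11 +3043,16 @@ ConnectionExists(struct SessionHandle *d
+ struct connectdata *check;
+ struct connectdata *chosen = 0;
+ bool canPipeline = IsPipeliningPossible(data, needle);
+- bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
+- (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
+- (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
+ struct connectbundle *bundle;
+
++ bool wantNTLMhttp = ((data->state.authhost.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP));
++ bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
++ ((data->state.authproxy.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP)));
++
+ *force_reuse = FALSE;
+
+ /* We can't pipe if the site is blacklisted */
+@@ -3076,9 +3081,6 @@ ConnectionExists(struct SessionHandle *d
+ curr = bundle->conn_list->head;
+ while(curr) {
+ bool match = FALSE;
+-#if defined(USE_NTLM)
+- bool credentialsMatch = FALSE;
+-#endif
+ size_t pipeLen;
+
+ /*
+@@ -3183,18 +3185,14 @@ ConnectionExists(struct SessionHandle *d
+ continue;
+ }
+
+- if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+- (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
+- /* This protocol requires credentials per connection or is HTTP+NTLM,
++ if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
++ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+ if(!strequal(needle->user, check->user) ||
+ !strequal(needle->passwd, check->passwd)) {
+ /* one of them was different */
+ continue;
+ }
+-#if defined(USE_NTLM)
+- credentialsMatch = TRUE;
+-#endif
+ }
+
+ if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
+@@ -3253,20 +3251,43 @@ ConnectionExists(struct SessionHandle *d
+ possible. (Especially we must not reuse the same connection if
+ partway through a handshake!) */
+ if(wantNTLMhttp) {
+- if(credentialsMatch && check->ntlm.state != NTLMSTATE_NONE) {
+- chosen = check;
++ if(!strequal(needle->user, check->user) ||
++ !strequal(needle->passwd, check->passwd))
++ continue;
++ }
++ else if(check->ntlm.state != NTLMSTATE_NONE) {
++ /* Connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
+
++ /* Same for Proxy NTLM authentication */
++ if(wantProxyNTLMhttp) {
++ if(!strequal(needle->proxyuser, check->proxyuser) ||
++ !strequal(needle->proxypasswd, check->proxypasswd))
++ continue;
++ }
++ else if(check->proxyntlm.state != NTLMSTATE_NONE) {
++ /* Proxy connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
++
++ if(wantNTLMhttp || wantProxyNTLMhttp) {
++ /* Credentials are already checked, we can use this connection */
++ chosen = check;
++
++ if((wantNTLMhttp &&
++ (check->ntlm.state != NTLMSTATE_NONE)) ||
++ (wantProxyNTLMhttp &&
++ (check->proxyntlm.state != NTLMSTATE_NONE))) {
+ /* We must use this connection, no other */
+ *force_reuse = TRUE;
+ break;
+ }
+- else if(credentialsMatch)
+- /* this is a backup choice */
+- chosen = check;
++
++ /* Continue look up for a better connection */
+ continue;
+ }
+ #endif
+-
+ if(canPipeline) {
+ /* We can pipeline if we want to. Let's continue looking for
+ the optimal connection to use, i.e the shortest pipe that is not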
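Review bot: The credential checks this backport adds to ConnectionExists (patch lines 90-91 for the host, 101-102 for the proxy) compare passwords with `strequal`, which in curl is the case-insensitive string comparison, so a cached NTLM-authenticated connection could still be reused by a request whose password differs only in letter case. An exact comparison would close that gap, e.g. `if(strcmp(needle->proxyuser, check->proxyuser) || strcmp(needle->proxypasswd, check->proxypasswd)) continue;`, and likewise for `user`/`passwd`. If `check->proxyuser` can be NULL for a cached connection that was opened through the same proxy without credentials (this cannot be confirmed from the hunks shown), a guard such as `if(!check->proxyuser || !check->proxypasswd) continue;` should precede the comparison. ConnectionExists starts and ends outside these hunks, so both points should be checked against the full url.c before a follow-up patch is written.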
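diff --git a/meta/recipes-support/curl/curl_7.40.0.bb b/meta/recipes-support/curl/curl_7.40.0.bb
index 01c201e..7fa3274 100644
--- a/meta/recipes-support/curl/curl_7.40.0.bb
+++ b/meta/recipes-support/curl/curl_7.40.0.bb
@@ -17,7 +17,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
 # from mucking around with debug options
 #
 SRC_URI += " file://configure_ac.patch \
- file://CVE-2016-0754.patch"
+ file://CVE-2016-0754.patch \
+ file://CVE-2016-0755.patch"
 
 SRC_URI[md5sum] = "8d30594212e65657a5c32030f0998fa9"
 SRC_URI[sha256sum] = "899109eb3900fa6b8a2f995df7f449964292776a04763e94fae640700f883fba"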