curl: fix CVE-2023-38545

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. (From OE-Core rev: 44971c945a615d07c91100f514377f7247796334) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2023-10-13 09:20:55 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-11-01 05:01:25 -1000
commit: e9a74270774d1cfe8997ded4542558adbc5f4bad (patch)
tree: 1746fba9582884e67c6c060cee29316d8970677d
parent: 6f022adb5c7e3588812d20da5b91832496bbfe2b (diff)
download: poky-e9a74270774d1cfe8997ded4542558adbc5f4bad.tar.gz
2 files changed, 134 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-38545.patch b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
new file mode 100644
index 0000000000..c198d29c04
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
@@ -0,0 +1,133 @@
+From fb4415d8aee6c1045be932a34fe6107c2f5ed147 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Wed, 11 Oct 2023 07:34:19 +0200
+Subject: [PATCH] socks: return error if hostname too long for remote resolve
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+Upstream-Status: Backport [https://github.com/curl/curl/commit/fb4415d8aee6c1045be932a34fe6107c2f5ed147]
+CVE: CVE-2023-38545
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/socks.c             |  8 +++---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test722      | 64 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 69 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test722
+diff --git a/lib/socks.c b/lib/socks.c
+index a014aa6..2215c02 100644
+--- a/lib/socks.c
+++ b/lib/socks.c
+@@ -536,9 +536,9 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
+     /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
+     if(!socks5_resolve_local && hostname_len > 255) {
+-      infof(data, "SOCKS5: server resolving disabled for hostnames of "
+-            "length > 255 [actual len=%zu]", hostname_len);
+-      socks5_resolve_local = TRUE;
+      failf(data, "SOCKS5: the destination hostname is too long to be "
+            "resolved remotely by the proxy.");
+      return CURLPX_LONG_HOSTNAME;
+     }
+     if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -879,7 +879,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
+       }
+       else {
+         socksreq[len++] = 3;
+-        socksreq[len++] = (char) hostname_len; /* one byte address length */
+       socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+         memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
+         len += hostname_len;
+       }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 3064b39..47117b6 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -99,7 +99,7 @@ test670 test671 test672 test673 test674 test675 test676 test677 test678 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+-test718 test719 test720 test721 \
+test718 test719 test720 test721 test722 \
+ \
+ test800 test801 test802 test803 test804 test805 test806 test807 test808 \
+ test809 test810 test811 test812 test813 test814 test815 test816 test817 \
+diff --git a/tests/data/test722 b/tests/data/test722
+new file mode 100644
+index 0000000..05bcf28
+--- /dev/null
+++ b/tests/data/test722
+@@ -0,0 +1,64 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+SOCKS5
+SOCKS5h
+followlocation
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+# The hostname in this redirect is 256 characters and too long (> 255) for
+# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
+<data>
+HTTP/1.1 301 Moved Permanently
+Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
+Content-Length: 0
+Connection: close
+
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+proxy
+</features>
+<server>
+http
+socks5
+</server>
+ <name>
+SOCKS5h with HTTP redirect to hostname too long
+ </name>
+ <command>
+--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol crlf="yes">
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+<errorcode>
+97
+</errorcode>
+# the error message is verified because error code CURLE_PROXY (97) may be
+# returned for any number of reasons and we need to make sure it is
+# specifically for the reason below so that we know the check is working.
+<stderr mode="text">
+curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
+</stderr>
+</verify>
+</testcase>
+--
+2.40.0
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index af52ecad13..86a3a84332 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -52,6 +52,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
           file://CVE-2023-28322-1.patch \
           file://CVE-2023-28322-2.patch \
           file://CVE-2023-32001.patch \
+           file://CVE-2023-38545.patch \
           "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
author	Archana Polampalli <archana.polampalli@windriver.com>	2023-10-13 09:20:55 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-11-01 05:01:25 -1000
commit	e9a74270774d1cfe8997ded4542558adbc5f4bad (patch)
tree	1746fba9582884e67c6c060cee29316d8970677d
parent	6f022adb5c7e3588812d20da5b91832496bbfe2b (diff)
download	poky-e9a74270774d1cfe8997ded4542558adbc5f4bad.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2023-38545.patch b/meta/recipes-support/curl/curl/CVE-2023-38545.patch new file mode 100644 index 0000000000..c198d29c04 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
@@ -0,0 +1,133 @@
		1	From fb4415d8aee6c1045be932a34fe6107c2f5ed147 Mon Sep 17 00:00:00 2001
		2	From: Jay Satiro <raysatiro@yahoo.com>
		3	Date: Wed, 11 Oct 2023 07:34:19 +0200
		4	Subject: [PATCH] socks: return error if hostname too long for remote resolve
		5
		6	Prior to this change the state machine attempted to change the remote
		7	resolve to a local resolve if the hostname was longer than 255
		8	characters. Unfortunately that did not work as intended and caused a
		9	security issue.
		10
		11	Upstream-Status: Backport [https://github.com/curl/curl/commit/fb4415d8aee6c1045be932a34fe6107c2f5ed147]
		12
		13	CVE: CVE-2023-38545
		14
		15	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		16	---
		17	lib/socks.c \| 8 +++---
		18	tests/data/Makefile.inc \| 2 +-
		19	tests/data/test722 \| 64 +++++++++++++++++++++++++++++++++++++++++
		20	3 files changed, 69 insertions(+), 5 deletions(-)
		21	create mode 100644 tests/data/test722
		22
		23	diff --git a/lib/socks.c b/lib/socks.c
		24	index a014aa6..2215c02 100644
		25	--- a/lib/socks.c
		26	+++ b/lib/socks.c
		27	@@ -536,9 +536,9 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
		28
		29	/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
		30	if(!socks5_resolve_local && hostname_len > 255) {
		31	- infof(data, "SOCKS5: server resolving disabled for hostnames of "
		32	- "length > 255 [actual len=%zu]", hostname_len);
		33	- socks5_resolve_local = TRUE;
		34	+ failf(data, "SOCKS5: the destination hostname is too long to be "
		35	+ "resolved remotely by the proxy.");
		36	+ return CURLPX_LONG_HOSTNAME;
		37	}
		38
		39	if(auth & ~(CURLAUTH_BASIC \| CURLAUTH_GSSAPI))
		40	@@ -879,7 +879,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
		41	}
		42	else {
		43	socksreq[len++] = 3;
		44	- socksreq[len++] = (char) hostname_len; /* one byte address length */
		45	+ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
		46	memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
		47	len += hostname_len;
		48	}
		49	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
		50	index 3064b39..47117b6 100644
		51	--- a/tests/data/Makefile.inc
		52	+++ b/tests/data/Makefile.inc
		53	@@ -99,7 +99,7 @@ test670 test671 test672 test673 test674 test675 test676 test677 test678 \
		54	\
		55	test700 test701 test702 test703 test704 test705 test706 test707 test708 \
		56	test709 test710 test711 test712 test713 test714 test715 test716 test717 \
		57	-test718 test719 test720 test721 \
		58	+test718 test719 test720 test721 test722 \
		59	\
		60	test800 test801 test802 test803 test804 test805 test806 test807 test808 \
		61	test809 test810 test811 test812 test813 test814 test815 test816 test817 \
		62	diff --git a/tests/data/test722 b/tests/data/test722
		63	new file mode 100644
		64	index 0000000..05bcf28
		65	--- /dev/null
		66	+++ b/tests/data/test722
		67	@@ -0,0 +1,64 @@
		68	+<testcase>
		69	+<info>
		70	+<keywords>
		71	+HTTP
		72	+HTTP GET
		73	+SOCKS5
		74	+SOCKS5h
		75	+followlocation
		76	+</keywords>
		77	+</info>
		78	+
		79	+#
		80	+# Server-side
		81	+<reply>
		82	+# The hostname in this redirect is 256 characters and too long (> 255) for
		83	+# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
		84	+<data>
		85	+HTTP/1.1 301 Moved Permanently
		86	+Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
		87	+Content-Length: 0
		88	+Connection: close
		89	+
		90	+</data>
		91	+</reply>
		92	+
		93	+#
		94	+# Client-side
		95	+<client>
		96	+<features>
		97	+proxy
		98	+</features>
		99	+<server>
		100	+http
		101	+socks5
		102	+</server>
		103	+ <name>
		104	+SOCKS5h with HTTP redirect to hostname too long
		105	+ </name>
		106	+ <command>
		107	+--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
		108	+</command>
		109	+</client>
		110	+
		111	+#
		112	+# Verify data after the test has been "shot"
		113	+<verify>
		114	+<protocol crlf="yes">
		115	+GET /%TESTNUMBER HTTP/1.1
		116	+Host: %HOSTIP:%HTTPPORT
		117	+User-Agent: curl/%VERSION
		118	+Accept: /
		119	+
		120	+</protocol>
		121	+<errorcode>
		122	+97
		123	+</errorcode>
		124	+# the error message is verified because error code CURLE_PROXY (97) may be
		125	+# returned for any number of reasons and we need to make sure it is
		126	+# specifically for the reason below so that we know the check is working.
		127	+<stderr mode="text">
		128	+curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
		129	+</stderr>
		130	+</verify>
		131	+</testcase>
		132	--
		133	2.40.0


diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index af52ecad13..86a3a84332 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -52,6 +52,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
52	file://CVE-2023-28322-1.patch \	52	file://CVE-2023-28322-1.patch \
53	file://CVE-2023-28322-2.patch \	53	file://CVE-2023-28322-2.patch \
54	file://CVE-2023-32001.patch \	54	file://CVE-2023-32001.patch \
		55	file://CVE-2023-38545.patch \
55	"	56	"
56	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"	57	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
57		58