author | Armin Kuster <akuster@mvista.com> | 2016-02-05 08:58:42 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-03-03 11:11:40 +0000 |
commit | 854c2e724d0aeb19f390e3ac2e7b40c94b2d383b (patch) | |
tree | 4beaf52334d588ec70426dd6a12c1f0ec9c35836 | |
parent | 8ca73f8fa4ff7f9edb101ee563e5547d3edc46cb (diff) | |
download | poky-854c2e724d0aeb19f390e3ac2e7b40c94b2d383b.tar.gz |
curl: Secuirty fix CVE-2016-0755
CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use
(From OE-Core master rev: 8322814c7f657f572d5c986652e708d6bd774378)
hand applied changes to url.c
(From OE-Core rev: e479ec9e6cbd34f3a7a56a170aaabcc4229f1959)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2016-0755.patch | 133 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.40.0.bb | 3 |
2 files changed, 135 insertions, 1 deletions
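--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-0755.patch
@@ -0,0 +1,133 @@
+From d41dcba4e9b69d6b761e3460cc6ae7e8fd8f621f Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 13 Jan 2016 11:05:51 +0200
+Subject: [PATCH] NTLM: Fix ConnectionExists to compare Proxy credentials
+
+Proxy NTLM authentication should compare credentials when
+re-using a connection similar to host authentication, as it
+authenticate the connection.
+
+Example:
+curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
+--proxy-ntlm --next -x http://proxy:port http://host/
+[-U fake_user:fake_pwd --proxy-ntlm]
+
+CVE-2016-0755
+
+Bug: http://curl.haxx.se/docs/adv_20160127A.html
+
+Upstream-Status: Backport
+http://curl.haxx.se/CVE-2016-0755.patch
+
+CVE: CVE-2016-0755
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+lib/url.c | 62 ++++++++++++++++++++++++++++++++++++++++----------------------
+1 file changed, 40 insertions(+), 22 deletions(-)
+
+Index: curl-7.40.0/lib/url.c
+===================================================================
+--- curl-7.40.0.orig/lib/url.c
++++ curl-7.40.0/lib/url.c
+@@ -3043,11 +3043,16 @@ ConnectionExists(struct SessionHandle *d
+struct connectdata *check;
+struct connectdata *chosen = 0;
+bool canPipeline = IsPipeliningPossible(data, needle);
+- bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
+- (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
+- (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
+struct connectbundle *bundle;
+
++ bool wantNTLMhttp = ((data->state.authhost.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP));
++ bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
++ ((data->state.authproxy.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP)));
++
+*force_reuse = FALSE;
+
+/* We can't pipe if the site is blacklisted */
+@@ -3076,9 +3081,6 @@ ConnectionExists(struct SessionHandle *d
+curr = bundle->conn_list->head;
+while(curr) {
+bool match = FALSE;
+-#if defined(USE_NTLM)
+- bool credentialsMatch = FALSE;
+-#endif
+size_t pipeLen;
+
+/*
+@@ -3183,18 +3185,14 @@ ConnectionExists(struct SessionHandle *d
+continue;
+}
+
+- if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+- (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
+- /* This protocol requires credentials per connection or is HTTP+NTLM,
++ if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
++ /* This protocol requires credentials per connection,
+so verify that we're using the same name and password as well */
+if(!strequal(needle->user, check->user) ||
+!strequal(needle->passwd, check->passwd)) {
+/* one of them was different */
+continue;
+}
+-#if defined(USE_NTLM)
+- credentialsMatch = TRUE;
+-#endif
+}
+
+if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
+@@ -3253,20 +3251,43 @@ ConnectionExists(struct SessionHandle *d
+possible. (Especially we must not reuse the same connection if
+partway through a handshake!) */
+if(wantNTLMhttp) {
+- if(credentialsMatch && check->ntlm.state != NTLMSTATE_NONE) {
+- chosen = check;
++ if(!strequal(needle->user, check->user) ||
++ !strequal(needle->passwd, check->passwd))
++ continue;
++ }
++ else if(check->ntlm.state != NTLMSTATE_NONE) {
++ /* Connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
+
++ /* Same for Proxy NTLM authentication */
++ if(wantProxyNTLMhttp) {
++ if(!strequal(needle->proxyuser, check->proxyuser) ||
++ !strequal(needle->proxypasswd, check->proxypasswd))
++ continue;
++ }
++ else if(check->proxyntlm.state != NTLMSTATE_NONE) {
++ /* Proxy connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
++
++ if(wantNTLMhttp || wantProxyNTLMhttp) {
++ /* Credentials are already checked, we can use this connection */
++ chosen = check;
++
++ if((wantNTLMhttp &&
++ (check->ntlm.state != NTLMSTATE_NONE)) ||
++ (wantProxyNTLMhttp &&
++ (check->proxyntlm.state != NTLMSTATE_NONE))) {
+/* We must use this connection, no other */
+*force_reuse = TRUE;
+break;
+}
+- else if(credentialsMatch)
+- /* this is a backup choice */
+- chosen = check;
++
++ /* Continue look up for a better connection */
+continue;
+}
+#endif
+-
+if(canPipeline) {
+/* We can pipeline if we want to. Let's continue looking for
+the optimal connection to use, i.e the shortest pipe that is not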
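Review bot: The proxy credential check added at patch lines 101-102 compares with `strequal`, which in curl is a case-insensitive match, so a cached proxy-authenticated connection can still be reused when the requested proxy user or password differs only in letter case; the host check at patch lines 90-91 has the same property. An exact comparison such as `strcmp(needle->proxypasswd, check->proxypasswd)` (and likewise for the user fields) would close that gap, but it departs from the upstream backport and should be noted in the patch header. It also looks as if `check->proxyuser` and `check->proxypasswd` may be NULL when the cached connection was set up without proxy credentials, so a guard like `if(!check->proxyuser || !check->proxypasswd) continue;` ahead of the compare seems prudent; confirm against how 7.40.0 initialises these fields. ConnectionExists begins and ends outside the hunks shown here.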
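--- a/meta/recipes-support/curl/curl_7.40.0.bb
+++ b/meta/recipes-support/curl/curl_7.40.0.bb
@@ -17,7 +17,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
 # from mucking around with debug options
 #
 SRC_URI += " file://configure_ac.patch \
-file://CVE-2016-0754.patch"
+file://CVE-2016-0754.patch \
+file://CVE-2016-0755.patch"
 
 SRC_URI[md5sum] = "8d30594212e65657a5c32030f0998fa9"
 SRC_URI[sha256sum] = "899109eb3900fa6b8a2f995df7f449964292776a04763e94fae640700f883fba"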