diff options
author | Mike Crowe <mac@mcrowe.com> | 2021-09-17 17:14:33 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-09-30 00:02:22 +0100 |
commit | 33d7811e07e0b5d9fca6fdc0414ecbad181c73b6 (patch) | |
tree | 8df9b86a3baa77ffa5d9f61cb8497302329d8193 | |
parent | a1ad0499b43350368369ccd0f14abb8e89f358d3 (diff) | |
download | poky-33d7811e07e0b5d9fca6fdc0414ecbad181c73b6.tar.gz |
curl: Fix CVE-2021-22946 and CVE-2021-22947, whitelist CVE-2021-22945
curl v7.79.0 contained fixes for three CVEs:
The description of CVE-2021-22945[1] contains:
> This flaw was introduced in commit 2522903b79 but since MQTT support
> was marked 'experimental' then and not enabled in the build by default
> until curl 7.73.0 (October 14, 2020) we count that as the first flawed
> version.
which I believe means that curl v7.69.1 is not vulnerable.
curl v7.69.1 is vulnerable to both CVE-2021-22946[2] and CVE-22947[3].
These patches are from Ubuntu 20.04's curl 7.68.0 package. The patches
applied without conflicts, but I used devtool to regenerate them to
avoid fuzz warnings.
[1] https://curl.se/docs/CVE-2021-22945.html
[2] https://curl.se/docs/CVE-2021-22946.html
[3] https://curl.se/docs/CVE-2021-22947.html
(From OE-Core rev: b9b343704afc28a6182f699ef17943afacd482a8)
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch | 86 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2021-22946.patch | 328 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2021-22947.patch | 352 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.69.1.bb | 5 |
4 files changed, 770 insertions, 1 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch new file mode 100644 index 0000000000..4afd755149 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch | |||
@@ -0,0 +1,86 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 1397a7de6e312e019a3b339f855ba0a5cafa9127 Mon Sep 17 00:00:00 2001 | ||
4 | From: Daniel Stenberg <daniel@haxx.se> | ||
5 | Date: Mon, 21 Sep 2020 09:15:51 +0200 | ||
6 | Subject: [PATCH] ftp: separate FTPS from FTP over "HTTPS proxy" | ||
7 | |||
8 | When using HTTPS proxy, SSL is used but not in the view of the FTP | ||
9 | protocol handler itself so separate the connection's use of SSL from the | ||
10 | FTP control connection's sue. | ||
11 | |||
12 | Reported-by: Mingtao Yang | ||
13 | Fixes #5523 | ||
14 | Closes #6006 | ||
15 | |||
16 | Upstream-Status: backport from 7.68.0-1ubuntu2.7 | ||
17 | Signed-off-by: Mike Crowe <mac@mcrowe.com> | ||
18 | --- | ||
19 | lib/ftp.c | 13 ++++++------- | ||
20 | lib/urldata.h | 1 + | ||
21 | 2 files changed, 7 insertions(+), 7 deletions(-) | ||
22 | |||
23 | diff --git a/lib/ftp.c b/lib/ftp.c | ||
24 | index 3382772..677527f 100644 | ||
25 | --- a/lib/ftp.c | ||
26 | +++ b/lib/ftp.c | ||
27 | @@ -2488,7 +2488,7 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn) | ||
28 | { | ||
29 | CURLcode result = CURLE_OK; | ||
30 | |||
31 | - if(conn->ssl[FIRSTSOCKET].use) { | ||
32 | + if(conn->bits.ftp_use_control_ssl) { | ||
33 | /* PBSZ = PROTECTION BUFFER SIZE. | ||
34 | |||
35 | The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says: | ||
36 | @@ -2633,11 +2633,8 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) | ||
37 | } | ||
38 | #endif | ||
39 | |||
40 | - if(data->set.use_ssl && | ||
41 | - (!conn->ssl[FIRSTSOCKET].use || | ||
42 | - (conn->bits.proxy_ssl_connected[FIRSTSOCKET] && | ||
43 | - !conn->proxy_ssl[FIRSTSOCKET].use))) { | ||
44 | - /* We don't have a SSL/TLS connection yet, but FTPS is | ||
45 | + if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl) { | ||
46 | + /* We don't have a SSL/TLS control connection yet, but FTPS is | ||
47 | requested. Try a FTPS connection now */ | ||
48 | |||
49 | ftpc->count3 = 0; | ||
50 | @@ -2682,6 +2679,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) | ||
51 | result = Curl_ssl_connect(conn, FIRSTSOCKET); | ||
52 | if(!result) { | ||
53 | conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */ | ||
54 | + conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */ | ||
55 | result = ftp_state_user(conn); | ||
56 | } | ||
57 | } | ||
58 | @@ -3072,7 +3070,7 @@ static CURLcode ftp_block_statemach(struct connectdata *conn) | ||
59 | * | ||
60 | */ | ||
61 | static CURLcode ftp_connect(struct connectdata *conn, | ||
62 | - bool *done) /* see description above */ | ||
63 | + bool *done) /* see description above */ | ||
64 | { | ||
65 | CURLcode result; | ||
66 | struct ftp_conn *ftpc = &conn->proto.ftpc; | ||
67 | @@ -3093,6 +3091,7 @@ static CURLcode ftp_connect(struct connectdata *conn, | ||
68 | result = Curl_ssl_connect(conn, FIRSTSOCKET); | ||
69 | if(result) | ||
70 | return result; | ||
71 | + conn->bits.ftp_use_control_ssl = TRUE; | ||
72 | } | ||
73 | |||
74 | Curl_pp_init(pp); /* init the generic pingpong data */ | ||
75 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
76 | index ff2d686..d1fb4a9 100644 | ||
77 | --- a/lib/urldata.h | ||
78 | +++ b/lib/urldata.h | ||
79 | @@ -461,6 +461,7 @@ struct ConnectBits { | ||
80 | EPRT doesn't work we disable it for the forthcoming | ||
81 | requests */ | ||
82 | BIT(ftp_use_data_ssl); /* Enabled SSL for the data connection */ | ||
83 | + BIT(ftp_use_control_ssl); /* Enabled SSL for the control connection */ | ||
84 | #endif | ||
85 | BIT(netrc); /* name+password provided by netrc */ | ||
86 | BIT(userpwd_in_url); /* name+password found in url */ | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946.patch b/meta/recipes-support/curl/curl/CVE-2021-22946.patch new file mode 100644 index 0000000000..98032d8b78 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22946.patch | |||
@@ -0,0 +1,328 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 96d71feb27e533a8b337512841a537952916262c Mon Sep 17 00:00:00 2001 | ||
4 | From: Patrick Monnerat <patrick@monnerat.net> | ||
5 | Date: Wed, 8 Sep 2021 11:56:22 +0200 | ||
6 | Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd | ||
7 | |||
8 | In imap and pop3, check if TLS is required even when capabilities | ||
9 | request has failed. | ||
10 | |||
11 | In ftp, ignore preauthentication (230 status of server greeting) if TLS | ||
12 | is required. | ||
13 | |||
14 | Bug: https://curl.se/docs/CVE-2021-22946.html | ||
15 | Upstream-Status: backport from 7.68.0-1ubuntu2.7 | ||
16 | Signed-off-by: Mike Crowe <mac@mcrowe.com> | ||
17 | CVE: CVE-2021-22946 | ||
18 | --- | ||
19 | lib/ftp.c | 9 ++++--- | ||
20 | lib/imap.c | 24 ++++++++---------- | ||
21 | lib/pop3.c | 33 +++++++++++------------- | ||
22 | tests/data/Makefile.inc | 2 ++ | ||
23 | tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++ | ||
24 | tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++ | ||
25 | tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++ | ||
26 | 7 files changed, 195 insertions(+), 36 deletions(-) | ||
27 | create mode 100644 tests/data/test984 | ||
28 | create mode 100644 tests/data/test985 | ||
29 | create mode 100644 tests/data/test986 | ||
30 | |||
31 | diff --git a/lib/ftp.c b/lib/ftp.c | ||
32 | index 677527f..91b43d8 100644 | ||
33 | --- a/lib/ftp.c | ||
34 | +++ b/lib/ftp.c | ||
35 | @@ -2606,9 +2606,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) | ||
36 | /* we have now received a full FTP server response */ | ||
37 | switch(ftpc->state) { | ||
38 | case FTP_WAIT220: | ||
39 | - if(ftpcode == 230) | ||
40 | - /* 230 User logged in - already! */ | ||
41 | - return ftp_state_user_resp(conn, ftpcode, ftpc->state); | ||
42 | + if(ftpcode == 230) { | ||
43 | + /* 230 User logged in - already! Take as 220 if TLS required. */ | ||
44 | + if(data->set.use_ssl <= CURLUSESSL_TRY || | ||
45 | + conn->bits.ftp_use_control_ssl) | ||
46 | + return ftp_state_user_resp(conn, ftpcode, ftpc->state); | ||
47 | + } | ||
48 | else if(ftpcode != 220) { | ||
49 | failf(data, "Got a %03d ftp-server response when 220 was expected", | ||
50 | ftpcode); | ||
51 | diff --git a/lib/imap.c b/lib/imap.c | ||
52 | index 66172bd..9880ce1 100644 | ||
53 | --- a/lib/imap.c | ||
54 | +++ b/lib/imap.c | ||
55 | @@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn, | ||
56 | line += wordlen; | ||
57 | } | ||
58 | } | ||
59 | - else if(imapcode == IMAP_RESP_OK) { | ||
60 | - if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { | ||
61 | - /* We don't have a SSL/TLS connection yet, but SSL is requested */ | ||
62 | - if(imapc->tls_supported) | ||
63 | - /* Switch to TLS connection now */ | ||
64 | - result = imap_perform_starttls(conn); | ||
65 | - else if(data->set.use_ssl == CURLUSESSL_TRY) | ||
66 | - /* Fallback and carry on with authentication */ | ||
67 | - result = imap_perform_authentication(conn); | ||
68 | - else { | ||
69 | - failf(data, "STARTTLS not supported."); | ||
70 | - result = CURLE_USE_SSL_FAILED; | ||
71 | - } | ||
72 | + else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { | ||
73 | + /* PREAUTH is not compatible with STARTTLS. */ | ||
74 | + if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) { | ||
75 | + /* Switch to TLS connection now */ | ||
76 | + result = imap_perform_starttls(conn); | ||
77 | } | ||
78 | - else | ||
79 | + else if(data->set.use_ssl <= CURLUSESSL_TRY) | ||
80 | result = imap_perform_authentication(conn); | ||
81 | + else { | ||
82 | + failf(data, "STARTTLS not available."); | ||
83 | + result = CURLE_USE_SSL_FAILED; | ||
84 | + } | ||
85 | } | ||
86 | else | ||
87 | result = imap_perform_authentication(conn); | ||
88 | diff --git a/lib/pop3.c b/lib/pop3.c | ||
89 | index 57c1373..145b2b4 100644 | ||
90 | --- a/lib/pop3.c | ||
91 | +++ b/lib/pop3.c | ||
92 | @@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code, | ||
93 | } | ||
94 | } | ||
95 | } | ||
96 | - else if(pop3code == '+') { | ||
97 | - if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { | ||
98 | - /* We don't have a SSL/TLS connection yet, but SSL is requested */ | ||
99 | - if(pop3c->tls_supported) | ||
100 | - /* Switch to TLS connection now */ | ||
101 | - result = pop3_perform_starttls(conn); | ||
102 | - else if(data->set.use_ssl == CURLUSESSL_TRY) | ||
103 | - /* Fallback and carry on with authentication */ | ||
104 | - result = pop3_perform_authentication(conn); | ||
105 | - else { | ||
106 | - failf(data, "STLS not supported."); | ||
107 | - result = CURLE_USE_SSL_FAILED; | ||
108 | - } | ||
109 | - } | ||
110 | - else | ||
111 | - result = pop3_perform_authentication(conn); | ||
112 | - } | ||
113 | else { | ||
114 | /* Clear text is supported when CAPA isn't recognised */ | ||
115 | - pop3c->authtypes |= POP3_TYPE_CLEARTEXT; | ||
116 | + if(pop3code != '+') | ||
117 | + pop3c->authtypes |= POP3_TYPE_CLEARTEXT; | ||
118 | |||
119 | - result = pop3_perform_authentication(conn); | ||
120 | + if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use) | ||
121 | + result = pop3_perform_authentication(conn); | ||
122 | + else if(pop3code == '+' && pop3c->tls_supported) | ||
123 | + /* Switch to TLS connection now */ | ||
124 | + result = pop3_perform_starttls(conn); | ||
125 | + else if(data->set.use_ssl <= CURLUSESSL_TRY) | ||
126 | + /* Fallback and carry on with authentication */ | ||
127 | + result = pop3_perform_authentication(conn); | ||
128 | + else { | ||
129 | + failf(data, "STLS not supported."); | ||
130 | + result = CURLE_USE_SSL_FAILED; | ||
131 | + } | ||
132 | } | ||
133 | |||
134 | return result; | ||
135 | diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
136 | index f9535a6..0fa6799 100644 | ||
137 | --- a/tests/data/Makefile.inc | ||
138 | +++ b/tests/data/Makefile.inc | ||
139 | @@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ | ||
140 | test954 test955 test956 test957 test958 test959 test960 test961 test962 \ | ||
141 | test963 test964 test965 test966 test967 test968 test969 \ | ||
142 | \ | ||
143 | +test984 test985 test986 \ | ||
144 | +\ | ||
145 | test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ | ||
146 | test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ | ||
147 | test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ | ||
148 | diff --git a/tests/data/test984 b/tests/data/test984 | ||
149 | new file mode 100644 | ||
150 | index 0000000..e573f23 | ||
151 | --- /dev/null | ||
152 | +++ b/tests/data/test984 | ||
153 | @@ -0,0 +1,56 @@ | ||
154 | +<testcase> | ||
155 | +<info> | ||
156 | +<keywords> | ||
157 | +IMAP | ||
158 | +STARTTLS | ||
159 | +</keywords> | ||
160 | +</info> | ||
161 | + | ||
162 | +# | ||
163 | +# Server-side | ||
164 | +<reply> | ||
165 | +<servercmd> | ||
166 | +REPLY CAPABILITY A001 BAD Not implemented | ||
167 | +</servercmd> | ||
168 | +</reply> | ||
169 | + | ||
170 | +# | ||
171 | +# Client-side | ||
172 | +<client> | ||
173 | +<features> | ||
174 | +SSL | ||
175 | +</features> | ||
176 | +<server> | ||
177 | +imap | ||
178 | +</server> | ||
179 | + <name> | ||
180 | +IMAP require STARTTLS with failing capabilities | ||
181 | + </name> | ||
182 | + <command> | ||
183 | +imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd | ||
184 | +</command> | ||
185 | +<file name="log/upload%TESTNUMBER"> | ||
186 | +Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) | ||
187 | +From: Fred Foobar <foobar@example.COM> | ||
188 | +Subject: afternoon meeting | ||
189 | +To: joe@example.com | ||
190 | +Message-Id: <B27397-0100000@example.COM> | ||
191 | +MIME-Version: 1.0 | ||
192 | +Content-Type: TEXT/PLAIN; CHARSET=US-ASCII | ||
193 | + | ||
194 | +Hello Joe, do you think we can meet at 3:30 tomorrow? | ||
195 | +</file> | ||
196 | +</client> | ||
197 | + | ||
198 | +# | ||
199 | +# Verify data after the test has been "shot" | ||
200 | +<verify> | ||
201 | +# 64 is CURLE_USE_SSL_FAILED | ||
202 | +<errorcode> | ||
203 | +64 | ||
204 | +</errorcode> | ||
205 | +<protocol> | ||
206 | +A001 CAPABILITY | ||
207 | +</protocol> | ||
208 | +</verify> | ||
209 | +</testcase> | ||
210 | diff --git a/tests/data/test985 b/tests/data/test985 | ||
211 | new file mode 100644 | ||
212 | index 0000000..d0db4aa | ||
213 | --- /dev/null | ||
214 | +++ b/tests/data/test985 | ||
215 | @@ -0,0 +1,54 @@ | ||
216 | +<testcase> | ||
217 | +<info> | ||
218 | +<keywords> | ||
219 | +POP3 | ||
220 | +STARTTLS | ||
221 | +</keywords> | ||
222 | +</info> | ||
223 | + | ||
224 | +# | ||
225 | +# Server-side | ||
226 | +<reply> | ||
227 | +<servercmd> | ||
228 | +REPLY CAPA -ERR Not implemented | ||
229 | +</servercmd> | ||
230 | +<data nocheck="yes"> | ||
231 | +From: me@somewhere | ||
232 | +To: fake@nowhere | ||
233 | + | ||
234 | +body | ||
235 | + | ||
236 | +-- | ||
237 | + yours sincerely | ||
238 | +</data> | ||
239 | +</reply> | ||
240 | + | ||
241 | +# | ||
242 | +# Client-side | ||
243 | +<client> | ||
244 | +<features> | ||
245 | +SSL | ||
246 | +</features> | ||
247 | +<server> | ||
248 | +pop3 | ||
249 | +</server> | ||
250 | + <name> | ||
251 | +POP3 require STARTTLS with failing capabilities | ||
252 | + </name> | ||
253 | + <command> | ||
254 | +pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd | ||
255 | + </command> | ||
256 | +</client> | ||
257 | + | ||
258 | +# | ||
259 | +# Verify data after the test has been "shot" | ||
260 | +<verify> | ||
261 | +# 64 is CURLE_USE_SSL_FAILED | ||
262 | +<errorcode> | ||
263 | +64 | ||
264 | +</errorcode> | ||
265 | +<protocol> | ||
266 | +CAPA | ||
267 | +</protocol> | ||
268 | +</verify> | ||
269 | +</testcase> | ||
270 | diff --git a/tests/data/test986 b/tests/data/test986 | ||
271 | new file mode 100644 | ||
272 | index 0000000..a709437 | ||
273 | --- /dev/null | ||
274 | +++ b/tests/data/test986 | ||
275 | @@ -0,0 +1,53 @@ | ||
276 | +<testcase> | ||
277 | +<info> | ||
278 | +<keywords> | ||
279 | +FTP | ||
280 | +STARTTLS | ||
281 | +</keywords> | ||
282 | +</info> | ||
283 | + | ||
284 | +# | ||
285 | +# Server-side | ||
286 | +<reply> | ||
287 | +<servercmd> | ||
288 | +REPLY welcome 230 Welcome | ||
289 | +REPLY AUTH 500 unknown command | ||
290 | +</servercmd> | ||
291 | +</reply> | ||
292 | + | ||
293 | +# Client-side | ||
294 | +<client> | ||
295 | +<features> | ||
296 | +SSL | ||
297 | +</features> | ||
298 | +<server> | ||
299 | +ftp | ||
300 | +</server> | ||
301 | + <name> | ||
302 | +FTP require STARTTLS while preauthenticated | ||
303 | + </name> | ||
304 | +<file name="log/test%TESTNUMBER.txt"> | ||
305 | +data | ||
306 | + to | ||
307 | + see | ||
308 | +that FTPS | ||
309 | +works | ||
310 | + so does it? | ||
311 | +</file> | ||
312 | + <command> | ||
313 | +--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret | ||
314 | +</command> | ||
315 | +</client> | ||
316 | + | ||
317 | +# Verify data after the test has been "shot" | ||
318 | +<verify> | ||
319 | +# 64 is CURLE_USE_SSL_FAILED | ||
320 | +<errorcode> | ||
321 | +64 | ||
322 | +</errorcode> | ||
323 | +<protocol> | ||
324 | +AUTH SSL | ||
325 | +AUTH TLS | ||
326 | +</protocol> | ||
327 | +</verify> | ||
328 | +</testcase> | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22947.patch b/meta/recipes-support/curl/curl/CVE-2021-22947.patch new file mode 100644 index 0000000000..070a328e27 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22947.patch | |||
@@ -0,0 +1,352 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 259b4f2e1fd01fbc55e569ee0a507afeae34f77c Mon Sep 17 00:00:00 2001 | ||
4 | From: Patrick Monnerat <patrick@monnerat.net> | ||
5 | Date: Tue, 7 Sep 2021 13:26:42 +0200 | ||
6 | Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response | ||
7 | pipelining | ||
8 | |||
9 | If a server pipelines future responses within the STARTTLS response, the | ||
10 | former are preserved in the pingpong cache across TLS negotiation and | ||
11 | used as responses to the encrypted commands. | ||
12 | |||
13 | This fix detects pipelined STARTTLS responses and rejects them with an | ||
14 | error. | ||
15 | |||
16 | Bug: https://curl.se/docs/CVE-2021-22947.html | ||
17 | Upstream-Status: backport from 7.68.0-1ubuntu2.7 | ||
18 | Signed-off-by: Mike Crowe <mac@mcrowe.com> | ||
19 | CVE: CVE-2021-22947 | ||
20 | |||
21 | --- | ||
22 | lib/ftp.c | 3 +++ | ||
23 | lib/imap.c | 4 +++ | ||
24 | lib/pop3.c | 4 +++ | ||
25 | lib/smtp.c | 4 +++ | ||
26 | tests/data/Makefile.inc | 2 ++ | ||
27 | tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++ | ||
28 | tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++ | ||
29 | tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++ | ||
30 | tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++ | ||
31 | 9 files changed, 237 insertions(+) | ||
32 | create mode 100644 tests/data/test980 | ||
33 | create mode 100644 tests/data/test981 | ||
34 | create mode 100644 tests/data/test982 | ||
35 | create mode 100644 tests/data/test983 | ||
36 | |||
37 | diff --git a/lib/ftp.c b/lib/ftp.c | ||
38 | index 91b43d8..31a34e8 100644 | ||
39 | --- a/lib/ftp.c | ||
40 | +++ b/lib/ftp.c | ||
41 | @@ -2670,6 +2670,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) | ||
42 | case FTP_AUTH: | ||
43 | /* we have gotten the response to a previous AUTH command */ | ||
44 | |||
45 | + if(pp->cache_size) | ||
46 | + return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */ | ||
47 | + | ||
48 | /* RFC2228 (page 5) says: | ||
49 | * | ||
50 | * If the server is willing to accept the named security mechanism, | ||
51 | diff --git a/lib/imap.c b/lib/imap.c | ||
52 | index 9880ce1..0ca700f 100644 | ||
53 | --- a/lib/imap.c | ||
54 | +++ b/lib/imap.c | ||
55 | @@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn, | ||
56 | |||
57 | (void)instate; /* no use for this yet */ | ||
58 | |||
59 | + /* Pipelining in response is forbidden. */ | ||
60 | + if(data->conn->proto.imapc.pp.cache_size) | ||
61 | + return CURLE_WEIRD_SERVER_REPLY; | ||
62 | + | ||
63 | if(imapcode != IMAP_RESP_OK) { | ||
64 | if(data->set.use_ssl != CURLUSESSL_TRY) { | ||
65 | failf(data, "STARTTLS denied"); | ||
66 | diff --git a/lib/pop3.c b/lib/pop3.c | ||
67 | index 145b2b4..8a2d52e 100644 | ||
68 | --- a/lib/pop3.c | ||
69 | +++ b/lib/pop3.c | ||
70 | @@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn, | ||
71 | |||
72 | (void)instate; /* no use for this yet */ | ||
73 | |||
74 | + /* Pipelining in response is forbidden. */ | ||
75 | + if(data->conn->proto.pop3c.pp.cache_size) | ||
76 | + return CURLE_WEIRD_SERVER_REPLY; | ||
77 | + | ||
78 | if(pop3code != '+') { | ||
79 | if(data->set.use_ssl != CURLUSESSL_TRY) { | ||
80 | failf(data, "STARTTLS denied"); | ||
81 | diff --git a/lib/smtp.c b/lib/smtp.c | ||
82 | index e187287..66183e2 100644 | ||
83 | --- a/lib/smtp.c | ||
84 | +++ b/lib/smtp.c | ||
85 | @@ -820,6 +820,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn, | ||
86 | |||
87 | (void)instate; /* no use for this yet */ | ||
88 | |||
89 | + /* Pipelining in response is forbidden. */ | ||
90 | + if(data->conn->proto.smtpc.pp.cache_size) | ||
91 | + return CURLE_WEIRD_SERVER_REPLY; | ||
92 | + | ||
93 | if(smtpcode != 220) { | ||
94 | if(data->set.use_ssl != CURLUSESSL_TRY) { | ||
95 | failf(data, "STARTTLS denied, code %d", smtpcode); | ||
96 | diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
97 | index 0fa6799..60e8176 100644 | ||
98 | --- a/tests/data/Makefile.inc | ||
99 | +++ b/tests/data/Makefile.inc | ||
100 | @@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ | ||
101 | test954 test955 test956 test957 test958 test959 test960 test961 test962 \ | ||
102 | test963 test964 test965 test966 test967 test968 test969 \ | ||
103 | \ | ||
104 | +test980 test981 test982 test983 \ | ||
105 | +\ | ||
106 | test984 test985 test986 \ | ||
107 | \ | ||
108 | test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ | ||
109 | diff --git a/tests/data/test980 b/tests/data/test980 | ||
110 | new file mode 100644 | ||
111 | index 0000000..97567f8 | ||
112 | --- /dev/null | ||
113 | +++ b/tests/data/test980 | ||
114 | @@ -0,0 +1,52 @@ | ||
115 | +<testcase> | ||
116 | +<info> | ||
117 | +<keywords> | ||
118 | +SMTP | ||
119 | +STARTTLS | ||
120 | +</keywords> | ||
121 | +</info> | ||
122 | + | ||
123 | +# | ||
124 | +# Server-side | ||
125 | +<reply> | ||
126 | +<servercmd> | ||
127 | +CAPA STARTTLS | ||
128 | +AUTH PLAIN | ||
129 | +REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted | ||
130 | +REPLY AUTH 535 5.7.8 Authentication credentials invalid | ||
131 | +</servercmd> | ||
132 | +</reply> | ||
133 | + | ||
134 | +# | ||
135 | +# Client-side | ||
136 | +<client> | ||
137 | +<features> | ||
138 | +SSL | ||
139 | +</features> | ||
140 | +<server> | ||
141 | +smtp | ||
142 | +</server> | ||
143 | + <name> | ||
144 | +SMTP STARTTLS pipelined server response | ||
145 | + </name> | ||
146 | +<stdin> | ||
147 | +mail body | ||
148 | +</stdin> | ||
149 | + <command> | ||
150 | +smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T - | ||
151 | +</command> | ||
152 | +</client> | ||
153 | + | ||
154 | +# | ||
155 | +# Verify data after the test has been "shot" | ||
156 | +<verify> | ||
157 | +# 8 is CURLE_WEIRD_SERVER_REPLY | ||
158 | +<errorcode> | ||
159 | +8 | ||
160 | +</errorcode> | ||
161 | +<protocol> | ||
162 | +EHLO %TESTNUMBER | ||
163 | +STARTTLS | ||
164 | +</protocol> | ||
165 | +</verify> | ||
166 | +</testcase> | ||
167 | diff --git a/tests/data/test981 b/tests/data/test981 | ||
168 | new file mode 100644 | ||
169 | index 0000000..2b98ce4 | ||
170 | --- /dev/null | ||
171 | +++ b/tests/data/test981 | ||
172 | @@ -0,0 +1,59 @@ | ||
173 | +<testcase> | ||
174 | +<info> | ||
175 | +<keywords> | ||
176 | +IMAP | ||
177 | +STARTTLS | ||
178 | +</keywords> | ||
179 | +</info> | ||
180 | + | ||
181 | +# | ||
182 | +# Server-side | ||
183 | +<reply> | ||
184 | +<servercmd> | ||
185 | +CAPA STARTTLS | ||
186 | +REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted | ||
187 | +REPLY LOGIN A003 BAD Authentication credentials invalid | ||
188 | +</servercmd> | ||
189 | +</reply> | ||
190 | + | ||
191 | +# | ||
192 | +# Client-side | ||
193 | +<client> | ||
194 | +<features> | ||
195 | +SSL | ||
196 | +</features> | ||
197 | +<server> | ||
198 | +imap | ||
199 | +</server> | ||
200 | + <name> | ||
201 | +IMAP STARTTLS pipelined server response | ||
202 | + </name> | ||
203 | + <command> | ||
204 | +imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl | ||
205 | +</command> | ||
206 | +<file name="log/upload%TESTNUMBER"> | ||
207 | +Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) | ||
208 | +From: Fred Foobar <foobar@example.COM> | ||
209 | +Subject: afternoon meeting | ||
210 | +To: joe@example.com | ||
211 | +Message-Id: <B27397-0100000@example.COM> | ||
212 | +MIME-Version: 1.0 | ||
213 | +Content-Type: TEXT/PLAIN; CHARSET=US-ASCII | ||
214 | + | ||
215 | +Hello Joe, do you think we can meet at 3:30 tomorrow? | ||
216 | +</file> | ||
217 | +</client> | ||
218 | + | ||
219 | +# | ||
220 | +# Verify data after the test has been "shot" | ||
221 | +<verify> | ||
222 | +# 8 is CURLE_WEIRD_SERVER_REPLY | ||
223 | +<errorcode> | ||
224 | +8 | ||
225 | +</errorcode> | ||
226 | +<protocol> | ||
227 | +A001 CAPABILITY | ||
228 | +A002 STARTTLS | ||
229 | +</protocol> | ||
230 | +</verify> | ||
231 | +</testcase> | ||
232 | diff --git a/tests/data/test982 b/tests/data/test982 | ||
233 | new file mode 100644 | ||
234 | index 0000000..9e07cc0 | ||
235 | --- /dev/null | ||
236 | +++ b/tests/data/test982 | ||
237 | @@ -0,0 +1,57 @@ | ||
238 | +<testcase> | ||
239 | +<info> | ||
240 | +<keywords> | ||
241 | +POP3 | ||
242 | +STARTTLS | ||
243 | +</keywords> | ||
244 | +</info> | ||
245 | + | ||
246 | +# | ||
247 | +# Server-side | ||
248 | +<reply> | ||
249 | +<servercmd> | ||
250 | +CAPA STLS USER | ||
251 | +REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated | ||
252 | +REPLY PASS -ERR Authentication credentials invalid | ||
253 | +</servercmd> | ||
254 | +<data nocheck="yes"> | ||
255 | +From: me@somewhere | ||
256 | +To: fake@nowhere | ||
257 | + | ||
258 | +body | ||
259 | + | ||
260 | +-- | ||
261 | + yours sincerely | ||
262 | +</data> | ||
263 | +</reply> | ||
264 | + | ||
265 | +# | ||
266 | +# Client-side | ||
267 | +<client> | ||
268 | +<features> | ||
269 | +SSL | ||
270 | +</features> | ||
271 | +<server> | ||
272 | +pop3 | ||
273 | +</server> | ||
274 | + <name> | ||
275 | +POP3 STARTTLS pipelined server response | ||
276 | + </name> | ||
277 | + <command> | ||
278 | +pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl | ||
279 | + </command> | ||
280 | +</client> | ||
281 | + | ||
282 | +# | ||
283 | +# Verify data after the test has been "shot" | ||
284 | +<verify> | ||
285 | +# 8 is CURLE_WEIRD_SERVER_REPLY | ||
286 | +<errorcode> | ||
287 | +8 | ||
288 | +</errorcode> | ||
289 | +<protocol> | ||
290 | +CAPA | ||
291 | +STLS | ||
292 | +</protocol> | ||
293 | +</verify> | ||
294 | +</testcase> | ||
295 | diff --git a/tests/data/test983 b/tests/data/test983 | ||
296 | new file mode 100644 | ||
297 | index 0000000..300ec45 | ||
298 | --- /dev/null | ||
299 | +++ b/tests/data/test983 | ||
300 | @@ -0,0 +1,52 @@ | ||
301 | +<testcase> | ||
302 | +<info> | ||
303 | +<keywords> | ||
304 | +FTP | ||
305 | +STARTTLS | ||
306 | +</keywords> | ||
307 | +</info> | ||
308 | + | ||
309 | +# | ||
310 | +# Server-side | ||
311 | +<reply> | ||
312 | +<servercmd> | ||
313 | +REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete | ||
314 | +REPLY PASS 530 Login incorrect | ||
315 | +</servercmd> | ||
316 | +</reply> | ||
317 | + | ||
318 | +# Client-side | ||
319 | +<client> | ||
320 | +<features> | ||
321 | +SSL | ||
322 | +</features> | ||
323 | +<server> | ||
324 | +ftp | ||
325 | +</server> | ||
326 | + <name> | ||
327 | +FTP STARTTLS pipelined server response | ||
328 | + </name> | ||
329 | +<file name="log/test%TESTNUMBER.txt"> | ||
330 | +data | ||
331 | + to | ||
332 | + see | ||
333 | +that FTPS | ||
334 | +works | ||
335 | + so does it? | ||
336 | +</file> | ||
337 | + <command> | ||
338 | +--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP | ||
339 | +</command> | ||
340 | +</client> | ||
341 | + | ||
342 | +# Verify data after the test has been "shot" | ||
343 | +<verify> | ||
344 | +# 8 is CURLE_WEIRD_SERVER_REPLY | ||
345 | +<errorcode> | ||
346 | +8 | ||
347 | +</errorcode> | ||
348 | +<protocol> | ||
349 | +AUTH SSL | ||
350 | +</protocol> | ||
351 | +</verify> | ||
352 | +</testcase> | ||
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 21c673feda..d7ffb2dc50 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb | |||
@@ -22,6 +22,9 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ | |||
22 | file://CVE-2021-22898.patch \ | 22 | file://CVE-2021-22898.patch \ |
23 | file://CVE-2021-22924.patch \ | 23 | file://CVE-2021-22924.patch \ |
24 | file://CVE-2021-22925.patch \ | 24 | file://CVE-2021-22925.patch \ |
25 | file://CVE-2021-22946-pre1.patch \ | ||
26 | file://CVE-2021-22946.patch \ | ||
27 | file://CVE-2021-22947.patch \ | ||
25 | " | 28 | " |
26 | 29 | ||
27 | SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" | 30 | SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" |
@@ -29,7 +32,7 @@ SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a5 | |||
29 | 32 | ||
30 | # Curl has used many names over the years... | 33 | # Curl has used many names over the years... |
31 | CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" | 34 | CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" |
32 | CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926" | 35 | CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-22945" |
33 | 36 | ||
34 | inherit autotools pkgconfig binconfig multilib_header | 37 | inherit autotools pkgconfig binconfig multilib_header |
35 | 38 | ||