curl: Fix CVE-2021-22924 and CVE-2021-22925

curl v7.78 contained fixes for five CVEs: CVE-2021-22922[1] and CVE-2021-22923[2] are only present when support for metalink is enabled. EXTRA_OECONF contains "--without-libmetalink" so these fixes are unnecessary. CVE-2021-22926[3] only affects builds for MacOS. CVE-2021-22924[4] and CVE-2021-22925[5] are both applicable. Take the patches from Ubuntu 20.04 curl_7.68.0-1ubuntu2.6 package which is close enough that the patch for CVE-2021-22924 applies without conflicts.. [1] https://curl.se/docs/CVE-2021-22922.html [2] https://curl.se/docs/CVE-2021-22923.html [3] https://curl.se/docs/CVE-2021-22926.html [4] https://curl.se/docs/CVE-2021-22924.html [5] https://curl.se/docs/CVE-2021-22925.html (From OE-Core rev: 3631da82b3542df1c1e4bbd499fc2dbe67f5f3ec) Signed-off-by: Mike Crowe <mac@mcrowe.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Mike Crowe <mac@mcrowe.com> 2021-08-04 18:05:52 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-08-10 11:14:11 +0100
commit: 462de8f86f25b482145853ccbb5601fde28ab7da (patch)
tree: 829dd3c1769f12e6c058d21726d0377e08072562
parent: 02476f72f47b328ce53734da11baf4d68a0b44f2 (diff)
download: poky-462de8f86f25b482145853ccbb5601fde28ab7da.tar.gz
3 files changed, 272 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22924.patch b/meta/recipes-support/curl/curl/CVE-2021-22924.patch
new file mode 100644
index 0000000000..68fde45ddf
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22924.patch
@@ -0,0 +1,226 @@
+Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and
+ case sensitivity CVE-2021-22924
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2021-22924.html
+CVE: CVE-2021-22924
+Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/url.c          |  5 +++--
+ lib/urldata.h      |  2 +-
+ lib/vtls/gtls.c    | 10 +++++-----
+ lib/vtls/nss.c     |  4 ++--
+ lib/vtls/openssl.c | 12 ++++++------
+ lib/vtls/vtls.c    | 23 ++++++++++++++++++-----
+ 6 files changed, 35 insertions(+), 21 deletions(-)
+diff --git a/lib/url.c b/lib/url.c
+index 47fc66aed..eebad8d32 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -3555,6 +3555,9 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
+   data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
+   data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
+  data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
+  data->set.proxy_ssl.primary.issuercert =
+    data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+   data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+   data->set.proxy_ssl.primary.random_file =
+     data->set.str[STRING_SSL_RANDOM_FILE];
+@@ -3575,8 +3578,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+ 
+   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
+   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+-  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
+-  data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+   data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
+   data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
+   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
+diff --git a/lib/urldata.h b/lib/urldata.h
+index fbb8b645e..615fbf369 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -224,6 +224,7 @@ struct ssl_primary_config {
+   long version_max;      /* max supported version the client wants to use*/
+   char *CApath;          /* certificate dir (doesn't work on windows) */
+   char *CAfile;          /* certificate to verify peer against */
+  char *issuercert;      /* optional issuer certificate filename */
+   char *clientcert;
+   char *random_file;     /* path to file containing "random" data */
+   char *egdsocket;       /* path to file containing the EGD daemon socket */
+@@ -240,7 +241,6 @@ struct ssl_config_data {
+   struct ssl_primary_config primary;
+   long certverifyresult; /* result from the certificate verification */
+   char *CRLfile;   /* CRL to check certificate revocation */
+-  char *issuercert;/* optional issuer certificate filename */
+   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+   void *fsslctxp;        /* parameter for call back */
+   char *cert; /* client certificate file name */
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 46e149c7d..8c051024f 100644
+--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
+@@ -1059,7 +1059,7 @@ gtls_connect_step3(struct connectdata *conn,
+   if(!chainp) {
+     if(SSL_CONN_CONFIG(verifypeer) ||
+        SSL_CONN_CONFIG(verifyhost) ||
+-       SSL_SET_OPTION(issuercert)) {
+       SSL_CONN_CONFIG(issuercert)) {
+ #ifdef USE_TLS_SRP
+       if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+          && SSL_SET_OPTION(username) != NULL
+@@ -1241,21 +1241,21 @@ gtls_connect_step3(struct connectdata *conn,
+        gnutls_x509_crt_t format */
+     gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
+ 
+-  if(SSL_SET_OPTION(issuercert)) {
+  if(SSL_CONN_CONFIG(issuercert)) {
+     gnutls_x509_crt_init(&x509_issuer);
+-    issuerp = load_file(SSL_SET_OPTION(issuercert));
+    issuerp = load_file(SSL_CONN_CONFIG(issuercert));
+     gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
+     rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
+     gnutls_x509_crt_deinit(x509_issuer);
+     unload_file(issuerp);
+     if(rc <= 0) {
+       failf(data, "server certificate issuer check failed (IssuerCert: %s)",
+-            SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
+            SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+       gnutls_x509_crt_deinit(x509_cert);
+       return CURLE_SSL_ISSUER_ERROR;
+     }
+     infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
+-          SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
+          SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+   }
+ 
+   size = sizeof(certbuf);
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index ef51b0d91..375c78b1b 100644
+--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
+@@ -2151,9 +2151,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
+   if(result)
+     goto error;
+ 
+-  if(SSL_SET_OPTION(issuercert)) {
+  if(SSL_CONN_CONFIG(issuercert)) {
+     SECStatus ret = SECFailure;
+-    char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
+    char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
+     if(nickname) {
+       /* we support only nicknames in case of issuercert for now */
+       ret = check_issuer_cert(BACKEND->handle, nickname);
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 64f43605a..7e81fd3a0 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -3547,7 +3547,7 @@ static CURLcode servercert(struct connectdata *conn,
+        deallocating the certificate. */
+ 
+     /* e.g. match issuer name with provided issuer certificate */
+-    if(SSL_SET_OPTION(issuercert)) {
+    if(SSL_CONN_CONFIG(issuercert)) {
+       fp = BIO_new(BIO_s_file());
+       if(fp == NULL) {
+         failf(data,
+@@ -3560,10 +3560,10 @@ static CURLcode servercert(struct connectdata *conn,
+         return CURLE_OUT_OF_MEMORY;
+       }
+ 
+-      if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
+      if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
+         if(strict)
+           failf(data, "SSL: Unable to open issuer cert (%s)",
+-                SSL_SET_OPTION(issuercert));
+                SSL_CONN_CONFIG(issuercert));
+         BIO_free(fp);
+         X509_free(BACKEND->server_cert);
+         BACKEND->server_cert = NULL;
+@@ -3574,7 +3574,7 @@ static CURLcode servercert(struct connectdata *conn,
+       if(!issuer) {
+         if(strict)
+           failf(data, "SSL: Unable to read issuer cert (%s)",
+-                SSL_SET_OPTION(issuercert));
+                SSL_CONN_CONFIG(issuercert));
+         BIO_free(fp);
+         X509_free(issuer);
+         X509_free(BACKEND->server_cert);
+@@ -3585,7 +3585,7 @@ static CURLcode servercert(struct connectdata *conn,
+       if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {
+         if(strict)
+           failf(data, "SSL: Certificate issuer check failed (%s)",
+-                SSL_SET_OPTION(issuercert));
+                SSL_CONN_CONFIG(issuercert));
+         BIO_free(fp);
+         X509_free(issuer);
+         X509_free(BACKEND->server_cert);
+@@ -3594,7 +3594,7 @@ static CURLcode servercert(struct connectdata *conn,
+       }
+ 
+       infof(data, " SSL certificate issuer check ok (%s)\n",
+-            SSL_SET_OPTION(issuercert));
+            SSL_CONN_CONFIG(issuercert));
+       BIO_free(fp);
+       X509_free(issuer);
+     }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index aaf73ef8f..8c681da14 100644
+--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
+@@ -82,6 +82,16 @@
+   else                                       \
+     dest->var = NULL;
+ 
+static bool safecmp(char *a, char *b)
+{
+  if(a && b)
+    return !strcmp(a, b);
+  else if(!a && !b)
+    return TRUE; /* match */
+  return FALSE; /* no match */
+}
+
+
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config* data,
+                         struct ssl_primary_config* needle)
+@@ -91,11 +101,12 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
+      (data->verifypeer == needle->verifypeer) &&
+      (data->verifyhost == needle->verifyhost) &&
+      (data->verifystatus == needle->verifystatus) &&
+-     Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
+-     Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
+-     Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
+-     Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
+-     Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
+     safecmp(data->CApath, needle->CApath) &&
+     safecmp(data->CAfile, needle->CAfile) &&
+     safecmp(data->issuercert, needle->issuercert) &&
+     safecmp(data->clientcert, needle->clientcert) &&
+     safecmp(data->random_file, needle->random_file) &&
+     safecmp(data->egdsocket, needle->egdsocket) &&
+      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+      Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
+@@ -117,6 +128,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+ 
+   CLONE_STRING(CApath);
+   CLONE_STRING(CAfile);
+  CLONE_STRING(issuercert);
+   CLONE_STRING(clientcert);
+   CLONE_STRING(random_file);
+   CLONE_STRING(egdsocket);
+@@ -131,6 +143,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
+ {
+   Curl_safefree(sslc->CApath);
+   Curl_safefree(sslc->CAfile);
+  Curl_safefree(sslc->issuercert);
+   Curl_safefree(sslc->clientcert);
+   Curl_safefree(sslc->random_file);
+   Curl_safefree(sslc->egdsocket);
+-- 
+2.30.2
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22925.patch b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
new file mode 100644
index 0000000000..13b55f76be
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
@@ -0,0 +1,43 @@
+Subject: [PATCH] telnet: fix option parser to not send uninitialized
+ contents CVE-2021-22925
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+CVE: CVE-2021-22925
+Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/telnet.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 4bf4c652c..3347ad6d1 100644
+--- a/lib/telnet.c
+++ b/lib/telnet.c
+@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
+         size_t tmplen = (strlen(v->data) + 1);
+         /* Add the variable only if it fits */
+         if(len + tmplen < (int)sizeof(temp)-6) {
+-          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+-            msnprintf((char *)&temp[len], sizeof(temp) - len,
+-                      "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+-                      CURL_NEW_ENV_VALUE, varval);
+-            len += tmplen;
+-          }
+          int rv;
+          char sep[2] = "";
+          varval[0] = 0;
+          rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
+          if(rv == 1)
+            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
+                             "%c%s", CURL_NEW_ENV_VAR, varname);
+          else if(rv >= 2)
+            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
+                             "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+                             CURL_NEW_ENV_VALUE, varval);
+         }
+       }
+       msnprintf((char *)&temp[len], sizeof(temp) - len,
+-- 
+2.30.2
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 9b510bcf9f..21c673feda 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -20,6 +20,8 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://CVE-2021-22876.patch \
           file://CVE-2021-22890.patch \
           file://CVE-2021-22898.patch \
+           file://CVE-2021-22924.patch \
+           file://CVE-2021-22925.patch \
 "
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
@@ -27,6 +29,7 @@ SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a5
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
+CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926"
 inherit autotools pkgconfig binconfig multilib_header
author	Mike Crowe <mac@mcrowe.com>	2021-08-04 18:05:52 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-08-10 11:14:11 +0100
commit	462de8f86f25b482145853ccbb5601fde28ab7da (patch)
tree	829dd3c1769f12e6c058d21726d0377e08072562
parent	02476f72f47b328ce53734da11baf4d68a0b44f2 (diff)
download	poky-462de8f86f25b482145853ccbb5601fde28ab7da.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22924.patch b/meta/recipes-support/curl/curl/CVE-2021-22924.patch new file mode 100644 index 0000000000..68fde45ddf --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22924.patch
@@ -0,0 +1,226 @@
		1	Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and
		2	case sensitivity CVE-2021-22924
		3
		4	Reported-by: Harry Sintonen
		5	Bug: https://curl.se/docs/CVE-2021-22924.html
		6	CVE: CVE-2021-22924
		7	Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
		8	Signed-off-by: Mike Crowe <mac@mcrowe.com>
		9	---
		10	lib/url.c \| 5 +++--
		11	lib/urldata.h \| 2 +-
		12	lib/vtls/gtls.c \| 10 +++++-----
		13	lib/vtls/nss.c \| 4 ++--
		14	lib/vtls/openssl.c \| 12 ++++++------
		15	lib/vtls/vtls.c \| 23 ++++++++++++++++++-----
		16	6 files changed, 35 insertions(+), 21 deletions(-)
		17
		18	diff --git a/lib/url.c b/lib/url.c
		19	index 47fc66aed..eebad8d32 100644
		20	--- a/lib/url.c
		21	+++ b/lib/url.c
		22	@@ -3555,6 +3555,9 @@ static CURLcode create_conn(struct Curl_easy *data,
		23	data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
		24	data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
		25	data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
		26	+ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
		27	+ data->set.proxy_ssl.primary.issuercert =
		28	+ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
		29	data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
		30	data->set.proxy_ssl.primary.random_file =
		31	data->set.str[STRING_SSL_RANDOM_FILE];
		32	@@ -3575,8 +3578,6 @@ static CURLcode create_conn(struct Curl_easy *data,
		33
		34	data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
		35	data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
		36	- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
		37	- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
		38	data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
		39	data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
		40	data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
		41	diff --git a/lib/urldata.h b/lib/urldata.h
		42	index fbb8b645e..615fbf369 100644
		43	--- a/lib/urldata.h
		44	+++ b/lib/urldata.h
		45	@@ -224,6 +224,7 @@ struct ssl_primary_config {
		46	long version_max; /* max supported version the client wants to use*/
		47	char CApath; / certificate dir (doesn't work on windows) */
		48	char CAfile; / certificate to verify peer against */
		49	+ char issuercert; / optional issuer certificate filename */
		50	char *clientcert;
		51	char random_file; / path to file containing "random" data */
		52	char egdsocket; / path to file containing the EGD daemon socket */
		53	@@ -240,7 +241,6 @@ struct ssl_config_data {
		54	struct ssl_primary_config primary;
		55	long certverifyresult; /* result from the certificate verification */
		56	char CRLfile; / CRL to check certificate revocation */
		57	- char issuercert;/ optional issuer certificate filename */
		58	curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
		59	void fsslctxp; / parameter for call back */
		60	char cert; / client certificate file name */
		61	diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
		62	index 46e149c7d..8c051024f 100644
		63	--- a/lib/vtls/gtls.c
		64	+++ b/lib/vtls/gtls.c
		65	@@ -1059,7 +1059,7 @@ gtls_connect_step3(struct connectdata *conn,
		66	if(!chainp) {
		67	if(SSL_CONN_CONFIG(verifypeer) \|\|
		68	SSL_CONN_CONFIG(verifyhost) \|\|
		69	- SSL_SET_OPTION(issuercert)) {
		70	+ SSL_CONN_CONFIG(issuercert)) {
		71	#ifdef USE_TLS_SRP
		72	if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
		73	&& SSL_SET_OPTION(username) != NULL
		74	@@ -1241,21 +1241,21 @@ gtls_connect_step3(struct connectdata *conn,
		75	gnutls_x509_crt_t format */
		76	gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
		77
		78	- if(SSL_SET_OPTION(issuercert)) {
		79	+ if(SSL_CONN_CONFIG(issuercert)) {
		80	gnutls_x509_crt_init(&x509_issuer);
		81	- issuerp = load_file(SSL_SET_OPTION(issuercert));
		82	+ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
		83	gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
		84	rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
		85	gnutls_x509_crt_deinit(x509_issuer);
		86	unload_file(issuerp);
		87	if(rc <= 0) {
		88	failf(data, "server certificate issuer check failed (IssuerCert: %s)",
		89	- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
		90	+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
		91	gnutls_x509_crt_deinit(x509_cert);
		92	return CURLE_SSL_ISSUER_ERROR;
		93	}
		94	infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
		95	- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
		96	+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
		97	}
		98
		99	size = sizeof(certbuf);
		100	diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
		101	index ef51b0d91..375c78b1b 100644
		102	--- a/lib/vtls/nss.c
		103	+++ b/lib/vtls/nss.c
		104	@@ -2151,9 +2151,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
		105	if(result)
		106	goto error;
		107
		108	- if(SSL_SET_OPTION(issuercert)) {
		109	+ if(SSL_CONN_CONFIG(issuercert)) {
		110	SECStatus ret = SECFailure;
		111	- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
		112	+ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
		113	if(nickname) {
		114	/* we support only nicknames in case of issuercert for now */
		115	ret = check_issuer_cert(BACKEND->handle, nickname);
		116	diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
		117	index 64f43605a..7e81fd3a0 100644
		118	--- a/lib/vtls/openssl.c
		119	+++ b/lib/vtls/openssl.c
		120	@@ -3547,7 +3547,7 @@ static CURLcode servercert(struct connectdata *conn,
		121	deallocating the certificate. */
		122
		123	/* e.g. match issuer name with provided issuer certificate */
		124	- if(SSL_SET_OPTION(issuercert)) {
		125	+ if(SSL_CONN_CONFIG(issuercert)) {
		126	fp = BIO_new(BIO_s_file());
		127	if(fp == NULL) {
		128	failf(data,
		129	@@ -3560,10 +3560,10 @@ static CURLcode servercert(struct connectdata *conn,
		130	return CURLE_OUT_OF_MEMORY;
		131	}
		132
		133	- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
		134	+ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
		135	if(strict)
		136	failf(data, "SSL: Unable to open issuer cert (%s)",
		137	- SSL_SET_OPTION(issuercert));
		138	+ SSL_CONN_CONFIG(issuercert));
		139	BIO_free(fp);
		140	X509_free(BACKEND->server_cert);
		141	BACKEND->server_cert = NULL;
		142	@@ -3574,7 +3574,7 @@ static CURLcode servercert(struct connectdata *conn,
		143	if(!issuer) {
		144	if(strict)
		145	failf(data, "SSL: Unable to read issuer cert (%s)",
		146	- SSL_SET_OPTION(issuercert));
		147	+ SSL_CONN_CONFIG(issuercert));
		148	BIO_free(fp);
		149	X509_free(issuer);
		150	X509_free(BACKEND->server_cert);
		151	@@ -3585,7 +3585,7 @@ static CURLcode servercert(struct connectdata *conn,
		152	if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {
		153	if(strict)
		154	failf(data, "SSL: Certificate issuer check failed (%s)",
		155	- SSL_SET_OPTION(issuercert));
		156	+ SSL_CONN_CONFIG(issuercert));
		157	BIO_free(fp);
		158	X509_free(issuer);
		159	X509_free(BACKEND->server_cert);
		160	@@ -3594,7 +3594,7 @@ static CURLcode servercert(struct connectdata *conn,
		161	}
		162
		163	infof(data, " SSL certificate issuer check ok (%s)\n",
		164	- SSL_SET_OPTION(issuercert));
		165	+ SSL_CONN_CONFIG(issuercert));
		166	BIO_free(fp);
		167	X509_free(issuer);
		168	}
		169	diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
		170	index aaf73ef8f..8c681da14 100644
		171	--- a/lib/vtls/vtls.c
		172	+++ b/lib/vtls/vtls.c
		173	@@ -82,6 +82,16 @@
		174	else \
		175	dest->var = NULL;
		176
		177	+static bool safecmp(char a, char b)
		178	+{
		179	+ if(a && b)
		180	+ return !strcmp(a, b);
		181	+ else if(!a && !b)
		182	+ return TRUE; /* match */
		183	+ return FALSE; /* no match */
		184	+}
		185	+
		186	+
		187	bool
		188	Curl_ssl_config_matches(struct ssl_primary_config* data,
		189	struct ssl_primary_config* needle)
		190	@@ -91,11 +101,12 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
		191	(data->verifypeer == needle->verifypeer) &&
		192	(data->verifyhost == needle->verifyhost) &&
		193	(data->verifystatus == needle->verifystatus) &&
		194	- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
		195	- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
		196	- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
		197	- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
		198	- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
		199	+ safecmp(data->CApath, needle->CApath) &&
		200	+ safecmp(data->CAfile, needle->CAfile) &&
		201	+ safecmp(data->issuercert, needle->issuercert) &&
		202	+ safecmp(data->clientcert, needle->clientcert) &&
		203	+ safecmp(data->random_file, needle->random_file) &&
		204	+ safecmp(data->egdsocket, needle->egdsocket) &&
		205	Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
		206	Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
		207	Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
		208	@@ -117,6 +128,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
		209
		210	CLONE_STRING(CApath);
		211	CLONE_STRING(CAfile);
		212	+ CLONE_STRING(issuercert);
		213	CLONE_STRING(clientcert);
		214	CLONE_STRING(random_file);
		215	CLONE_STRING(egdsocket);
		216	@@ -131,6 +143,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
		217	{
		218	Curl_safefree(sslc->CApath);
		219	Curl_safefree(sslc->CAfile);
		220	+ Curl_safefree(sslc->issuercert);
		221	Curl_safefree(sslc->clientcert);
		222	Curl_safefree(sslc->random_file);
		223	Curl_safefree(sslc->egdsocket);
		224	--
		225	2.30.2
		226


diff --git a/meta/recipes-support/curl/curl/CVE-2021-22925.patch b/meta/recipes-support/curl/curl/CVE-2021-22925.patch new file mode 100644 index 0000000000..13b55f76be --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
@@ -0,0 +1,43 @@
		1	Subject: [PATCH] telnet: fix option parser to not send uninitialized
		2	contents CVE-2021-22925
		3
		4	Reported-by: Red Hat Product Security
		5	Bug: https://curl.se/docs/CVE-2021-22925.html
		6	CVE: CVE-2021-22925
		7	Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
		8	Signed-off-by: Mike Crowe <mac@mcrowe.com>
		9	---
		10	lib/telnet.c \| 17 +++++++++++------
		11	1 file changed, 11 insertions(+), 6 deletions(-)
		12
		13	diff --git a/lib/telnet.c b/lib/telnet.c
		14	index 4bf4c652c..3347ad6d1 100644
		15	--- a/lib/telnet.c
		16	+++ b/lib/telnet.c
		17	@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
		18	size_t tmplen = (strlen(v->data) + 1);
		19	/* Add the variable only if it fits */
		20	if(len + tmplen < (int)sizeof(temp)-6) {
		21	- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
		22	- msnprintf((char *)&temp[len], sizeof(temp) - len,
		23	- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
		24	- CURL_NEW_ENV_VALUE, varval);
		25	- len += tmplen;
		26	- }
		27	+ int rv;
		28	+ char sep[2] = "";
		29	+ varval[0] = 0;
		30	+ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
		31	+ if(rv == 1)
		32	+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
		33	+ "%c%s", CURL_NEW_ENV_VAR, varname);
		34	+ else if(rv >= 2)
		35	+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
		36	+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
		37	+ CURL_NEW_ENV_VALUE, varval);
		38	}
		39	}
		40	msnprintf((char *)&temp[len], sizeof(temp) - len,
		41	--
		42	2.30.2
		43


diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 9b510bcf9f..21c673feda 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -20,6 +20,8 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
20	file://CVE-2021-22876.patch \	20	file://CVE-2021-22876.patch \
21	file://CVE-2021-22890.patch \	21	file://CVE-2021-22890.patch \
22	file://CVE-2021-22898.patch \	22	file://CVE-2021-22898.patch \
		23	file://CVE-2021-22924.patch \
		24	file://CVE-2021-22925.patch \
23	"	25	"
24		26
25	SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"	27	SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
@@ -27,6 +29,7 @@ SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a5
27		29
28	# Curl has used many names over the years...	30	# Curl has used many names over the years...
29	CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"	31	CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
		32	CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926"
30		33
31	inherit autotools pkgconfig binconfig multilib_header	34	inherit autotools pkgconfig binconfig multilib_header
32		35