diff options
author | Bhabu Bindu <bhabu.bindu@kpit.com> | 2022-11-29 09:27:18 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-12-07 15:02:45 +0000 |
commit | b1ea1218bd548612dfc5ef94fb5b2d15b5637bca (patch) | |
tree | d49a0ef79fe1462b21250cf0cfb833d31e6ebea6 /meta/recipes-support | |
parent | 17c2b23373127454fecbcb6162eb89c29d1cffa0 (diff) | |
download | poky-b1ea1218bd548612dfc5ef94fb5b2d15b5637bca.tar.gz |
curl: Fix CVE-2022-42916
HSTS bypass via IDN
Link: https://security-tracker.debian.org/tracker/CVE-2022-42916
(From OE-Core rev: e6796b426503477620e0e5c5c9da50352269a593)
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-42916.patch | 136 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.82.0.bb | 1 |
2 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-42916.patch b/meta/recipes-support/curl/curl/CVE-2022-42916.patch new file mode 100644 index 0000000000..fbc592280a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-42916.patch | |||
@@ -0,0 +1,136 @@ | |||
1 | From 53bcf55b4538067e6dc36242168866becb987bb7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Wed, 12 Oct 2022 10:47:59 +0200 | ||
4 | Subject: [PATCH] url: use IDN decoded names for HSTS checks | ||
5 | |||
6 | Reported-by: Hiroki Kurosawa | ||
7 | |||
8 | Closes #9791 | ||
9 | |||
10 | CVE: CVE-2022-42916 | ||
11 | Upstream-Status: Backport [https://github.com/curl/curl/commit/53bcf55b4538067e6dc36242168866becb987bb7] | ||
12 | Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> | ||
13 | Comments: Refreshed hunk | ||
14 | --- | ||
15 | lib/url.c | 91 ++++++++++++++++++++++++++++--------------------------- | ||
16 | 1 file changed, 47 insertions(+), 44 deletions(-) | ||
17 | |||
18 | diff --git a/lib/url.c b/lib/url.c | ||
19 | index a3be56bced9de..690c53c81a3c1 100644 | ||
20 | --- a/lib/url.c | ||
21 | +++ b/lib/url.c | ||
22 | @@ -2012,10 +2012,56 @@ | ||
23 | if(!strcasecompare("file", data->state.up.scheme)) | ||
24 | return CURLE_OUT_OF_MEMORY; | ||
25 | } | ||
26 | + hostname = data->state.up.hostname; | ||
27 | + | ||
28 | + if(hostname && hostname[0] == '[') { | ||
29 | + /* This looks like an IPv6 address literal. See if there is an address | ||
30 | + scope. */ | ||
31 | + size_t hlen; | ||
32 | + conn->bits.ipv6_ip = TRUE; | ||
33 | + /* cut off the brackets! */ | ||
34 | + hostname++; | ||
35 | + hlen = strlen(hostname); | ||
36 | + hostname[hlen - 1] = 0; | ||
37 | + | ||
38 | + zonefrom_url(uh, data, conn); | ||
39 | + } | ||
40 | + | ||
41 | + /* make sure the connect struct gets its own copy of the host name */ | ||
42 | + conn->host.rawalloc = strdup(hostname ? hostname : ""); | ||
43 | + if(!conn->host.rawalloc) | ||
44 | + return CURLE_OUT_OF_MEMORY; | ||
45 | + conn->host.name = conn->host.rawalloc; | ||
46 | + | ||
47 | + /************************************************************* | ||
48 | + * IDN-convert the hostnames | ||
49 | + *************************************************************/ | ||
50 | + result = Curl_idnconvert_hostname(data, &conn->host); | ||
51 | + if(result) | ||
52 | + return result; | ||
53 | + if(conn->bits.conn_to_host) { | ||
54 | + result = Curl_idnconvert_hostname(data, &conn->conn_to_host); | ||
55 | + if(result) | ||
56 | + return result; | ||
57 | + } | ||
58 | +#ifndef CURL_DISABLE_PROXY | ||
59 | + if(conn->bits.httpproxy) { | ||
60 | + result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); | ||
61 | + if(result) | ||
62 | + return result; | ||
63 | + } | ||
64 | + if(conn->bits.socksproxy) { | ||
65 | + result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); | ||
66 | + if(result) | ||
67 | + return result; | ||
68 | + } | ||
69 | +#endif | ||
70 | |||
71 | #ifndef CURL_DISABLE_HSTS | ||
72 | + /* HSTS upgrade */ | ||
73 | if(data->hsts && strcasecompare("http", data->state.up.scheme)) { | ||
74 | - if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) { | ||
75 | + /* This MUST use the IDN decoded name */ | ||
76 | + if(Curl_hsts(data->hsts, conn->host.name, TRUE)) { | ||
77 | char *url; | ||
78 | Curl_safefree(data->state.up.scheme); | ||
79 | uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0); | ||
80 | @@ -2145,26 +2191,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, | ||
81 | |||
82 | (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0); | ||
83 | |||
84 | - hostname = data->state.up.hostname; | ||
85 | - if(hostname && hostname[0] == '[') { | ||
86 | - /* This looks like an IPv6 address literal. See if there is an address | ||
87 | - scope. */ | ||
88 | - size_t hlen; | ||
89 | - conn->bits.ipv6_ip = TRUE; | ||
90 | - /* cut off the brackets! */ | ||
91 | - hostname++; | ||
92 | - hlen = strlen(hostname); | ||
93 | - hostname[hlen - 1] = 0; | ||
94 | - | ||
95 | - zonefrom_url(uh, data, conn); | ||
96 | - } | ||
97 | - | ||
98 | - /* make sure the connect struct gets its own copy of the host name */ | ||
99 | - conn->host.rawalloc = strdup(hostname ? hostname : ""); | ||
100 | - if(!conn->host.rawalloc) | ||
101 | - return CURLE_OUT_OF_MEMORY; | ||
102 | - conn->host.name = conn->host.rawalloc; | ||
103 | - | ||
104 | #ifdef ENABLE_IPV6 | ||
105 | if(data->set.scope_id) | ||
106 | /* Override any scope that was set above. */ | ||
107 | @@ -3713,29 +3739,6 @@ static CURLcode create_conn(struct Curl_easy *data, | ||
108 | if(result) | ||
109 | goto out; | ||
110 | |||
111 | - /************************************************************* | ||
112 | - * IDN-convert the hostnames | ||
113 | - *************************************************************/ | ||
114 | - result = Curl_idnconvert_hostname(data, &conn->host); | ||
115 | - if(result) | ||
116 | - goto out; | ||
117 | - if(conn->bits.conn_to_host) { | ||
118 | - result = Curl_idnconvert_hostname(data, &conn->conn_to_host); | ||
119 | - if(result) | ||
120 | - goto out; | ||
121 | - } | ||
122 | -#ifndef CURL_DISABLE_PROXY | ||
123 | - if(conn->bits.httpproxy) { | ||
124 | - result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); | ||
125 | - if(result) | ||
126 | - goto out; | ||
127 | - } | ||
128 | - if(conn->bits.socksproxy) { | ||
129 | - result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); | ||
130 | - if(result) | ||
131 | - goto out; | ||
132 | - } | ||
133 | -#endif | ||
134 | |||
135 | /************************************************************* | ||
136 | * Check whether the host and the "connect to host" are equal. | ||
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index e0099f7453..a3e29a583d 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb | |||
@@ -30,6 +30,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ | |||
30 | file://CVE-2022-32208.patch \ | 30 | file://CVE-2022-32208.patch \ |
31 | file://CVE-2022-35252.patch \ | 31 | file://CVE-2022-35252.patch \ |
32 | file://CVE-2022-32221.patch \ | 32 | file://CVE-2022-32221.patch \ |
33 | file://CVE-2022-42916.patch \ | ||
33 | " | 34 | " |
34 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" | 35 | SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" |
35 | 36 | ||