author | Siddharth Doshi <sdoshi@mvista.com> | 2023-04-17 13:01:28 +0530 |
committer | Steve Sakoman <steve@sakoman.com> | 2023-04-26 04:03:21 -1000 |
commit | 4fa1c52c9e8c4b71c41b846e6631ed2648153577 (patch) | |
tree | 9409f100f4a472a7972b687a10894f624352ce85 /meta | |
parent | be5ebd6b3f84b9f37deb5ce38467af353da0bbbf (diff) | |
download | poky-4fa1c52c9e8c4b71c41b846e6631ed2648153577.tar.gz |
curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538
Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878, https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1, https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb, https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
(From OE-Core rev: 0b35659c895e6ff2690d42f976169e4a65be07e6)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
4 files changed, 421 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch new file mode 100644 index 0000000000..57e1cb9e13 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch | |||
@@ -0,0 +1,196 @@ | |||
1 | From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 6 Oct 2022 00:49:10 +0200 | ||
4 | Subject: [PATCH] strcase: add and use Curl_timestrcmp | ||
5 | |||
6 | This is a strcmp() alternative function for comparing "secrets", | ||
7 | designed to take the same time no matter the content to not leak | ||
8 | match/non-match info to observers based on how fast it is. | ||
9 | |||
10 | The time this function takes is only a function of the shortest input | ||
11 | string. | ||
12 | |||
13 | Reported-by: Trail of Bits | ||
14 | |||
15 | Closes #9658 | ||
16 | |||
17 | Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878] | ||
18 | Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp. | ||
19 | Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> | ||
20 | --- | ||
21 | lib/netrc.c | 6 +++--- | ||
22 | lib/strcase.c | 22 ++++++++++++++++++++++ | ||
23 | lib/strcase.h | 1 + | ||
24 | lib/url.c | 33 +++++++++++++-------------------- | ||
25 | lib/vauth/digest_sspi.c | 4 ++-- | ||
26 | lib/vtls/vtls.c | 4 ++-- | ||
27 | 6 files changed, 43 insertions(+), 27 deletions(-) | ||
28 | |||
29 | diff --git a/lib/netrc.c b/lib/netrc.c | ||
30 | index 0a4ae2c..b771b60 100644 | ||
31 | --- a/lib/netrc.c | ||
32 | +++ b/lib/netrc.c | ||
33 | @@ -140,9 +140,9 @@ static int parsenetrc(const char *host, | ||
34 | /* we are now parsing sub-keywords concerning "our" host */ | ||
35 | if(state_login) { | ||
36 | if(specific_login) { | ||
37 | - state_our_login = strcasecompare(login, tok); | ||
38 | + state_our_login = !Curl_timestrcmp(login, tok); | ||
39 | } | ||
40 | - else if(!login || strcmp(login, tok)) { | ||
41 | + else if(!login || Curl_timestrcmp(login, tok)) { | ||
42 | if(login_alloc) { | ||
43 | free(login); | ||
44 | login_alloc = FALSE; | ||
45 | @@ -158,7 +158,7 @@ static int parsenetrc(const char *host, | ||
46 | } | ||
47 | else if(state_password) { | ||
48 | if((state_our_login || !specific_login) | ||
49 | - && (!password || strcmp(password, tok))) { | ||
50 | + && (!password || Curl_timestrcmp(password, tok))) { | ||
51 | if(password_alloc) { | ||
52 | free(password); | ||
53 | password_alloc = FALSE; | ||
54 | diff --git a/lib/strcase.c b/lib/strcase.c | ||
55 | index 692a3f1..be085b3 100644 | ||
56 | --- a/lib/strcase.c | ||
57 | +++ b/lib/strcase.c | ||
58 | @@ -141,6 +141,28 @@ bool Curl_safecmp(char *a, char *b) | ||
59 | return !a && !b; | ||
60 | } | ||
61 | |||
62 | +/* | ||
63 | + * Curl_timestrcmp() returns 0 if the two strings are identical. The time this | ||
64 | + * function spends is a function of the shortest string, not of the contents. | ||
65 | + */ | ||
66 | +int Curl_timestrcmp(const char *a, const char *b) | ||
67 | +{ | ||
68 | + int match = 0; | ||
69 | + int i = 0; | ||
70 | + | ||
71 | + if(a && b) { | ||
72 | + while(1) { | ||
73 | + match |= a[i]^b[i]; | ||
74 | + if(!a[i] || !b[i]) | ||
75 | + break; | ||
76 | + i++; | ||
77 | + } | ||
78 | + } | ||
79 | + else | ||
80 | + return a || b; | ||
81 | + return match; | ||
82 | +} | ||
83 | + | ||
84 | /* --- public functions --- */ | ||
85 | |||
86 | int curl_strequal(const char *first, const char *second) | ||
87 | diff --git a/lib/strcase.h b/lib/strcase.h | ||
88 | index 382b80a..c6979da 100644 | ||
89 | --- a/lib/strcase.h | ||
90 | +++ b/lib/strcase.h | ||
91 | @@ -48,5 +48,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n); | ||
92 | void Curl_strntolower(char *dest, const char *src, size_t n); | ||
93 | |||
94 | bool Curl_safecmp(char *a, char *b); | ||
95 | +int Curl_timestrcmp(const char *first, const char *second); | ||
96 | |||
97 | #endif /* HEADER_CURL_STRCASE_H */ | ||
98 | diff --git a/lib/url.c b/lib/url.c | ||
99 | index df4377d..c397b57 100644 | ||
100 | --- a/lib/url.c | ||
101 | +++ b/lib/url.c | ||
102 | @@ -930,19 +930,10 @@ socks_proxy_info_matches(const struct proxy_info *data, | ||
103 | /* the user information is case-sensitive | ||
104 | or at least it is not defined as case-insensitive | ||
105 | see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */ | ||
106 | - if(!data->user != !needle->user) | ||
107 | - return FALSE; | ||
108 | - /* curl_strequal does a case insentive comparison, so do not use it here! */ | ||
109 | - if(data->user && | ||
110 | - needle->user && | ||
111 | - strcmp(data->user, needle->user) != 0) | ||
112 | - return FALSE; | ||
113 | - if(!data->passwd != !needle->passwd) | ||
114 | - return FALSE; | ||
115 | + | ||
116 | /* curl_strequal does a case insentive comparison, so do not use it here! */ | ||
117 | - if(data->passwd && | ||
118 | - needle->passwd && | ||
119 | - strcmp(data->passwd, needle->passwd) != 0) | ||
120 | + if(Curl_timestrcmp(data->user, needle->user) || | ||
121 | + Curl_timestrcmp(data->passwd, needle->passwd)) | ||
122 | return FALSE; | ||
123 | return TRUE; | ||
124 | } | ||
125 | @@ -1341,10 +1332,10 @@ ConnectionExists(struct Curl_easy *data, | ||
126 | if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { | ||
127 | /* This protocol requires credentials per connection, | ||
128 | so verify that we're using the same name and password as well */ | ||
129 | - if(strcmp(needle->user, check->user) || | ||
130 | - strcmp(needle->passwd, check->passwd) || | ||
131 | - !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || | ||
132 | - !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { | ||
133 | + if(Curl_timestrcmp(needle->user, check->user) || | ||
134 | + Curl_timestrcmp(needle->passwd, check->passwd) || | ||
135 | + Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) || | ||
136 | + Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) { | ||
137 | /* one of them was different */ | ||
138 | continue; | ||
139 | } | ||
140 | @@ -1420,8 +1411,8 @@ ConnectionExists(struct Curl_easy *data, | ||
141 | possible. (Especially we must not reuse the same connection if | ||
142 | partway through a handshake!) */ | ||
143 | if(wantNTLMhttp) { | ||
144 | - if(strcmp(needle->user, check->user) || | ||
145 | - strcmp(needle->passwd, check->passwd)) { | ||
146 | + if(Curl_timestrcmp(needle->user, check->user) || | ||
147 | + Curl_timestrcmp(needle->passwd, check->passwd)) { | ||
148 | |||
149 | /* we prefer a credential match, but this is at least a connection | ||
150 | that can be reused and "upgraded" to NTLM */ | ||
151 | @@ -1443,8 +1434,10 @@ ConnectionExists(struct Curl_easy *data, | ||
152 | if(!check->http_proxy.user || !check->http_proxy.passwd) | ||
153 | continue; | ||
154 | |||
155 | - if(strcmp(needle->http_proxy.user, check->http_proxy.user) || | ||
156 | - strcmp(needle->http_proxy.passwd, check->http_proxy.passwd)) | ||
157 | + if(Curl_timestrcmp(needle->http_proxy.user, | ||
158 | + check->http_proxy.user) || | ||
159 | + Curl_timestrcmp(needle->http_proxy.passwd, | ||
160 | + check->http_proxy.passwd)) | ||
161 | continue; | ||
162 | } | ||
163 | else if(check->proxy_ntlm_state != NTLMSTATE_NONE) { | ||
164 | diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c | ||
165 | index 94f8f8c..a413419 100644 | ||
166 | --- a/lib/vauth/digest_sspi.c | ||
167 | +++ b/lib/vauth/digest_sspi.c | ||
168 | @@ -429,8 +429,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, | ||
169 | has changed then delete that context. */ | ||
170 | if((userp && !digest->user) || (!userp && digest->user) || | ||
171 | (passwdp && !digest->passwd) || (!passwdp && digest->passwd) || | ||
172 | - (userp && digest->user && strcmp(userp, digest->user)) || | ||
173 | - (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) { | ||
174 | + (userp && digest->user && Curl_timestrcmp(userp, digest->user)) || | ||
175 | + (passwdp && digest->passwd && Curl_timestrcmp(passwdp, digest->passwd))) { | ||
176 | if(digest->http_context) { | ||
177 | s_pSecFn->DeleteSecurityContext(digest->http_context); | ||
178 | Curl_safefree(digest->http_context); | ||
179 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
180 | index e2d3438..881c8d2 100644 | ||
181 | --- a/lib/vtls/vtls.c | ||
182 | +++ b/lib/vtls/vtls.c | ||
183 | @@ -146,8 +146,8 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, | ||
184 | Curl_safecmp(data->random_file, needle->random_file) && | ||
185 | Curl_safecmp(data->egdsocket, needle->egdsocket) && | ||
186 | #ifdef USE_TLS_SRP | ||
187 | - Curl_safecmp(data->username, needle->username) && | ||
188 | - Curl_safecmp(data->password, needle->password) && | ||
189 | + !Curl_timestrcmp(data->username, needle->username) && | ||
190 | + !Curl_timestrcmp(data->password, needle->password) && | ||
191 | (data->authtype == needle->authtype) && | ||
192 | #endif | ||
193 | Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && | ||
194 | -- | ||
195 | 2.35.7 | ||
196 | |||
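Review bot: The `Comment:` line in this patch header describes the backport as only adding Curl_timestrcmp, but the netrc.c hunk also switches the `login` match from `strcasecompare(login, tok)` to `!Curl_timestrcmp(login, tok)`, i.e. from case-insensitive to case-sensitive matching of .netrc login names, which is a user-visible behavior change carried along with the prerequisite. I'd say so in the header so downstream maintainers can spot it: `Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp. Also makes .netrc "login" matching case-sensitive (was strcasecompare), as upstream does.` The replacement of the explicit NULL-mismatch checks in socks_proxy_info_matches relies on Curl_timestrcmp returning non-zero when exactly one argument is NULL, which the added function does via `return a || b;`, so that part is equivalent. As a point of style, Curl_timestrcmp indexes with `int i` where `size_t` would be conventional, though for credential-length strings this is not a practical concern.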
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch new file mode 100644 index 0000000000..4e701edfff --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch | |||
@@ -0,0 +1,170 @@ | |||
1 | From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 9 Mar 2023 17:47:06 +0100 | ||
4 | Subject: [PATCH] ftp: add more conditions for connection reuse | ||
5 | |||
6 | Reported-by: Harry Sintonen | ||
7 | Closes #10730 | ||
8 | |||
9 | Upstream-Status: Backport from [https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1, https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb] | ||
10 | Comment: Backport for CVE-2023-27535 also fixes CVE-2023-27538 in the file "lib/url.c". | ||
11 | CVE: CVE-2023-27535, CVE-2023-27538 | ||
12 | Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> | ||
13 | --- | ||
14 | lib/ftp.c | 28 ++++++++++++++++++++++++++-- | ||
15 | lib/ftp.h | 5 +++++ | ||
16 | lib/setopt.c | 2 +- | ||
17 | lib/url.c | 19 ++++++++++++++++--- | ||
18 | lib/urldata.h | 4 ++-- | ||
19 | 5 files changed, 50 insertions(+), 8 deletions(-) | ||
20 | |||
21 | diff --git a/lib/ftp.c b/lib/ftp.c | ||
22 | index c6efaed..93bbaeb 100644 | ||
23 | --- a/lib/ftp.c | ||
24 | +++ b/lib/ftp.c | ||
25 | @@ -4097,6 +4097,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data, | ||
26 | } | ||
27 | |||
28 | freedirs(ftpc); | ||
29 | + Curl_safefree(ftpc->account); | ||
30 | + Curl_safefree(ftpc->alternative_to_user); | ||
31 | Curl_safefree(ftpc->prevpath); | ||
32 | Curl_safefree(ftpc->server_os); | ||
33 | Curl_pp_disconnect(pp); | ||
34 | @@ -4364,11 +4366,31 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, | ||
35 | { | ||
36 | char *type; | ||
37 | struct FTP *ftp; | ||
38 | + struct ftp_conn *ftpc = &conn->proto.ftpc; | ||
39 | |||
40 | - data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1); | ||
41 | + ftp = calloc(sizeof(struct FTP), 1); | ||
42 | if(!ftp) | ||
43 | return CURLE_OUT_OF_MEMORY; | ||
44 | |||
45 | + /* clone connection related data that is FTP specific */ | ||
46 | + if(data->set.str[STRING_FTP_ACCOUNT]) { | ||
47 | + ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); | ||
48 | + if(!ftpc->account) { | ||
49 | + free(ftp); | ||
50 | + return CURLE_OUT_OF_MEMORY; | ||
51 | + } | ||
52 | + } | ||
53 | + if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { | ||
54 | + ftpc->alternative_to_user = | ||
55 | + strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); | ||
56 | + if(!ftpc->alternative_to_user) { | ||
57 | + Curl_safefree(ftpc->account); | ||
58 | + free(ftp); | ||
59 | + return CURLE_OUT_OF_MEMORY; | ||
60 | + } | ||
61 | + } | ||
62 | + data->req.p.ftp = ftp; | ||
63 | + | ||
64 | ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ | ||
65 | |||
66 | /* FTP URLs support an extension like ";type=<typecode>" that | ||
67 | @@ -4403,7 +4425,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, | ||
68 | /* get some initial data into the ftp struct */ | ||
69 | ftp->transfer = PPTRANSFER_BODY; | ||
70 | ftp->downloadsize = 0; | ||
71 | - conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ | ||
72 | + ftpc->known_filesize = -1; /* unknown size for now */ | ||
73 | + ftpc->use_ssl = data->set.use_ssl; | ||
74 | + ftpc->ccc = data->set.ftp_ccc; | ||
75 | |||
76 | return CURLE_OK; | ||
77 | } | ||
78 | diff --git a/lib/ftp.h b/lib/ftp.h | ||
79 | index 1cfdac0..afca25b 100644 | ||
80 | --- a/lib/ftp.h | ||
81 | +++ b/lib/ftp.h | ||
82 | @@ -115,6 +115,8 @@ struct FTP { | ||
83 | struct */ | ||
84 | struct ftp_conn { | ||
85 | struct pingpong pp; | ||
86 | + char *account; | ||
87 | + char *alternative_to_user; | ||
88 | char *entrypath; /* the PWD reply when we logged on */ | ||
89 | char *file; /* url-decoded file name (or path) */ | ||
90 | char **dirs; /* realloc()ed array for path components */ | ||
91 | @@ -144,6 +146,9 @@ struct ftp_conn { | ||
92 | ftpstate state; /* always use ftp.c:state() to change state! */ | ||
93 | ftpstate state_saved; /* transfer type saved to be reloaded after | ||
94 | data connection is established */ | ||
95 | + unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or | ||
96 | + IMAP or POP3 or others! (type: curl_usessl)*/ | ||
97 | + unsigned char ccc; /* ccc level for this connection */ | ||
98 | curl_off_t retr_size_saved; /* Size of retrieved file saved */ | ||
99 | char *server_os; /* The target server operating system. */ | ||
100 | curl_off_t known_filesize; /* file size is different from -1, if wildcard | ||
101 | diff --git a/lib/setopt.c b/lib/setopt.c | ||
102 | index 29a78a4..89d0150 100644 | ||
103 | --- a/lib/setopt.c | ||
104 | +++ b/lib/setopt.c | ||
105 | @@ -2304,7 +2304,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) | ||
106 | arg = va_arg(param, long); | ||
107 | if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) | ||
108 | return CURLE_BAD_FUNCTION_ARGUMENT; | ||
109 | - data->set.use_ssl = (curl_usessl)arg; | ||
110 | + data->set.use_ssl = (unsigned char)arg; | ||
111 | break; | ||
112 | |||
113 | case CURLOPT_SSL_OPTIONS: | ||
114 | diff --git a/lib/url.c b/lib/url.c | ||
115 | index c397b57..280171c 100644 | ||
116 | --- a/lib/url.c | ||
117 | +++ b/lib/url.c | ||
118 | @@ -1347,11 +1347,24 @@ ConnectionExists(struct Curl_easy *data, | ||
119 | (check->httpversion >= 20) && | ||
120 | (data->state.httpwant < CURL_HTTP_VERSION_2_0)) | ||
121 | continue; | ||
122 | - | ||
123 | - if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { | ||
124 | - if(!ssh_config_matches(needle, check)) | ||
125 | +#ifdef USE_SSH | ||
126 | + else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { | ||
127 | + if(!ssh_config_matches(needle, check)) | ||
128 | continue; | ||
129 | } | ||
130 | +#endif | ||
131 | +#ifndef CURL_DISABLE_FTP | ||
132 | + else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) { | ||
133 | + /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ | ||
134 | + if(Curl_timestrcmp(needle->proto.ftpc.account, | ||
135 | + check->proto.ftpc.account) || | ||
136 | + Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, | ||
137 | + check->proto.ftpc.alternative_to_user) || | ||
138 | + (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || | ||
139 | + (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) | ||
140 | + continue; | ||
141 | + } | ||
142 | +#endif | ||
143 | |||
144 | if((needle->handler->flags&PROTOPT_SSL) | ||
145 | #ifndef CURL_DISABLE_PROXY | ||
146 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
147 | index 69eb2ee..6e6122a 100644 | ||
148 | --- a/lib/urldata.h | ||
149 | +++ b/lib/urldata.h | ||
150 | @@ -1748,8 +1748,6 @@ struct UserDefined { | ||
151 | enum CURL_NETRC_OPTION | ||
152 | use_netrc; /* defined in include/curl.h */ | ||
153 | #endif | ||
154 | - curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or | ||
155 | - IMAP or POP3 or others! */ | ||
156 | long new_file_perms; /* Permissions to use when creating remote files */ | ||
157 | long new_directory_perms; /* Permissions to use when creating remote dirs */ | ||
158 | long ssh_auth_types; /* allowed SSH auth types */ | ||
159 | @@ -1877,6 +1875,8 @@ struct UserDefined { | ||
160 | BIT(http09_allowed); /* allow HTTP/0.9 responses */ | ||
161 | BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some | ||
162 | recipients */ | ||
163 | + unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or | ||
164 | + IMAP or POP3 or others! (type: curl_usessl)*/ | ||
165 | }; | ||
166 | |||
167 | struct Names { | ||
168 | -- | ||
169 | 2.35.7 | ||
170 | |||
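Review bot: The `CVE:` trailer in this patch header lists the two IDs comma-separated (`CVE: CVE-2023-27535, CVE-2023-27538`); as I recall, cve-check's tag parser only accepts space-separated IDs after `CVE:`, so the second ID is probably detected here only because the file name happens to end in CVE-2023-27538. I'd write it as `CVE: CVE-2023-27535 CVE-2023-27538`, in line with the single-ID form used in CVE-2023-27536.patch. In the code, ftp_setup_connection now strdup()s `account` and `alternative_to_user` into `ftpc` on every call and the matching frees were added to ftp_disconnect; I believe that handler is also reached for a never-connected conn that is discarded after a connection-cache hit, but that path is outside this patch and is worth confirming so the clones cannot leak. The `ccc` and `use_ssl` copies narrow enum values to `unsigned char`, which is fine as long as the enum ranges stay small, as they do today.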
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch new file mode 100644 index 0000000000..fb3ee6a14d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Fri, 10 Mar 2023 09:22:43 +0100 | ||
4 | Subject: [PATCH] url: only reuse connections with same GSS delegation | ||
5 | |||
6 | Upstream-Status: Backport from [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb] | ||
7 | CVE: CVE-2023-27536 | ||
8 | Signed-off-by: Signed-off-by: Mingli Yu <mingli.yu@windriver.com> | ||
9 | Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> | ||
10 | --- | ||
11 | lib/url.c | 6 ++++++ | ||
12 | lib/urldata.h | 1 + | ||
13 | 2 files changed, 7 insertions(+) | ||
14 | |||
15 | diff --git a/lib/url.c b/lib/url.c | ||
16 | index 280171c..c6413a1 100644 | ||
17 | --- a/lib/url.c | ||
18 | +++ b/lib/url.c | ||
19 | @@ -1341,6 +1341,11 @@ ConnectionExists(struct Curl_easy *data, | ||
20 | } | ||
21 | } | ||
22 | |||
23 | + /* GSS delegation differences do not actually affect every connection | ||
24 | + and auth method, but this check takes precaution before efficiency */ | ||
25 | + if(needle->gssapi_delegation != check->gssapi_delegation) | ||
26 | + continue; | ||
27 | + | ||
28 | /* If multiplexing isn't enabled on the h2 connection and h1 is | ||
29 | explicitly requested, handle it: */ | ||
30 | if((needle->handler->protocol & PROTO_FAMILY_HTTP) && | ||
31 | @@ -1813,6 +1818,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) | ||
32 | conn->fclosesocket = data->set.fclosesocket; | ||
33 | conn->closesocket_client = data->set.closesocket_client; | ||
34 | conn->lastused = Curl_now(); /* used now */ | ||
35 | + conn->gssapi_delegation = data->set.gssapi_delegation; | ||
36 | |||
37 | return conn; | ||
38 | error: | ||
39 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
40 | index 6e6122a..602c735 100644 | ||
41 | --- a/lib/urldata.h | ||
42 | +++ b/lib/urldata.h | ||
43 | @@ -1131,6 +1131,7 @@ struct connectdata { | ||
44 | int socks5_gssapi_enctype; | ||
45 | #endif | ||
46 | unsigned short localport; | ||
47 | + long gssapi_delegation; /* inherited from set.gssapi_delegation */ | ||
48 | }; | ||
49 | |||
50 | /* The end of connectdata. */ | ||
51 | -- | ||
52 | 2.35.7 | ||
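Review bot: The `Upstream-Status:` URL in this patch header names af369db4d3833272b8ed443f7fcc2e757a0872eb, but the `From` line on the first line of the patch says the backported commit is cb49e67303dbafbab1cebf4086e3ec15b7d56ee5, and af369db is already the commit credited for CVE-2023-27538 in CVE-2023-27535_and_CVE-2023-27538.patch, so the header should point at the commit actually applied: `Upstream-Status: Backport from [https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5]`. The top-level commit message repeats the same af369db URL twice and never lists cb49e67, so it likely has the same copy error. The trailer `Signed-off-by: Signed-off-by: Mingli Yu <mingli.yu@windriver.com>` carries a doubled tag. The code itself, copying `data->set.gssapi_delegation` into the new connectdata field in allocate_conn and rejecting reuse on mismatch in ConnectionExists, reads correctly.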
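--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -42,6 +42,9 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
 file://CVE-2023-23916.patch \
 file://CVE-2023-27533.patch \
 file://CVE-2023-27534.patch \
+file://CVE-2023-27535-pre1.patch \
+file://CVE-2023-27535_and_CVE-2023-27538.patch \
+file://CVE-2023-27536.patch \
 "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
 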