curl: Add patch to fix CVE-2022-43551

Add patch to fix the security issue "curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL." as per below link Link: https://curl.se/docs/CVE-2022-43551.html (From OE-Core rev: baa18f2cf107af7a5e1c7b7befad46e6c48f4222) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> 2022-12-22 11:07:08 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-01-06 17:33:23 +0000
commit: b6879ce896e1be225a2389871b03274930bb7303 (patch)
tree: 820cc20fc692434f1b573dc23c016bce02ef7924 /meta
parent: 18da62e637b8487a07fade71db847db120de8d6b (diff)
download: poky-b6879ce896e1be225a2389871b03274930bb7303.tar.gz
2 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-43551.patch b/meta/recipes-support/curl/curl/CVE-2022-43551.patch
new file mode 100644
index 0000000000..e1ec7bf72e
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-43551.patch
@@ -0,0 +1,35 @@
+From 9e71901634e276dd050481c4320f046bebb1bc28 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:36:55 +0100
+Subject: [PATCH] http: use the IDN decoded name in HSTS checks
+Otherwise it stores the info HSTS into the persistent cache for the IDN
+name which will not match when the HSTS status is later checked for
+using the decoded name.
+Reported-by: Hiroki Kurosawa
+Closes #10111
+CVE: CVE-2022-43551
+Upstream-Status: Backport [https://github.com/curl/curl/commit/9e71901634e276dd050481c4320f046bebb1bc28]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comments: Hunk refresh to remove patch-fuzz warning
+---
+ lib/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/http.c b/lib/http.c
+index 85528a2218eee..a784745a8d505 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -3652,7 +3652,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
+   else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
+           (conn->handler->flags & PROTOPT_SSL)) {
+     CURLcode check =
+-      Curl_hsts_parse(data->hsts, data->state.up.hostname,
+      Curl_hsts_parse(data->hsts, conn->host.name,
+                       headp + strlen("Strict-Transport-Security:"));
+     if(check)
+       infof(data, "Illegal STS header skipped");
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 4774ae7f2b..bd68e40ca4 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -32,6 +32,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
           file://CVE-2022-32221.patch \
           file://CVE-2022-42916.patch \
           file://CVE-2022-42915.patch \
+           file://CVE-2022-43551.patch \
           "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
author	Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>	2022-12-22 11:07:08 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-01-06 17:33:23 +0000
commit	b6879ce896e1be225a2389871b03274930bb7303 (patch)
tree	820cc20fc692434f1b573dc23c016bce02ef7924 /meta
parent	18da62e637b8487a07fade71db847db120de8d6b (diff)
download	poky-b6879ce896e1be225a2389871b03274930bb7303.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2022-43551.patch b/meta/recipes-support/curl/curl/CVE-2022-43551.patch new file mode 100644 index 0000000000..e1ec7bf72e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-43551.patch
@@ -0,0 +1,35 @@
		1	From 9e71901634e276dd050481c4320f046bebb1bc28 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Mon, 19 Dec 2022 08:36:55 +0100
		4	Subject: [PATCH] http: use the IDN decoded name in HSTS checks
		5
		6	Otherwise it stores the info HSTS into the persistent cache for the IDN
		7	name which will not match when the HSTS status is later checked for
		8	using the decoded name.
		9
		10	Reported-by: Hiroki Kurosawa
		11
		12	Closes #10111
		13
		14	CVE: CVE-2022-43551
		15	Upstream-Status: Backport [https://github.com/curl/curl/commit/9e71901634e276dd050481c4320f046bebb1bc28]
		16	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		17	Comments: Hunk refresh to remove patch-fuzz warning
		18
		19	---
		20	lib/http.c \| 2 +-
		21	1 file changed, 1 insertion(+), 1 deletion(-)
		22
		23	diff --git a/lib/http.c b/lib/http.c
		24	index 85528a2218eee..a784745a8d505 100644
		25	--- a/lib/http.c
		26	+++ b/lib/http.c
		27	@@ -3652,7 +3652,7 @@ CURLcode Curl_http_header(struct Curl_easy data, struct connectdata conn,
		28	else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
		29	(conn->handler->flags & PROTOPT_SSL)) {
		30	CURLcode check =
		31	- Curl_hsts_parse(data->hsts, data->state.up.hostname,
		32	+ Curl_hsts_parse(data->hsts, conn->host.name,
		33	headp + strlen("Strict-Transport-Security:"));
		34	if(check)
		35	infof(data, "Illegal STS header skipped");


diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 4774ae7f2b..bd68e40ca4 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -32,6 +32,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
32	file://CVE-2022-32221.patch \	32	file://CVE-2022-32221.patch \
33	file://CVE-2022-42916.patch \	33	file://CVE-2022-42916.patch \
34	file://CVE-2022-42915.patch \	34	file://CVE-2022-42915.patch \
		35	file://CVE-2022-43551.patch \
35	"	36	"
36	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"	37	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
37		38