Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2020-8284.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2020-8284.patch | 210 |
1 files changed, 210 insertions, 0 deletions
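diff --git a/meta/recipes-support/curl/curl/CVE-2020-8284.patch b/meta/recipes-support/curl/curl/CVE-2020-8284.patch
new file mode 100644
index 0000000000..4ae514ffa8
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8284.patch
@@ -0,0 +1,210 @@
+From ec9cc725d598ac77de7b6df8afeec292b3c8ad46 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 24 Nov 2020 14:56:57 +0100
+Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default
+
+The command line tool also independently sets --ftp-skip-pasv-ip by
+default.
+
+Ten test cases updated to adapt the modified --libcurl output.
+
+Bug: https://curl.se/docs/CVE-2020-8284.html
+CVE-2020-8284
+
+Reported-by: Varnavas Papaioannou
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/ec9cc725d598ac]
+
+CVE: CVE-2020-8284
+
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++
+docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++---
+lib/url.c | 1 +
+src/tool_cfgable.c | 1 +
+tests/data/test1400 | 1 +
+tests/data/test1401 | 1 +
+tests/data/test1402 | 1 +
+tests/data/test1403 | 1 +
+tests/data/test1404 | 1 +
+tests/data/test1405 | 1 +
+tests/data/test1406 | 1 +
+tests/data/test1407 | 1 +
+tests/data/test1420 | 1 +
+14 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d
+index d6fd4589b1e..bcf4e7e62f2 100644
+--- a/docs/cmdline-opts/ftp-skip-pasv-ip.d
++++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d
+@@ -10,4 +10,6 @@ to curl's PASV command when curl connects the data connection. Instead curl
+will re-use the same IP address it already uses for the control
+connection.
+
++Since curl 7.74.0 this option is enabled by default.
++
+This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
+diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
+index d6217d0d8ca..fa87ddce769 100644
+--- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
++++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
+@@ -5,7 +5,7 @@
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+@@ -35,11 +35,13 @@ address it already uses for the control connection. But it will use the port
+number from the 227-response.
+
+This option thus allows libcurl to work around broken server installations
+-that due to NATs, firewalls or incompetence report the wrong IP address back.
++that due to NATs, firewalls or incompetence report the wrong IP address
++back. Setting the option also reduces the risk for various sorts of client
++abuse by malicious servers.
+
+This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
+.SH DEFAULT
+-0
++1 since 7.74.0, was 0 before then.
+.SH PROTOCOLS
+FTP
+.SH EXAMPLE
+diff --git a/lib/url.c b/lib/url.c
+index f8b2a0030de..2b0ba87ba87 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -497,6 +497,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */
+set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */
+set->ftp_filemethod = FTPFILE_MULTICWD;
++ set->ftp_skip_ip = TRUE; /* skip PASV IP by default */
+#endif
+set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
+
+diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
+index c52d8e1c6bb..4c06d3557b7 100644
+--- a/src/tool_cfgable.c
++++ b/src/tool_cfgable.c
+@@ -44,6 +44,7 @@ void config_init(struct OperationConfig *config)
+config->tcp_nodelay = TRUE; /* enabled by default */
+config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT;
+config->http09_allowed = FALSE;
++ config->ftp_skip_ip = TRUE;
+}
+
+static void free_config_fields(struct OperationConfig *config)
+diff --git a/tests/data/test1400 b/tests/data/test1400
+index 812ad0b88d9..b7060eca58e 100644
+--- a/tests/data/test1400
++++ b/tests/data/test1400
+@@ -73,6 +73,7 @@ int main(int argc, char *argv[])
+curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+/* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1401 b/tests/data/test1401
+index f93b3d637de..a2629683aff 100644
+--- a/tests/data/test1401
++++ b/tests/data/test1401
+@@ -87,6 +87,7 @@ int main(int argc, char *argv[])
+curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
+curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
+(long)CURLPROTO_FTP |
+diff --git a/tests/data/test1402 b/tests/data/test1402
+index 7593c516da1..1bd55cb4e3b 100644
+--- a/tests/data/test1402
++++ b/tests/data/test1402
+@@ -78,6 +78,7 @@ int main(int argc, char *argv[])
+curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+/* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1403 b/tests/data/test1403
+index ecb4dd3dcab..a7c9fcca322 100644
+--- a/tests/data/test1403
++++ b/tests/data/test1403
+@@ -73,6 +73,7 @@ int main(int argc, char *argv[])
+curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+/* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1404 b/tests/data/test1404
+index 97622b63948..1d8e8cf7779 100644
+--- a/tests/data/test1404
++++ b/tests/data/test1404
+@@ -147,6 +147,7 @@ int main(int argc, char *argv[])
+curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+/* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1405 b/tests/data/test1405
+index 2bac79eda74..b4087704f7b 100644
+--- a/tests/data/test1405
++++ b/tests/data/test1405
+@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
+curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
+curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
+curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+/* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1406 b/tests/data/test1406
+index 51a166adff2..38f68d11ee1 100644
+--- a/tests/data/test1406
++++ b/tests/data/test1406
+@@ -79,6 +79,7 @@ int main(int argc, char *argv[])
+curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406");
+curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
+curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
+curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
+diff --git a/tests/data/test1407 b/tests/data/test1407
+index f6879008fb2..a7e13ba7585 100644
+--- a/tests/data/test1407
++++ b/tests/data/test1407
+@@ -62,6 +62,7 @@ int main(int argc, char *argv[])
+curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L);
+curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
+curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+/* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1420 b/tests/data/test1420
+index 057ecc4773a..4b8d7bbf418 100644
+--- a/tests/data/test1420
++++ b/tests/data/test1420
+@@ -67,6 +67,7 @@ int main(int argc, char *argv[])
+curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;MAILINDEX=1");
+curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
+curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+/* Here is a list of options the curl code used that cannot get generated
+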
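Review bot: The patch header at the top of this new file no longer matches what the backport carries: it says "Ten test cases updated" and "14 files changed", but the stat list and the diffs that follow cover 13 files, nine of them tests (test1400 to test1407 and test1420). If a file from the upstream commit was dropped for this curl version, record that next to the `Upstream-Status: Backport [...]` line so a later CVE audit can see the deviation is intentional. The added doc lines `Since curl 7.74.0 this option is enabled by default.` and `1 since 7.74.0, was 0 before then.` will also misstate the default if the recipe's curl is older than 7.74.0, which the page does not show. The fix itself only changes defaults (`set->ftp_skip_ip = TRUE;` in `Curl_init_userdefined()` and `config->ftp_skip_ip = TRUE;` in `config_init()`), so any caller that explicitly sets `CURLOPT_FTP_SKIP_PASV_IP` to `0L` still connects to the address taken from the server's 227 response.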