1 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch
new file mode 100644
index 0000000000..4afd755149
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch
@@ -0,0 +1,86 @@
+Backport of:
+From 1397a7de6e312e019a3b339f855ba0a5cafa9127 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 21 Sep 2020 09:15:51 +0200
+Subject: [PATCH] ftp: separate FTPS from FTP over "HTTPS proxy"
+When using HTTPS proxy, SSL is used but not in the view of the FTP
+protocol handler itself so separate the connection's use of SSL from the
+FTP control connection's sue.
+Reported-by: Mingtao Yang
+Fixes #5523
+Closes #6006
+Upstream-Status: backport from 7.68.0-1ubuntu2.7
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/ftp.c     | 13 ++++++-------
+ lib/urldata.h |  1 +
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 3382772..677527f 100644
+--- a/lib/ftp.c
+++ b/lib/ftp.c
+@@ -2488,7 +2488,7 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+ 
+-  if(conn->ssl[FIRSTSOCKET].use) {
+  if(conn->bits.ftp_use_control_ssl) {
+     /* PBSZ = PROTECTION BUFFER SIZE.
+ 
+     The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says:
+@@ -2633,11 +2633,8 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+       }
+ #endif
+ 
+-      if(data->set.use_ssl &&
+-         (!conn->ssl[FIRSTSOCKET].use ||
+-          (conn->bits.proxy_ssl_connected[FIRSTSOCKET] &&
+-           !conn->proxy_ssl[FIRSTSOCKET].use))) {
+-        /* We don't have a SSL/TLS connection yet, but FTPS is
+      if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl) {
+        /* We don't have a SSL/TLS control connection yet, but FTPS is
+            requested. Try a FTPS connection now */
+ 
+         ftpc->count3 = 0;
+@@ -2682,6 +2679,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+         result = Curl_ssl_connect(conn, FIRSTSOCKET);
+         if(!result) {
+           conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */
+          conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */
+           result = ftp_state_user(conn);
+         }
+       }
+@@ -3072,7 +3070,7 @@ static CURLcode ftp_block_statemach(struct connectdata *conn)
+  *
+  */
+ static CURLcode ftp_connect(struct connectdata *conn,
+-                                 bool *done) /* see description above */
+                            bool *done) /* see description above */
+ {
+   CURLcode result;
+   struct ftp_conn *ftpc = &conn->proto.ftpc;
+@@ -3093,6 +3091,7 @@ static CURLcode ftp_connect(struct connectdata *conn,
+     result = Curl_ssl_connect(conn, FIRSTSOCKET);
+     if(result)
+       return result;
+    conn->bits.ftp_use_control_ssl = TRUE;
+   }
+ 
+   Curl_pp_init(pp); /* init the generic pingpong data */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ff2d686..d1fb4a9 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -461,6 +461,7 @@ struct ConnectBits {
+                          EPRT doesn't work we disable it for the forthcoming
+                          requests */
+   BIT(ftp_use_data_ssl); /* Enabled SSL for the data connection */
+  BIT(ftp_use_control_ssl); /* Enabled SSL for the control connection */
+ #endif
+   BIT(netrc);         /* name+password provided by netrc */
+   BIT(userpwd_in_url); /* name+password found in url */

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch new file mode 100644 index 0000000000..4afd755149 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch
@@ -0,0 +1,86 @@
	1	Backport of:
	2
	3	From 1397a7de6e312e019a3b339f855ba0a5cafa9127 Mon Sep 17 00:00:00 2001
	4	From: Daniel Stenberg <daniel@haxx.se>
	5	Date: Mon, 21 Sep 2020 09:15:51 +0200
	6	Subject: [PATCH] ftp: separate FTPS from FTP over "HTTPS proxy"
	7
	8	When using HTTPS proxy, SSL is used but not in the view of the FTP
	9	protocol handler itself so separate the connection's use of SSL from the
	10	FTP control connection's sue.
	11
	12	Reported-by: Mingtao Yang
	13	Fixes #5523
	14	Closes #6006
	15
	16	Upstream-Status: backport from 7.68.0-1ubuntu2.7
	17	Signed-off-by: Mike Crowe <mac@mcrowe.com>
	18	---
	19	lib/ftp.c \| 13 ++++++-------
	20	lib/urldata.h \| 1 +
	21	2 files changed, 7 insertions(+), 7 deletions(-)
	22
	23	diff --git a/lib/ftp.c b/lib/ftp.c
	24	index 3382772..677527f 100644
	25	--- a/lib/ftp.c
	26	+++ b/lib/ftp.c
	27	@@ -2488,7 +2488,7 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn)
	28	{
	29	CURLcode result = CURLE_OK;
	30
	31	- if(conn->ssl[FIRSTSOCKET].use) {
	32	+ if(conn->bits.ftp_use_control_ssl) {
	33	/* PBSZ = PROTECTION BUFFER SIZE.
	34
	35	The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says:
	36	@@ -2633,11 +2633,8 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
	37	}
	38	#endif
	39
	40	- if(data->set.use_ssl &&
	41	- (!conn->ssl[FIRSTSOCKET].use \|\|
	42	- (conn->bits.proxy_ssl_connected[FIRSTSOCKET] &&
	43	- !conn->proxy_ssl[FIRSTSOCKET].use))) {
	44	- /* We don't have a SSL/TLS connection yet, but FTPS is
	45	+ if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl) {
	46	+ /* We don't have a SSL/TLS control connection yet, but FTPS is
	47	requested. Try a FTPS connection now */
	48
	49	ftpc->count3 = 0;
	50	@@ -2682,6 +2679,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
	51	result = Curl_ssl_connect(conn, FIRSTSOCKET);
	52	if(!result) {
	53	conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */
	54	+ conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */
	55	result = ftp_state_user(conn);
	56	}
	57	}
	58	@@ -3072,7 +3070,7 @@ static CURLcode ftp_block_statemach(struct connectdata *conn)
	59	*
	60	*/
	61	static CURLcode ftp_connect(struct connectdata *conn,
	62	- bool done) / see description above */
	63	+ bool done) / see description above */
	64	{
	65	CURLcode result;
	66	struct ftp_conn *ftpc = &conn->proto.ftpc;
	67	@@ -3093,6 +3091,7 @@ static CURLcode ftp_connect(struct connectdata *conn,
	68	result = Curl_ssl_connect(conn, FIRSTSOCKET);
	69	if(result)
	70	return result;
	71	+ conn->bits.ftp_use_control_ssl = TRUE;
	72	}
	73
	74	Curl_pp_init(pp); /* init the generic pingpong data */
	75	diff --git a/lib/urldata.h b/lib/urldata.h
	76	index ff2d686..d1fb4a9 100644
	77	--- a/lib/urldata.h
	78	+++ b/lib/urldata.h
	79	@@ -461,6 +461,7 @@ struct ConnectBits {
	80	EPRT doesn't work we disable it for the forthcoming
	81	requests */
	82	BIT(ftp_use_data_ssl); /* Enabled SSL for the data connection */
	83	+ BIT(ftp_use_control_ssl); /* Enabled SSL for the control connection */
	84	#endif
	85	BIT(netrc); /* name+password provided by netrc */
	86	BIT(userpwd_in_url); /* name+password found in url */