1 files changed, 328 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946.patch b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
new file mode 100644
index 0000000000..98032d8b78
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
@@ -0,0 +1,328 @@
+Backport of:
+From 96d71feb27e533a8b337512841a537952916262c Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Wed, 8 Sep 2021 11:56:22 +0200
+Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
+In imap and pop3, check if TLS is required even when capabilities
+request has failed.
+In ftp, ignore preauthentication (230 status of server greeting) if TLS
+is required.
+Bug: https://curl.se/docs/CVE-2021-22946.html
+Upstream-Status: backport from 7.68.0-1ubuntu2.7
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+CVE: CVE-2021-22946
+---
+ lib/ftp.c               |  9 ++++---
+ lib/imap.c              | 24 ++++++++----------
+ lib/pop3.c              | 33 +++++++++++-------------
+ tests/data/Makefile.inc |  2 ++
+ tests/data/test984      | 56 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test985      | 54 +++++++++++++++++++++++++++++++++++++++
+ tests/data/test986      | 53 ++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 195 insertions(+), 36 deletions(-)
+ create mode 100644 tests/data/test984
+ create mode 100644 tests/data/test985
+ create mode 100644 tests/data/test986
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 677527f..91b43d8 100644
+--- a/lib/ftp.c
+++ b/lib/ftp.c
+@@ -2606,9 +2606,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+     /* we have now received a full FTP server response */
+     switch(ftpc->state) {
+     case FTP_WAIT220:
+-      if(ftpcode == 230)
+-        /* 230 User logged in - already! */
+-        return ftp_state_user_resp(conn, ftpcode, ftpc->state);
+      if(ftpcode == 230) {
+        /* 230 User logged in - already! Take as 220 if TLS required. */
+        if(data->set.use_ssl <= CURLUSESSL_TRY ||
+           conn->bits.ftp_use_control_ssl)
+          return ftp_state_user_resp(conn, ftpcode, ftpc->state);
+      }
+       else if(ftpcode != 220) {
+         failf(data, "Got a %03d ftp-server response when 220 was expected",
+               ftpcode);
+diff --git a/lib/imap.c b/lib/imap.c
+index 66172bd..9880ce1 100644
+--- a/lib/imap.c
+++ b/lib/imap.c
+@@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn,
+       line += wordlen;
+     }
+   }
+-  else if(imapcode == IMAP_RESP_OK) {
+-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
+-      if(imapc->tls_supported)
+-        /* Switch to TLS connection now */
+-        result = imap_perform_starttls(conn);
+-      else if(data->set.use_ssl == CURLUSESSL_TRY)
+-        /* Fallback and carry on with authentication */
+-        result = imap_perform_authentication(conn);
+-      else {
+-        failf(data, "STARTTLS not supported.");
+-        result = CURLE_USE_SSL_FAILED;
+-      }
+  else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+    /* PREAUTH is not compatible with STARTTLS. */
+    if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
+      /* Switch to TLS connection now */
+      result = imap_perform_starttls(conn);
+     }
+-    else
+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
+       result = imap_perform_authentication(conn);
+    else {
+      failf(data, "STARTTLS not available.");
+      result = CURLE_USE_SSL_FAILED;
+    }
+   }
+   else
+     result = imap_perform_authentication(conn);
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 57c1373..145b2b4 100644
+--- a/lib/pop3.c
+++ b/lib/pop3.c
+@@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code,
+       }
+     }
+   }
+-  else if(pop3code == '+') {
+-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
+-      if(pop3c->tls_supported)
+-        /* Switch to TLS connection now */
+-        result = pop3_perform_starttls(conn);
+-      else if(data->set.use_ssl == CURLUSESSL_TRY)
+-        /* Fallback and carry on with authentication */
+-        result = pop3_perform_authentication(conn);
+-      else {
+-        failf(data, "STLS not supported.");
+-        result = CURLE_USE_SSL_FAILED;
+-      }
+-    }
+-    else
+-      result = pop3_perform_authentication(conn);
+-  }
+   else {
+     /* Clear text is supported when CAPA isn't recognised */
+-    pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
+    if(pop3code != '+')
+      pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
+ 
+-    result = pop3_perform_authentication(conn);
+    if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
+      result = pop3_perform_authentication(conn);
+    else if(pop3code == '+' && pop3c->tls_supported)
+      /* Switch to TLS connection now */
+      result = pop3_perform_starttls(conn);
+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
+      /* Fallback and carry on with authentication */
+      result = pop3_perform_authentication(conn);
+    else {
+      failf(data, "STLS not supported.");
+      result = CURLE_USE_SSL_FAILED;
+    }
+   }
+ 
+   return result;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index f9535a6..0fa6799 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 \
+ \
+test984 test985 test986 \
+\
+ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
+ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
+ test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
+diff --git a/tests/data/test984 b/tests/data/test984
+new file mode 100644
+index 0000000..e573f23
+--- /dev/null
+++ b/tests/data/test984
+@@ -0,0 +1,56 @@
+<testcase>
+<info>
+<keywords>
+IMAP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY CAPABILITY A001 BAD Not implemented
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+imap
+</server>
+ <name>
+IMAP require STARTTLS with failing capabilities
+ </name>
+ <command>
+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
+</command>
+<file name="log/upload%TESTNUMBER">
+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
+From: Fred Foobar <foobar@example.COM>
+Subject: afternoon meeting
+To: joe@example.com
+Message-Id: <B27397-0100000@example.COM>
+MIME-Version: 1.0
+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
+
+Hello Joe, do you think we can meet at 3:30 tomorrow?
+</file>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+A001 CAPABILITY
+</protocol>
+</verify>
+</testcase>
+diff --git a/tests/data/test985 b/tests/data/test985
+new file mode 100644
+index 0000000..d0db4aa
+--- /dev/null
+++ b/tests/data/test985
+@@ -0,0 +1,54 @@
+<testcase>
+<info>
+<keywords>
+POP3
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY CAPA -ERR Not implemented
+</servercmd>
+<data nocheck="yes">
+From: me@somewhere
+To: fake@nowhere
+
+body
+
+--
+  yours sincerely
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+pop3
+</server>
+ <name>
+POP3 require STARTTLS with failing capabilities
+ </name>
+ <command>
+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
+ </command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+CAPA
+</protocol>
+</verify>
+</testcase>
+diff --git a/tests/data/test986 b/tests/data/test986
+new file mode 100644
+index 0000000..a709437
+--- /dev/null
+++ b/tests/data/test986
+@@ -0,0 +1,53 @@
+<testcase>
+<info>
+<keywords>
+FTP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY welcome 230 Welcome
+REPLY AUTH 500 unknown command
+</servercmd>
+</reply>
+
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+ftp
+</server>
+ <name>
+FTP require STARTTLS while preauthenticated
+ </name>
+<file name="log/test%TESTNUMBER.txt">
+data
+    to
+      see
+that FTPS
+works
+  so does it?
+</file>
+ <command>
+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+AUTH SSL
+AUTH TLS
+</protocol>
+</verify>
+</testcase>

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946.patch b/meta/recipes-support/curl/curl/CVE-2021-22946.patch new file mode 100644 index 0000000000..98032d8b78 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
@@ -0,0 +1,328 @@
	1	Backport of:
	2
	3	From 96d71feb27e533a8b337512841a537952916262c Mon Sep 17 00:00:00 2001
	4	From: Patrick Monnerat <patrick@monnerat.net>
	5	Date: Wed, 8 Sep 2021 11:56:22 +0200
	6	Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
	7
	8	In imap and pop3, check if TLS is required even when capabilities
	9	request has failed.
	10
	11	In ftp, ignore preauthentication (230 status of server greeting) if TLS
	12	is required.
	13
	14	Bug: https://curl.se/docs/CVE-2021-22946.html
	15	Upstream-Status: backport from 7.68.0-1ubuntu2.7
	16	Signed-off-by: Mike Crowe <mac@mcrowe.com>
	17	CVE: CVE-2021-22946
	18	---
	19	lib/ftp.c \| 9 ++++---
	20	lib/imap.c \| 24 ++++++++----------
	21	lib/pop3.c \| 33 +++++++++++-------------
	22	tests/data/Makefile.inc \| 2 ++
	23	tests/data/test984 \| 56 +++++++++++++++++++++++++++++++++++++++++
	24	tests/data/test985 \| 54 +++++++++++++++++++++++++++++++++++++++
	25	tests/data/test986 \| 53 ++++++++++++++++++++++++++++++++++++++
	26	7 files changed, 195 insertions(+), 36 deletions(-)
	27	create mode 100644 tests/data/test984
	28	create mode 100644 tests/data/test985
	29	create mode 100644 tests/data/test986
	30
	31	diff --git a/lib/ftp.c b/lib/ftp.c
	32	index 677527f..91b43d8 100644
	33	--- a/lib/ftp.c
	34	+++ b/lib/ftp.c
	35	@@ -2606,9 +2606,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
	36	/* we have now received a full FTP server response */
	37	switch(ftpc->state) {
	38	case FTP_WAIT220:
	39	- if(ftpcode == 230)
	40	- /* 230 User logged in - already! */
	41	- return ftp_state_user_resp(conn, ftpcode, ftpc->state);
	42	+ if(ftpcode == 230) {
	43	+ /* 230 User logged in - already! Take as 220 if TLS required. */
	44	+ if(data->set.use_ssl <= CURLUSESSL_TRY \|\|
	45	+ conn->bits.ftp_use_control_ssl)
	46	+ return ftp_state_user_resp(conn, ftpcode, ftpc->state);
	47	+ }
	48	else if(ftpcode != 220) {
	49	failf(data, "Got a %03d ftp-server response when 220 was expected",
	50	ftpcode);
	51	diff --git a/lib/imap.c b/lib/imap.c
	52	index 66172bd..9880ce1 100644
	53	--- a/lib/imap.c
	54	+++ b/lib/imap.c
	55	@@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn,
	56	line += wordlen;
	57	}
	58	}
	59	- else if(imapcode == IMAP_RESP_OK) {
	60	- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
	61	- /* We don't have a SSL/TLS connection yet, but SSL is requested */
	62	- if(imapc->tls_supported)
	63	- /* Switch to TLS connection now */
	64	- result = imap_perform_starttls(conn);
	65	- else if(data->set.use_ssl == CURLUSESSL_TRY)
	66	- /* Fallback and carry on with authentication */
	67	- result = imap_perform_authentication(conn);
	68	- else {
	69	- failf(data, "STARTTLS not supported.");
	70	- result = CURLE_USE_SSL_FAILED;
	71	- }
	72	+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
	73	+ /* PREAUTH is not compatible with STARTTLS. */
	74	+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
	75	+ /* Switch to TLS connection now */
	76	+ result = imap_perform_starttls(conn);
	77	}
	78	- else
	79	+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
	80	result = imap_perform_authentication(conn);
	81	+ else {
	82	+ failf(data, "STARTTLS not available.");
	83	+ result = CURLE_USE_SSL_FAILED;
	84	+ }
	85	}
	86	else
	87	result = imap_perform_authentication(conn);
	88	diff --git a/lib/pop3.c b/lib/pop3.c
	89	index 57c1373..145b2b4 100644
	90	--- a/lib/pop3.c
	91	+++ b/lib/pop3.c
	92	@@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code,
	93	}
	94	}
	95	}
	96	- else if(pop3code == '+') {
	97	- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
	98	- /* We don't have a SSL/TLS connection yet, but SSL is requested */
	99	- if(pop3c->tls_supported)
	100	- /* Switch to TLS connection now */
	101	- result = pop3_perform_starttls(conn);
	102	- else if(data->set.use_ssl == CURLUSESSL_TRY)
	103	- /* Fallback and carry on with authentication */
	104	- result = pop3_perform_authentication(conn);
	105	- else {
	106	- failf(data, "STLS not supported.");
	107	- result = CURLE_USE_SSL_FAILED;
	108	- }
	109	- }
	110	- else
	111	- result = pop3_perform_authentication(conn);
	112	- }
	113	else {
	114	/* Clear text is supported when CAPA isn't recognised */
	115	- pop3c->authtypes \|= POP3_TYPE_CLEARTEXT;
	116	+ if(pop3code != '+')
	117	+ pop3c->authtypes \|= POP3_TYPE_CLEARTEXT;
	118
	119	- result = pop3_perform_authentication(conn);
	120	+ if(!data->set.use_ssl \|\| conn->ssl[FIRSTSOCKET].use)
	121	+ result = pop3_perform_authentication(conn);
	122	+ else if(pop3code == '+' && pop3c->tls_supported)
	123	+ /* Switch to TLS connection now */
	124	+ result = pop3_perform_starttls(conn);
	125	+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
	126	+ /* Fallback and carry on with authentication */
	127	+ result = pop3_perform_authentication(conn);
	128	+ else {
	129	+ failf(data, "STLS not supported.");
	130	+ result = CURLE_USE_SSL_FAILED;
	131	+ }
	132	}
	133
	134	return result;
	135	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
	136	index f9535a6..0fa6799 100644
	137	--- a/tests/data/Makefile.inc
	138	+++ b/tests/data/Makefile.inc
	139	@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
	140	test954 test955 test956 test957 test958 test959 test960 test961 test962 \
	141	test963 test964 test965 test966 test967 test968 test969 \
	142	\
	143	+test984 test985 test986 \
	144	+\
	145	test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
	146	test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
	147	test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
	148	diff --git a/tests/data/test984 b/tests/data/test984
	149	new file mode 100644
	150	index 0000000..e573f23
	151	--- /dev/null
	152	+++ b/tests/data/test984
	153	@@ -0,0 +1,56 @@
	154	+<testcase>
	155	+<info>
	156	+<keywords>
	157	+IMAP
	158	+STARTTLS
	159	+</keywords>
	160	+</info>
	161	+
	162	+#
	163	+# Server-side
	164	+<reply>
	165	+<servercmd>
	166	+REPLY CAPABILITY A001 BAD Not implemented
	167	+</servercmd>
	168	+</reply>
	169	+
	170	+#
	171	+# Client-side
	172	+<client>
	173	+<features>
	174	+SSL
	175	+</features>
	176	+<server>
	177	+imap
	178	+</server>
	179	+ <name>
	180	+IMAP require STARTTLS with failing capabilities
	181	+ </name>
	182	+ <command>
	183	+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
	184	+</command>
	185	+<file name="log/upload%TESTNUMBER">
	186	+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
	187	+From: Fred Foobar <foobar@example.COM>
	188	+Subject: afternoon meeting
	189	+To: joe@example.com
	190	+Message-Id: <B27397-0100000@example.COM>
	191	+MIME-Version: 1.0
	192	+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
	193	+
	194	+Hello Joe, do you think we can meet at 3:30 tomorrow?
	195	+</file>
	196	+</client>
	197	+
	198	+#
	199	+# Verify data after the test has been "shot"
	200	+<verify>
	201	+# 64 is CURLE_USE_SSL_FAILED
	202	+<errorcode>
	203	+64
	204	+</errorcode>
	205	+<protocol>
	206	+A001 CAPABILITY
	207	+</protocol>
	208	+</verify>
	209	+</testcase>
	210	diff --git a/tests/data/test985 b/tests/data/test985
	211	new file mode 100644
	212	index 0000000..d0db4aa
	213	--- /dev/null
	214	+++ b/tests/data/test985
	215	@@ -0,0 +1,54 @@
	216	+<testcase>
	217	+<info>
	218	+<keywords>
	219	+POP3
	220	+STARTTLS
	221	+</keywords>
	222	+</info>
	223	+
	224	+#
	225	+# Server-side
	226	+<reply>
	227	+<servercmd>
	228	+REPLY CAPA -ERR Not implemented
	229	+</servercmd>
	230	+<data nocheck="yes">
	231	+From: me@somewhere
	232	+To: fake@nowhere
	233	+
	234	+body
	235	+
	236	+--
	237	+ yours sincerely
	238	+</data>
	239	+</reply>
	240	+
	241	+#
	242	+# Client-side
	243	+<client>
	244	+<features>
	245	+SSL
	246	+</features>
	247	+<server>
	248	+pop3
	249	+</server>
	250	+ <name>
	251	+POP3 require STARTTLS with failing capabilities
	252	+ </name>
	253	+ <command>
	254	+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
	255	+ </command>
	256	+</client>
	257	+
	258	+#
	259	+# Verify data after the test has been "shot"
	260	+<verify>
	261	+# 64 is CURLE_USE_SSL_FAILED
	262	+<errorcode>
	263	+64
	264	+</errorcode>
	265	+<protocol>
	266	+CAPA
	267	+</protocol>
	268	+</verify>
	269	+</testcase>
	270	diff --git a/tests/data/test986 b/tests/data/test986
	271	new file mode 100644
	272	index 0000000..a709437
	273	--- /dev/null
	274	+++ b/tests/data/test986
	275	@@ -0,0 +1,53 @@
	276	+<testcase>
	277	+<info>
	278	+<keywords>
	279	+FTP
	280	+STARTTLS
	281	+</keywords>
	282	+</info>
	283	+
	284	+#
	285	+# Server-side
	286	+<reply>
	287	+<servercmd>
	288	+REPLY welcome 230 Welcome
	289	+REPLY AUTH 500 unknown command
	290	+</servercmd>
	291	+</reply>
	292	+
	293	+# Client-side
	294	+<client>
	295	+<features>
	296	+SSL
	297	+</features>
	298	+<server>
	299	+ftp
	300	+</server>
	301	+ <name>
	302	+FTP require STARTTLS while preauthenticated
	303	+ </name>
	304	+<file name="log/test%TESTNUMBER.txt">
	305	+data
	306	+ to
	307	+ see
	308	+that FTPS
	309	+works
	310	+ so does it?
	311	+</file>
	312	+ <command>
	313	+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
	314	+</command>
	315	+</client>
	316	+
	317	+# Verify data after the test has been "shot"
	318	+<verify>
	319	+# 64 is CURLE_USE_SSL_FAILED
	320	+<errorcode>
	321	+64
	322	+</errorcode>
	323	+<protocol>
	324	+AUTH SSL
	325	+AUTH TLS
	326	+</protocol>
	327	+</verify>
	328	+</testcase>