1 files changed, 333 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946.patch b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
new file mode 100644
index 0000000000..1cb95f0ea7
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
@@ -0,0 +1,333 @@
+From 7c6e072216001fb1280d1868adfdcb54e3372ce7 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Wed, 8 Sep 2021 11:56:22 +0200
+Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
+In imap and pop3, check if TLS is required even when capabilities
+request has failed.
+In ftp, ignore preauthentication (230 status of server greeting) if TLS
+is required.
+Bug: https://curl.se/docs/CVE-2021-22946.html
+CVE-2021-22946
+Upstream-Status: Backport [https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/ftp.c               |  9 ++++---
+ lib/imap.c              | 24 ++++++++----------
+ lib/pop3.c              | 33 +++++++++++-------------
+ tests/data/Makefile.inc |  2 ++
+ tests/data/test984      | 56 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test985      | 54 +++++++++++++++++++++++++++++++++++++++
+ tests/data/test986      | 53 ++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 195 insertions(+), 36 deletions(-)
+ create mode 100644 tests/data/test984
+ create mode 100644 tests/data/test985
+ create mode 100644 tests/data/test986
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 3818a9e..8b3fe1d 100644
+--- a/lib/ftp.c
+++ b/lib/ftp.c
+@@ -2665,9 +2665,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
+     /* we have now received a full FTP server response */
+     switch(ftpc->state) {
+     case FTP_WAIT220:
+-      if(ftpcode == 230)
+-        /* 230 User logged in - already! */
+-        return ftp_state_user_resp(data, ftpcode, ftpc->state);
+      if(ftpcode == 230) {
+        /* 230 User logged in - already! Take as 220 if TLS required. */
+        if(data->set.use_ssl <= CURLUSESSL_TRY ||
+           conn->bits.ftp_use_control_ssl)
+          return ftp_state_user_resp(data, ftpcode, ftpc->state);
+      }
+       else if(ftpcode != 220) {
+         failf(data, "Got a %03d ftp-server response when 220 was expected",
+               ftpcode);
+diff --git a/lib/imap.c b/lib/imap.c
+index 2d80699..b056208 100644
+--- a/lib/imap.c
+++ b/lib/imap.c
+@@ -933,22 +933,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
+       line += wordlen;
+     }
+   }
+-  else if(imapcode == IMAP_RESP_OK) {
+-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
+-      if(imapc->tls_supported)
+-        /* Switch to TLS connection now */
+-        result = imap_perform_starttls(data, conn);
+-      else if(data->set.use_ssl == CURLUSESSL_TRY)
+-        /* Fallback and carry on with authentication */
+-        result = imap_perform_authentication(data, conn);
+-      else {
+-        failf(data, "STARTTLS not supported.");
+-        result = CURLE_USE_SSL_FAILED;
+-      }
+  else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+    /* PREAUTH is not compatible with STARTTLS. */
+    if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
+      /* Switch to TLS connection now */
+      result = imap_perform_starttls(data, conn);
+     }
+-    else
+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
+       result = imap_perform_authentication(data, conn);
+    else {
+      failf(data, "STARTTLS not available.");
+      result = CURLE_USE_SSL_FAILED;
+    }
+   }
+   else
+     result = imap_perform_authentication(data, conn);
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 0ed3d3e..018fda1 100644
+--- a/lib/pop3.c
+++ b/lib/pop3.c
+@@ -738,28 +738,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code,
+       }
+     }
+   }
+-  else if(pop3code == '+') {
+-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
+-      if(pop3c->tls_supported)
+-        /* Switch to TLS connection now */
+-        result = pop3_perform_starttls(data, conn);
+-      else if(data->set.use_ssl == CURLUSESSL_TRY)
+-        /* Fallback and carry on with authentication */
+-        result = pop3_perform_authentication(data, conn);
+-      else {
+-        failf(data, "STLS not supported.");
+-        result = CURLE_USE_SSL_FAILED;
+-      }
+-    }
+-    else
+-      result = pop3_perform_authentication(data, conn);
+-  }
+   else {
+     /* Clear text is supported when CAPA isn't recognised */
+-    pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
+    if(pop3code != '+')
+      pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
+ 
+-    result = pop3_perform_authentication(data, conn);
+    if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
+      result = pop3_perform_authentication(data, conn);
+    else if(pop3code == '+' && pop3c->tls_supported)
+      /* Switch to TLS connection now */
+      result = pop3_perform_starttls(data, conn);
+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
+      /* Fallback and carry on with authentication */
+      result = pop3_perform_authentication(data, conn);
+    else {
+      failf(data, "STLS not supported.");
+      result = CURLE_USE_SSL_FAILED;
+    }
+   }
+ 
+   return result;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index e08cfc7..e6e2551 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -115,6 +115,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 test970 test971 \
+ \
+test984 test985 test986 \
+\
+ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
+ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
+ test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
+diff --git a/tests/data/test984 b/tests/data/test984
+new file mode 100644
+index 0000000..e573f23
+--- /dev/null
+++ b/tests/data/test984
+@@ -0,0 +1,56 @@
+<testcase>
+<info>
+<keywords>
+IMAP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY CAPABILITY A001 BAD Not implemented
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+imap
+</server>
+ <name>
+IMAP require STARTTLS with failing capabilities
+ </name>
+ <command>
+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
+</command>
+<file name="log/upload%TESTNUMBER">
+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
+From: Fred Foobar <foobar@example.COM>
+Subject: afternoon meeting
+To: joe@example.com
+Message-Id: <B27397-0100000@example.COM>
+MIME-Version: 1.0
+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
+
+Hello Joe, do you think we can meet at 3:30 tomorrow?
+</file>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+A001 CAPABILITY
+</protocol>
+</verify>
+</testcase>
+diff --git a/tests/data/test985 b/tests/data/test985
+new file mode 100644
+index 0000000..d0db4aa
+--- /dev/null
+++ b/tests/data/test985
+@@ -0,0 +1,54 @@
+<testcase>
+<info>
+<keywords>
+POP3
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY CAPA -ERR Not implemented
+</servercmd>
+<data nocheck="yes">
+From: me@somewhere
+To: fake@nowhere
+
+body
+
+--
+  yours sincerely
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+pop3
+</server>
+ <name>
+POP3 require STARTTLS with failing capabilities
+ </name>
+ <command>
+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
+ </command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+CAPA
+</protocol>
+</verify>
+</testcase>
+diff --git a/tests/data/test986 b/tests/data/test986
+new file mode 100644
+index 0000000..a709437
+--- /dev/null
+++ b/tests/data/test986
+@@ -0,0 +1,53 @@
+<testcase>
+<info>
+<keywords>
+FTP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY welcome 230 Welcome
+REPLY AUTH 500 unknown command
+</servercmd>
+</reply>
+
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+ftp
+</server>
+ <name>
+FTP require STARTTLS while preauthenticated
+ </name>
+<file name="log/test%TESTNUMBER.txt">
+data
+    to
+      see
+that FTPS
+works
+  so does it?
+</file>
+ <command>
+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+AUTH SSL
+AUTH TLS
+</protocol>
+</verify>
+</testcase>
+-- 
+2.34.1

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946.patch b/meta/recipes-support/curl/curl/CVE-2021-22946.patch new file mode 100644 index 0000000000..1cb95f0ea7 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
@@ -0,0 +1,333 @@
	1	From 7c6e072216001fb1280d1868adfdcb54e3372ce7 Mon Sep 17 00:00:00 2001
	2	From: Patrick Monnerat <patrick@monnerat.net>
	3	Date: Wed, 8 Sep 2021 11:56:22 +0200
	4	Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
	5
	6	In imap and pop3, check if TLS is required even when capabilities
	7	request has failed.
	8
	9	In ftp, ignore preauthentication (230 status of server greeting) if TLS
	10	is required.
	11
	12	Bug: https://curl.se/docs/CVE-2021-22946.html
	13
	14	CVE-2021-22946
	15
	16	Upstream-Status: Backport [https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca]
	17
	18	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
	19
	20	---
	21	lib/ftp.c \| 9 ++++---
	22	lib/imap.c \| 24 ++++++++----------
	23	lib/pop3.c \| 33 +++++++++++-------------
	24	tests/data/Makefile.inc \| 2 ++
	25	tests/data/test984 \| 56 +++++++++++++++++++++++++++++++++++++++++
	26	tests/data/test985 \| 54 +++++++++++++++++++++++++++++++++++++++
	27	tests/data/test986 \| 53 ++++++++++++++++++++++++++++++++++++++
	28	7 files changed, 195 insertions(+), 36 deletions(-)
	29	create mode 100644 tests/data/test984
	30	create mode 100644 tests/data/test985
	31	create mode 100644 tests/data/test986
	32
	33	diff --git a/lib/ftp.c b/lib/ftp.c
	34	index 3818a9e..8b3fe1d 100644
	35	--- a/lib/ftp.c
	36	+++ b/lib/ftp.c
	37	@@ -2665,9 +2665,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
	38	/* we have now received a full FTP server response */
	39	switch(ftpc->state) {
	40	case FTP_WAIT220:
	41	- if(ftpcode == 230)
	42	- /* 230 User logged in - already! */
	43	- return ftp_state_user_resp(data, ftpcode, ftpc->state);
	44	+ if(ftpcode == 230) {
	45	+ /* 230 User logged in - already! Take as 220 if TLS required. */
	46	+ if(data->set.use_ssl <= CURLUSESSL_TRY \|\|
	47	+ conn->bits.ftp_use_control_ssl)
	48	+ return ftp_state_user_resp(data, ftpcode, ftpc->state);
	49	+ }
	50	else if(ftpcode != 220) {
	51	failf(data, "Got a %03d ftp-server response when 220 was expected",
	52	ftpcode);
	53	diff --git a/lib/imap.c b/lib/imap.c
	54	index 2d80699..b056208 100644
	55	--- a/lib/imap.c
	56	+++ b/lib/imap.c
	57	@@ -933,22 +933,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
	58	line += wordlen;
	59	}
	60	}
	61	- else if(imapcode == IMAP_RESP_OK) {
	62	- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
	63	- /* We don't have a SSL/TLS connection yet, but SSL is requested */
	64	- if(imapc->tls_supported)
	65	- /* Switch to TLS connection now */
	66	- result = imap_perform_starttls(data, conn);
	67	- else if(data->set.use_ssl == CURLUSESSL_TRY)
	68	- /* Fallback and carry on with authentication */
	69	- result = imap_perform_authentication(data, conn);
	70	- else {
	71	- failf(data, "STARTTLS not supported.");
	72	- result = CURLE_USE_SSL_FAILED;
	73	- }
	74	+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
	75	+ /* PREAUTH is not compatible with STARTTLS. */
	76	+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
	77	+ /* Switch to TLS connection now */
	78	+ result = imap_perform_starttls(data, conn);
	79	}
	80	- else
	81	+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
	82	result = imap_perform_authentication(data, conn);
	83	+ else {
	84	+ failf(data, "STARTTLS not available.");
	85	+ result = CURLE_USE_SSL_FAILED;
	86	+ }
	87	}
	88	else
	89	result = imap_perform_authentication(data, conn);
	90	diff --git a/lib/pop3.c b/lib/pop3.c
	91	index 0ed3d3e..018fda1 100644
	92	--- a/lib/pop3.c
	93	+++ b/lib/pop3.c
	94	@@ -738,28 +738,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code,
	95	}
	96	}
	97	}
	98	- else if(pop3code == '+') {
	99	- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
	100	- /* We don't have a SSL/TLS connection yet, but SSL is requested */
	101	- if(pop3c->tls_supported)
	102	- /* Switch to TLS connection now */
	103	- result = pop3_perform_starttls(data, conn);
	104	- else if(data->set.use_ssl == CURLUSESSL_TRY)
	105	- /* Fallback and carry on with authentication */
	106	- result = pop3_perform_authentication(data, conn);
	107	- else {
	108	- failf(data, "STLS not supported.");
	109	- result = CURLE_USE_SSL_FAILED;
	110	- }
	111	- }
	112	- else
	113	- result = pop3_perform_authentication(data, conn);
	114	- }
	115	else {
	116	/* Clear text is supported when CAPA isn't recognised */
	117	- pop3c->authtypes \|= POP3_TYPE_CLEARTEXT;
	118	+ if(pop3code != '+')
	119	+ pop3c->authtypes \|= POP3_TYPE_CLEARTEXT;
	120
	121	- result = pop3_perform_authentication(data, conn);
	122	+ if(!data->set.use_ssl \|\| conn->ssl[FIRSTSOCKET].use)
	123	+ result = pop3_perform_authentication(data, conn);
	124	+ else if(pop3code == '+' && pop3c->tls_supported)
	125	+ /* Switch to TLS connection now */
	126	+ result = pop3_perform_starttls(data, conn);
	127	+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
	128	+ /* Fallback and carry on with authentication */
	129	+ result = pop3_perform_authentication(data, conn);
	130	+ else {
	131	+ failf(data, "STLS not supported.");
	132	+ result = CURLE_USE_SSL_FAILED;
	133	+ }
	134	}
	135
	136	return result;
	137	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
	138	index e08cfc7..e6e2551 100644
	139	--- a/tests/data/Makefile.inc
	140	+++ b/tests/data/Makefile.inc
	141	@@ -115,6 +115,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
	142	test954 test955 test956 test957 test958 test959 test960 test961 test962 \
	143	test963 test964 test965 test966 test967 test968 test969 test970 test971 \
	144	\
	145	+test984 test985 test986 \
	146	+\
	147	test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
	148	test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
	149	test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
	150	diff --git a/tests/data/test984 b/tests/data/test984
	151	new file mode 100644
	152	index 0000000..e573f23
	153	--- /dev/null
	154	+++ b/tests/data/test984
	155	@@ -0,0 +1,56 @@
	156	+<testcase>
	157	+<info>
	158	+<keywords>
	159	+IMAP
	160	+STARTTLS
	161	+</keywords>
	162	+</info>
	163	+
	164	+#
	165	+# Server-side
	166	+<reply>
	167	+<servercmd>
	168	+REPLY CAPABILITY A001 BAD Not implemented
	169	+</servercmd>
	170	+</reply>
	171	+
	172	+#
	173	+# Client-side
	174	+<client>
	175	+<features>
	176	+SSL
	177	+</features>
	178	+<server>
	179	+imap
	180	+</server>
	181	+ <name>
	182	+IMAP require STARTTLS with failing capabilities
	183	+ </name>
	184	+ <command>
	185	+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
	186	+</command>
	187	+<file name="log/upload%TESTNUMBER">
	188	+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
	189	+From: Fred Foobar <foobar@example.COM>
	190	+Subject: afternoon meeting
	191	+To: joe@example.com
	192	+Message-Id: <B27397-0100000@example.COM>
	193	+MIME-Version: 1.0
	194	+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
	195	+
	196	+Hello Joe, do you think we can meet at 3:30 tomorrow?
	197	+</file>
	198	+</client>
	199	+
	200	+#
	201	+# Verify data after the test has been "shot"
	202	+<verify>
	203	+# 64 is CURLE_USE_SSL_FAILED
	204	+<errorcode>
	205	+64
	206	+</errorcode>
	207	+<protocol>
	208	+A001 CAPABILITY
	209	+</protocol>
	210	+</verify>
	211	+</testcase>
	212	diff --git a/tests/data/test985 b/tests/data/test985
	213	new file mode 100644
	214	index 0000000..d0db4aa
	215	--- /dev/null
	216	+++ b/tests/data/test985
	217	@@ -0,0 +1,54 @@
	218	+<testcase>
	219	+<info>
	220	+<keywords>
	221	+POP3
	222	+STARTTLS
	223	+</keywords>
	224	+</info>
	225	+
	226	+#
	227	+# Server-side
	228	+<reply>
	229	+<servercmd>
	230	+REPLY CAPA -ERR Not implemented
	231	+</servercmd>
	232	+<data nocheck="yes">
	233	+From: me@somewhere
	234	+To: fake@nowhere
	235	+
	236	+body
	237	+
	238	+--
	239	+ yours sincerely
	240	+</data>
	241	+</reply>
	242	+
	243	+#
	244	+# Client-side
	245	+<client>
	246	+<features>
	247	+SSL
	248	+</features>
	249	+<server>
	250	+pop3
	251	+</server>
	252	+ <name>
	253	+POP3 require STARTTLS with failing capabilities
	254	+ </name>
	255	+ <command>
	256	+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
	257	+ </command>
	258	+</client>
	259	+
	260	+#
	261	+# Verify data after the test has been "shot"
	262	+<verify>
	263	+# 64 is CURLE_USE_SSL_FAILED
	264	+<errorcode>
	265	+64
	266	+</errorcode>
	267	+<protocol>
	268	+CAPA
	269	+</protocol>
	270	+</verify>
	271	+</testcase>
	272	diff --git a/tests/data/test986 b/tests/data/test986
	273	new file mode 100644
	274	index 0000000..a709437
	275	--- /dev/null
	276	+++ b/tests/data/test986
	277	@@ -0,0 +1,53 @@
	278	+<testcase>
	279	+<info>
	280	+<keywords>
	281	+FTP
	282	+STARTTLS
	283	+</keywords>
	284	+</info>
	285	+
	286	+#
	287	+# Server-side
	288	+<reply>
	289	+<servercmd>
	290	+REPLY welcome 230 Welcome
	291	+REPLY AUTH 500 unknown command
	292	+</servercmd>
	293	+</reply>
	294	+
	295	+# Client-side
	296	+<client>
	297	+<features>
	298	+SSL
	299	+</features>
	300	+<server>
	301	+ftp
	302	+</server>
	303	+ <name>
	304	+FTP require STARTTLS while preauthenticated
	305	+ </name>
	306	+<file name="log/test%TESTNUMBER.txt">
	307	+data
	308	+ to
	309	+ see
	310	+that FTPS
	311	+works
	312	+ so does it?
	313	+</file>
	314	+ <command>
	315	+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
	316	+</command>
	317	+</client>
	318	+
	319	+# Verify data after the test has been "shot"
	320	+<verify>
	321	+# 64 is CURLE_USE_SSL_FAILED
	322	+<errorcode>
	323	+64
	324	+</errorcode>
	325	+<protocol>
	326	+AUTH SSL
	327	+AUTH TLS
	328	+</protocol>
	329	+</verify>
	330	+</testcase>
	331	--
	332	2.34.1
	333