diff options
Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2022-22576.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-22576.patch | 148 |
1 files changed, 148 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-22576.patch b/meta/recipes-support/curl/curl/CVE-2022-22576.patch new file mode 100644 index 0000000000..13479e7f0e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-22576.patch | |||
@@ -0,0 +1,148 @@ | |||
1 | From 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 Mon Sep 17 00:00:00 2001 | ||
2 | From: Patrick Monnerat <patrick@monnerat.net> | ||
3 | Date: Mon, 25 Apr 2022 11:44:05 +0200 | ||
4 | Subject: [PATCH] url: check sasl additional parameters for connection reuse. | ||
5 | |||
6 | Also move static function safecmp() as non-static Curl_safecmp() since | ||
7 | its purpose is needed at several places. | ||
8 | |||
9 | Bug: https://curl.se/docs/CVE-2022-22576.html | ||
10 | |||
11 | CVE-2022-22576 | ||
12 | |||
13 | Closes #8746 | ||
14 | --- | ||
15 | lib/strcase.c | 10 ++++++++++ | ||
16 | lib/strcase.h | 2 ++ | ||
17 | lib/url.c | 13 ++++++++++++- | ||
18 | lib/urldata.h | 1 + | ||
19 | lib/vtls/vtls.c | 21 ++++++--------------- | ||
20 | 5 files changed, 31 insertions(+), 16 deletions(-) | ||
21 | |||
22 | CVE: CVE-2022-22576 | ||
23 | Upstream-Status: Backport [https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425.patch] | ||
24 | Comment: Refreshed patch | ||
25 | Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com> | ||
26 | |||
27 | diff --git a/lib/strcase.c b/lib/strcase.c | ||
28 | index dd46ca1ba0e5..692a3f14aee7 100644 | ||
29 | --- a/lib/strcase.c | ||
30 | +++ b/lib/strcase.c | ||
31 | @@ -251,6 +251,16 @@ | ||
32 | } while(*src++ && --n); | ||
33 | } | ||
34 | |||
35 | +/* Compare case-sensitive NUL-terminated strings, taking care of possible | ||
36 | + * null pointers. Return true if arguments match. | ||
37 | + */ | ||
38 | +bool Curl_safecmp(char *a, char *b) | ||
39 | +{ | ||
40 | + if(a && b) | ||
41 | + return !strcmp(a, b); | ||
42 | + return !a && !b; | ||
43 | +} | ||
44 | + | ||
45 | /* --- public functions --- */ | ||
46 | |||
47 | int curl_strequal(const char *first, const char *second) | ||
48 | diff --git a/lib/strcase.h b/lib/strcase.h | ||
49 | index b234d3815220..2635f5117e99 100644 | ||
50 | --- a/lib/strcase.h | ||
51 | +++ b/lib/strcase.h | ||
52 | @@ -48,4 +48,6 @@ | ||
53 | void Curl_strntoupper(char *dest, const char *src, size_t n); | ||
54 | void Curl_strntolower(char *dest, const char *src, size_t n); | ||
55 | |||
56 | +bool Curl_safecmp(char *a, char *b); | ||
57 | + | ||
58 | #endif /* HEADER_CURL_STRCASE_H */ | ||
59 | diff --git a/lib/url.c b/lib/url.c | ||
60 | index 9a988b4d58d8..e1647b133854 100644 | ||
61 | --- a/lib/url.c | ||
62 | +++ b/lib/url.c | ||
63 | @@ -730,6 +730,7 @@ | ||
64 | Curl_safefree(conn->allocptr.host); | ||
65 | Curl_safefree(conn->allocptr.cookiehost); | ||
66 | Curl_safefree(conn->allocptr.rtsp_transport); | ||
67 | + Curl_safefree(conn->oauth_bearer); | ||
68 | Curl_safefree(conn->trailer); | ||
69 | Curl_safefree(conn->host.rawalloc); /* host name buffer */ | ||
70 | Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ | ||
71 | @@ -1251,7 +1252,9 @@ | ||
72 | /* This protocol requires credentials per connection, | ||
73 | so verify that we're using the same name and password as well */ | ||
74 | if(strcmp(needle->user, check->user) || | ||
75 | - strcmp(needle->passwd, check->passwd)) { | ||
76 | + strcmp(needle->passwd, check->passwd) || | ||
77 | + !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || | ||
78 | + !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { | ||
79 | /* one of them was different */ | ||
80 | continue; | ||
81 | } | ||
82 | @@ -3392,6 +3395,14 @@ | ||
83 | result = CURLE_OUT_OF_MEMORY; | ||
84 | goto out; | ||
85 | } | ||
86 | + } | ||
87 | + | ||
88 | + if(data->set.str[STRING_BEARER]) { | ||
89 | + conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); | ||
90 | + if(!conn->oauth_bearer) { | ||
91 | + result = CURLE_OUT_OF_MEMORY; | ||
92 | + goto out; | ||
93 | + } | ||
94 | } | ||
95 | |||
96 | #ifdef USE_UNIX_SOCKETS | ||
97 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
98 | index 07eb19b87034..1d89b8d7fa68 100644 | ||
99 | --- a/lib/urldata.h | ||
100 | +++ b/lib/urldata.h | ||
101 | @@ -949,6 +949,8 @@ | ||
102 | |||
103 | char *sasl_authzid; /* authorisation identity string, allocated */ | ||
104 | |||
105 | + char *oauth_bearer; /* OAUTH2 bearer, allocated */ | ||
106 | + | ||
107 | int httpversion; /* the HTTP version*10 reported by the server */ | ||
108 | int rtspversion; /* the RTSP version*10 reported by the server */ | ||
109 | |||
110 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
111 | index 03b85ba065e5..a40ac06f684f 100644 | ||
112 | --- a/lib/vtls/vtls.c | ||
113 | +++ b/lib/vtls/vtls.c | ||
114 | @@ -82,15 +82,6 @@ | ||
115 | else \ | ||
116 | dest->var = NULL; | ||
117 | |||
118 | -static bool safecmp(char *a, char *b) | ||
119 | -{ | ||
120 | - if(a && b) | ||
121 | - return !strcmp(a, b); | ||
122 | - else if(!a && !b) | ||
123 | - return TRUE; /* match */ | ||
124 | - return FALSE; /* no match */ | ||
125 | -} | ||
126 | - | ||
127 | |||
128 | bool | ||
129 | Curl_ssl_config_matches(struct ssl_primary_config* data, | ||
130 | @@ -101,12 +101,12 @@ | ||
131 | (data->verifypeer == needle->verifypeer) && | ||
132 | (data->verifyhost == needle->verifyhost) && | ||
133 | (data->verifystatus == needle->verifystatus) && | ||
134 | - safecmp(data->CApath, needle->CApath) && | ||
135 | - safecmp(data->CAfile, needle->CAfile) && | ||
136 | - safecmp(data->issuercert, needle->issuercert) && | ||
137 | - safecmp(data->clientcert, needle->clientcert) && | ||
138 | - safecmp(data->random_file, needle->random_file) && | ||
139 | - safecmp(data->egdsocket, needle->egdsocket) && | ||
140 | + Curl_safecmp(data->CApath, needle->CApath) && | ||
141 | + Curl_safecmp(data->CAfile, needle->CAfile) && | ||
142 | + Curl_safecmp(data->issuercert, needle->issuercert) && | ||
143 | + Curl_safecmp(data->clientcert, needle->clientcert) && | ||
144 | + Curl_safecmp(data->random_file, needle->random_file) && | ||
145 | + Curl_safecmp(data->egdsocket, needle->egdsocket) && | ||
146 | Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && | ||
147 | Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && | ||
148 | Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) | ||