1 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27776.patch b/meta/recipes-support/curl/curl/CVE-2022-27776.patch
new file mode 100644
index 0000000000..1a13df2d95
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27776.patch
@@ -0,0 +1,114 @@
+From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 13:05:40 +0200
+Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port
+CVE-2022-27776
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27776.html
+Closes #8749
+---
+ lib/http.c    | 34 ++++++++++++++++++++++------------
+ lib/urldata.h | 16 +++++++++-------
+ 2 files changed, 31 insertions(+), 19 deletions(-)
+CVE: CVE-2022-27776
+Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258.patch]
+Comment: Refreshed patch
+Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
+diff --git a/lib/http.c b/lib/http.c
+index ce79fc4e31c8..f0476f3b9272 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -731,6 +731,21 @@
+   return CURLE_OK;
+ }
+ 
+/*
+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
+ * data" can (still) be sent to this host.
+ */
+static bool allow_auth_to_host(struct Curl_easy *data)
+{
+  struct connectdata *conn = data->conn;
+  return (!data->state.this_is_a_follow ||
+          data->set.allow_auth_to_other_hosts ||
+          (data->state.first_host &&
+           strcasecompare(data->state.first_host, conn->host.name) &&
+           (data->state.first_remote_port == conn->remote_port) &&
+           (data->state.first_remote_protocol == conn->handler->protocol)));
+}
+
+ /**
+  * Curl_http_output_auth() setups the authentication headers for the
+  * host/proxy and the correct authentication
+@@ -799,15 +799,12 @@
+        with it */
+     authproxy->done = TRUE;
+ 
+-  /* To prevent the user+password to get sent to other than the original
+-     host due to a location-follow, we do some weirdo checks here */
+-  if(!data->state.this_is_a_follow ||
+-     conn->bits.netrc ||
+-     !data->state.first_host ||
+-     data->set.allow_auth_to_other_hosts ||
+-     strcasecompare(data->state.first_host, conn->host.name)) {
+  /* To prevent the user+password to get sent to other than the original host
+     due to a location-follow */
+  if(allow_auth_to_host(data)
+     || conn->bits.netrc
+    )
+     result = output_auth_headers(conn, authhost, request, path, FALSE);
+-  }
+   else
+     authhost->done = TRUE;
+ 
+@@ -1879,10 +1891,7 @@
+                    checkprefix("Cookie:", compare)) &&
+                   /* be careful of sending this potentially sensitive header to
+                      other hosts */
+-                  (data->state.this_is_a_follow &&
+-                   data->state.first_host &&
+-                   !data->set.allow_auth_to_other_hosts &&
+-                   !strcasecompare(data->state.first_host, conn->host.name)))
+                  !allow_auth_to_host(data))                     
+             ;
+           else {
+             result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare);
+@@ -2065,6 +2074,7 @@
+       return CURLE_OUT_OF_MEMORY;
+ 
+     data->state.first_remote_port = conn->remote_port;
+    data->state.first_remote_protocol = conn->handler->protocol;    
+   }
+ 
+   if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 1d89b8d7fa68..ef2174d9e727 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -1342,13 +1342,15 @@
+   char *ulbuf; /* allocated upload buffer or NULL */
+   curl_off_t current_speed;  /* the ProgressShow() function sets this,
+                                 bytes / second */
+-  char *first_host; /* host name of the first (not followed) request.
+-                       if set, this should be the host name that we will
+-                       sent authorization to, no else. Used to make Location:
+-                       following not keep sending user+password... This is
+-                       strdup() data.
+-                    */
+-  int first_remote_port; /* remote port of the first (not followed) request */
+
+  /* host name, port number and protocol of the first (not followed) request.
+     if set, this should be the host name that we will sent authorization to,
+     no else. Used to make Location: following not keep sending user+password.
+     This is strdup()ed data. */
+  char *first_host;
+  int first_remote_port;
+  unsigned int first_remote_protocol;
+
+   struct curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
+   long sessionage;                  /* number of the most recent session */
+   unsigned int tempcount; /* number of entries in use in tempwrite, 0 - 3 */

diff --git a/meta/recipes-support/curl/curl/CVE-2022-27776.patch b/meta/recipes-support/curl/curl/CVE-2022-27776.patch new file mode 100644 index 0000000000..1a13df2d95 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27776.patch
@@ -0,0 +1,114 @@
	1	From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001
	2	From: Daniel Stenberg <daniel@haxx.se>
	3	Date: Mon, 25 Apr 2022 13:05:40 +0200
	4	Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port
	5
	6	CVE-2022-27776
	7
	8	Reported-by: Harry Sintonen
	9	Bug: https://curl.se/docs/CVE-2022-27776.html
	10	Closes #8749
	11	---
	12	lib/http.c \| 34 ++++++++++++++++++++++------------
	13	lib/urldata.h \| 16 +++++++++-------
	14	2 files changed, 31 insertions(+), 19 deletions(-)
	15
	16	CVE: CVE-2022-27776
	17	Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258.patch]
	18	Comment: Refreshed patch
	19	Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
	20
	21	diff --git a/lib/http.c b/lib/http.c
	22	index ce79fc4e31c8..f0476f3b9272 100644
	23	--- a/lib/http.c
	24	+++ b/lib/http.c
	25	@@ -731,6 +731,21 @@
	26	return CURLE_OK;
	27	}
	28
	29	+/*
	30	+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
	31	+ * data" can (still) be sent to this host.
	32	+ */
	33	+static bool allow_auth_to_host(struct Curl_easy *data)
	34	+{
	35	+ struct connectdata *conn = data->conn;
	36	+ return (!data->state.this_is_a_follow \|\|
	37	+ data->set.allow_auth_to_other_hosts \|\|
	38	+ (data->state.first_host &&
	39	+ strcasecompare(data->state.first_host, conn->host.name) &&
	40	+ (data->state.first_remote_port == conn->remote_port) &&
	41	+ (data->state.first_remote_protocol == conn->handler->protocol)));
	42	+}
	43	+
	44	/**
	45	* Curl_http_output_auth() setups the authentication headers for the
	46	* host/proxy and the correct authentication
	47	@@ -799,15 +799,12 @@
	48	with it */
	49	authproxy->done = TRUE;
	50
	51	- /* To prevent the user+password to get sent to other than the original
	52	- host due to a location-follow, we do some weirdo checks here */
	53	- if(!data->state.this_is_a_follow \|\|
	54	- conn->bits.netrc \|\|
	55	- !data->state.first_host \|\|
	56	- data->set.allow_auth_to_other_hosts \|\|
	57	- strcasecompare(data->state.first_host, conn->host.name)) {
	58	+ /* To prevent the user+password to get sent to other than the original host
	59	+ due to a location-follow */
	60	+ if(allow_auth_to_host(data)
	61	+ \|\| conn->bits.netrc
	62	+ )
	63	result = output_auth_headers(conn, authhost, request, path, FALSE);
	64	- }
	65	else
	66	authhost->done = TRUE;
	67
	68	@@ -1879,10 +1891,7 @@
	69	checkprefix("Cookie:", compare)) &&
	70	/* be careful of sending this potentially sensitive header to
	71	other hosts */
	72	- (data->state.this_is_a_follow &&
	73	- data->state.first_host &&
	74	- !data->set.allow_auth_to_other_hosts &&
	75	- !strcasecompare(data->state.first_host, conn->host.name)))
	76	+ !allow_auth_to_host(data))
	77	;
	78	else {
	79	result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare);
	80	@@ -2065,6 +2074,7 @@
	81	return CURLE_OUT_OF_MEMORY;
	82
	83	data->state.first_remote_port = conn->remote_port;
	84	+ data->state.first_remote_protocol = conn->handler->protocol;
	85	}
	86
	87	if((conn->handler->protocol&(PROTO_FAMILY_HTTP\|CURLPROTO_FTP)) &&
	88	diff --git a/lib/urldata.h b/lib/urldata.h
	89	index 1d89b8d7fa68..ef2174d9e727 100644
	90	--- a/lib/urldata.h
	91	+++ b/lib/urldata.h
	92	@@ -1342,13 +1342,15 @@
	93	char ulbuf; / allocated upload buffer or NULL */
	94	curl_off_t current_speed; /* the ProgressShow() function sets this,
	95	bytes / second */
	96	- char first_host; / host name of the first (not followed) request.
	97	- if set, this should be the host name that we will
	98	- sent authorization to, no else. Used to make Location:
	99	- following not keep sending user+password... This is
	100	- strdup() data.
	101	- */
	102	- int first_remote_port; /* remote port of the first (not followed) request */
	103	+
	104	+ /* host name, port number and protocol of the first (not followed) request.
	105	+ if set, this should be the host name that we will sent authorization to,
	106	+ no else. Used to make Location: following not keep sending user+password.
	107	+ This is strdup()ed data. */
	108	+ char *first_host;
	109	+ int first_remote_port;
	110	+ unsigned int first_remote_protocol;
	111	+
	112	struct curl_ssl_session session; / array of 'max_ssl_sessions' size */
	113	long sessionage; /* number of the most recent session */
	114	unsigned int tempcount; /* number of entries in use in tempwrite, 0 - 3 */