1 files changed, 71 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
new file mode 100644
index 0000000000..3d56025210
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
@@ -0,0 +1,71 @@
+From 0a115a8903dffc7f723d1d4d71fb821d69eb8761 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 23:13:53 +0200
+Subject: [PATCH] url: check SSH config match on connection reuse
+CVE-2022-27782
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+Closes #8825
+Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/url.c      | 11 +++++++++++
+ lib/vssh/ssh.h |  6 +++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+diff --git a/lib/url.c b/lib/url.c
+index 6518be9..8da0245 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -1027,6 +1027,12 @@ static void prune_dead_connections(struct Curl_easy *data)
+   }
+ }
+ 
+static bool ssh_config_matches(struct connectdata *one,
+                               struct connectdata *two)
+{
+  return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
+          Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
+}
+ /*
+  * Given one filled in connection struct (named needle), this function should
+  * detect if there already is one that has all the significant details
+@@ -1260,6 +1266,11 @@ ConnectionExists(struct Curl_easy *data,
+         }
+       }
+ 
+      if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) {
+        if(!ssh_config_matches(needle, check))
+          continue;
+      }
+
+       if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) ||
+          needle->bits.tunnel_proxy) {
+         /* The requested connection does not use a HTTP proxy or it uses SSL or
+diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
+index 0d4ee52..8f2632e 100644
+--- a/lib/vssh/ssh.h
+++ b/lib/vssh/ssh.h
+@@ -7,7 +7,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -120,8 +120,8 @@ struct ssh_conn {
+ 
+   /* common */
+   const char *passphrase;     /* pass-phrase to use */
+-  char *rsa_pub;              /* path name */
+-  char *rsa;                  /* path name */
+  char *rsa_pub;              /* strdup'ed public key file */
+  char *rsa;                  /* strdup'ed private key file */
+   bool authed;                /* the connection has been authenticated fine */
+   sshstate state;             /* always use ssh.c:state() to change state! */
+   sshstate nextstate;         /* the state to goto after stopping */

diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch new file mode 100644 index 0000000000..3d56025210 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
@@ -0,0 +1,71 @@
	1	From 0a115a8903dffc7f723d1d4d71fb821d69eb8761 Mon Sep 17 00:00:00 2001
	2	From: Daniel Stenberg <daniel@haxx.se>
	3	Date: Mon, 9 May 2022 23:13:53 +0200
	4	Subject: [PATCH] url: check SSH config match on connection reuse
	5
	6	CVE-2022-27782
	7
	8	Reported-by: Harry Sintonen
	9	Bug: https://curl.se/docs/CVE-2022-27782.html
	10	Closes #8825
	11
	12	Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5]
	13	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
	14	---
	15	lib/url.c \| 11 +++++++++++
	16	lib/vssh/ssh.h \| 6 +++---
	17	2 files changed, 14 insertions(+), 3 deletions(-)
	18
	19	diff --git a/lib/url.c b/lib/url.c
	20	index 6518be9..8da0245 100644
	21	--- a/lib/url.c
	22	+++ b/lib/url.c
	23	@@ -1027,6 +1027,12 @@ static void prune_dead_connections(struct Curl_easy *data)
	24	}
	25	}
	26
	27	+static bool ssh_config_matches(struct connectdata *one,
	28	+ struct connectdata *two)
	29	+{
	30	+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
	31	+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
	32	+}
	33	/*
	34	* Given one filled in connection struct (named needle), this function should
	35	* detect if there already is one that has all the significant details
	36	@@ -1260,6 +1266,11 @@ ConnectionExists(struct Curl_easy *data,
	37	}
	38	}
	39
	40	+ if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) {
	41	+ if(!ssh_config_matches(needle, check))
	42	+ continue;
	43	+ }
	44	+
	45	if(!needle->bits.httpproxy \|\| (needle->handler->flags&PROTOPT_SSL) \|\|
	46	needle->bits.tunnel_proxy) {
	47	/* The requested connection does not use a HTTP proxy or it uses SSL or
	48	diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
	49	index 0d4ee52..8f2632e 100644
	50	--- a/lib/vssh/ssh.h
	51	+++ b/lib/vssh/ssh.h
	52	@@ -7,7 +7,7 @@
	53	* \| (__\| \|_\| \| _ <\| \|___
	54	* \___\|\___/\|_\| \_\_____\|
	55	*
	56	- * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
	57	+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
	58	*
	59	* This software is licensed as described in the file COPYING, which
	60	* you should have received as part of this distribution. The terms
	61	@@ -120,8 +120,8 @@ struct ssh_conn {
	62
	63	/* common */
	64	const char passphrase; / pass-phrase to use */
	65	- char rsa_pub; / path name */
	66	- char rsa; / path name */
	67	+ char rsa_pub; / strdup'ed public key file */
	68	+ char rsa; / strdup'ed private key file */
	69	bool authed; /* the connection has been authenticated fine */
	70	sshstate state; /* always use ssh.c:state() to change state! */
	71	sshstate nextstate; /* the state to goto after stopping */