Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2023-38545.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2023-38545.patch | 148 |
1 files changed, 148 insertions, 0 deletions
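--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
@@ -0,0 +1,148 @@
+From 600a1caeb2312fdee5ef1caf7d613c12a8b2424a Mon Sep 17 00:00:00 2001
+From: Mike Crowe <mac@mcrowe.com>
+Date: Wed, 11 Oct 2023 20:50:28 +0100
+Subject: [PATCH] socks: return error if hostname too long for remote resolve
+To: libcurl development <curl-library@cool.haxx.se>
+
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+
+Name resolvers cannot resolve hostnames longer than 255 characters.
+
+Bug: https://curl.se/docs/CVE-2023-38545.html
+
+Unfortunately CURLE_PROXY and CURLPX_LONG_HOSTNAME were introduced in
+7.73.0 so they can't be used in 7.69.1. Let's use
+CURLE_COULDNT_RESOLVE_HOST as the best available alternative and update
+the test appropriately.
+
+libcurl's test support has been improved considerably since 7.69.1 which
+means that the test must be modified to remove use of %VERSION and
+%TESTNUMBER and the stderr output can no longer be checked.
+
+CVE: CVE-2023-38545
+Upstream-Status: Backport [fb4415d8aee6c1045be932a34fe6107c2f5ed147]
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+lib/socks.c | 13 +++++----
+tests/data/Makefile.inc | 2 +-
+tests/data/test728 | 60 +++++++++++++++++++++++++++++++++++++++++
+3 files changed, 69 insertions(+), 6 deletions(-)
+create mode 100644 tests/data/test728
+
+diff --git a/lib/socks.c b/lib/socks.c
+index 37099130e..f3bf40533 100644
+--- a/lib/socks.c
++++ b/lib/socks.c
+@@ -521,11 +521,14 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
+infof(conn->data, "SOCKS5: connecting to HTTP proxy %s port %d\n",
+hostname, remote_port);
+
+- /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
++ /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet. */
+if(!socks5_resolve_local && hostname_len > 255) {
+- infof(conn->data, "SOCKS5: server resolving disabled for hostnames of "
+- "length > 255 [actual len=%zu]\n", hostname_len);
+- socks5_resolve_local = TRUE;
++ failf(data, "SOCKS5: the destination hostname is too long to be "
++ "resolved remotely by the proxy.");
++ /* This version of libcurl doesn't have CURLE_PROXY and
++ * therefore CURLPX_LONG_HOSTNAME, so let's report the best we
++ * can. */
++ return CURLE_COULDNT_RESOLVE_HOST;
+}
+
+if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -837,7 +840,7 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
+
+if(!socks5_resolve_local) {
+socksreq[len++] = 3; /* ATYP: domain name = 3 */
+- socksreq[len++] = (char) hostname_len; /* one byte address length */
++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
+len += hostname_len;
+infof(data, "SOCKS5 connect to %s:%d (remotely resolved)\n",
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 3d8565c36..5ee2284ff 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -89,7 +89,7 @@ test662 test663 test664 test665 test666 test667 test668 \
+test670 test671 test672 test673 \
+\
+test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+-test709 test710 test711 test712 test713 test714 test715 test716 test717 \
++test709 test710 test711 test712 test713 test714 test715 test716 test717 test728 \
+\
+test800 test801 test802 test803 test804 test805 test806 test807 test808 \
+test809 test810 test811 test812 test813 test814 test815 test816 test817 \
+diff --git a/tests/data/test728 b/tests/data/test728
+new file mode 100644
+index 000000000..7b1d8b2f3
+--- /dev/null
++++ b/tests/data/test728
+@@ -0,0 +1,60 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++SOCKS5
++SOCKS5h
++followlocation
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++# The hostname in this redirect is 256 characters and too long (> 255) for
++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
++<data>
++HTTP/1.1 301 Moved Permanently
++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
++Content-Length: 0
++Connection: close
++
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++socks5
++</server>
++ <name>
++SOCKS5h with HTTP redirect to hostname too long
++ </name>
++ <command>
++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/728
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<strip>
++^User-Agent:.*
++</strip>
++<protocol>
++GET /728 HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Accept: */*
++
++</protocol>
++<errorcode>
++6
++</errorcode>
++</verify>
++</testcase>
+--
+2.39.2
+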
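Review bot: The comment in the added tests/data/test728 (patch lines 100-101) still says curl must return CURLE_PROXY, but this backport returns `CURLE_COULDNT_RESOLVE_HOST` from the new guard in lib/socks.c and `<errorcode>` expects 6; the comment should read `# SOCKS5 remote resolve. curl must return CURLE_COULDNT_RESOLVE_HOST (6) in this case.`. With the stderr check dropped, exit code 6 is the test's only assertion on the outcome, and a failed local lookup of the 256-character name would presumably return the same code, so the test may not distinguish the patched early return from the old fall-back to local resolve; it is worth confirming that test 728 fails against an unpatched 7.69.1 build. The `(unsigned char) hostname_len` cast in the second socks.c hunk is only safe because of that earlier length guard, and most of Curl_SOCKS5 lies outside the hunks shown, so a short comment at the cast pointing back to the guard would help future backports. The diffstat is limited to this one file, so whether the recipe's SRC_URI lists the new patch cannot be seen here.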