diff options
Diffstat (limited to 'meta/recipes-support/curl/curl/cve-2021-22946.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/cve-2021-22946.patch | 332 |
1 files changed, 332 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/cve-2021-22946.patch b/meta/recipes-support/curl/curl/cve-2021-22946.patch new file mode 100644 index 0000000000..1a4b3e1144 --- /dev/null +++ b/meta/recipes-support/curl/curl/cve-2021-22946.patch | |||
@@ -0,0 +1,332 @@ | |||
1 | CVE: CVE-2021-22946 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From 089e18aefcee9b5093a96e9e1aa92751dde1f991 Mon Sep 17 00:00:00 2001 | ||
6 | From: Patrick Monnerat <patrick@monnerat.net> | ||
7 | Date: Wed, 8 Sep 2021 11:56:22 +0200 | ||
8 | Subject: [PATCH 2/3] ftp,imap,pop3: do not ignore --ssl-reqd | ||
9 | |||
10 | In imap and pop3, check if TLS is required even when capabilities | ||
11 | request has failed. | ||
12 | |||
13 | In ftp, ignore preauthentication (230 status of server greeting) if TLS | ||
14 | is required. | ||
15 | |||
16 | Bug: https://curl.se/docs/CVE-2021-22946.html | ||
17 | |||
18 | CVE-2021-22946 | ||
19 | --- | ||
20 | lib/ftp.c | 9 ++++--- | ||
21 | lib/imap.c | 24 ++++++++---------- | ||
22 | lib/pop3.c | 33 +++++++++++------------- | ||
23 | tests/data/Makefile.inc | 2 ++ | ||
24 | tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++ | ||
25 | tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++ | ||
26 | tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++ | ||
27 | 7 files changed, 195 insertions(+), 36 deletions(-) | ||
28 | create mode 100644 tests/data/test984 | ||
29 | create mode 100644 tests/data/test985 | ||
30 | create mode 100644 tests/data/test986 | ||
31 | |||
32 | diff --git a/lib/ftp.c b/lib/ftp.c | ||
33 | index 1a699de59..08d18ca74 100644 | ||
34 | --- a/lib/ftp.c | ||
35 | +++ b/lib/ftp.c | ||
36 | @@ -2681,9 +2681,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data, | ||
37 | /* we have now received a full FTP server response */ | ||
38 | switch(ftpc->state) { | ||
39 | case FTP_WAIT220: | ||
40 | - if(ftpcode == 230) | ||
41 | - /* 230 User logged in - already! */ | ||
42 | - return ftp_state_user_resp(data, ftpcode, ftpc->state); | ||
43 | + if(ftpcode == 230) { | ||
44 | + /* 230 User logged in - already! Take as 220 if TLS required. */ | ||
45 | + if(data->set.use_ssl <= CURLUSESSL_TRY || | ||
46 | + conn->bits.ftp_use_control_ssl) | ||
47 | + return ftp_state_user_resp(data, ftpcode, ftpc->state); | ||
48 | + } | ||
49 | else if(ftpcode != 220) { | ||
50 | failf(data, "Got a %03d ftp-server response when 220 was expected", | ||
51 | ftpcode); | ||
52 | diff --git a/lib/imap.c b/lib/imap.c | ||
53 | index ab4d412ee..efc0420ce 100644 | ||
54 | --- a/lib/imap.c | ||
55 | +++ b/lib/imap.c | ||
56 | @@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data, | ||
57 | line += wordlen; | ||
58 | } | ||
59 | } | ||
60 | - else if(imapcode == IMAP_RESP_OK) { | ||
61 | - if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { | ||
62 | - /* We don't have a SSL/TLS connection yet, but SSL is requested */ | ||
63 | - if(imapc->tls_supported) | ||
64 | - /* Switch to TLS connection now */ | ||
65 | - result = imap_perform_starttls(data, conn); | ||
66 | - else if(data->set.use_ssl == CURLUSESSL_TRY) | ||
67 | - /* Fallback and carry on with authentication */ | ||
68 | - result = imap_perform_authentication(data, conn); | ||
69 | - else { | ||
70 | - failf(data, "STARTTLS not supported."); | ||
71 | - result = CURLE_USE_SSL_FAILED; | ||
72 | - } | ||
73 | + else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { | ||
74 | + /* PREAUTH is not compatible with STARTTLS. */ | ||
75 | + if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) { | ||
76 | + /* Switch to TLS connection now */ | ||
77 | + result = imap_perform_starttls(data, conn); | ||
78 | } | ||
79 | - else | ||
80 | + else if(data->set.use_ssl <= CURLUSESSL_TRY) | ||
81 | result = imap_perform_authentication(data, conn); | ||
82 | + else { | ||
83 | + failf(data, "STARTTLS not available."); | ||
84 | + result = CURLE_USE_SSL_FAILED; | ||
85 | + } | ||
86 | } | ||
87 | else | ||
88 | result = imap_perform_authentication(data, conn); | ||
89 | diff --git a/lib/pop3.c b/lib/pop3.c | ||
90 | index 5fdd6f3e0..f97e10eab 100644 | ||
91 | --- a/lib/pop3.c | ||
92 | +++ b/lib/pop3.c | ||
93 | @@ -741,28 +741,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code, | ||
94 | } | ||
95 | } | ||
96 | } | ||
97 | - else if(pop3code == '+') { | ||
98 | - if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { | ||
99 | - /* We don't have a SSL/TLS connection yet, but SSL is requested */ | ||
100 | - if(pop3c->tls_supported) | ||
101 | - /* Switch to TLS connection now */ | ||
102 | - result = pop3_perform_starttls(data, conn); | ||
103 | - else if(data->set.use_ssl == CURLUSESSL_TRY) | ||
104 | - /* Fallback and carry on with authentication */ | ||
105 | - result = pop3_perform_authentication(data, conn); | ||
106 | - else { | ||
107 | - failf(data, "STLS not supported."); | ||
108 | - result = CURLE_USE_SSL_FAILED; | ||
109 | - } | ||
110 | - } | ||
111 | - else | ||
112 | - result = pop3_perform_authentication(data, conn); | ||
113 | - } | ||
114 | else { | ||
115 | /* Clear text is supported when CAPA isn't recognised */ | ||
116 | - pop3c->authtypes |= POP3_TYPE_CLEARTEXT; | ||
117 | + if(pop3code != '+') | ||
118 | + pop3c->authtypes |= POP3_TYPE_CLEARTEXT; | ||
119 | |||
120 | - result = pop3_perform_authentication(data, conn); | ||
121 | + if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use) | ||
122 | + result = pop3_perform_authentication(data, conn); | ||
123 | + else if(pop3code == '+' && pop3c->tls_supported) | ||
124 | + /* Switch to TLS connection now */ | ||
125 | + result = pop3_perform_starttls(data, conn); | ||
126 | + else if(data->set.use_ssl <= CURLUSESSL_TRY) | ||
127 | + /* Fallback and carry on with authentication */ | ||
128 | + result = pop3_perform_authentication(data, conn); | ||
129 | + else { | ||
130 | + failf(data, "STLS not supported."); | ||
131 | + result = CURLE_USE_SSL_FAILED; | ||
132 | + } | ||
133 | } | ||
134 | |||
135 | return result; | ||
136 | diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
137 | index 163696962..5cd092192 100644 | ||
138 | --- a/tests/data/Makefile.inc | ||
139 | +++ b/tests/data/Makefile.inc | ||
140 | @@ -118,6 +118,8 @@ test954 test955 test956 test957 test958 test959 test960 test961 test962 \ | ||
141 | test963 test964 test965 test966 test967 test968 test969 test970 test971 \ | ||
142 | test972 \ | ||
143 | \ | ||
144 | +test984 test985 test986 \ | ||
145 | +\ | ||
146 | test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ | ||
147 | test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ | ||
148 | test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ | ||
149 | diff --git a/tests/data/test984 b/tests/data/test984 | ||
150 | new file mode 100644 | ||
151 | index 000000000..e573f23c1 | ||
152 | --- /dev/null | ||
153 | +++ b/tests/data/test984 | ||
154 | @@ -0,0 +1,56 @@ | ||
155 | +<testcase> | ||
156 | +<info> | ||
157 | +<keywords> | ||
158 | +IMAP | ||
159 | +STARTTLS | ||
160 | +</keywords> | ||
161 | +</info> | ||
162 | + | ||
163 | +# | ||
164 | +# Server-side | ||
165 | +<reply> | ||
166 | +<servercmd> | ||
167 | +REPLY CAPABILITY A001 BAD Not implemented | ||
168 | +</servercmd> | ||
169 | +</reply> | ||
170 | + | ||
171 | +# | ||
172 | +# Client-side | ||
173 | +<client> | ||
174 | +<features> | ||
175 | +SSL | ||
176 | +</features> | ||
177 | +<server> | ||
178 | +imap | ||
179 | +</server> | ||
180 | + <name> | ||
181 | +IMAP require STARTTLS with failing capabilities | ||
182 | + </name> | ||
183 | + <command> | ||
184 | +imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd | ||
185 | +</command> | ||
186 | +<file name="log/upload%TESTNUMBER"> | ||
187 | +Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) | ||
188 | +From: Fred Foobar <foobar@example.COM> | ||
189 | +Subject: afternoon meeting | ||
190 | +To: joe@example.com | ||
191 | +Message-Id: <B27397-0100000@example.COM> | ||
192 | +MIME-Version: 1.0 | ||
193 | +Content-Type: TEXT/PLAIN; CHARSET=US-ASCII | ||
194 | + | ||
195 | +Hello Joe, do you think we can meet at 3:30 tomorrow? | ||
196 | +</file> | ||
197 | +</client> | ||
198 | + | ||
199 | +# | ||
200 | +# Verify data after the test has been "shot" | ||
201 | +<verify> | ||
202 | +# 64 is CURLE_USE_SSL_FAILED | ||
203 | +<errorcode> | ||
204 | +64 | ||
205 | +</errorcode> | ||
206 | +<protocol> | ||
207 | +A001 CAPABILITY | ||
208 | +</protocol> | ||
209 | +</verify> | ||
210 | +</testcase> | ||
211 | diff --git a/tests/data/test985 b/tests/data/test985 | ||
212 | new file mode 100644 | ||
213 | index 000000000..d0db4aadf | ||
214 | --- /dev/null | ||
215 | +++ b/tests/data/test985 | ||
216 | @@ -0,0 +1,54 @@ | ||
217 | +<testcase> | ||
218 | +<info> | ||
219 | +<keywords> | ||
220 | +POP3 | ||
221 | +STARTTLS | ||
222 | +</keywords> | ||
223 | +</info> | ||
224 | + | ||
225 | +# | ||
226 | +# Server-side | ||
227 | +<reply> | ||
228 | +<servercmd> | ||
229 | +REPLY CAPA -ERR Not implemented | ||
230 | +</servercmd> | ||
231 | +<data nocheck="yes"> | ||
232 | +From: me@somewhere | ||
233 | +To: fake@nowhere | ||
234 | + | ||
235 | +body | ||
236 | + | ||
237 | +-- | ||
238 | + yours sincerely | ||
239 | +</data> | ||
240 | +</reply> | ||
241 | + | ||
242 | +# | ||
243 | +# Client-side | ||
244 | +<client> | ||
245 | +<features> | ||
246 | +SSL | ||
247 | +</features> | ||
248 | +<server> | ||
249 | +pop3 | ||
250 | +</server> | ||
251 | + <name> | ||
252 | +POP3 require STARTTLS with failing capabilities | ||
253 | + </name> | ||
254 | + <command> | ||
255 | +pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd | ||
256 | + </command> | ||
257 | +</client> | ||
258 | + | ||
259 | +# | ||
260 | +# Verify data after the test has been "shot" | ||
261 | +<verify> | ||
262 | +# 64 is CURLE_USE_SSL_FAILED | ||
263 | +<errorcode> | ||
264 | +64 | ||
265 | +</errorcode> | ||
266 | +<protocol> | ||
267 | +CAPA | ||
268 | +</protocol> | ||
269 | +</verify> | ||
270 | +</testcase> | ||
271 | diff --git a/tests/data/test986 b/tests/data/test986 | ||
272 | new file mode 100644 | ||
273 | index 000000000..a709437a4 | ||
274 | --- /dev/null | ||
275 | +++ b/tests/data/test986 | ||
276 | @@ -0,0 +1,53 @@ | ||
277 | +<testcase> | ||
278 | +<info> | ||
279 | +<keywords> | ||
280 | +FTP | ||
281 | +STARTTLS | ||
282 | +</keywords> | ||
283 | +</info> | ||
284 | + | ||
285 | +# | ||
286 | +# Server-side | ||
287 | +<reply> | ||
288 | +<servercmd> | ||
289 | +REPLY welcome 230 Welcome | ||
290 | +REPLY AUTH 500 unknown command | ||
291 | +</servercmd> | ||
292 | +</reply> | ||
293 | + | ||
294 | +# Client-side | ||
295 | +<client> | ||
296 | +<features> | ||
297 | +SSL | ||
298 | +</features> | ||
299 | +<server> | ||
300 | +ftp | ||
301 | +</server> | ||
302 | + <name> | ||
303 | +FTP require STARTTLS while preauthenticated | ||
304 | + </name> | ||
305 | +<file name="log/test%TESTNUMBER.txt"> | ||
306 | +data | ||
307 | + to | ||
308 | + see | ||
309 | +that FTPS | ||
310 | +works | ||
311 | + so does it? | ||
312 | +</file> | ||
313 | + <command> | ||
314 | +--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret | ||
315 | +</command> | ||
316 | +</client> | ||
317 | + | ||
318 | +# Verify data after the test has been "shot" | ||
319 | +<verify> | ||
320 | +# 64 is CURLE_USE_SSL_FAILED | ||
321 | +<errorcode> | ||
322 | +64 | ||
323 | +</errorcode> | ||
324 | +<protocol> | ||
325 | +AUTH SSL | ||
326 | +AUTH TLS | ||
327 | +</protocol> | ||
328 | +</verify> | ||
329 | +</testcase> | ||
330 | -- | ||
331 | 2.25.1 | ||
332 | |||