1 files changed, 0 insertions, 332 deletions
diff --git a/meta/recipes-support/curl/curl/cve-2021-22946.patch b/meta/recipes-support/curl/curl/cve-2021-22946.patch
deleted file mode 100644
index 1a4b3e1144..0000000000
--- a/meta/recipes-support/curl/curl/cve-2021-22946.patch
+++ /dev/null
@@ -1,332 +0,0 @@
-CVE: CVE-2021-22946
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-From 089e18aefcee9b5093a96e9e1aa92751dde1f991 Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat <patrick@monnerat.net>
-Date: Wed, 8 Sep 2021 11:56:22 +0200
-Subject: [PATCH 2/3] ftp,imap,pop3: do not ignore --ssl-reqd
-In imap and pop3, check if TLS is required even when capabilities
-request has failed.
-In ftp, ignore preauthentication (230 status of server greeting) if TLS
-is required.
-Bug: https://curl.se/docs/CVE-2021-22946.html
-CVE-2021-22946
---
- lib/ftp.c               |  9 ++++---
- lib/imap.c              | 24 ++++++++----------
- lib/pop3.c              | 33 +++++++++++-------------
- tests/data/Makefile.inc |  2 ++
- tests/data/test984      | 56 +++++++++++++++++++++++++++++++++++++++++
- tests/data/test985      | 54 +++++++++++++++++++++++++++++++++++++++
- tests/data/test986      | 53 ++++++++++++++++++++++++++++++++++++++
- 7 files changed, 195 insertions(+), 36 deletions(-)
- create mode 100644 tests/data/test984
- create mode 100644 tests/data/test985
- create mode 100644 tests/data/test986
-diff --git a/lib/ftp.c b/lib/ftp.c
-index 1a699de59..08d18ca74 100644
--- a/lib/ftp.c
-+++ b/lib/ftp.c
-@@ -2681,9 +2681,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
-     /* we have now received a full FTP server response */
-     switch(ftpc->state) {
-     case FTP_WAIT220:
-      if(ftpcode == 230)
-        /* 230 User logged in - already! */
-        return ftp_state_user_resp(data, ftpcode, ftpc->state);
-+      if(ftpcode == 230) {
-+        /* 230 User logged in - already! Take as 220 if TLS required. */
-+        if(data->set.use_ssl <= CURLUSESSL_TRY ||
-+           conn->bits.ftp_use_control_ssl)
-+          return ftp_state_user_resp(data, ftpcode, ftpc->state);
-+      }
-       else if(ftpcode != 220) {
-         failf(data, "Got a %03d ftp-server response when 220 was expected",
-               ftpcode);
-diff --git a/lib/imap.c b/lib/imap.c
-index ab4d412ee..efc0420ce 100644
--- a/lib/imap.c
-+++ b/lib/imap.c
-@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
-       line += wordlen;
-     }
-   }
-  else if(imapcode == IMAP_RESP_OK) {
-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
-      if(imapc->tls_supported)
-        /* Switch to TLS connection now */
-        result = imap_perform_starttls(data, conn);
-      else if(data->set.use_ssl == CURLUSESSL_TRY)
-        /* Fallback and carry on with authentication */
-        result = imap_perform_authentication(data, conn);
-      else {
-        failf(data, "STARTTLS not supported.");
-        result = CURLE_USE_SSL_FAILED;
-      }
-+  else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
-+    /* PREAUTH is not compatible with STARTTLS. */
-+    if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
-+      /* Switch to TLS connection now */
-+      result = imap_perform_starttls(data, conn);
-     }
-    else
-+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
-       result = imap_perform_authentication(data, conn);
-+    else {
-+      failf(data, "STARTTLS not available.");
-+      result = CURLE_USE_SSL_FAILED;
-+    }
-   }
-   else
-     result = imap_perform_authentication(data, conn);
-diff --git a/lib/pop3.c b/lib/pop3.c
-index 5fdd6f3e0..f97e10eab 100644
--- a/lib/pop3.c
-+++ b/lib/pop3.c
-@@ -741,28 +741,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code,
-       }
-     }
-   }
-  else if(pop3code == '+') {
-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
-      if(pop3c->tls_supported)
-        /* Switch to TLS connection now */
-        result = pop3_perform_starttls(data, conn);
-      else if(data->set.use_ssl == CURLUSESSL_TRY)
-        /* Fallback and carry on with authentication */
-        result = pop3_perform_authentication(data, conn);
-      else {
-        failf(data, "STLS not supported.");
-        result = CURLE_USE_SSL_FAILED;
-      }
-    }
-    else
-      result = pop3_perform_authentication(data, conn);
-  }
-   else {
-     /* Clear text is supported when CAPA isn't recognised */
-    pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
-+    if(pop3code != '+')
-+      pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
- 
-    result = pop3_perform_authentication(data, conn);
-+    if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
-+      result = pop3_perform_authentication(data, conn);
-+    else if(pop3code == '+' && pop3c->tls_supported)
-+      /* Switch to TLS connection now */
-+      result = pop3_perform_starttls(data, conn);
-+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
-+      /* Fallback and carry on with authentication */
-+      result = pop3_perform_authentication(data, conn);
-+    else {
-+      failf(data, "STLS not supported.");
-+      result = CURLE_USE_SSL_FAILED;
-+    }
-   }
- 
-   return result;
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 163696962..5cd092192 100644
--- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -118,6 +118,8 @@ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
- test963 test964 test965 test966 test967 test968 test969 test970 test971 \
- test972 \
- \
-+test984 test985 test986 \
-+\
- test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
- test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
- test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
-diff --git a/tests/data/test984 b/tests/data/test984
-new file mode 100644
-index 000000000..e573f23c1
--- /dev/null
-+++ b/tests/data/test984
-@@ -0,0 +1,56 @@
-+<testcase>
-+<info>
-+<keywords>
-+IMAP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY CAPABILITY A001 BAD Not implemented
-+</servercmd>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+imap
-+</server>
-+ <name>
-+IMAP require STARTTLS with failing capabilities
-+ </name>
-+ <command>
-+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
-+</command>
-+<file name="log/upload%TESTNUMBER">
-+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
-+From: Fred Foobar <foobar@example.COM>
-+Subject: afternoon meeting
-+To: joe@example.com
-+Message-Id: <B27397-0100000@example.COM>
-+MIME-Version: 1.0
-+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
-+
-+Hello Joe, do you think we can meet at 3:30 tomorrow?
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 64 is CURLE_USE_SSL_FAILED
-+<errorcode>
-+64
-+</errorcode>
-+<protocol>
-+A001 CAPABILITY
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test985 b/tests/data/test985
-new file mode 100644
-index 000000000..d0db4aadf
--- /dev/null
-+++ b/tests/data/test985
-@@ -0,0 +1,54 @@
-+<testcase>
-+<info>
-+<keywords>
-+POP3
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY CAPA -ERR Not implemented
-+</servercmd>
-+<data nocheck="yes">
-+From: me@somewhere
-+To: fake@nowhere
-+
-+body
-+
-+--
-+  yours sincerely
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+pop3
-+</server>
-+ <name>
-+POP3 require STARTTLS with failing capabilities
-+ </name>
-+ <command>
-+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
-+ </command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 64 is CURLE_USE_SSL_FAILED
-+<errorcode>
-+64
-+</errorcode>
-+<protocol>
-+CAPA
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test986 b/tests/data/test986
-new file mode 100644
-index 000000000..a709437a4
--- /dev/null
-+++ b/tests/data/test986
-@@ -0,0 +1,53 @@
-+<testcase>
-+<info>
-+<keywords>
-+FTP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY welcome 230 Welcome
-+REPLY AUTH 500 unknown command
-+</servercmd>
-+</reply>
-+
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+ftp
-+</server>
-+ <name>
-+FTP require STARTTLS while preauthenticated
-+ </name>
-+<file name="log/test%TESTNUMBER.txt">
-+data
-+    to
-+      see
-+that FTPS
-+works
-+  so does it?
-+</file>
-+ <command>
-+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
-+</command>
-+</client>
-+
-+# Verify data after the test has been "shot"
-+<verify>
-+# 64 is CURLE_USE_SSL_FAILED
-+<errorcode>
-+64
-+</errorcode>
-+<protocol>
-+AUTH SSL
-+AUTH TLS
-+</protocol>
-+</verify>
-+</testcase>
-- 
-2.25.1

diff --git a/meta/recipes-support/curl/curl/cve-2021-22946.patch b/meta/recipes-support/curl/curl/cve-2021-22946.patch deleted file mode 100644 index 1a4b3e1144..0000000000 --- a/meta/recipes-support/curl/curl/cve-2021-22946.patch +++ /dev/null
@@ -1,332 +0,0 @@
1	CVE: CVE-2021-22946
2	Upstream-Status: Backport
3	Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5	From 089e18aefcee9b5093a96e9e1aa92751dde1f991 Mon Sep 17 00:00:00 2001
6	From: Patrick Monnerat <patrick@monnerat.net>
7	Date: Wed, 8 Sep 2021 11:56:22 +0200
8	Subject: [PATCH 2/3] ftp,imap,pop3: do not ignore --ssl-reqd
9
10	In imap and pop3, check if TLS is required even when capabilities
11	request has failed.
12
13	In ftp, ignore preauthentication (230 status of server greeting) if TLS
14	is required.
15
16	Bug: https://curl.se/docs/CVE-2021-22946.html
17
18	CVE-2021-22946
19	---
20	lib/ftp.c \| 9 ++++---
21	lib/imap.c \| 24 ++++++++----------
22	lib/pop3.c \| 33 +++++++++++-------------
23	tests/data/Makefile.inc \| 2 ++
24	tests/data/test984 \| 56 +++++++++++++++++++++++++++++++++++++++++
25	tests/data/test985 \| 54 +++++++++++++++++++++++++++++++++++++++
26	tests/data/test986 \| 53 ++++++++++++++++++++++++++++++++++++++
27	7 files changed, 195 insertions(+), 36 deletions(-)
28	create mode 100644 tests/data/test984
29	create mode 100644 tests/data/test985
30	create mode 100644 tests/data/test986
31
32	diff --git a/lib/ftp.c b/lib/ftp.c
33	index 1a699de59..08d18ca74 100644
34	--- a/lib/ftp.c
35	+++ b/lib/ftp.c
36	@@ -2681,9 +2681,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
37	/* we have now received a full FTP server response */
38	switch(ftpc->state) {
39	case FTP_WAIT220:
40	- if(ftpcode == 230)
41	- /* 230 User logged in - already! */
42	- return ftp_state_user_resp(data, ftpcode, ftpc->state);
43	+ if(ftpcode == 230) {
44	+ /* 230 User logged in - already! Take as 220 if TLS required. */
45	+ if(data->set.use_ssl <= CURLUSESSL_TRY \|\|
46	+ conn->bits.ftp_use_control_ssl)
47	+ return ftp_state_user_resp(data, ftpcode, ftpc->state);
48	+ }
49	else if(ftpcode != 220) {
50	failf(data, "Got a %03d ftp-server response when 220 was expected",
51	ftpcode);
52	diff --git a/lib/imap.c b/lib/imap.c
53	index ab4d412ee..efc0420ce 100644
54	--- a/lib/imap.c
55	+++ b/lib/imap.c
56	@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
57	line += wordlen;
58	}
59	}
60	- else if(imapcode == IMAP_RESP_OK) {
61	- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
62	- /* We don't have a SSL/TLS connection yet, but SSL is requested */
63	- if(imapc->tls_supported)
64	- /* Switch to TLS connection now */
65	- result = imap_perform_starttls(data, conn);
66	- else if(data->set.use_ssl == CURLUSESSL_TRY)
67	- /* Fallback and carry on with authentication */
68	- result = imap_perform_authentication(data, conn);
69	- else {
70	- failf(data, "STARTTLS not supported.");
71	- result = CURLE_USE_SSL_FAILED;
72	- }
73	+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
74	+ /* PREAUTH is not compatible with STARTTLS. */
75	+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
76	+ /* Switch to TLS connection now */
77	+ result = imap_perform_starttls(data, conn);
78	}
79	- else
80	+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
81	result = imap_perform_authentication(data, conn);
82	+ else {
83	+ failf(data, "STARTTLS not available.");
84	+ result = CURLE_USE_SSL_FAILED;
85	+ }
86	}
87	else
88	result = imap_perform_authentication(data, conn);
89	diff --git a/lib/pop3.c b/lib/pop3.c
90	index 5fdd6f3e0..f97e10eab 100644
91	--- a/lib/pop3.c
92	+++ b/lib/pop3.c
93	@@ -741,28 +741,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code,
94	}
95	}
96	}
97	- else if(pop3code == '+') {
98	- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
99	- /* We don't have a SSL/TLS connection yet, but SSL is requested */
100	- if(pop3c->tls_supported)
101	- /* Switch to TLS connection now */
102	- result = pop3_perform_starttls(data, conn);
103	- else if(data->set.use_ssl == CURLUSESSL_TRY)
104	- /* Fallback and carry on with authentication */
105	- result = pop3_perform_authentication(data, conn);
106	- else {
107	- failf(data, "STLS not supported.");
108	- result = CURLE_USE_SSL_FAILED;
109	- }
110	- }
111	- else
112	- result = pop3_perform_authentication(data, conn);
113	- }
114	else {
115	/* Clear text is supported when CAPA isn't recognised */
116	- pop3c->authtypes \|= POP3_TYPE_CLEARTEXT;
117	+ if(pop3code != '+')
118	+ pop3c->authtypes \|= POP3_TYPE_CLEARTEXT;
119
120	- result = pop3_perform_authentication(data, conn);
121	+ if(!data->set.use_ssl \|\| conn->ssl[FIRSTSOCKET].use)
122	+ result = pop3_perform_authentication(data, conn);
123	+ else if(pop3code == '+' && pop3c->tls_supported)
124	+ /* Switch to TLS connection now */
125	+ result = pop3_perform_starttls(data, conn);
126	+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
127	+ /* Fallback and carry on with authentication */
128	+ result = pop3_perform_authentication(data, conn);
129	+ else {
130	+ failf(data, "STLS not supported.");
131	+ result = CURLE_USE_SSL_FAILED;
132	+ }
133	}
134
135	return result;
136	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
137	index 163696962..5cd092192 100644
138	--- a/tests/data/Makefile.inc
139	+++ b/tests/data/Makefile.inc
140	@@ -118,6 +118,8 @@ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
141	test963 test964 test965 test966 test967 test968 test969 test970 test971 \
142	test972 \
143	\
144	+test984 test985 test986 \
145	+\
146	test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
147	test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
148	test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
149	diff --git a/tests/data/test984 b/tests/data/test984
150	new file mode 100644
151	index 000000000..e573f23c1
152	--- /dev/null
153	+++ b/tests/data/test984
154	@@ -0,0 +1,56 @@
155	+<testcase>
156	+<info>
157	+<keywords>
158	+IMAP
159	+STARTTLS
160	+</keywords>
161	+</info>
162	+
163	+#
164	+# Server-side
165	+<reply>
166	+<servercmd>
167	+REPLY CAPABILITY A001 BAD Not implemented
168	+</servercmd>
169	+</reply>
170	+
171	+#
172	+# Client-side
173	+<client>
174	+<features>
175	+SSL
176	+</features>
177	+<server>
178	+imap
179	+</server>
180	+ <name>
181	+IMAP require STARTTLS with failing capabilities
182	+ </name>
183	+ <command>
184	+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
185	+</command>
186	+<file name="log/upload%TESTNUMBER">
187	+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
188	+From: Fred Foobar <foobar@example.COM>
189	+Subject: afternoon meeting
190	+To: joe@example.com
191	+Message-Id: <B27397-0100000@example.COM>
192	+MIME-Version: 1.0
193	+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
194	+
195	+Hello Joe, do you think we can meet at 3:30 tomorrow?
196	+</file>
197	+</client>
198	+
199	+#
200	+# Verify data after the test has been "shot"
201	+<verify>
202	+# 64 is CURLE_USE_SSL_FAILED
203	+<errorcode>
204	+64
205	+</errorcode>
206	+<protocol>
207	+A001 CAPABILITY
208	+</protocol>
209	+</verify>
210	+</testcase>
211	diff --git a/tests/data/test985 b/tests/data/test985
212	new file mode 100644
213	index 000000000..d0db4aadf
214	--- /dev/null
215	+++ b/tests/data/test985
216	@@ -0,0 +1,54 @@
217	+<testcase>
218	+<info>
219	+<keywords>
220	+POP3
221	+STARTTLS
222	+</keywords>
223	+</info>
224	+
225	+#
226	+# Server-side
227	+<reply>
228	+<servercmd>
229	+REPLY CAPA -ERR Not implemented
230	+</servercmd>
231	+<data nocheck="yes">
232	+From: me@somewhere
233	+To: fake@nowhere
234	+
235	+body
236	+
237	+--
238	+ yours sincerely
239	+</data>
240	+</reply>
241	+
242	+#
243	+# Client-side
244	+<client>
245	+<features>
246	+SSL
247	+</features>
248	+<server>
249	+pop3
250	+</server>
251	+ <name>
252	+POP3 require STARTTLS with failing capabilities
253	+ </name>
254	+ <command>
255	+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
256	+ </command>
257	+</client>
258	+
259	+#
260	+# Verify data after the test has been "shot"
261	+<verify>
262	+# 64 is CURLE_USE_SSL_FAILED
263	+<errorcode>
264	+64
265	+</errorcode>
266	+<protocol>
267	+CAPA
268	+</protocol>
269	+</verify>
270	+</testcase>
271	diff --git a/tests/data/test986 b/tests/data/test986
272	new file mode 100644
273	index 000000000..a709437a4
274	--- /dev/null
275	+++ b/tests/data/test986
276	@@ -0,0 +1,53 @@
277	+<testcase>
278	+<info>
279	+<keywords>
280	+FTP
281	+STARTTLS
282	+</keywords>
283	+</info>
284	+
285	+#
286	+# Server-side
287	+<reply>
288	+<servercmd>
289	+REPLY welcome 230 Welcome
290	+REPLY AUTH 500 unknown command
291	+</servercmd>
292	+</reply>
293	+
294	+# Client-side
295	+<client>
296	+<features>
297	+SSL
298	+</features>
299	+<server>
300	+ftp
301	+</server>
302	+ <name>
303	+FTP require STARTTLS while preauthenticated
304	+ </name>
305	+<file name="log/test%TESTNUMBER.txt">
306	+data
307	+ to
308	+ see
309	+that FTPS
310	+works
311	+ so does it?
312	+</file>
313	+ <command>
314	+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
315	+</command>
316	+</client>
317	+
318	+# Verify data after the test has been "shot"
319	+<verify>
320	+# 64 is CURLE_USE_SSL_FAILED
321	+<errorcode>
322	+64
323	+</errorcode>
324	+<protocol>
325	+AUTH SSL
326	+AUTH TLS
327	+</protocol>
328	+</verify>
329	+</testcase>
330	--
331	2.25.1
332