diff options
Diffstat (limited to 'meta/recipes-support/curl')
43 files changed, 5581 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22876.patch b/meta/recipes-support/curl/curl/CVE-2021-22876.patch new file mode 100644 index 0000000000..fc396aabef --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22876.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | transfer: strip credentials from the auto-referer header field | ||
2 | |||
3 | CVE-2021-22876 | ||
4 | |||
5 | Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5. | ||
6 | |||
7 | Bug: https://curl.se/docs/CVE-2021-22876.html | ||
8 | Upstream-Status: backport | ||
9 | --- | ||
10 | lib/transfer.c | 25 +++++++++++++++++++++++-- | ||
11 | 1 file changed, 23 insertions(+), 2 deletions(-) | ||
12 | |||
13 | diff --git a/lib/transfer.c b/lib/transfer.c | ||
14 | index e76834eb3..744e1c00b 100644 | ||
15 | --- a/lib/transfer.c | ||
16 | +++ b/lib/transfer.c | ||
17 | @@ -1570,6 +1570,9 @@ CURLcode Curl_follow(struct Curl_easy *data, | ||
18 | data->set.followlocation++; /* count location-followers */ | ||
19 | |||
20 | if(data->set.http_auto_referer) { | ||
21 | + CURLU *u; | ||
22 | + char *referer; | ||
23 | + | ||
24 | /* We are asked to automatically set the previous URL as the referer | ||
25 | when we get the next URL. We pick the ->url field, which may or may | ||
26 | not be 100% correct */ | ||
27 | @@ -1579,9 +1582,27 @@ CURLcode Curl_follow(struct Curl_easy *data, | ||
28 | data->change.referer_alloc = FALSE; | ||
29 | } | ||
30 | |||
31 | - data->change.referer = strdup(data->change.url); | ||
32 | - if(!data->change.referer) | ||
33 | + /* Make a copy of the URL without crenditals and fragment */ | ||
34 | + u = curl_url(); | ||
35 | + if(!u) | ||
36 | + return CURLE_OUT_OF_MEMORY; | ||
37 | + | ||
38 | + uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0); | ||
39 | + if(!uc) | ||
40 | + uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); | ||
41 | + if(!uc) | ||
42 | + uc = curl_url_set(u, CURLUPART_USER, NULL, 0); | ||
43 | + if(!uc) | ||
44 | + uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); | ||
45 | + if(!uc) | ||
46 | + uc = curl_url_get(u, CURLUPART_URL, &referer, 0); | ||
47 | + | ||
48 | + curl_url_cleanup(u); | ||
49 | + | ||
50 | + if(uc || referer == NULL) | ||
51 | return CURLE_OUT_OF_MEMORY; | ||
52 | + | ||
53 | + data->change.referer = referer; | ||
54 | data->change.referer_alloc = TRUE; /* yes, free this later */ | ||
55 | } | ||
56 | } | ||
57 | -- | ||
58 | 2.20.1 | ||
59 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22890.patch b/meta/recipes-support/curl/curl/CVE-2021-22890.patch new file mode 100644 index 0000000000..8c0ecbfe7f --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22890.patch | |||
@@ -0,0 +1,464 @@ | |||
1 | vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid() | ||
2 | |||
3 | To make sure we set and extract the correct session. | ||
4 | |||
5 | Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5. | ||
6 | |||
7 | CVE-2021-22890 | ||
8 | |||
9 | Reported-by: Mingtao Yang | ||
10 | Bug: https://curl.se/docs/CVE-2021-22890.html | ||
11 | Upstream-Status: backport | ||
12 | --- | ||
13 | lib/vtls/bearssl.c | 9 +++++--- | ||
14 | lib/vtls/gtls.c | 9 +++++--- | ||
15 | lib/vtls/mbedtls.c | 8 ++++--- | ||
16 | lib/vtls/mesalink.c | 9 +++++--- | ||
17 | lib/vtls/openssl.c | 52 ++++++++++++++++++++++++++++++++++---------- | ||
18 | lib/vtls/schannel.c | 10 +++++---- | ||
19 | lib/vtls/sectransp.c | 9 ++++---- | ||
20 | lib/vtls/vtls.c | 9 ++++++-- | ||
21 | lib/vtls/vtls.h | 2 ++ | ||
22 | lib/vtls/wolfssl.c | 8 ++++--- | ||
23 | 10 files changed, 88 insertions(+), 37 deletions(-) | ||
24 | |||
25 | diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c | ||
26 | index 67f945831..32cb0a4c2 100644 | ||
27 | --- a/lib/vtls/bearssl.c | ||
28 | +++ b/lib/vtls/bearssl.c | ||
29 | @@ -372,7 +372,8 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex) | ||
30 | void *session; | ||
31 | |||
32 | Curl_ssl_sessionid_lock(conn); | ||
33 | - if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) { | ||
34 | + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, | ||
35 | + &session, NULL, sockindex)) { | ||
36 | br_ssl_engine_set_session_parameters(&BACKEND->ctx.eng, session); | ||
37 | infof(data, "BearSSL: re-using session ID\n"); | ||
38 | } | ||
39 | @@ -560,10 +561,12 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex) | ||
40 | return CURLE_OUT_OF_MEMORY; | ||
41 | br_ssl_engine_get_session_parameters(&BACKEND->ctx.eng, session); | ||
42 | Curl_ssl_sessionid_lock(conn); | ||
43 | - incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex)); | ||
44 | + incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, | ||
45 | + &oldsession, NULL, sockindex)); | ||
46 | if(incache) | ||
47 | Curl_ssl_delsessionid(conn, oldsession); | ||
48 | - ret = Curl_ssl_addsessionid(conn, session, 0, sockindex); | ||
49 | + ret = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, | ||
50 | + session, 0, sockindex); | ||
51 | Curl_ssl_sessionid_unlock(conn); | ||
52 | if(ret) { | ||
53 | free(session); | ||
54 | diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c | ||
55 | index 5f740eeba..46e149c7d 100644 | ||
56 | --- a/lib/vtls/gtls.c | ||
57 | +++ b/lib/vtls/gtls.c | ||
58 | @@ -937,7 +937,8 @@ gtls_connect_step1(struct connectdata *conn, | ||
59 | size_t ssl_idsize; | ||
60 | |||
61 | Curl_ssl_sessionid_lock(conn); | ||
62 | - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) { | ||
63 | + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, | ||
64 | + &ssl_sessionid, &ssl_idsize, sockindex)) { | ||
65 | /* we got a session id, use it! */ | ||
66 | gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); | ||
67 | |||
68 | @@ -1485,7 +1486,8 @@ gtls_connect_step3(struct connectdata *conn, | ||
69 | gnutls_session_get_data(session, connect_sessionid, &connect_idsize); | ||
70 | |||
71 | Curl_ssl_sessionid_lock(conn); | ||
72 | - incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, | ||
73 | + incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, | ||
74 | + &ssl_sessionid, NULL, | ||
75 | sockindex)); | ||
76 | if(incache) { | ||
77 | /* there was one before in the cache, so instead of risking that the | ||
78 | @@ -1494,7 +1496,8 @@ gtls_connect_step3(struct connectdata *conn, | ||
79 | } | ||
80 | |||
81 | /* store this session id */ | ||
82 | - result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize, | ||
83 | + result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, | ||
84 | + connect_sessionid, connect_idsize, | ||
85 | sockindex); | ||
86 | Curl_ssl_sessionid_unlock(conn); | ||
87 | if(result) { | ||
88 | diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c | ||
89 | index f057315f3..19df8478e 100644 | ||
90 | --- a/lib/vtls/mbedtls.c | ||
91 | +++ b/lib/vtls/mbedtls.c | ||
92 | @@ -453,7 +453,8 @@ mbed_connect_step1(struct connectdata *conn, | ||
93 | void *old_session = NULL; | ||
94 | |||
95 | Curl_ssl_sessionid_lock(conn); | ||
96 | - if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) { | ||
97 | + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, | ||
98 | + &old_session, NULL, sockindex)) { | ||
99 | ret = mbedtls_ssl_set_session(&BACKEND->ssl, old_session); | ||
100 | if(ret) { | ||
101 | Curl_ssl_sessionid_unlock(conn); | ||
102 | @@ -709,6 +710,7 @@ mbed_connect_step3(struct connectdata *conn, | ||
103 | int ret; | ||
104 | mbedtls_ssl_session *our_ssl_sessionid; | ||
105 | void *old_ssl_sessionid = NULL; | ||
106 | + bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; | ||
107 | |||
108 | our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session)); | ||
109 | if(!our_ssl_sessionid) | ||
110 | @@ -727,10 +729,10 @@ mbed_connect_step3(struct connectdata *conn, | ||
111 | |||
112 | /* If there's already a matching session in the cache, delete it */ | ||
113 | Curl_ssl_sessionid_lock(conn); | ||
114 | - if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)) | ||
115 | + if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex)) | ||
116 | Curl_ssl_delsessionid(conn, old_ssl_sessionid); | ||
117 | |||
118 | - retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex); | ||
119 | + retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, sockindex); | ||
120 | Curl_ssl_sessionid_unlock(conn); | ||
121 | if(retcode) { | ||
122 | mbedtls_ssl_session_free(our_ssl_sessionid); | ||
123 | diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c | ||
124 | index cab1e390b..79d1e3dfa 100644 | ||
125 | --- a/lib/vtls/mesalink.c | ||
126 | +++ b/lib/vtls/mesalink.c | ||
127 | @@ -263,7 +263,8 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex) | ||
128 | void *ssl_sessionid = NULL; | ||
129 | |||
130 | Curl_ssl_sessionid_lock(conn); | ||
131 | - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { | ||
132 | + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, | ||
133 | + &ssl_sessionid, NULL, sockindex)) { | ||
134 | /* we got a session id, use it! */ | ||
135 | if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { | ||
136 | Curl_ssl_sessionid_unlock(conn); | ||
137 | @@ -347,12 +348,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) | ||
138 | bool incache; | ||
139 | SSL_SESSION *our_ssl_sessionid; | ||
140 | void *old_ssl_sessionid = NULL; | ||
141 | + bool inproxy = SSL_IS_PROXY() ? TRUE : FALSE; | ||
142 | |||
143 | our_ssl_sessionid = SSL_get_session(BACKEND->handle); | ||
144 | |||
145 | Curl_ssl_sessionid_lock(conn); | ||
146 | incache = | ||
147 | - !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)); | ||
148 | + !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, | ||
149 | + NULL, sockindex)); | ||
150 | if(incache) { | ||
151 | if(old_ssl_sessionid != our_ssl_sessionid) { | ||
152 | infof(data, "old SSL session ID is stale, removing\n"); | ||
153 | @@ -363,7 +366,7 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) | ||
154 | |||
155 | if(!incache) { | ||
156 | result = Curl_ssl_addsessionid( | ||
157 | - conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); | ||
158 | + conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex); | ||
159 | if(result) { | ||
160 | Curl_ssl_sessionid_unlock(conn); | ||
161 | failf(data, "failed to store ssl session"); | ||
162 | diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c | ||
163 | index 1d09cadca..64f43605a 100644 | ||
164 | --- a/lib/vtls/openssl.c | ||
165 | +++ b/lib/vtls/openssl.c | ||
166 | @@ -422,12 +422,23 @@ static int ossl_get_ssl_conn_index(void) | ||
167 | */ | ||
168 | static int ossl_get_ssl_sockindex_index(void) | ||
169 | { | ||
170 | - static int ssl_ex_data_sockindex_index = -1; | ||
171 | - if(ssl_ex_data_sockindex_index < 0) { | ||
172 | - ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, | ||
173 | - NULL); | ||
174 | + static int sockindex_index = -1; | ||
175 | + if(sockindex_index < 0) { | ||
176 | + sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); | ||
177 | } | ||
178 | - return ssl_ex_data_sockindex_index; | ||
179 | + return sockindex_index; | ||
180 | +} | ||
181 | + | ||
182 | +/* Return an extra data index for proxy boolean. | ||
183 | + * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). | ||
184 | + */ | ||
185 | +static int ossl_get_proxy_index(void) | ||
186 | +{ | ||
187 | + static int proxy_index = -1; | ||
188 | + if(proxy_index < 0) { | ||
189 | + proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); | ||
190 | + } | ||
191 | + return proxy_index; | ||
192 | } | ||
193 | |||
194 | static int passwd_callback(char *buf, int num, int encrypting, | ||
195 | @@ -1079,7 +1090,8 @@ static int Curl_ossl_init(void) | ||
196 | #endif | ||
197 | |||
198 | /* Initialize the extra data indexes */ | ||
199 | - if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0) | ||
200 | + if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 || | ||
201 | + ossl_get_proxy_index() < 0) | ||
202 | return 0; | ||
203 | |||
204 | return 1; | ||
205 | @@ -2341,8 +2353,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) | ||
206 | curl_socket_t *sockindex_ptr; | ||
207 | int connectdata_idx = ossl_get_ssl_conn_index(); | ||
208 | int sockindex_idx = ossl_get_ssl_sockindex_index(); | ||
209 | + int proxy_idx = ossl_get_proxy_index(); | ||
210 | + bool isproxy; | ||
211 | |||
212 | - if(connectdata_idx < 0 || sockindex_idx < 0) | ||
213 | + if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) | ||
214 | return 0; | ||
215 | |||
216 | conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); | ||
217 | @@ -2355,13 +2369,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) | ||
218 | sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); | ||
219 | sockindex = (int)(sockindex_ptr - conn->sock); | ||
220 | |||
221 | + isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE; | ||
222 | + | ||
223 | if(SSL_SET_OPTION(primary.sessionid)) { | ||
224 | bool incache; | ||
225 | void *old_ssl_sessionid = NULL; | ||
226 | |||
227 | Curl_ssl_sessionid_lock(conn); | ||
228 | - incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, | ||
229 | - sockindex)); | ||
230 | + if(isproxy) | ||
231 | + incache = FALSE; | ||
232 | + else | ||
233 | + incache = !(Curl_ssl_getsessionid(conn, isproxy, | ||
234 | + &old_ssl_sessionid, NULL, sockindex)); | ||
235 | if(incache) { | ||
236 | if(old_ssl_sessionid != ssl_sessionid) { | ||
237 | infof(data, "old SSL session ID is stale, removing\n"); | ||
238 | @@ -2371,7 +2390,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) | ||
239 | } | ||
240 | |||
241 | if(!incache) { | ||
242 | - if(!Curl_ssl_addsessionid(conn, ssl_sessionid, | ||
243 | + if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, | ||
244 | 0 /* unknown size */, sockindex)) { | ||
245 | /* the session has been put into the session cache */ | ||
246 | res = 1; | ||
247 | @@ -2868,16 +2887,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) | ||
248 | void *ssl_sessionid = NULL; | ||
249 | int connectdata_idx = ossl_get_ssl_conn_index(); | ||
250 | int sockindex_idx = ossl_get_ssl_sockindex_index(); | ||
251 | + int proxy_idx = ossl_get_proxy_index(); | ||
252 | |||
253 | - if(connectdata_idx >= 0 && sockindex_idx >= 0) { | ||
254 | + if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) { | ||
255 | /* Store the data needed for the "new session" callback. | ||
256 | * The sockindex is stored as a pointer to an array element. */ | ||
257 | SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn); | ||
258 | SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex); | ||
259 | +#ifndef CURL_DISABLE_PROXY | ||
260 | + SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: | ||
261 | + NULL); | ||
262 | +#else | ||
263 | + SSL_set_ex_data(BACKEND->handle, proxy_idx, NULL); | ||
264 | +#endif | ||
265 | + | ||
266 | } | ||
267 | |||
268 | Curl_ssl_sessionid_lock(conn); | ||
269 | - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { | ||
270 | + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, | ||
271 | + &ssl_sessionid, NULL, sockindex)) { | ||
272 | /* we got a session id, use it! */ | ||
273 | if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { | ||
274 | Curl_ssl_sessionid_unlock(conn); | ||
275 | diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c | ||
276 | index f665ee340..a354ce95d 100644 | ||
277 | --- a/lib/vtls/schannel.c | ||
278 | +++ b/lib/vtls/schannel.c | ||
279 | @@ -487,7 +487,8 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) | ||
280 | /* check for an existing re-usable credential handle */ | ||
281 | if(SSL_SET_OPTION(primary.sessionid)) { | ||
282 | Curl_ssl_sessionid_lock(conn); | ||
283 | - if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) { | ||
284 | + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, | ||
285 | + (void **)&old_cred, NULL, sockindex)) { | ||
286 | BACKEND->cred = old_cred; | ||
287 | DEBUGF(infof(data, "schannel: re-using existing credential handle\n")); | ||
288 | |||
289 | @@ -1193,8 +1194,9 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) | ||
290 | struct ssl_connect_data *connssl = &conn->ssl[sockindex]; | ||
291 | SECURITY_STATUS sspi_status = SEC_E_OK; | ||
292 | CERT_CONTEXT *ccert_context = NULL; | ||
293 | + bool isproxy = SSL_IS_PROXY(); | ||
294 | #ifdef DEBUGBUILD | ||
295 | - const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : | ||
296 | + const char * const hostname = isproxy ? conn->http_proxy.host.name : | ||
297 | conn->host.name; | ||
298 | #endif | ||
299 | #ifdef HAS_ALPN | ||
300 | @@ -1268,7 +1270,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) | ||
301 | struct curl_schannel_cred *old_cred = NULL; | ||
302 | |||
303 | Curl_ssl_sessionid_lock(conn); | ||
304 | - incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, | ||
305 | + incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL, | ||
306 | sockindex)); | ||
307 | if(incache) { | ||
308 | if(old_cred != BACKEND->cred) { | ||
309 | @@ -1280,7 +1282,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) | ||
310 | } | ||
311 | } | ||
312 | if(!incache) { | ||
313 | - result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred, | ||
314 | + result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred, | ||
315 | sizeof(struct curl_schannel_cred), | ||
316 | sockindex); | ||
317 | if(result) { | ||
318 | diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c | ||
319 | index 7dd028fb7..9c67d465a 100644 | ||
320 | --- a/lib/vtls/sectransp.c | ||
321 | +++ b/lib/vtls/sectransp.c | ||
322 | @@ -1376,7 +1376,8 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, | ||
323 | const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); | ||
324 | const bool verifypeer = SSL_CONN_CONFIG(verifypeer); | ||
325 | char * const ssl_cert = SSL_SET_OPTION(cert); | ||
326 | - const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : | ||
327 | + bool isproxy = SSL_IS_PROXY(); | ||
328 | + const char * const hostname = isproxy ? conn->http_proxy.host.name : | ||
329 | conn->host.name; | ||
330 | const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; | ||
331 | #ifdef ENABLE_IPV6 | ||
332 | @@ -1584,7 +1585,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, | ||
333 | |||
334 | #ifdef USE_NGHTTP2 | ||
335 | if(data->set.httpversion >= CURL_HTTP_VERSION_2 && | ||
336 | - (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) { | ||
337 | + (!isproxy || !conn->bits.tunnel_proxy)) { | ||
338 | CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID)); | ||
339 | infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID); | ||
340 | } | ||
341 | @@ -1916,7 +1917,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, | ||
342 | size_t ssl_sessionid_len; | ||
343 | |||
344 | Curl_ssl_sessionid_lock(conn); | ||
345 | - if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid, | ||
346 | + if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid, | ||
347 | &ssl_sessionid_len, sockindex)) { | ||
348 | /* we got a session id, use it! */ | ||
349 | err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len); | ||
350 | @@ -1944,7 +1945,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, | ||
351 | return CURLE_SSL_CONNECT_ERROR; | ||
352 | } | ||
353 | |||
354 | - result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len, | ||
355 | + result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, ssl_sessionid_len, | ||
356 | sockindex); | ||
357 | Curl_ssl_sessionid_unlock(conn); | ||
358 | if(result) { | ||
359 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
360 | index dfefa1bd5..aaf73ef8f 100644 | ||
361 | --- a/lib/vtls/vtls.c | ||
362 | +++ b/lib/vtls/vtls.c | ||
363 | @@ -305,6 +305,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn) | ||
364 | * there's one suitable, it is provided. Returns TRUE when no entry matched. | ||
365 | */ | ||
366 | bool Curl_ssl_getsessionid(struct connectdata *conn, | ||
367 | + const bool isProxy, | ||
368 | void **ssl_sessionid, | ||
369 | size_t *idsize, /* set 0 if unknown */ | ||
370 | int sockindex) | ||
371 | @@ -315,7 +316,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, | ||
372 | long *general_age; | ||
373 | bool no_match = TRUE; | ||
374 | |||
375 | - const bool isProxy = CONNECT_PROXY_SSL(); | ||
376 | struct ssl_primary_config * const ssl_config = isProxy ? | ||
377 | &conn->proxy_ssl_config : | ||
378 | &conn->ssl_config; | ||
379 | @@ -324,6 +324,11 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, | ||
380 | int port = isProxy ? (int)conn->port : conn->remote_port; | ||
381 | *ssl_sessionid = NULL; | ||
382 | |||
383 | +#ifdef CURL_DISABLE_PROXY | ||
384 | + if(isProxy) | ||
385 | + return TRUE; | ||
386 | +#endif | ||
387 | + | ||
388 | DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); | ||
389 | |||
390 | if(!SSL_SET_OPTION(primary.sessionid)) | ||
391 | @@ -411,6 +416,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) | ||
392 | * later on. | ||
393 | */ | ||
394 | CURLcode Curl_ssl_addsessionid(struct connectdata *conn, | ||
395 | + bool isProxy, | ||
396 | void *ssl_sessionid, | ||
397 | size_t idsize, | ||
398 | int sockindex) | ||
399 | @@ -423,7 +429,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, | ||
400 | char *clone_conn_to_host; | ||
401 | int conn_to_port; | ||
402 | long *general_age; | ||
403 | - const bool isProxy = CONNECT_PROXY_SSL(); | ||
404 | struct ssl_primary_config * const ssl_config = isProxy ? | ||
405 | &conn->proxy_ssl_config : | ||
406 | &conn->ssl_config; | ||
407 | diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h | ||
408 | index a81b2f22d..a5e348752 100644 | ||
409 | --- a/lib/vtls/vtls.h | ||
410 | +++ b/lib/vtls/vtls.h | ||
411 | @@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn); | ||
412 | * under sessionid mutex). | ||
413 | */ | ||
414 | bool Curl_ssl_getsessionid(struct connectdata *conn, | ||
415 | + const bool isproxy, | ||
416 | void **ssl_sessionid, | ||
417 | size_t *idsize, /* set 0 if unknown */ | ||
418 | int sockindex); | ||
419 | @@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, | ||
420 | * object with cache (e.g. incrementing refcount on success) | ||
421 | */ | ||
422 | CURLcode Curl_ssl_addsessionid(struct connectdata *conn, | ||
423 | + const bool isProxy, | ||
424 | void *ssl_sessionid, | ||
425 | size_t idsize, | ||
426 | int sockindex); | ||
427 | diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c | ||
428 | index 8c2d3f4a2..dd9f907ff 100644 | ||
429 | --- a/lib/vtls/wolfssl.c | ||
430 | +++ b/lib/vtls/wolfssl.c | ||
431 | @@ -392,7 +392,8 @@ wolfssl_connect_step1(struct connectdata *conn, | ||
432 | void *ssl_sessionid = NULL; | ||
433 | |||
434 | Curl_ssl_sessionid_lock(conn); | ||
435 | - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { | ||
436 | + if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, | ||
437 | + &ssl_sessionid, NULL, sockindex)) { | ||
438 | /* we got a session id, use it! */ | ||
439 | if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { | ||
440 | char error_buffer[WOLFSSL_MAX_ERROR_SZ]; | ||
441 | @@ -618,9 +619,10 @@ wolfssl_connect_step3(struct connectdata *conn, | ||
442 | void *old_ssl_sessionid = NULL; | ||
443 | |||
444 | our_ssl_sessionid = SSL_get_session(BACKEND->handle); | ||
445 | + bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; | ||
446 | |||
447 | Curl_ssl_sessionid_lock(conn); | ||
448 | - incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, | ||
449 | + incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, | ||
450 | sockindex)); | ||
451 | if(incache) { | ||
452 | if(old_ssl_sessionid != our_ssl_sessionid) { | ||
453 | @@ -631,7 +633,7 @@ wolfssl_connect_step3(struct connectdata *conn, | ||
454 | } | ||
455 | |||
456 | if(!incache) { | ||
457 | - result = Curl_ssl_addsessionid(conn, our_ssl_sessionid, | ||
458 | + result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, | ||
459 | 0 /* unknown size */, sockindex); | ||
460 | if(result) { | ||
461 | Curl_ssl_sessionid_unlock(conn); | ||
462 | -- | ||
463 | 2.20.1 | ||
464 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22898.patch b/meta/recipes-support/curl/curl/CVE-2021-22898.patch new file mode 100644 index 0000000000..0800e10175 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22898.patch | |||
@@ -0,0 +1,26 @@ | |||
1 | From 39ce47f219b09c380b81f89fe54ac586c8db6bde Mon Sep 17 00:00:00 2001 | ||
2 | From: Harry Sintonen <sintonen@iki.fi> | ||
3 | Date: Fri, 7 May 2021 13:09:57 +0200 | ||
4 | Subject: [PATCH] telnet: check sscanf() for correct number of matches | ||
5 | |||
6 | CVE: CVE-2021-22898 | ||
7 | Upstream-Status: Backport | ||
8 | Link: https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde | ||
9 | Bug: https://curl.se/docs/CVE-2021-22898.html | ||
10 | --- | ||
11 | lib/telnet.c | 2 +- | ||
12 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
13 | |||
14 | diff --git a/lib/telnet.c b/lib/telnet.c | ||
15 | index 26e0658ba9cc..fdd137fb0c04 100644 | ||
16 | --- a/lib/telnet.c | ||
17 | +++ b/lib/telnet.c | ||
18 | @@ -922,7 +922,7 @@ static void suboption(struct Curl_easy *data) | ||
19 | size_t tmplen = (strlen(v->data) + 1); | ||
20 | /* Add the variable only if it fits */ | ||
21 | if(len + tmplen < (int)sizeof(temp)-6) { | ||
22 | - if(sscanf(v->data, "%127[^,],%127s", varname, varval)) { | ||
23 | + if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { | ||
24 | msnprintf((char *)&temp[len], sizeof(temp) - len, | ||
25 | "%c%s%c%s", CURL_NEW_ENV_VAR, varname, | ||
26 | CURL_NEW_ENV_VALUE, varval); | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22924.patch b/meta/recipes-support/curl/curl/CVE-2021-22924.patch new file mode 100644 index 0000000000..68fde45ddf --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22924.patch | |||
@@ -0,0 +1,226 @@ | |||
1 | Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and | ||
2 | case sensitivity CVE-2021-22924 | ||
3 | |||
4 | Reported-by: Harry Sintonen | ||
5 | Bug: https://curl.se/docs/CVE-2021-22924.html | ||
6 | CVE: CVE-2021-22924 | ||
7 | Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6 | ||
8 | Signed-off-by: Mike Crowe <mac@mcrowe.com> | ||
9 | --- | ||
10 | lib/url.c | 5 +++-- | ||
11 | lib/urldata.h | 2 +- | ||
12 | lib/vtls/gtls.c | 10 +++++----- | ||
13 | lib/vtls/nss.c | 4 ++-- | ||
14 | lib/vtls/openssl.c | 12 ++++++------ | ||
15 | lib/vtls/vtls.c | 23 ++++++++++++++++++----- | ||
16 | 6 files changed, 35 insertions(+), 21 deletions(-) | ||
17 | |||
18 | diff --git a/lib/url.c b/lib/url.c | ||
19 | index 47fc66aed..eebad8d32 100644 | ||
20 | --- a/lib/url.c | ||
21 | +++ b/lib/url.c | ||
22 | @@ -3555,6 +3555,9 @@ static CURLcode create_conn(struct Curl_easy *data, | ||
23 | data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY]; | ||
24 | data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG]; | ||
25 | data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY]; | ||
26 | + data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG]; | ||
27 | + data->set.proxy_ssl.primary.issuercert = | ||
28 | + data->set.str[STRING_SSL_ISSUERCERT_PROXY]; | ||
29 | data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; | ||
30 | data->set.proxy_ssl.primary.random_file = | ||
31 | data->set.str[STRING_SSL_RANDOM_FILE]; | ||
32 | @@ -3575,8 +3578,6 @@ static CURLcode create_conn(struct Curl_easy *data, | ||
33 | |||
34 | data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; | ||
35 | data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; | ||
36 | - data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG]; | ||
37 | - data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; | ||
38 | data->set.ssl.cert = data->set.str[STRING_CERT_ORIG]; | ||
39 | data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; | ||
40 | data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; | ||
41 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
42 | index fbb8b645e..615fbf369 100644 | ||
43 | --- a/lib/urldata.h | ||
44 | +++ b/lib/urldata.h | ||
45 | @@ -224,6 +224,7 @@ struct ssl_primary_config { | ||
46 | long version_max; /* max supported version the client wants to use*/ | ||
47 | char *CApath; /* certificate dir (doesn't work on windows) */ | ||
48 | char *CAfile; /* certificate to verify peer against */ | ||
49 | + char *issuercert; /* optional issuer certificate filename */ | ||
50 | char *clientcert; | ||
51 | char *random_file; /* path to file containing "random" data */ | ||
52 | char *egdsocket; /* path to file containing the EGD daemon socket */ | ||
53 | @@ -240,7 +241,6 @@ struct ssl_config_data { | ||
54 | struct ssl_primary_config primary; | ||
55 | long certverifyresult; /* result from the certificate verification */ | ||
56 | char *CRLfile; /* CRL to check certificate revocation */ | ||
57 | - char *issuercert;/* optional issuer certificate filename */ | ||
58 | curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ | ||
59 | void *fsslctxp; /* parameter for call back */ | ||
60 | char *cert; /* client certificate file name */ | ||
61 | diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c | ||
62 | index 46e149c7d..8c051024f 100644 | ||
63 | --- a/lib/vtls/gtls.c | ||
64 | +++ b/lib/vtls/gtls.c | ||
65 | @@ -1059,7 +1059,7 @@ gtls_connect_step3(struct connectdata *conn, | ||
66 | if(!chainp) { | ||
67 | if(SSL_CONN_CONFIG(verifypeer) || | ||
68 | SSL_CONN_CONFIG(verifyhost) || | ||
69 | - SSL_SET_OPTION(issuercert)) { | ||
70 | + SSL_CONN_CONFIG(issuercert)) { | ||
71 | #ifdef USE_TLS_SRP | ||
72 | if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP | ||
73 | && SSL_SET_OPTION(username) != NULL | ||
74 | @@ -1241,21 +1241,21 @@ gtls_connect_step3(struct connectdata *conn, | ||
75 | gnutls_x509_crt_t format */ | ||
76 | gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER); | ||
77 | |||
78 | - if(SSL_SET_OPTION(issuercert)) { | ||
79 | + if(SSL_CONN_CONFIG(issuercert)) { | ||
80 | gnutls_x509_crt_init(&x509_issuer); | ||
81 | - issuerp = load_file(SSL_SET_OPTION(issuercert)); | ||
82 | + issuerp = load_file(SSL_CONN_CONFIG(issuercert)); | ||
83 | gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM); | ||
84 | rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer); | ||
85 | gnutls_x509_crt_deinit(x509_issuer); | ||
86 | unload_file(issuerp); | ||
87 | if(rc <= 0) { | ||
88 | failf(data, "server certificate issuer check failed (IssuerCert: %s)", | ||
89 | - SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); | ||
90 | + SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); | ||
91 | gnutls_x509_crt_deinit(x509_cert); | ||
92 | return CURLE_SSL_ISSUER_ERROR; | ||
93 | } | ||
94 | infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n", | ||
95 | - SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); | ||
96 | + SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); | ||
97 | } | ||
98 | |||
99 | size = sizeof(certbuf); | ||
100 | diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c | ||
101 | index ef51b0d91..375c78b1b 100644 | ||
102 | --- a/lib/vtls/nss.c | ||
103 | +++ b/lib/vtls/nss.c | ||
104 | @@ -2151,9 +2151,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) | ||
105 | if(result) | ||
106 | goto error; | ||
107 | |||
108 | - if(SSL_SET_OPTION(issuercert)) { | ||
109 | + if(SSL_CONN_CONFIG(issuercert)) { | ||
110 | SECStatus ret = SECFailure; | ||
111 | - char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert)); | ||
112 | + char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert)); | ||
113 | if(nickname) { | ||
114 | /* we support only nicknames in case of issuercert for now */ | ||
115 | ret = check_issuer_cert(BACKEND->handle, nickname); | ||
116 | diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c | ||
117 | index 64f43605a..7e81fd3a0 100644 | ||
118 | --- a/lib/vtls/openssl.c | ||
119 | +++ b/lib/vtls/openssl.c | ||
120 | @@ -3547,7 +3547,7 @@ static CURLcode servercert(struct connectdata *conn, | ||
121 | deallocating the certificate. */ | ||
122 | |||
123 | /* e.g. match issuer name with provided issuer certificate */ | ||
124 | - if(SSL_SET_OPTION(issuercert)) { | ||
125 | + if(SSL_CONN_CONFIG(issuercert)) { | ||
126 | fp = BIO_new(BIO_s_file()); | ||
127 | if(fp == NULL) { | ||
128 | failf(data, | ||
129 | @@ -3560,10 +3560,10 @@ static CURLcode servercert(struct connectdata *conn, | ||
130 | return CURLE_OUT_OF_MEMORY; | ||
131 | } | ||
132 | |||
133 | - if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) { | ||
134 | + if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) { | ||
135 | if(strict) | ||
136 | failf(data, "SSL: Unable to open issuer cert (%s)", | ||
137 | - SSL_SET_OPTION(issuercert)); | ||
138 | + SSL_CONN_CONFIG(issuercert)); | ||
139 | BIO_free(fp); | ||
140 | X509_free(BACKEND->server_cert); | ||
141 | BACKEND->server_cert = NULL; | ||
142 | @@ -3574,7 +3574,7 @@ static CURLcode servercert(struct connectdata *conn, | ||
143 | if(!issuer) { | ||
144 | if(strict) | ||
145 | failf(data, "SSL: Unable to read issuer cert (%s)", | ||
146 | - SSL_SET_OPTION(issuercert)); | ||
147 | + SSL_CONN_CONFIG(issuercert)); | ||
148 | BIO_free(fp); | ||
149 | X509_free(issuer); | ||
150 | X509_free(BACKEND->server_cert); | ||
151 | @@ -3585,7 +3585,7 @@ static CURLcode servercert(struct connectdata *conn, | ||
152 | if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) { | ||
153 | if(strict) | ||
154 | failf(data, "SSL: Certificate issuer check failed (%s)", | ||
155 | - SSL_SET_OPTION(issuercert)); | ||
156 | + SSL_CONN_CONFIG(issuercert)); | ||
157 | BIO_free(fp); | ||
158 | X509_free(issuer); | ||
159 | X509_free(BACKEND->server_cert); | ||
160 | @@ -3594,7 +3594,7 @@ static CURLcode servercert(struct connectdata *conn, | ||
161 | } | ||
162 | |||
163 | infof(data, " SSL certificate issuer check ok (%s)\n", | ||
164 | - SSL_SET_OPTION(issuercert)); | ||
165 | + SSL_CONN_CONFIG(issuercert)); | ||
166 | BIO_free(fp); | ||
167 | X509_free(issuer); | ||
168 | } | ||
169 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
170 | index aaf73ef8f..8c681da14 100644 | ||
171 | --- a/lib/vtls/vtls.c | ||
172 | +++ b/lib/vtls/vtls.c | ||
173 | @@ -82,6 +82,16 @@ | ||
174 | else \ | ||
175 | dest->var = NULL; | ||
176 | |||
177 | +static bool safecmp(char *a, char *b) | ||
178 | +{ | ||
179 | + if(a && b) | ||
180 | + return !strcmp(a, b); | ||
181 | + else if(!a && !b) | ||
182 | + return TRUE; /* match */ | ||
183 | + return FALSE; /* no match */ | ||
184 | +} | ||
185 | + | ||
186 | + | ||
187 | bool | ||
188 | Curl_ssl_config_matches(struct ssl_primary_config* data, | ||
189 | struct ssl_primary_config* needle) | ||
190 | @@ -91,11 +101,12 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, | ||
191 | (data->verifypeer == needle->verifypeer) && | ||
192 | (data->verifyhost == needle->verifyhost) && | ||
193 | (data->verifystatus == needle->verifystatus) && | ||
194 | - Curl_safe_strcasecompare(data->CApath, needle->CApath) && | ||
195 | - Curl_safe_strcasecompare(data->CAfile, needle->CAfile) && | ||
196 | - Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && | ||
197 | - Curl_safe_strcasecompare(data->random_file, needle->random_file) && | ||
198 | - Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && | ||
199 | + safecmp(data->CApath, needle->CApath) && | ||
200 | + safecmp(data->CAfile, needle->CAfile) && | ||
201 | + safecmp(data->issuercert, needle->issuercert) && | ||
202 | + safecmp(data->clientcert, needle->clientcert) && | ||
203 | + safecmp(data->random_file, needle->random_file) && | ||
204 | + safecmp(data->egdsocket, needle->egdsocket) && | ||
205 | Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && | ||
206 | Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && | ||
207 | Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) | ||
208 | @@ -117,6 +128,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, | ||
209 | |||
210 | CLONE_STRING(CApath); | ||
211 | CLONE_STRING(CAfile); | ||
212 | + CLONE_STRING(issuercert); | ||
213 | CLONE_STRING(clientcert); | ||
214 | CLONE_STRING(random_file); | ||
215 | CLONE_STRING(egdsocket); | ||
216 | @@ -131,6 +143,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc) | ||
217 | { | ||
218 | Curl_safefree(sslc->CApath); | ||
219 | Curl_safefree(sslc->CAfile); | ||
220 | + Curl_safefree(sslc->issuercert); | ||
221 | Curl_safefree(sslc->clientcert); | ||
222 | Curl_safefree(sslc->random_file); | ||
223 | Curl_safefree(sslc->egdsocket); | ||
224 | -- | ||
225 | 2.30.2 | ||
226 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22925.patch b/meta/recipes-support/curl/curl/CVE-2021-22925.patch new file mode 100644 index 0000000000..13b55f76be --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22925.patch | |||
@@ -0,0 +1,43 @@ | |||
1 | Subject: [PATCH] telnet: fix option parser to not send uninitialized | ||
2 | contents CVE-2021-22925 | ||
3 | |||
4 | Reported-by: Red Hat Product Security | ||
5 | Bug: https://curl.se/docs/CVE-2021-22925.html | ||
6 | CVE: CVE-2021-22925 | ||
7 | Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6 | ||
8 | Signed-off-by: Mike Crowe <mac@mcrowe.com> | ||
9 | --- | ||
10 | lib/telnet.c | 17 +++++++++++------ | ||
11 | 1 file changed, 11 insertions(+), 6 deletions(-) | ||
12 | |||
13 | diff --git a/lib/telnet.c b/lib/telnet.c | ||
14 | index 4bf4c652c..3347ad6d1 100644 | ||
15 | --- a/lib/telnet.c | ||
16 | +++ b/lib/telnet.c | ||
17 | @@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn) | ||
18 | size_t tmplen = (strlen(v->data) + 1); | ||
19 | /* Add the variable only if it fits */ | ||
20 | if(len + tmplen < (int)sizeof(temp)-6) { | ||
21 | - if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { | ||
22 | - msnprintf((char *)&temp[len], sizeof(temp) - len, | ||
23 | - "%c%s%c%s", CURL_NEW_ENV_VAR, varname, | ||
24 | - CURL_NEW_ENV_VALUE, varval); | ||
25 | - len += tmplen; | ||
26 | - } | ||
27 | + int rv; | ||
28 | + char sep[2] = ""; | ||
29 | + varval[0] = 0; | ||
30 | + rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval); | ||
31 | + if(rv == 1) | ||
32 | + len += msnprintf((char *)&temp[len], sizeof(temp) - len, | ||
33 | + "%c%s", CURL_NEW_ENV_VAR, varname); | ||
34 | + else if(rv >= 2) | ||
35 | + len += msnprintf((char *)&temp[len], sizeof(temp) - len, | ||
36 | + "%c%s%c%s", CURL_NEW_ENV_VAR, varname, | ||
37 | + CURL_NEW_ENV_VALUE, varval); | ||
38 | } | ||
39 | } | ||
40 | msnprintf((char *)&temp[len], sizeof(temp) - len, | ||
41 | -- | ||
42 | 2.30.2 | ||
43 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch new file mode 100644 index 0000000000..4afd755149 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch | |||
@@ -0,0 +1,86 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 1397a7de6e312e019a3b339f855ba0a5cafa9127 Mon Sep 17 00:00:00 2001 | ||
4 | From: Daniel Stenberg <daniel@haxx.se> | ||
5 | Date: Mon, 21 Sep 2020 09:15:51 +0200 | ||
6 | Subject: [PATCH] ftp: separate FTPS from FTP over "HTTPS proxy" | ||
7 | |||
8 | When using HTTPS proxy, SSL is used but not in the view of the FTP | ||
9 | protocol handler itself so separate the connection's use of SSL from the | ||
10 | FTP control connection's sue. | ||
11 | |||
12 | Reported-by: Mingtao Yang | ||
13 | Fixes #5523 | ||
14 | Closes #6006 | ||
15 | |||
16 | Upstream-Status: backport from 7.68.0-1ubuntu2.7 | ||
17 | Signed-off-by: Mike Crowe <mac@mcrowe.com> | ||
18 | --- | ||
19 | lib/ftp.c | 13 ++++++------- | ||
20 | lib/urldata.h | 1 + | ||
21 | 2 files changed, 7 insertions(+), 7 deletions(-) | ||
22 | |||
23 | diff --git a/lib/ftp.c b/lib/ftp.c | ||
24 | index 3382772..677527f 100644 | ||
25 | --- a/lib/ftp.c | ||
26 | +++ b/lib/ftp.c | ||
27 | @@ -2488,7 +2488,7 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn) | ||
28 | { | ||
29 | CURLcode result = CURLE_OK; | ||
30 | |||
31 | - if(conn->ssl[FIRSTSOCKET].use) { | ||
32 | + if(conn->bits.ftp_use_control_ssl) { | ||
33 | /* PBSZ = PROTECTION BUFFER SIZE. | ||
34 | |||
35 | The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says: | ||
36 | @@ -2633,11 +2633,8 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) | ||
37 | } | ||
38 | #endif | ||
39 | |||
40 | - if(data->set.use_ssl && | ||
41 | - (!conn->ssl[FIRSTSOCKET].use || | ||
42 | - (conn->bits.proxy_ssl_connected[FIRSTSOCKET] && | ||
43 | - !conn->proxy_ssl[FIRSTSOCKET].use))) { | ||
44 | - /* We don't have a SSL/TLS connection yet, but FTPS is | ||
45 | + if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl) { | ||
46 | + /* We don't have a SSL/TLS control connection yet, but FTPS is | ||
47 | requested. Try a FTPS connection now */ | ||
48 | |||
49 | ftpc->count3 = 0; | ||
50 | @@ -2682,6 +2679,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) | ||
51 | result = Curl_ssl_connect(conn, FIRSTSOCKET); | ||
52 | if(!result) { | ||
53 | conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */ | ||
54 | + conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */ | ||
55 | result = ftp_state_user(conn); | ||
56 | } | ||
57 | } | ||
58 | @@ -3072,7 +3070,7 @@ static CURLcode ftp_block_statemach(struct connectdata *conn) | ||
59 | * | ||
60 | */ | ||
61 | static CURLcode ftp_connect(struct connectdata *conn, | ||
62 | - bool *done) /* see description above */ | ||
63 | + bool *done) /* see description above */ | ||
64 | { | ||
65 | CURLcode result; | ||
66 | struct ftp_conn *ftpc = &conn->proto.ftpc; | ||
67 | @@ -3093,6 +3091,7 @@ static CURLcode ftp_connect(struct connectdata *conn, | ||
68 | result = Curl_ssl_connect(conn, FIRSTSOCKET); | ||
69 | if(result) | ||
70 | return result; | ||
71 | + conn->bits.ftp_use_control_ssl = TRUE; | ||
72 | } | ||
73 | |||
74 | Curl_pp_init(pp); /* init the generic pingpong data */ | ||
75 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
76 | index ff2d686..d1fb4a9 100644 | ||
77 | --- a/lib/urldata.h | ||
78 | +++ b/lib/urldata.h | ||
79 | @@ -461,6 +461,7 @@ struct ConnectBits { | ||
80 | EPRT doesn't work we disable it for the forthcoming | ||
81 | requests */ | ||
82 | BIT(ftp_use_data_ssl); /* Enabled SSL for the data connection */ | ||
83 | + BIT(ftp_use_control_ssl); /* Enabled SSL for the control connection */ | ||
84 | #endif | ||
85 | BIT(netrc); /* name+password provided by netrc */ | ||
86 | BIT(userpwd_in_url); /* name+password found in url */ | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946.patch b/meta/recipes-support/curl/curl/CVE-2021-22946.patch new file mode 100644 index 0000000000..98032d8b78 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22946.patch | |||
@@ -0,0 +1,328 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 96d71feb27e533a8b337512841a537952916262c Mon Sep 17 00:00:00 2001 | ||
4 | From: Patrick Monnerat <patrick@monnerat.net> | ||
5 | Date: Wed, 8 Sep 2021 11:56:22 +0200 | ||
6 | Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd | ||
7 | |||
8 | In imap and pop3, check if TLS is required even when capabilities | ||
9 | request has failed. | ||
10 | |||
11 | In ftp, ignore preauthentication (230 status of server greeting) if TLS | ||
12 | is required. | ||
13 | |||
14 | Bug: https://curl.se/docs/CVE-2021-22946.html | ||
15 | Upstream-Status: backport from 7.68.0-1ubuntu2.7 | ||
16 | Signed-off-by: Mike Crowe <mac@mcrowe.com> | ||
17 | CVE: CVE-2021-22946 | ||
18 | --- | ||
19 | lib/ftp.c | 9 ++++--- | ||
20 | lib/imap.c | 24 ++++++++---------- | ||
21 | lib/pop3.c | 33 +++++++++++------------- | ||
22 | tests/data/Makefile.inc | 2 ++ | ||
23 | tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++ | ||
24 | tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++ | ||
25 | tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++ | ||
26 | 7 files changed, 195 insertions(+), 36 deletions(-) | ||
27 | create mode 100644 tests/data/test984 | ||
28 | create mode 100644 tests/data/test985 | ||
29 | create mode 100644 tests/data/test986 | ||
30 | |||
31 | diff --git a/lib/ftp.c b/lib/ftp.c | ||
32 | index 677527f..91b43d8 100644 | ||
33 | --- a/lib/ftp.c | ||
34 | +++ b/lib/ftp.c | ||
35 | @@ -2606,9 +2606,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) | ||
36 | /* we have now received a full FTP server response */ | ||
37 | switch(ftpc->state) { | ||
38 | case FTP_WAIT220: | ||
39 | - if(ftpcode == 230) | ||
40 | - /* 230 User logged in - already! */ | ||
41 | - return ftp_state_user_resp(conn, ftpcode, ftpc->state); | ||
42 | + if(ftpcode == 230) { | ||
43 | + /* 230 User logged in - already! Take as 220 if TLS required. */ | ||
44 | + if(data->set.use_ssl <= CURLUSESSL_TRY || | ||
45 | + conn->bits.ftp_use_control_ssl) | ||
46 | + return ftp_state_user_resp(conn, ftpcode, ftpc->state); | ||
47 | + } | ||
48 | else if(ftpcode != 220) { | ||
49 | failf(data, "Got a %03d ftp-server response when 220 was expected", | ||
50 | ftpcode); | ||
51 | diff --git a/lib/imap.c b/lib/imap.c | ||
52 | index 66172bd..9880ce1 100644 | ||
53 | --- a/lib/imap.c | ||
54 | +++ b/lib/imap.c | ||
55 | @@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn, | ||
56 | line += wordlen; | ||
57 | } | ||
58 | } | ||
59 | - else if(imapcode == IMAP_RESP_OK) { | ||
60 | - if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { | ||
61 | - /* We don't have a SSL/TLS connection yet, but SSL is requested */ | ||
62 | - if(imapc->tls_supported) | ||
63 | - /* Switch to TLS connection now */ | ||
64 | - result = imap_perform_starttls(conn); | ||
65 | - else if(data->set.use_ssl == CURLUSESSL_TRY) | ||
66 | - /* Fallback and carry on with authentication */ | ||
67 | - result = imap_perform_authentication(conn); | ||
68 | - else { | ||
69 | - failf(data, "STARTTLS not supported."); | ||
70 | - result = CURLE_USE_SSL_FAILED; | ||
71 | - } | ||
72 | + else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { | ||
73 | + /* PREAUTH is not compatible with STARTTLS. */ | ||
74 | + if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) { | ||
75 | + /* Switch to TLS connection now */ | ||
76 | + result = imap_perform_starttls(conn); | ||
77 | } | ||
78 | - else | ||
79 | + else if(data->set.use_ssl <= CURLUSESSL_TRY) | ||
80 | result = imap_perform_authentication(conn); | ||
81 | + else { | ||
82 | + failf(data, "STARTTLS not available."); | ||
83 | + result = CURLE_USE_SSL_FAILED; | ||
84 | + } | ||
85 | } | ||
86 | else | ||
87 | result = imap_perform_authentication(conn); | ||
88 | diff --git a/lib/pop3.c b/lib/pop3.c | ||
89 | index 57c1373..145b2b4 100644 | ||
90 | --- a/lib/pop3.c | ||
91 | +++ b/lib/pop3.c | ||
92 | @@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code, | ||
93 | } | ||
94 | } | ||
95 | } | ||
96 | - else if(pop3code == '+') { | ||
97 | - if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { | ||
98 | - /* We don't have a SSL/TLS connection yet, but SSL is requested */ | ||
99 | - if(pop3c->tls_supported) | ||
100 | - /* Switch to TLS connection now */ | ||
101 | - result = pop3_perform_starttls(conn); | ||
102 | - else if(data->set.use_ssl == CURLUSESSL_TRY) | ||
103 | - /* Fallback and carry on with authentication */ | ||
104 | - result = pop3_perform_authentication(conn); | ||
105 | - else { | ||
106 | - failf(data, "STLS not supported."); | ||
107 | - result = CURLE_USE_SSL_FAILED; | ||
108 | - } | ||
109 | - } | ||
110 | - else | ||
111 | - result = pop3_perform_authentication(conn); | ||
112 | - } | ||
113 | else { | ||
114 | /* Clear text is supported when CAPA isn't recognised */ | ||
115 | - pop3c->authtypes |= POP3_TYPE_CLEARTEXT; | ||
116 | + if(pop3code != '+') | ||
117 | + pop3c->authtypes |= POP3_TYPE_CLEARTEXT; | ||
118 | |||
119 | - result = pop3_perform_authentication(conn); | ||
120 | + if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use) | ||
121 | + result = pop3_perform_authentication(conn); | ||
122 | + else if(pop3code == '+' && pop3c->tls_supported) | ||
123 | + /* Switch to TLS connection now */ | ||
124 | + result = pop3_perform_starttls(conn); | ||
125 | + else if(data->set.use_ssl <= CURLUSESSL_TRY) | ||
126 | + /* Fallback and carry on with authentication */ | ||
127 | + result = pop3_perform_authentication(conn); | ||
128 | + else { | ||
129 | + failf(data, "STLS not supported."); | ||
130 | + result = CURLE_USE_SSL_FAILED; | ||
131 | + } | ||
132 | } | ||
133 | |||
134 | return result; | ||
135 | diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
136 | index f9535a6..0fa6799 100644 | ||
137 | --- a/tests/data/Makefile.inc | ||
138 | +++ b/tests/data/Makefile.inc | ||
139 | @@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ | ||
140 | test954 test955 test956 test957 test958 test959 test960 test961 test962 \ | ||
141 | test963 test964 test965 test966 test967 test968 test969 \ | ||
142 | \ | ||
143 | +test984 test985 test986 \ | ||
144 | +\ | ||
145 | test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ | ||
146 | test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ | ||
147 | test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ | ||
148 | diff --git a/tests/data/test984 b/tests/data/test984 | ||
149 | new file mode 100644 | ||
150 | index 0000000..e573f23 | ||
151 | --- /dev/null | ||
152 | +++ b/tests/data/test984 | ||
153 | @@ -0,0 +1,56 @@ | ||
154 | +<testcase> | ||
155 | +<info> | ||
156 | +<keywords> | ||
157 | +IMAP | ||
158 | +STARTTLS | ||
159 | +</keywords> | ||
160 | +</info> | ||
161 | + | ||
162 | +# | ||
163 | +# Server-side | ||
164 | +<reply> | ||
165 | +<servercmd> | ||
166 | +REPLY CAPABILITY A001 BAD Not implemented | ||
167 | +</servercmd> | ||
168 | +</reply> | ||
169 | + | ||
170 | +# | ||
171 | +# Client-side | ||
172 | +<client> | ||
173 | +<features> | ||
174 | +SSL | ||
175 | +</features> | ||
176 | +<server> | ||
177 | +imap | ||
178 | +</server> | ||
179 | + <name> | ||
180 | +IMAP require STARTTLS with failing capabilities | ||
181 | + </name> | ||
182 | + <command> | ||
183 | +imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd | ||
184 | +</command> | ||
185 | +<file name="log/upload%TESTNUMBER"> | ||
186 | +Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) | ||
187 | +From: Fred Foobar <foobar@example.COM> | ||
188 | +Subject: afternoon meeting | ||
189 | +To: joe@example.com | ||
190 | +Message-Id: <B27397-0100000@example.COM> | ||
191 | +MIME-Version: 1.0 | ||
192 | +Content-Type: TEXT/PLAIN; CHARSET=US-ASCII | ||
193 | + | ||
194 | +Hello Joe, do you think we can meet at 3:30 tomorrow? | ||
195 | +</file> | ||
196 | +</client> | ||
197 | + | ||
198 | +# | ||
199 | +# Verify data after the test has been "shot" | ||
200 | +<verify> | ||
201 | +# 64 is CURLE_USE_SSL_FAILED | ||
202 | +<errorcode> | ||
203 | +64 | ||
204 | +</errorcode> | ||
205 | +<protocol> | ||
206 | +A001 CAPABILITY | ||
207 | +</protocol> | ||
208 | +</verify> | ||
209 | +</testcase> | ||
210 | diff --git a/tests/data/test985 b/tests/data/test985 | ||
211 | new file mode 100644 | ||
212 | index 0000000..d0db4aa | ||
213 | --- /dev/null | ||
214 | +++ b/tests/data/test985 | ||
215 | @@ -0,0 +1,54 @@ | ||
216 | +<testcase> | ||
217 | +<info> | ||
218 | +<keywords> | ||
219 | +POP3 | ||
220 | +STARTTLS | ||
221 | +</keywords> | ||
222 | +</info> | ||
223 | + | ||
224 | +# | ||
225 | +# Server-side | ||
226 | +<reply> | ||
227 | +<servercmd> | ||
228 | +REPLY CAPA -ERR Not implemented | ||
229 | +</servercmd> | ||
230 | +<data nocheck="yes"> | ||
231 | +From: me@somewhere | ||
232 | +To: fake@nowhere | ||
233 | + | ||
234 | +body | ||
235 | + | ||
236 | +-- | ||
237 | + yours sincerely | ||
238 | +</data> | ||
239 | +</reply> | ||
240 | + | ||
241 | +# | ||
242 | +# Client-side | ||
243 | +<client> | ||
244 | +<features> | ||
245 | +SSL | ||
246 | +</features> | ||
247 | +<server> | ||
248 | +pop3 | ||
249 | +</server> | ||
250 | + <name> | ||
251 | +POP3 require STARTTLS with failing capabilities | ||
252 | + </name> | ||
253 | + <command> | ||
254 | +pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd | ||
255 | + </command> | ||
256 | +</client> | ||
257 | + | ||
258 | +# | ||
259 | +# Verify data after the test has been "shot" | ||
260 | +<verify> | ||
261 | +# 64 is CURLE_USE_SSL_FAILED | ||
262 | +<errorcode> | ||
263 | +64 | ||
264 | +</errorcode> | ||
265 | +<protocol> | ||
266 | +CAPA | ||
267 | +</protocol> | ||
268 | +</verify> | ||
269 | +</testcase> | ||
270 | diff --git a/tests/data/test986 b/tests/data/test986 | ||
271 | new file mode 100644 | ||
272 | index 0000000..a709437 | ||
273 | --- /dev/null | ||
274 | +++ b/tests/data/test986 | ||
275 | @@ -0,0 +1,53 @@ | ||
276 | +<testcase> | ||
277 | +<info> | ||
278 | +<keywords> | ||
279 | +FTP | ||
280 | +STARTTLS | ||
281 | +</keywords> | ||
282 | +</info> | ||
283 | + | ||
284 | +# | ||
285 | +# Server-side | ||
286 | +<reply> | ||
287 | +<servercmd> | ||
288 | +REPLY welcome 230 Welcome | ||
289 | +REPLY AUTH 500 unknown command | ||
290 | +</servercmd> | ||
291 | +</reply> | ||
292 | + | ||
293 | +# Client-side | ||
294 | +<client> | ||
295 | +<features> | ||
296 | +SSL | ||
297 | +</features> | ||
298 | +<server> | ||
299 | +ftp | ||
300 | +</server> | ||
301 | + <name> | ||
302 | +FTP require STARTTLS while preauthenticated | ||
303 | + </name> | ||
304 | +<file name="log/test%TESTNUMBER.txt"> | ||
305 | +data | ||
306 | + to | ||
307 | + see | ||
308 | +that FTPS | ||
309 | +works | ||
310 | + so does it? | ||
311 | +</file> | ||
312 | + <command> | ||
313 | +--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret | ||
314 | +</command> | ||
315 | +</client> | ||
316 | + | ||
317 | +# Verify data after the test has been "shot" | ||
318 | +<verify> | ||
319 | +# 64 is CURLE_USE_SSL_FAILED | ||
320 | +<errorcode> | ||
321 | +64 | ||
322 | +</errorcode> | ||
323 | +<protocol> | ||
324 | +AUTH SSL | ||
325 | +AUTH TLS | ||
326 | +</protocol> | ||
327 | +</verify> | ||
328 | +</testcase> | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22947.patch b/meta/recipes-support/curl/curl/CVE-2021-22947.patch new file mode 100644 index 0000000000..070a328e27 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22947.patch | |||
@@ -0,0 +1,352 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 259b4f2e1fd01fbc55e569ee0a507afeae34f77c Mon Sep 17 00:00:00 2001 | ||
4 | From: Patrick Monnerat <patrick@monnerat.net> | ||
5 | Date: Tue, 7 Sep 2021 13:26:42 +0200 | ||
6 | Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response | ||
7 | pipelining | ||
8 | |||
9 | If a server pipelines future responses within the STARTTLS response, the | ||
10 | former are preserved in the pingpong cache across TLS negotiation and | ||
11 | used as responses to the encrypted commands. | ||
12 | |||
13 | This fix detects pipelined STARTTLS responses and rejects them with an | ||
14 | error. | ||
15 | |||
16 | Bug: https://curl.se/docs/CVE-2021-22947.html | ||
17 | Upstream-Status: backport from 7.68.0-1ubuntu2.7 | ||
18 | Signed-off-by: Mike Crowe <mac@mcrowe.com> | ||
19 | CVE: CVE-2021-22947 | ||
20 | |||
21 | --- | ||
22 | lib/ftp.c | 3 +++ | ||
23 | lib/imap.c | 4 +++ | ||
24 | lib/pop3.c | 4 +++ | ||
25 | lib/smtp.c | 4 +++ | ||
26 | tests/data/Makefile.inc | 2 ++ | ||
27 | tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++ | ||
28 | tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++ | ||
29 | tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++ | ||
30 | tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++ | ||
31 | 9 files changed, 237 insertions(+) | ||
32 | create mode 100644 tests/data/test980 | ||
33 | create mode 100644 tests/data/test981 | ||
34 | create mode 100644 tests/data/test982 | ||
35 | create mode 100644 tests/data/test983 | ||
36 | |||
37 | diff --git a/lib/ftp.c b/lib/ftp.c | ||
38 | index 91b43d8..31a34e8 100644 | ||
39 | --- a/lib/ftp.c | ||
40 | +++ b/lib/ftp.c | ||
41 | @@ -2670,6 +2670,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) | ||
42 | case FTP_AUTH: | ||
43 | /* we have gotten the response to a previous AUTH command */ | ||
44 | |||
45 | + if(pp->cache_size) | ||
46 | + return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */ | ||
47 | + | ||
48 | /* RFC2228 (page 5) says: | ||
49 | * | ||
50 | * If the server is willing to accept the named security mechanism, | ||
51 | diff --git a/lib/imap.c b/lib/imap.c | ||
52 | index 9880ce1..0ca700f 100644 | ||
53 | --- a/lib/imap.c | ||
54 | +++ b/lib/imap.c | ||
55 | @@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn, | ||
56 | |||
57 | (void)instate; /* no use for this yet */ | ||
58 | |||
59 | + /* Pipelining in response is forbidden. */ | ||
60 | + if(data->conn->proto.imapc.pp.cache_size) | ||
61 | + return CURLE_WEIRD_SERVER_REPLY; | ||
62 | + | ||
63 | if(imapcode != IMAP_RESP_OK) { | ||
64 | if(data->set.use_ssl != CURLUSESSL_TRY) { | ||
65 | failf(data, "STARTTLS denied"); | ||
66 | diff --git a/lib/pop3.c b/lib/pop3.c | ||
67 | index 145b2b4..8a2d52e 100644 | ||
68 | --- a/lib/pop3.c | ||
69 | +++ b/lib/pop3.c | ||
70 | @@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn, | ||
71 | |||
72 | (void)instate; /* no use for this yet */ | ||
73 | |||
74 | + /* Pipelining in response is forbidden. */ | ||
75 | + if(data->conn->proto.pop3c.pp.cache_size) | ||
76 | + return CURLE_WEIRD_SERVER_REPLY; | ||
77 | + | ||
78 | if(pop3code != '+') { | ||
79 | if(data->set.use_ssl != CURLUSESSL_TRY) { | ||
80 | failf(data, "STARTTLS denied"); | ||
81 | diff --git a/lib/smtp.c b/lib/smtp.c | ||
82 | index e187287..66183e2 100644 | ||
83 | --- a/lib/smtp.c | ||
84 | +++ b/lib/smtp.c | ||
85 | @@ -820,6 +820,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn, | ||
86 | |||
87 | (void)instate; /* no use for this yet */ | ||
88 | |||
89 | + /* Pipelining in response is forbidden. */ | ||
90 | + if(data->conn->proto.smtpc.pp.cache_size) | ||
91 | + return CURLE_WEIRD_SERVER_REPLY; | ||
92 | + | ||
93 | if(smtpcode != 220) { | ||
94 | if(data->set.use_ssl != CURLUSESSL_TRY) { | ||
95 | failf(data, "STARTTLS denied, code %d", smtpcode); | ||
96 | diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
97 | index 0fa6799..60e8176 100644 | ||
98 | --- a/tests/data/Makefile.inc | ||
99 | +++ b/tests/data/Makefile.inc | ||
100 | @@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ | ||
101 | test954 test955 test956 test957 test958 test959 test960 test961 test962 \ | ||
102 | test963 test964 test965 test966 test967 test968 test969 \ | ||
103 | \ | ||
104 | +test980 test981 test982 test983 \ | ||
105 | +\ | ||
106 | test984 test985 test986 \ | ||
107 | \ | ||
108 | test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ | ||
109 | diff --git a/tests/data/test980 b/tests/data/test980 | ||
110 | new file mode 100644 | ||
111 | index 0000000..97567f8 | ||
112 | --- /dev/null | ||
113 | +++ b/tests/data/test980 | ||
114 | @@ -0,0 +1,52 @@ | ||
115 | +<testcase> | ||
116 | +<info> | ||
117 | +<keywords> | ||
118 | +SMTP | ||
119 | +STARTTLS | ||
120 | +</keywords> | ||
121 | +</info> | ||
122 | + | ||
123 | +# | ||
124 | +# Server-side | ||
125 | +<reply> | ||
126 | +<servercmd> | ||
127 | +CAPA STARTTLS | ||
128 | +AUTH PLAIN | ||
129 | +REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted | ||
130 | +REPLY AUTH 535 5.7.8 Authentication credentials invalid | ||
131 | +</servercmd> | ||
132 | +</reply> | ||
133 | + | ||
134 | +# | ||
135 | +# Client-side | ||
136 | +<client> | ||
137 | +<features> | ||
138 | +SSL | ||
139 | +</features> | ||
140 | +<server> | ||
141 | +smtp | ||
142 | +</server> | ||
143 | + <name> | ||
144 | +SMTP STARTTLS pipelined server response | ||
145 | + </name> | ||
146 | +<stdin> | ||
147 | +mail body | ||
148 | +</stdin> | ||
149 | + <command> | ||
150 | +smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T - | ||
151 | +</command> | ||
152 | +</client> | ||
153 | + | ||
154 | +# | ||
155 | +# Verify data after the test has been "shot" | ||
156 | +<verify> | ||
157 | +# 8 is CURLE_WEIRD_SERVER_REPLY | ||
158 | +<errorcode> | ||
159 | +8 | ||
160 | +</errorcode> | ||
161 | +<protocol> | ||
162 | +EHLO %TESTNUMBER | ||
163 | +STARTTLS | ||
164 | +</protocol> | ||
165 | +</verify> | ||
166 | +</testcase> | ||
167 | diff --git a/tests/data/test981 b/tests/data/test981 | ||
168 | new file mode 100644 | ||
169 | index 0000000..2b98ce4 | ||
170 | --- /dev/null | ||
171 | +++ b/tests/data/test981 | ||
172 | @@ -0,0 +1,59 @@ | ||
173 | +<testcase> | ||
174 | +<info> | ||
175 | +<keywords> | ||
176 | +IMAP | ||
177 | +STARTTLS | ||
178 | +</keywords> | ||
179 | +</info> | ||
180 | + | ||
181 | +# | ||
182 | +# Server-side | ||
183 | +<reply> | ||
184 | +<servercmd> | ||
185 | +CAPA STARTTLS | ||
186 | +REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted | ||
187 | +REPLY LOGIN A003 BAD Authentication credentials invalid | ||
188 | +</servercmd> | ||
189 | +</reply> | ||
190 | + | ||
191 | +# | ||
192 | +# Client-side | ||
193 | +<client> | ||
194 | +<features> | ||
195 | +SSL | ||
196 | +</features> | ||
197 | +<server> | ||
198 | +imap | ||
199 | +</server> | ||
200 | + <name> | ||
201 | +IMAP STARTTLS pipelined server response | ||
202 | + </name> | ||
203 | + <command> | ||
204 | +imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl | ||
205 | +</command> | ||
206 | +<file name="log/upload%TESTNUMBER"> | ||
207 | +Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) | ||
208 | +From: Fred Foobar <foobar@example.COM> | ||
209 | +Subject: afternoon meeting | ||
210 | +To: joe@example.com | ||
211 | +Message-Id: <B27397-0100000@example.COM> | ||
212 | +MIME-Version: 1.0 | ||
213 | +Content-Type: TEXT/PLAIN; CHARSET=US-ASCII | ||
214 | + | ||
215 | +Hello Joe, do you think we can meet at 3:30 tomorrow? | ||
216 | +</file> | ||
217 | +</client> | ||
218 | + | ||
219 | +# | ||
220 | +# Verify data after the test has been "shot" | ||
221 | +<verify> | ||
222 | +# 8 is CURLE_WEIRD_SERVER_REPLY | ||
223 | +<errorcode> | ||
224 | +8 | ||
225 | +</errorcode> | ||
226 | +<protocol> | ||
227 | +A001 CAPABILITY | ||
228 | +A002 STARTTLS | ||
229 | +</protocol> | ||
230 | +</verify> | ||
231 | +</testcase> | ||
232 | diff --git a/tests/data/test982 b/tests/data/test982 | ||
233 | new file mode 100644 | ||
234 | index 0000000..9e07cc0 | ||
235 | --- /dev/null | ||
236 | +++ b/tests/data/test982 | ||
237 | @@ -0,0 +1,57 @@ | ||
238 | +<testcase> | ||
239 | +<info> | ||
240 | +<keywords> | ||
241 | +POP3 | ||
242 | +STARTTLS | ||
243 | +</keywords> | ||
244 | +</info> | ||
245 | + | ||
246 | +# | ||
247 | +# Server-side | ||
248 | +<reply> | ||
249 | +<servercmd> | ||
250 | +CAPA STLS USER | ||
251 | +REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated | ||
252 | +REPLY PASS -ERR Authentication credentials invalid | ||
253 | +</servercmd> | ||
254 | +<data nocheck="yes"> | ||
255 | +From: me@somewhere | ||
256 | +To: fake@nowhere | ||
257 | + | ||
258 | +body | ||
259 | + | ||
260 | +-- | ||
261 | + yours sincerely | ||
262 | +</data> | ||
263 | +</reply> | ||
264 | + | ||
265 | +# | ||
266 | +# Client-side | ||
267 | +<client> | ||
268 | +<features> | ||
269 | +SSL | ||
270 | +</features> | ||
271 | +<server> | ||
272 | +pop3 | ||
273 | +</server> | ||
274 | + <name> | ||
275 | +POP3 STARTTLS pipelined server response | ||
276 | + </name> | ||
277 | + <command> | ||
278 | +pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl | ||
279 | + </command> | ||
280 | +</client> | ||
281 | + | ||
282 | +# | ||
283 | +# Verify data after the test has been "shot" | ||
284 | +<verify> | ||
285 | +# 8 is CURLE_WEIRD_SERVER_REPLY | ||
286 | +<errorcode> | ||
287 | +8 | ||
288 | +</errorcode> | ||
289 | +<protocol> | ||
290 | +CAPA | ||
291 | +STLS | ||
292 | +</protocol> | ||
293 | +</verify> | ||
294 | +</testcase> | ||
295 | diff --git a/tests/data/test983 b/tests/data/test983 | ||
296 | new file mode 100644 | ||
297 | index 0000000..300ec45 | ||
298 | --- /dev/null | ||
299 | +++ b/tests/data/test983 | ||
300 | @@ -0,0 +1,52 @@ | ||
301 | +<testcase> | ||
302 | +<info> | ||
303 | +<keywords> | ||
304 | +FTP | ||
305 | +STARTTLS | ||
306 | +</keywords> | ||
307 | +</info> | ||
308 | + | ||
309 | +# | ||
310 | +# Server-side | ||
311 | +<reply> | ||
312 | +<servercmd> | ||
313 | +REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete | ||
314 | +REPLY PASS 530 Login incorrect | ||
315 | +</servercmd> | ||
316 | +</reply> | ||
317 | + | ||
318 | +# Client-side | ||
319 | +<client> | ||
320 | +<features> | ||
321 | +SSL | ||
322 | +</features> | ||
323 | +<server> | ||
324 | +ftp | ||
325 | +</server> | ||
326 | + <name> | ||
327 | +FTP STARTTLS pipelined server response | ||
328 | + </name> | ||
329 | +<file name="log/test%TESTNUMBER.txt"> | ||
330 | +data | ||
331 | + to | ||
332 | + see | ||
333 | +that FTPS | ||
334 | +works | ||
335 | + so does it? | ||
336 | +</file> | ||
337 | + <command> | ||
338 | +--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP | ||
339 | +</command> | ||
340 | +</client> | ||
341 | + | ||
342 | +# Verify data after the test has been "shot" | ||
343 | +<verify> | ||
344 | +# 8 is CURLE_WEIRD_SERVER_REPLY | ||
345 | +<errorcode> | ||
346 | +8 | ||
347 | +</errorcode> | ||
348 | +<protocol> | ||
349 | +AUTH SSL | ||
350 | +</protocol> | ||
351 | +</verify> | ||
352 | +</testcase> | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-22576.patch b/meta/recipes-support/curl/curl/CVE-2022-22576.patch new file mode 100644 index 0000000000..13479e7f0e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-22576.patch | |||
@@ -0,0 +1,148 @@ | |||
1 | From 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 Mon Sep 17 00:00:00 2001 | ||
2 | From: Patrick Monnerat <patrick@monnerat.net> | ||
3 | Date: Mon, 25 Apr 2022 11:44:05 +0200 | ||
4 | Subject: [PATCH] url: check sasl additional parameters for connection reuse. | ||
5 | |||
6 | Also move static function safecmp() as non-static Curl_safecmp() since | ||
7 | its purpose is needed at several places. | ||
8 | |||
9 | Bug: https://curl.se/docs/CVE-2022-22576.html | ||
10 | |||
11 | CVE-2022-22576 | ||
12 | |||
13 | Closes #8746 | ||
14 | --- | ||
15 | lib/strcase.c | 10 ++++++++++ | ||
16 | lib/strcase.h | 2 ++ | ||
17 | lib/url.c | 13 ++++++++++++- | ||
18 | lib/urldata.h | 1 + | ||
19 | lib/vtls/vtls.c | 21 ++++++--------------- | ||
20 | 5 files changed, 31 insertions(+), 16 deletions(-) | ||
21 | |||
22 | CVE: CVE-2022-22576 | ||
23 | Upstream-Status: Backport [https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425.patch] | ||
24 | Comment: Refreshed patch | ||
25 | Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com> | ||
26 | |||
27 | diff --git a/lib/strcase.c b/lib/strcase.c | ||
28 | index dd46ca1ba0e5..692a3f14aee7 100644 | ||
29 | --- a/lib/strcase.c | ||
30 | +++ b/lib/strcase.c | ||
31 | @@ -251,6 +251,16 @@ | ||
32 | } while(*src++ && --n); | ||
33 | } | ||
34 | |||
35 | +/* Compare case-sensitive NUL-terminated strings, taking care of possible | ||
36 | + * null pointers. Return true if arguments match. | ||
37 | + */ | ||
38 | +bool Curl_safecmp(char *a, char *b) | ||
39 | +{ | ||
40 | + if(a && b) | ||
41 | + return !strcmp(a, b); | ||
42 | + return !a && !b; | ||
43 | +} | ||
44 | + | ||
45 | /* --- public functions --- */ | ||
46 | |||
47 | int curl_strequal(const char *first, const char *second) | ||
48 | diff --git a/lib/strcase.h b/lib/strcase.h | ||
49 | index b234d3815220..2635f5117e99 100644 | ||
50 | --- a/lib/strcase.h | ||
51 | +++ b/lib/strcase.h | ||
52 | @@ -48,4 +48,6 @@ | ||
53 | void Curl_strntoupper(char *dest, const char *src, size_t n); | ||
54 | void Curl_strntolower(char *dest, const char *src, size_t n); | ||
55 | |||
56 | +bool Curl_safecmp(char *a, char *b); | ||
57 | + | ||
58 | #endif /* HEADER_CURL_STRCASE_H */ | ||
59 | diff --git a/lib/url.c b/lib/url.c | ||
60 | index 9a988b4d58d8..e1647b133854 100644 | ||
61 | --- a/lib/url.c | ||
62 | +++ b/lib/url.c | ||
63 | @@ -730,6 +730,7 @@ | ||
64 | Curl_safefree(conn->allocptr.host); | ||
65 | Curl_safefree(conn->allocptr.cookiehost); | ||
66 | Curl_safefree(conn->allocptr.rtsp_transport); | ||
67 | + Curl_safefree(conn->oauth_bearer); | ||
68 | Curl_safefree(conn->trailer); | ||
69 | Curl_safefree(conn->host.rawalloc); /* host name buffer */ | ||
70 | Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ | ||
71 | @@ -1251,7 +1252,9 @@ | ||
72 | /* This protocol requires credentials per connection, | ||
73 | so verify that we're using the same name and password as well */ | ||
74 | if(strcmp(needle->user, check->user) || | ||
75 | - strcmp(needle->passwd, check->passwd)) { | ||
76 | + strcmp(needle->passwd, check->passwd) || | ||
77 | + !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || | ||
78 | + !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { | ||
79 | /* one of them was different */ | ||
80 | continue; | ||
81 | } | ||
82 | @@ -3392,6 +3395,14 @@ | ||
83 | result = CURLE_OUT_OF_MEMORY; | ||
84 | goto out; | ||
85 | } | ||
86 | + } | ||
87 | + | ||
88 | + if(data->set.str[STRING_BEARER]) { | ||
89 | + conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); | ||
90 | + if(!conn->oauth_bearer) { | ||
91 | + result = CURLE_OUT_OF_MEMORY; | ||
92 | + goto out; | ||
93 | + } | ||
94 | } | ||
95 | |||
96 | #ifdef USE_UNIX_SOCKETS | ||
97 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
98 | index 07eb19b87034..1d89b8d7fa68 100644 | ||
99 | --- a/lib/urldata.h | ||
100 | +++ b/lib/urldata.h | ||
101 | @@ -949,6 +949,8 @@ | ||
102 | |||
103 | char *sasl_authzid; /* authorisation identity string, allocated */ | ||
104 | |||
105 | + char *oauth_bearer; /* OAUTH2 bearer, allocated */ | ||
106 | + | ||
107 | int httpversion; /* the HTTP version*10 reported by the server */ | ||
108 | int rtspversion; /* the RTSP version*10 reported by the server */ | ||
109 | |||
110 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
111 | index 03b85ba065e5..a40ac06f684f 100644 | ||
112 | --- a/lib/vtls/vtls.c | ||
113 | +++ b/lib/vtls/vtls.c | ||
114 | @@ -82,15 +82,6 @@ | ||
115 | else \ | ||
116 | dest->var = NULL; | ||
117 | |||
118 | -static bool safecmp(char *a, char *b) | ||
119 | -{ | ||
120 | - if(a && b) | ||
121 | - return !strcmp(a, b); | ||
122 | - else if(!a && !b) | ||
123 | - return TRUE; /* match */ | ||
124 | - return FALSE; /* no match */ | ||
125 | -} | ||
126 | - | ||
127 | |||
128 | bool | ||
129 | Curl_ssl_config_matches(struct ssl_primary_config* data, | ||
130 | @@ -101,12 +101,12 @@ | ||
131 | (data->verifypeer == needle->verifypeer) && | ||
132 | (data->verifyhost == needle->verifyhost) && | ||
133 | (data->verifystatus == needle->verifystatus) && | ||
134 | - safecmp(data->CApath, needle->CApath) && | ||
135 | - safecmp(data->CAfile, needle->CAfile) && | ||
136 | - safecmp(data->issuercert, needle->issuercert) && | ||
137 | - safecmp(data->clientcert, needle->clientcert) && | ||
138 | - safecmp(data->random_file, needle->random_file) && | ||
139 | - safecmp(data->egdsocket, needle->egdsocket) && | ||
140 | + Curl_safecmp(data->CApath, needle->CApath) && | ||
141 | + Curl_safecmp(data->CAfile, needle->CAfile) && | ||
142 | + Curl_safecmp(data->issuercert, needle->issuercert) && | ||
143 | + Curl_safecmp(data->clientcert, needle->clientcert) && | ||
144 | + Curl_safecmp(data->random_file, needle->random_file) && | ||
145 | + Curl_safecmp(data->egdsocket, needle->egdsocket) && | ||
146 | Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && | ||
147 | Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && | ||
148 | Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch new file mode 100644 index 0000000000..063c11712a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From 2a797e099731facf62a2c675396334bc2ad3bc7c Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 25 Apr 2022 16:24:33 +0200 | ||
4 | Subject: [PATCH] connect: store "conn_remote_port" in the info struct | ||
5 | |||
6 | To make it available after the connection ended. | ||
7 | |||
8 | Prerequisite for the patches that address CVE-2022-27774. | ||
9 | |||
10 | Upstream-Status: Backport [https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839] | ||
11 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
12 | --- | ||
13 | lib/connect.c | 1 + | ||
14 | lib/urldata.h | 6 +++++- | ||
15 | 2 files changed, 6 insertions(+), 1 deletion(-) | ||
16 | |||
17 | diff --git a/lib/connect.c b/lib/connect.c | ||
18 | index b3d4057..a977d67 100644 | ||
19 | --- a/lib/connect.c | ||
20 | +++ b/lib/connect.c | ||
21 | @@ -624,6 +624,7 @@ void Curl_persistconninfo(struct connectdata *conn) | ||
22 | conn->data->info.conn_scheme = conn->handler->scheme; | ||
23 | conn->data->info.conn_protocol = conn->handler->protocol; | ||
24 | conn->data->info.conn_primary_port = conn->primary_port; | ||
25 | + conn->data->info.conn_remote_port = conn->remote_port; | ||
26 | conn->data->info.conn_local_port = conn->local_port; | ||
27 | } | ||
28 | |||
29 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
30 | index fafb7a3..ab1b267 100644 | ||
31 | --- a/lib/urldata.h | ||
32 | +++ b/lib/urldata.h | ||
33 | @@ -1148,7 +1148,11 @@ struct PureInfo { | ||
34 | reused, in the connection cache. */ | ||
35 | |||
36 | char conn_primary_ip[MAX_IPADR_LEN]; | ||
37 | - long conn_primary_port; | ||
38 | + long conn_primary_port; /* this is the destination port to the connection, | ||
39 | + which might have been a proxy */ | ||
40 | + long conn_remote_port; /* this is the "remote port", which is the port | ||
41 | + number of the used URL, independent of proxy or | ||
42 | + not */ | ||
43 | char conn_local_ip[MAX_IPADR_LEN]; | ||
44 | long conn_local_port; | ||
45 | const char *conn_scheme; | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch new file mode 100644 index 0000000000..c64d614194 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch | |||
@@ -0,0 +1,80 @@ | |||
1 | From 5c2f3b3a5f115625134669d90d591de9c5aafc8e Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 25 Apr 2022 16:24:33 +0200 | ||
4 | Subject: [PATCH] transfer: redirects to other protocols or ports clear auth | ||
5 | |||
6 | ... unless explicitly permitted. | ||
7 | |||
8 | Bug: https://curl.se/docs/CVE-2022-27774.html | ||
9 | Reported-by: Harry Sintonen | ||
10 | Closes #8748 | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79] | ||
13 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
14 | --- | ||
15 | lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- | ||
16 | 1 file changed, 48 insertions(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/lib/transfer.c b/lib/transfer.c | ||
19 | index 744e1c0..ac69d27 100644 | ||
20 | --- a/lib/transfer.c | ||
21 | +++ b/lib/transfer.c | ||
22 | @@ -1627,10 +1627,57 @@ CURLcode Curl_follow(struct Curl_easy *data, | ||
23 | return CURLE_OUT_OF_MEMORY; | ||
24 | } | ||
25 | else { | ||
26 | - | ||
27 | uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); | ||
28 | if(uc) | ||
29 | return Curl_uc_to_curlcode(uc); | ||
30 | + | ||
31 | + /* Clear auth if this redirects to a different port number or protocol, | ||
32 | + unless permitted */ | ||
33 | + if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { | ||
34 | + char *portnum; | ||
35 | + int port; | ||
36 | + bool clear = FALSE; | ||
37 | + | ||
38 | + if(data->set.use_port && data->state.allow_port) | ||
39 | + /* a custom port is used */ | ||
40 | + port = (int)data->set.use_port; | ||
41 | + else { | ||
42 | + uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, | ||
43 | + CURLU_DEFAULT_PORT); | ||
44 | + if(uc) { | ||
45 | + free(newurl); | ||
46 | + return Curl_uc_to_curlcode(uc); | ||
47 | + } | ||
48 | + port = atoi(portnum); | ||
49 | + free(portnum); | ||
50 | + } | ||
51 | + if(port != data->info.conn_remote_port) { | ||
52 | + infof(data, "Clear auth, redirects to port from %u to %u", | ||
53 | + data->info.conn_remote_port, port); | ||
54 | + clear = TRUE; | ||
55 | + } | ||
56 | + else { | ||
57 | + char *scheme; | ||
58 | + const struct Curl_handler *p; | ||
59 | + uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); | ||
60 | + if(uc) { | ||
61 | + free(newurl); | ||
62 | + return Curl_uc_to_curlcode(uc); | ||
63 | + } | ||
64 | + | ||
65 | + p = Curl_builtin_scheme(scheme); | ||
66 | + if(p && (p->protocol != data->info.conn_protocol)) { | ||
67 | + infof(data, "Clear auth, redirects scheme from %s to %s", | ||
68 | + data->info.conn_scheme, scheme); | ||
69 | + clear = TRUE; | ||
70 | + } | ||
71 | + free(scheme); | ||
72 | + } | ||
73 | + if(clear) { | ||
74 | + Curl_safefree(data->set.str[STRING_USERNAME]); | ||
75 | + Curl_safefree(data->set.str[STRING_PASSWORD]); | ||
76 | + } | ||
77 | + } | ||
78 | } | ||
79 | |||
80 | if(type == FOLLOW_FAKE) { | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch new file mode 100644 index 0000000000..a585f6a8fa --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch | |||
@@ -0,0 +1,83 @@ | |||
1 | From 5dccf21ad49eed925e8f76b0cb844877239ce23d Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 25 Apr 2022 17:59:15 +0200 | ||
4 | Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either | ||
5 | |||
6 | Follow-up to 620ea21410030 | ||
7 | |||
8 | Reported-by: Harry Sintonen | ||
9 | Closes #8751 | ||
10 | |||
11 | Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08] | ||
12 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
13 | --- | ||
14 | lib/http.c | 10 +++++----- | ||
15 | lib/http.h | 6 ++++++ | ||
16 | lib/vtls/openssl.c | 3 ++- | ||
17 | 3 files changed, 13 insertions(+), 6 deletions(-) | ||
18 | |||
19 | diff --git a/lib/http.c b/lib/http.c | ||
20 | index 8b16c09..5291c07 100644 | ||
21 | --- a/lib/http.c | ||
22 | +++ b/lib/http.c | ||
23 | @@ -732,10 +732,10 @@ output_auth_headers(struct connectdata *conn, | ||
24 | } | ||
25 | |||
26 | /* | ||
27 | - * allow_auth_to_host() tells if autentication, cookies or other "sensitive | ||
28 | - * data" can (still) be sent to this host. | ||
29 | + * Curl_allow_auth_to_host() tells if authentication, cookies or other | ||
30 | + * "sensitive data" can (still) be sent to this host. | ||
31 | */ | ||
32 | -static bool allow_auth_to_host(struct Curl_easy *data) | ||
33 | +bool Curl_allow_auth_to_host(struct Curl_easy *data) | ||
34 | { | ||
35 | struct connectdata *conn = data->conn; | ||
36 | return (!data->state.this_is_a_follow || | ||
37 | @@ -816,7 +816,7 @@ Curl_http_output_auth(struct connectdata *conn, | ||
38 | |||
39 | /* To prevent the user+password to get sent to other than the original host | ||
40 | due to a location-follow */ | ||
41 | - if(allow_auth_to_host(data) | ||
42 | + if(Curl_allow_auth_to_host(data) | ||
43 | || conn->bits.netrc | ||
44 | ) | ||
45 | result = output_auth_headers(conn, authhost, request, path, FALSE); | ||
46 | @@ -1891,7 +1891,7 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, | ||
47 | checkprefix("Cookie:", compare)) && | ||
48 | /* be careful of sending this potentially sensitive header to | ||
49 | other hosts */ | ||
50 | - !allow_auth_to_host(data)) | ||
51 | + !Curl_allow_auth_to_host(data)) | ||
52 | ; | ||
53 | else { | ||
54 | result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare); | ||
55 | diff --git a/lib/http.h b/lib/http.h | ||
56 | index 4c1825f..4fbae1d 100644 | ||
57 | --- a/lib/http.h | ||
58 | +++ b/lib/http.h | ||
59 | @@ -273,4 +273,10 @@ Curl_http_output_auth(struct connectdata *conn, | ||
60 | bool proxytunnel); /* TRUE if this is the request setting | ||
61 | up the proxy tunnel */ | ||
62 | |||
63 | +/* | ||
64 | + * Curl_allow_auth_to_host() tells if authentication, cookies or other | ||
65 | + * "sensitive data" can (still) be sent to this host. | ||
66 | + */ | ||
67 | +bool Curl_allow_auth_to_host(struct Curl_easy *data); | ||
68 | + | ||
69 | #endif /* HEADER_CURL_HTTP_H */ | ||
70 | diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c | ||
71 | index 006a8c8..a14cecc 100644 | ||
72 | --- a/lib/vtls/openssl.c | ||
73 | +++ b/lib/vtls/openssl.c | ||
74 | @@ -2739,7 +2739,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) | ||
75 | #endif | ||
76 | |||
77 | #ifdef USE_TLS_SRP | ||
78 | - if(ssl_authtype == CURL_TLSAUTH_SRP) { | ||
79 | + if((ssl_authtype == CURL_TLSAUTH_SRP) && | ||
80 | + Curl_allow_auth_to_host(data)) { | ||
81 | char * const ssl_username = SSL_SET_OPTION(username); | ||
82 | |||
83 | infof(data, "Using TLS-SRP username: %s\n", ssl_username); | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch new file mode 100644 index 0000000000..2258681cab --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From 7395752e2f7b87dc8c8f2a7137075e2da554aaea Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 26 Apr 2022 07:46:19 +0200 | ||
4 | Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects | ||
5 | |||
6 | Follow-up to 620ea21410030 and 139a54ed0a172a | ||
7 | |||
8 | Reported-by: Harry Sintonen | ||
9 | Closes #8752 | ||
10 | |||
11 | Upstream-Status: Backport [https://github.com/curl/curl/commit/093531556203decd92d92bccd431edbe5561781c] | ||
12 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
13 | --- | ||
14 | lib/vtls/gtls.c | 6 +++--- | ||
15 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
16 | |||
17 | diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c | ||
18 | index 8c05102..3d0758d 100644 | ||
19 | --- a/lib/vtls/gtls.c | ||
20 | +++ b/lib/vtls/gtls.c | ||
21 | @@ -581,11 +581,11 @@ gtls_connect_step1(struct connectdata *conn, | ||
22 | } | ||
23 | |||
24 | #ifdef USE_TLS_SRP | ||
25 | - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { | ||
26 | + if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && | ||
27 | + Curl_allow_auth_to_host(data)) { | ||
28 | infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username)); | ||
29 | |||
30 | - rc = gnutls_srp_allocate_client_credentials( | ||
31 | - &BACKEND->srp_client_cred); | ||
32 | + rc = gnutls_srp_allocate_client_credentials(&BACKEND->srp_client_cred); | ||
33 | if(rc != GNUTLS_E_SUCCESS) { | ||
34 | failf(data, "gnutls_srp_allocate_client_cred() failed: %s", | ||
35 | gnutls_strerror(rc)); | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27775.patch b/meta/recipes-support/curl/curl/CVE-2022-27775.patch new file mode 100644 index 0000000000..b3fe7b4494 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27775.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From 058f98dc3fe595f21dc26a5b9b1699e519ba5705 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 25 Apr 2022 11:48:00 +0200 | ||
4 | Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey | ||
5 | |||
6 | Make connections to two separate IPv6 zone ids create separate | ||
7 | connections. | ||
8 | |||
9 | Reported-by: Harry Sintonen | ||
10 | Bug: https://curl.se/docs/CVE-2022-27775.html | ||
11 | Closes #8747 | ||
12 | --- | ||
13 | lib/conncache.c | 8 ++++++-- | ||
14 | 1 file changed, 6 insertions(+), 2 deletions(-) | ||
15 | |||
16 | CVE: CVE-2022-27775 | ||
17 | Upstream-Status: Backport [https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705.patch] | ||
18 | Comment: Refreshed patch | ||
19 | Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com> | ||
20 | |||
21 | diff --git a/lib/conncache.c b/lib/conncache.c | ||
22 | index ec669b971dc3..8948b53fa500 100644 | ||
23 | --- a/lib/conncache.c | ||
24 | +++ b/lib/conncache.c | ||
25 | @@ -156,8 +156,12 @@ | ||
26 | /* report back which name we used */ | ||
27 | *hostp = hostname; | ||
28 | |||
29 | - /* put the number first so that the hostname gets cut off if too long */ | ||
30 | - msnprintf(buf, len, "%ld%s", port, hostname); | ||
31 | + /* put the numbers first so that the hostname gets cut off if too long */ | ||
32 | +#ifdef ENABLE_IPV6 | ||
33 | + msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname); | ||
34 | +#else | ||
35 | + msnprintf(buf, len, "%ld/%s", port, hostname); | ||
36 | +#endif | ||
37 | } | ||
38 | |||
39 | /* Returns number of connections currently held in the connection cache. | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27776.patch b/meta/recipes-support/curl/curl/CVE-2022-27776.patch new file mode 100644 index 0000000000..1a13df2d95 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27776.patch | |||
@@ -0,0 +1,114 @@ | |||
1 | From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 25 Apr 2022 13:05:40 +0200 | ||
4 | Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port | ||
5 | |||
6 | CVE-2022-27776 | ||
7 | |||
8 | Reported-by: Harry Sintonen | ||
9 | Bug: https://curl.se/docs/CVE-2022-27776.html | ||
10 | Closes #8749 | ||
11 | --- | ||
12 | lib/http.c | 34 ++++++++++++++++++++++------------ | ||
13 | lib/urldata.h | 16 +++++++++------- | ||
14 | 2 files changed, 31 insertions(+), 19 deletions(-) | ||
15 | |||
16 | CVE: CVE-2022-27776 | ||
17 | Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258.patch] | ||
18 | Comment: Refreshed patch | ||
19 | Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com> | ||
20 | |||
21 | diff --git a/lib/http.c b/lib/http.c | ||
22 | index ce79fc4e31c8..f0476f3b9272 100644 | ||
23 | --- a/lib/http.c | ||
24 | +++ b/lib/http.c | ||
25 | @@ -731,6 +731,21 @@ | ||
26 | return CURLE_OK; | ||
27 | } | ||
28 | |||
29 | +/* | ||
30 | + * allow_auth_to_host() tells if autentication, cookies or other "sensitive | ||
31 | + * data" can (still) be sent to this host. | ||
32 | + */ | ||
33 | +static bool allow_auth_to_host(struct Curl_easy *data) | ||
34 | +{ | ||
35 | + struct connectdata *conn = data->conn; | ||
36 | + return (!data->state.this_is_a_follow || | ||
37 | + data->set.allow_auth_to_other_hosts || | ||
38 | + (data->state.first_host && | ||
39 | + strcasecompare(data->state.first_host, conn->host.name) && | ||
40 | + (data->state.first_remote_port == conn->remote_port) && | ||
41 | + (data->state.first_remote_protocol == conn->handler->protocol))); | ||
42 | +} | ||
43 | + | ||
44 | /** | ||
45 | * Curl_http_output_auth() setups the authentication headers for the | ||
46 | * host/proxy and the correct authentication | ||
47 | @@ -799,15 +799,12 @@ | ||
48 | with it */ | ||
49 | authproxy->done = TRUE; | ||
50 | |||
51 | - /* To prevent the user+password to get sent to other than the original | ||
52 | - host due to a location-follow, we do some weirdo checks here */ | ||
53 | - if(!data->state.this_is_a_follow || | ||
54 | - conn->bits.netrc || | ||
55 | - !data->state.first_host || | ||
56 | - data->set.allow_auth_to_other_hosts || | ||
57 | - strcasecompare(data->state.first_host, conn->host.name)) { | ||
58 | + /* To prevent the user+password to get sent to other than the original host | ||
59 | + due to a location-follow */ | ||
60 | + if(allow_auth_to_host(data) | ||
61 | + || conn->bits.netrc | ||
62 | + ) | ||
63 | result = output_auth_headers(conn, authhost, request, path, FALSE); | ||
64 | - } | ||
65 | else | ||
66 | authhost->done = TRUE; | ||
67 | |||
68 | @@ -1879,10 +1891,7 @@ | ||
69 | checkprefix("Cookie:", compare)) && | ||
70 | /* be careful of sending this potentially sensitive header to | ||
71 | other hosts */ | ||
72 | - (data->state.this_is_a_follow && | ||
73 | - data->state.first_host && | ||
74 | - !data->set.allow_auth_to_other_hosts && | ||
75 | - !strcasecompare(data->state.first_host, conn->host.name))) | ||
76 | + !allow_auth_to_host(data)) | ||
77 | ; | ||
78 | else { | ||
79 | result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare); | ||
80 | @@ -2065,6 +2074,7 @@ | ||
81 | return CURLE_OUT_OF_MEMORY; | ||
82 | |||
83 | data->state.first_remote_port = conn->remote_port; | ||
84 | + data->state.first_remote_protocol = conn->handler->protocol; | ||
85 | } | ||
86 | |||
87 | if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) && | ||
88 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
89 | index 1d89b8d7fa68..ef2174d9e727 100644 | ||
90 | --- a/lib/urldata.h | ||
91 | +++ b/lib/urldata.h | ||
92 | @@ -1342,13 +1342,15 @@ | ||
93 | char *ulbuf; /* allocated upload buffer or NULL */ | ||
94 | curl_off_t current_speed; /* the ProgressShow() function sets this, | ||
95 | bytes / second */ | ||
96 | - char *first_host; /* host name of the first (not followed) request. | ||
97 | - if set, this should be the host name that we will | ||
98 | - sent authorization to, no else. Used to make Location: | ||
99 | - following not keep sending user+password... This is | ||
100 | - strdup() data. | ||
101 | - */ | ||
102 | - int first_remote_port; /* remote port of the first (not followed) request */ | ||
103 | + | ||
104 | + /* host name, port number and protocol of the first (not followed) request. | ||
105 | + if set, this should be the host name that we will sent authorization to, | ||
106 | + no else. Used to make Location: following not keep sending user+password. | ||
107 | + This is strdup()ed data. */ | ||
108 | + char *first_host; | ||
109 | + int first_remote_port; | ||
110 | + unsigned int first_remote_protocol; | ||
111 | + | ||
112 | struct curl_ssl_session *session; /* array of 'max_ssl_sessions' size */ | ||
113 | long sessionage; /* number of the most recent session */ | ||
114 | unsigned int tempcount; /* number of entries in use in tempwrite, 0 - 3 */ | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27781.patch b/meta/recipes-support/curl/curl/CVE-2022-27781.patch new file mode 100644 index 0000000000..ea1bc22928 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27781.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From 7a1f183039a6a6c9099a114f5e5c94777413c767 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 9 May 2022 10:07:15 +0200 | ||
4 | Subject: [PATCH] nss: return error if seemingly stuck in a cert loop | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | CVE-2022-27781 | ||
10 | |||
11 | Reported-by: Florian Kohnhäuser | ||
12 | Bug: https://curl.se/docs/CVE-2022-27781.html | ||
13 | Closes #8822 | ||
14 | |||
15 | Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917] | ||
16 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
17 | --- | ||
18 | lib/vtls/nss.c | 8 ++++++++ | ||
19 | 1 file changed, 8 insertions(+) | ||
20 | |||
21 | diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c | ||
22 | index 375c78b..86102f7 100644 | ||
23 | --- a/lib/vtls/nss.c | ||
24 | +++ b/lib/vtls/nss.c | ||
25 | @@ -950,6 +950,9 @@ static void display_cert_info(struct Curl_easy *data, | ||
26 | PR_Free(common_name); | ||
27 | } | ||
28 | |||
29 | +/* A number of certs that will never occur in a real server handshake */ | ||
30 | +#define TOO_MANY_CERTS 300 | ||
31 | + | ||
32 | static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) | ||
33 | { | ||
34 | CURLcode result = CURLE_OK; | ||
35 | @@ -986,6 +989,11 @@ static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) | ||
36 | cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); | ||
37 | while(cert2) { | ||
38 | i++; | ||
39 | + if(i >= TOO_MANY_CERTS) { | ||
40 | + CERT_DestroyCertificate(cert2); | ||
41 | + failf(data, "certificate loop"); | ||
42 | + return CURLE_SSL_CERTPROBLEM; | ||
43 | + } | ||
44 | if(cert2->isRoot) { | ||
45 | CERT_DestroyCertificate(cert2); | ||
46 | break; | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch new file mode 100644 index 0000000000..6b6d0e1938 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch | |||
@@ -0,0 +1,363 @@ | |||
1 | From 907a16c832d9ce0ffa7e9b2297548063095a7242 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 9 May 2022 23:13:53 +0200 | ||
4 | Subject: [PATCH] tls: check more TLS details for connection reuse | ||
5 | |||
6 | CVE-2022-27782 | ||
7 | |||
8 | Reported-by: Harry Sintonen | ||
9 | Bug: https://curl.se/docs/CVE-2022-27782.html | ||
10 | Closes #8825 | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] | ||
13 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
14 | --- | ||
15 | lib/setopt.c | 29 +++++++++++++++++------------ | ||
16 | lib/url.c | 17 ++++++++++------- | ||
17 | lib/urldata.h | 13 +++++++------ | ||
18 | lib/vtls/gtls.c | 30 ++++++++++++++++-------------- | ||
19 | lib/vtls/mbedtls.c | 2 +- | ||
20 | lib/vtls/nss.c | 6 +++--- | ||
21 | lib/vtls/openssl.c | 10 +++++----- | ||
22 | lib/vtls/vtls.c | 1 + | ||
23 | 8 files changed, 60 insertions(+), 48 deletions(-) | ||
24 | |||
25 | diff --git a/lib/setopt.c b/lib/setopt.c | ||
26 | index 4648c87..bebb2e4 100644 | ||
27 | --- a/lib/setopt.c | ||
28 | +++ b/lib/setopt.c | ||
29 | @@ -2130,6 +2130,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) | ||
30 | |||
31 | case CURLOPT_SSL_OPTIONS: | ||
32 | arg = va_arg(param, long); | ||
33 | + data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); | ||
34 | data->set.ssl.enable_beast = | ||
35 | (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE); | ||
36 | data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); | ||
37 | @@ -2139,6 +2140,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) | ||
38 | #ifndef CURL_DISABLE_PROXY | ||
39 | case CURLOPT_PROXY_SSL_OPTIONS: | ||
40 | arg = va_arg(param, long); | ||
41 | + data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); | ||
42 | data->set.proxy_ssl.enable_beast = | ||
43 | (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE); | ||
44 | data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); | ||
45 | @@ -2541,44 +2543,47 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) | ||
46 | case CURLOPT_TLSAUTH_USERNAME: | ||
47 | result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG], | ||
48 | va_arg(param, char *)); | ||
49 | - if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) | ||
50 | - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
51 | + if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && | ||
52 | + !data->set.ssl.primary.authtype) | ||
53 | + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
54 | break; | ||
55 | case CURLOPT_PROXY_TLSAUTH_USERNAME: | ||
56 | result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], | ||
57 | va_arg(param, char *)); | ||
58 | if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && | ||
59 | - !data->set.proxy_ssl.authtype) | ||
60 | - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
61 | + !data->set.proxy_ssl.primary.authtype) | ||
62 | + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to | ||
63 | + SRP */ | ||
64 | break; | ||
65 | case CURLOPT_TLSAUTH_PASSWORD: | ||
66 | result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG], | ||
67 | va_arg(param, char *)); | ||
68 | - if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) | ||
69 | - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
70 | + if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && | ||
71 | + !data->set.ssl.primary.authtype) | ||
72 | + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
73 | break; | ||
74 | case CURLOPT_PROXY_TLSAUTH_PASSWORD: | ||
75 | result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], | ||
76 | va_arg(param, char *)); | ||
77 | if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && | ||
78 | - !data->set.proxy_ssl.authtype) | ||
79 | - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ | ||
80 | + !data->set.proxy_ssl.primary.authtype) | ||
81 | + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ | ||
82 | break; | ||
83 | case CURLOPT_TLSAUTH_TYPE: | ||
84 | argptr = va_arg(param, char *); | ||
85 | if(!argptr || | ||
86 | strncasecompare(argptr, "SRP", strlen("SRP"))) | ||
87 | - data->set.ssl.authtype = CURL_TLSAUTH_SRP; | ||
88 | + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; | ||
89 | else | ||
90 | - data->set.ssl.authtype = CURL_TLSAUTH_NONE; | ||
91 | + data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; | ||
92 | break; | ||
93 | case CURLOPT_PROXY_TLSAUTH_TYPE: | ||
94 | argptr = va_arg(param, char *); | ||
95 | if(!argptr || | ||
96 | strncasecompare(argptr, "SRP", strlen("SRP"))) | ||
97 | - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; | ||
98 | + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; | ||
99 | else | ||
100 | - data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; | ||
101 | + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; | ||
102 | break; | ||
103 | #endif | ||
104 | #ifdef USE_ARES | ||
105 | diff --git a/lib/url.c b/lib/url.c | ||
106 | index efa3dc7..6518be9 100644 | ||
107 | --- a/lib/url.c | ||
108 | +++ b/lib/url.c | ||
109 | @@ -482,7 +482,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) | ||
110 | set->ssl.primary.verifypeer = TRUE; | ||
111 | set->ssl.primary.verifyhost = TRUE; | ||
112 | #ifdef USE_TLS_SRP | ||
113 | - set->ssl.authtype = CURL_TLSAUTH_NONE; | ||
114 | + set->ssl.primary.authtype = CURL_TLSAUTH_NONE; | ||
115 | #endif | ||
116 | set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth | ||
117 | type */ | ||
118 | @@ -3594,8 +3594,9 @@ static CURLcode create_conn(struct Curl_easy *data, | ||
119 | data->set.proxy_ssl.primary.pinned_key = | ||
120 | data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]; | ||
121 | |||
122 | - data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; | ||
123 | - data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; | ||
124 | + data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; | ||
125 | + data->set.proxy_ssl.primary.CRLfile = | ||
126 | + data->set.str[STRING_SSL_CRLFILE_PROXY]; | ||
127 | data->set.ssl.cert = data->set.str[STRING_CERT_ORIG]; | ||
128 | data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; | ||
129 | data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; | ||
130 | @@ -3609,10 +3610,12 @@ static CURLcode create_conn(struct Curl_easy *data, | ||
131 | data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG]; | ||
132 | data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; | ||
133 | #ifdef USE_TLS_SRP | ||
134 | - data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; | ||
135 | - data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; | ||
136 | - data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; | ||
137 | - data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; | ||
138 | + data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; | ||
139 | + data->set.proxy_ssl.primary.username = | ||
140 | + data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; | ||
141 | + data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; | ||
142 | + data->set.proxy_ssl.primary.password = | ||
143 | + data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; | ||
144 | #endif | ||
145 | |||
146 | if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary, | ||
147 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
148 | index ab1b267..ad0ef8f 100644 | ||
149 | --- a/lib/urldata.h | ||
150 | +++ b/lib/urldata.h | ||
151 | @@ -231,6 +231,13 @@ struct ssl_primary_config { | ||
152 | char *cipher_list; /* list of ciphers to use */ | ||
153 | char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ | ||
154 | char *pinned_key; | ||
155 | + char *CRLfile; /* CRL to check certificate revocation */ | ||
156 | + #ifdef USE_TLS_SRP | ||
157 | + char *username; /* TLS username (for, e.g., SRP) */ | ||
158 | + char *password; /* TLS password (for, e.g., SRP) */ | ||
159 | + enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ | ||
160 | + #endif | ||
161 | + unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ | ||
162 | BIT(verifypeer); /* set TRUE if this is desired */ | ||
163 | BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ | ||
164 | BIT(verifystatus); /* set TRUE if certificate status must be checked */ | ||
165 | @@ -240,7 +247,6 @@ struct ssl_primary_config { | ||
166 | struct ssl_config_data { | ||
167 | struct ssl_primary_config primary; | ||
168 | long certverifyresult; /* result from the certificate verification */ | ||
169 | - char *CRLfile; /* CRL to check certificate revocation */ | ||
170 | curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ | ||
171 | void *fsslctxp; /* parameter for call back */ | ||
172 | char *cert; /* client certificate file name */ | ||
173 | @@ -248,11 +254,6 @@ struct ssl_config_data { | ||
174 | char *key; /* private key file name */ | ||
175 | char *key_type; /* format for private key (default: PEM) */ | ||
176 | char *key_passwd; /* plain text private key password */ | ||
177 | -#ifdef USE_TLS_SRP | ||
178 | - char *username; /* TLS username (for, e.g., SRP) */ | ||
179 | - char *password; /* TLS password (for, e.g., SRP) */ | ||
180 | - enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ | ||
181 | -#endif | ||
182 | BIT(certinfo); /* gather lots of certificate info */ | ||
183 | BIT(falsestart); | ||
184 | BIT(enable_beast); /* allow this flaw for interoperability's sake*/ | ||
185 | diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c | ||
186 | index 3d0758d..92c301c 100644 | ||
187 | --- a/lib/vtls/gtls.c | ||
188 | +++ b/lib/vtls/gtls.c | ||
189 | @@ -581,9 +581,10 @@ gtls_connect_step1(struct connectdata *conn, | ||
190 | } | ||
191 | |||
192 | #ifdef USE_TLS_SRP | ||
193 | - if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && | ||
194 | + if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && | ||
195 | Curl_allow_auth_to_host(data)) { | ||
196 | - infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username)); | ||
197 | + infof(data, "Using TLS-SRP username: %s\n", | ||
198 | + SSL_SET_OPTION(primary.username)); | ||
199 | |||
200 | rc = gnutls_srp_allocate_client_credentials(&BACKEND->srp_client_cred); | ||
201 | if(rc != GNUTLS_E_SUCCESS) { | ||
202 | @@ -593,8 +594,8 @@ gtls_connect_step1(struct connectdata *conn, | ||
203 | } | ||
204 | |||
205 | rc = gnutls_srp_set_client_credentials(BACKEND->srp_client_cred, | ||
206 | - SSL_SET_OPTION(username), | ||
207 | - SSL_SET_OPTION(password)); | ||
208 | + SSL_SET_OPTION(primary.username), | ||
209 | + SSL_SET_OPTION(primary.password)); | ||
210 | if(rc != GNUTLS_E_SUCCESS) { | ||
211 | failf(data, "gnutls_srp_set_client_cred() failed: %s", | ||
212 | gnutls_strerror(rc)); | ||
213 | @@ -648,19 +649,19 @@ gtls_connect_step1(struct connectdata *conn, | ||
214 | } | ||
215 | #endif | ||
216 | |||
217 | - if(SSL_SET_OPTION(CRLfile)) { | ||
218 | + if(SSL_SET_OPTION(primary.CRLfile)) { | ||
219 | /* set the CRL list file */ | ||
220 | rc = gnutls_certificate_set_x509_crl_file(BACKEND->cred, | ||
221 | - SSL_SET_OPTION(CRLfile), | ||
222 | + SSL_SET_OPTION(primary.CRLfile), | ||
223 | GNUTLS_X509_FMT_PEM); | ||
224 | if(rc < 0) { | ||
225 | failf(data, "error reading crl file %s (%s)", | ||
226 | - SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); | ||
227 | + SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); | ||
228 | return CURLE_SSL_CRL_BADFILE; | ||
229 | } | ||
230 | else | ||
231 | infof(data, "found %d CRL in %s\n", | ||
232 | - rc, SSL_SET_OPTION(CRLfile)); | ||
233 | + rc, SSL_SET_OPTION(primary.CRLfile)); | ||
234 | } | ||
235 | |||
236 | /* Initialize TLS session as a client */ | ||
237 | @@ -879,7 +880,7 @@ gtls_connect_step1(struct connectdata *conn, | ||
238 | |||
239 | #ifdef USE_TLS_SRP | ||
240 | /* put the credentials to the current session */ | ||
241 | - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { | ||
242 | + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { | ||
243 | rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, | ||
244 | BACKEND->srp_client_cred); | ||
245 | if(rc != GNUTLS_E_SUCCESS) { | ||
246 | @@ -1061,8 +1062,8 @@ gtls_connect_step3(struct connectdata *conn, | ||
247 | SSL_CONN_CONFIG(verifyhost) || | ||
248 | SSL_CONN_CONFIG(issuercert)) { | ||
249 | #ifdef USE_TLS_SRP | ||
250 | - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP | ||
251 | - && SSL_SET_OPTION(username) != NULL | ||
252 | + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP | ||
253 | + && SSL_SET_OPTION(primary.username) != NULL | ||
254 | && !SSL_CONN_CONFIG(verifypeer) | ||
255 | && gnutls_cipher_get(session)) { | ||
256 | /* no peer cert, but auth is ok if we have SRP user and cipher and no | ||
257 | @@ -1116,7 +1117,8 @@ gtls_connect_step3(struct connectdata *conn, | ||
258 | failf(data, "server certificate verification failed. CAfile: %s " | ||
259 | "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): | ||
260 | "none", | ||
261 | - SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); | ||
262 | + SSL_SET_OPTION(primary.CRLfile) ? | ||
263 | + SSL_SET_OPTION(primary.CRLfile) : "none"); | ||
264 | return CURLE_PEER_FAILED_VERIFICATION; | ||
265 | } | ||
266 | else | ||
267 | @@ -1703,8 +1705,8 @@ static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex) | ||
268 | gnutls_certificate_free_credentials(BACKEND->cred); | ||
269 | |||
270 | #ifdef USE_TLS_SRP | ||
271 | - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP | ||
272 | - && SSL_SET_OPTION(username) != NULL) | ||
273 | + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP | ||
274 | + && SSL_SET_OPTION(primary.username) != NULL) | ||
275 | gnutls_srp_free_client_credentials(BACKEND->srp_client_cred); | ||
276 | #endif | ||
277 | |||
278 | diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c | ||
279 | index 19df847..62d2b00 100644 | ||
280 | --- a/lib/vtls/mbedtls.c | ||
281 | +++ b/lib/vtls/mbedtls.c | ||
282 | @@ -245,7 +245,7 @@ mbed_connect_step1(struct connectdata *conn, | ||
283 | const bool verifypeer = SSL_CONN_CONFIG(verifypeer); | ||
284 | const char * const ssl_capath = SSL_CONN_CONFIG(CApath); | ||
285 | char * const ssl_cert = SSL_SET_OPTION(cert); | ||
286 | - const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); | ||
287 | + const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); | ||
288 | const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : | ||
289 | conn->host.name; | ||
290 | const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; | ||
291 | diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c | ||
292 | index 86102f7..62fd7a2 100644 | ||
293 | --- a/lib/vtls/nss.c | ||
294 | +++ b/lib/vtls/nss.c | ||
295 | @@ -1955,13 +1955,13 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) | ||
296 | } | ||
297 | } | ||
298 | |||
299 | - if(SSL_SET_OPTION(CRLfile)) { | ||
300 | - const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); | ||
301 | + if(SSL_SET_OPTION(primary.CRLfile)) { | ||
302 | + const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); | ||
303 | if(rv) { | ||
304 | result = rv; | ||
305 | goto error; | ||
306 | } | ||
307 | - infof(data, " CRLfile: %s\n", SSL_SET_OPTION(CRLfile)); | ||
308 | + infof(data, " CRLfile: %s\n", SSL_SET_OPTION(primary.CRLfile)); | ||
309 | } | ||
310 | |||
311 | if(SSL_SET_OPTION(cert)) { | ||
312 | diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c | ||
313 | index a14cecc..ec5a8f5 100644 | ||
314 | --- a/lib/vtls/openssl.c | ||
315 | +++ b/lib/vtls/openssl.c | ||
316 | @@ -2454,14 +2454,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) | ||
317 | &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; | ||
318 | const long int ssl_version = SSL_CONN_CONFIG(version); | ||
319 | #ifdef USE_TLS_SRP | ||
320 | - const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); | ||
321 | + const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); | ||
322 | #endif | ||
323 | char * const ssl_cert = SSL_SET_OPTION(cert); | ||
324 | const char * const ssl_cert_type = SSL_SET_OPTION(cert_type); | ||
325 | const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); | ||
326 | const char * const ssl_capath = SSL_CONN_CONFIG(CApath); | ||
327 | const bool verifypeer = SSL_CONN_CONFIG(verifypeer); | ||
328 | - const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); | ||
329 | + const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); | ||
330 | char error_buffer[256]; | ||
331 | |||
332 | DEBUGASSERT(ssl_connect_1 == connssl->connecting_state); | ||
333 | @@ -2741,15 +2741,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) | ||
334 | #ifdef USE_TLS_SRP | ||
335 | if((ssl_authtype == CURL_TLSAUTH_SRP) && | ||
336 | Curl_allow_auth_to_host(data)) { | ||
337 | - char * const ssl_username = SSL_SET_OPTION(username); | ||
338 | - | ||
339 | + char * const ssl_username = SSL_SET_OPTION(primary.username); | ||
340 | + char * const ssl_password = SSL_SET_OPTION(primary.password); | ||
341 | infof(data, "Using TLS-SRP username: %s\n", ssl_username); | ||
342 | |||
343 | if(!SSL_CTX_set_srp_username(BACKEND->ctx, ssl_username)) { | ||
344 | failf(data, "Unable to set SRP user name"); | ||
345 | return CURLE_BAD_FUNCTION_ARGUMENT; | ||
346 | } | ||
347 | - if(!SSL_CTX_set_srp_password(BACKEND->ctx, SSL_SET_OPTION(password))) { | ||
348 | + if(!SSL_CTX_set_srp_password(BACKEND->ctx, ssl_password)) { | ||
349 | failf(data, "failed setting SRP password"); | ||
350 | return CURLE_BAD_FUNCTION_ARGUMENT; | ||
351 | } | ||
352 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
353 | index e38f74e..e8cb70f 100644 | ||
354 | --- a/lib/vtls/vtls.c | ||
355 | +++ b/lib/vtls/vtls.c | ||
356 | @@ -89,6 +89,7 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, | ||
357 | { | ||
358 | if((data->version == needle->version) && | ||
359 | (data->version_max == needle->version_max) && | ||
360 | + (data->ssl_options == needle->ssl_options) && | ||
361 | (data->verifypeer == needle->verifypeer) && | ||
362 | (data->verifyhost == needle->verifyhost) && | ||
363 | (data->verifystatus == needle->verifystatus) && | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch new file mode 100644 index 0000000000..3d56025210 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch | |||
@@ -0,0 +1,71 @@ | |||
1 | From 0a115a8903dffc7f723d1d4d71fb821d69eb8761 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 9 May 2022 23:13:53 +0200 | ||
4 | Subject: [PATCH] url: check SSH config match on connection reuse | ||
5 | |||
6 | CVE-2022-27782 | ||
7 | |||
8 | Reported-by: Harry Sintonen | ||
9 | Bug: https://curl.se/docs/CVE-2022-27782.html | ||
10 | Closes #8825 | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5] | ||
13 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
14 | --- | ||
15 | lib/url.c | 11 +++++++++++ | ||
16 | lib/vssh/ssh.h | 6 +++--- | ||
17 | 2 files changed, 14 insertions(+), 3 deletions(-) | ||
18 | |||
19 | diff --git a/lib/url.c b/lib/url.c | ||
20 | index 6518be9..8da0245 100644 | ||
21 | --- a/lib/url.c | ||
22 | +++ b/lib/url.c | ||
23 | @@ -1027,6 +1027,12 @@ static void prune_dead_connections(struct Curl_easy *data) | ||
24 | } | ||
25 | } | ||
26 | |||
27 | +static bool ssh_config_matches(struct connectdata *one, | ||
28 | + struct connectdata *two) | ||
29 | +{ | ||
30 | + return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && | ||
31 | + Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); | ||
32 | +} | ||
33 | /* | ||
34 | * Given one filled in connection struct (named needle), this function should | ||
35 | * detect if there already is one that has all the significant details | ||
36 | @@ -1260,6 +1266,11 @@ ConnectionExists(struct Curl_easy *data, | ||
37 | } | ||
38 | } | ||
39 | |||
40 | + if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) { | ||
41 | + if(!ssh_config_matches(needle, check)) | ||
42 | + continue; | ||
43 | + } | ||
44 | + | ||
45 | if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) || | ||
46 | needle->bits.tunnel_proxy) { | ||
47 | /* The requested connection does not use a HTTP proxy or it uses SSL or | ||
48 | diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h | ||
49 | index 0d4ee52..8f2632e 100644 | ||
50 | --- a/lib/vssh/ssh.h | ||
51 | +++ b/lib/vssh/ssh.h | ||
52 | @@ -7,7 +7,7 @@ | ||
53 | * | (__| |_| | _ <| |___ | ||
54 | * \___|\___/|_| \_\_____| | ||
55 | * | ||
56 | - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
57 | + * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
58 | * | ||
59 | * This software is licensed as described in the file COPYING, which | ||
60 | * you should have received as part of this distribution. The terms | ||
61 | @@ -120,8 +120,8 @@ struct ssh_conn { | ||
62 | |||
63 | /* common */ | ||
64 | const char *passphrase; /* pass-phrase to use */ | ||
65 | - char *rsa_pub; /* path name */ | ||
66 | - char *rsa; /* path name */ | ||
67 | + char *rsa_pub; /* strdup'ed public key file */ | ||
68 | + char *rsa; /* strdup'ed private key file */ | ||
69 | bool authed; /* the connection has been authenticated fine */ | ||
70 | sshstate state; /* always use ssh.c:state() to change state! */ | ||
71 | sshstate nextstate; /* the state to goto after stopping */ | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32206.patch b/meta/recipes-support/curl/curl/CVE-2022-32206.patch new file mode 100644 index 0000000000..3d76aeb43d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32206.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From 25e7be39be5f8ed696b6085ced9cf6c17e6128f4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 16 May 2022 16:28:13 +0200 | ||
4 | Subject: [PATCH] content_encoding: return error on too many compression steps | ||
5 | |||
6 | The max allowed steps is arbitrarily set to 5. | ||
7 | |||
8 | Bug: https://curl.se/docs/CVE-2022-32206.html | ||
9 | CVE-2022-32206 | ||
10 | Reported-by: Harry Sintonen | ||
11 | Closes #9049 | ||
12 | |||
13 | Upstream-Status: Backport [https://github.com/curl/curl/commit/3a09fbb7f264c67c43] | ||
14 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
15 | --- | ||
16 | lib/content_encoding.c | 9 +++++++++ | ||
17 | 1 file changed, 9 insertions(+) | ||
18 | |||
19 | diff --git a/lib/content_encoding.c b/lib/content_encoding.c | ||
20 | index 6d47537..91e621f 100644 | ||
21 | --- a/lib/content_encoding.c | ||
22 | +++ b/lib/content_encoding.c | ||
23 | @@ -934,6 +934,9 @@ static const content_encoding *find_encoding(const char *name, size_t len) | ||
24 | return NULL; | ||
25 | } | ||
26 | |||
27 | +/* allow no more than 5 "chained" compression steps */ | ||
28 | +#define MAX_ENCODE_STACK 5 | ||
29 | + | ||
30 | /* Set-up the unencoding stack from the Content-Encoding header value. | ||
31 | * See RFC 7231 section 3.1.2.2. */ | ||
32 | CURLcode Curl_build_unencoding_stack(struct connectdata *conn, | ||
33 | @@ -941,6 +944,7 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn, | ||
34 | { | ||
35 | struct Curl_easy *data = conn->data; | ||
36 | struct SingleRequest *k = &data->req; | ||
37 | + int counter = 0; | ||
38 | |||
39 | do { | ||
40 | const char *name; | ||
41 | @@ -975,6 +979,11 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn, | ||
42 | if(!encoding) | ||
43 | encoding = &error_encoding; /* Defer error at stack use. */ | ||
44 | |||
45 | + if(++counter >= MAX_ENCODE_STACK) { | ||
46 | + failf(data, "Reject response due to %u content encodings", | ||
47 | + counter); | ||
48 | + return CURLE_BAD_CONTENT_ENCODING; | ||
49 | + } | ||
50 | /* Stack the unencoding stage. */ | ||
51 | writer = new_unencoding_writer(conn, encoding, k->writer_stack); | ||
52 | if(!writer) | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32207.patch b/meta/recipes-support/curl/curl/CVE-2022-32207.patch new file mode 100644 index 0000000000..f75aaecd64 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32207.patch | |||
@@ -0,0 +1,284 @@ | |||
1 | From af92181055d7d64dfc0bc9d5a13c8b98af3196be Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Wed, 25 May 2022 10:09:53 +0200 | ||
4 | Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files | ||
5 | |||
6 | Bug: https://curl.se/docs/CVE-2022-32207.html | ||
7 | CVE-2022-32207 | ||
8 | Reported-by: Harry Sintonen | ||
9 | Closes #9050 | ||
10 | |||
11 | Upstream-Status: Backport [https://github.com/curl/curl/commit/20f9dd6bae50b] | ||
12 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
13 | --- | ||
14 | CMakeLists.txt | 1 + | ||
15 | configure.ac | 1 + | ||
16 | lib/Makefile.inc | 4 +- | ||
17 | lib/cookie.c | 19 ++----- | ||
18 | lib/curl_config.h.cmake | 3 ++ | ||
19 | lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++ | ||
20 | lib/fopen.h | 30 +++++++++++ | ||
21 | 7 files changed, 155 insertions(+), 16 deletions(-) | ||
22 | create mode 100644 lib/fopen.c | ||
23 | create mode 100644 lib/fopen.h | ||
24 | |||
25 | diff --git a/CMakeLists.txt b/CMakeLists.txt | ||
26 | index 73b053b..cc587b0 100644 | ||
27 | --- a/CMakeLists.txt | ||
28 | +++ b/CMakeLists.txt | ||
29 | @@ -869,6 +869,7 @@ elseif(HAVE_LIBSOCKET) | ||
30 | set(CMAKE_REQUIRED_LIBRARIES socket) | ||
31 | endif() | ||
32 | |||
33 | +check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD) | ||
34 | check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME) | ||
35 | check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET) | ||
36 | check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT) | ||
37 | diff --git a/configure.ac b/configure.ac | ||
38 | index d090622..7071077 100755 | ||
39 | --- a/configure.ac | ||
40 | +++ b/configure.ac | ||
41 | @@ -4059,6 +4059,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se | ||
42 | |||
43 | |||
44 | AC_CHECK_FUNCS([fnmatch \ | ||
45 | + fchmod \ | ||
46 | geteuid \ | ||
47 | getpass_r \ | ||
48 | getppid \ | ||
49 | diff --git a/lib/Makefile.inc b/lib/Makefile.inc | ||
50 | index 46ded90..79307d8 100644 | ||
51 | --- a/lib/Makefile.inc | ||
52 | +++ b/lib/Makefile.inc | ||
53 | @@ -63,7 +63,7 @@ LIB_CFILES = file.c timeval.c base64.c hostip.c progress.c formdata.c \ | ||
54 | curl_multibyte.c hostcheck.c conncache.c dotdot.c \ | ||
55 | x509asn1.c http2.c smb.c curl_endian.c curl_des.c system_win32.c \ | ||
56 | mime.c sha256.c setopt.c curl_path.c curl_ctype.c curl_range.c psl.c \ | ||
57 | - doh.c urlapi.c curl_get_line.c altsvc.c socketpair.c rename.c | ||
58 | + doh.c urlapi.c curl_get_line.c altsvc.c socketpair.c rename.c fopen.c | ||
59 | |||
60 | LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \ | ||
61 | formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h if2ip.h \ | ||
62 | @@ -84,7 +84,7 @@ LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \ | ||
63 | x509asn1.h http2.h sigpipe.h smb.h curl_endian.h curl_des.h \ | ||
64 | curl_printf.h system_win32.h rand.h mime.h curl_sha256.h setopt.h \ | ||
65 | curl_path.h curl_ctype.h curl_range.h psl.h doh.h urlapi-int.h \ | ||
66 | - curl_get_line.h altsvc.h quic.h socketpair.h rename.h | ||
67 | + curl_get_line.h altsvc.h quic.h socketpair.h rename.h fopen.h | ||
68 | |||
69 | LIB_RCFILES = libcurl.rc | ||
70 | |||
71 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
72 | index 68054e1..a9ad20a 100644 | ||
73 | --- a/lib/cookie.c | ||
74 | +++ b/lib/cookie.c | ||
75 | @@ -97,8 +97,8 @@ Example set of cookies: | ||
76 | #include "curl_memrchr.h" | ||
77 | #include "inet_pton.h" | ||
78 | #include "parsedate.h" | ||
79 | -#include "rand.h" | ||
80 | #include "rename.h" | ||
81 | +#include "fopen.h" | ||
82 | |||
83 | /* The last 3 #include files should be in this order */ | ||
84 | #include "curl_printf.h" | ||
85 | @@ -1524,18 +1524,9 @@ static int cookie_output(struct Curl_easy *data, | ||
86 | use_stdout = TRUE; | ||
87 | } | ||
88 | else { | ||
89 | - unsigned char randsuffix[9]; | ||
90 | - | ||
91 | - if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) | ||
92 | - return 2; | ||
93 | - | ||
94 | - tempstore = aprintf("%s.%s.tmp", filename, randsuffix); | ||
95 | - if(!tempstore) | ||
96 | - return 1; | ||
97 | - | ||
98 | - out = fopen(tempstore, FOPEN_WRITETEXT); | ||
99 | - if(!out) | ||
100 | - goto error; | ||
101 | + error = Curl_fopen(data, filename, &out, &tempstore); | ||
102 | + if(error) | ||
103 | + goto error; | ||
104 | } | ||
105 | |||
106 | fputs("# Netscape HTTP Cookie File\n" | ||
107 | @@ -1581,7 +1572,7 @@ static int cookie_output(struct Curl_easy *data, | ||
108 | if(!use_stdout) { | ||
109 | fclose(out); | ||
110 | out = NULL; | ||
111 | - if(Curl_rename(tempstore, filename)) { | ||
112 | + if(tempstore && Curl_rename(tempstore, filename)) { | ||
113 | unlink(tempstore); | ||
114 | goto error; | ||
115 | } | ||
116 | diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake | ||
117 | index 98cdf51..fe43751 100644 | ||
118 | --- a/lib/curl_config.h.cmake | ||
119 | +++ b/lib/curl_config.h.cmake | ||
120 | @@ -124,6 +124,9 @@ | ||
121 | /* Define to 1 if you have the <assert.h> header file. */ | ||
122 | #cmakedefine HAVE_ASSERT_H 1 | ||
123 | |||
124 | +/* Define to 1 if you have the `fchmod' function. */ | ||
125 | +#cmakedefine HAVE_FCHMOD 1 | ||
126 | + | ||
127 | /* Define to 1 if you have the `basename' function. */ | ||
128 | #cmakedefine HAVE_BASENAME 1 | ||
129 | |||
130 | diff --git a/lib/fopen.c b/lib/fopen.c | ||
131 | new file mode 100644 | ||
132 | index 0000000..ad3691b | ||
133 | --- /dev/null | ||
134 | +++ b/lib/fopen.c | ||
135 | @@ -0,0 +1,113 @@ | ||
136 | +/*************************************************************************** | ||
137 | + * _ _ ____ _ | ||
138 | + * Project ___| | | | _ \| | | ||
139 | + * / __| | | | |_) | | | ||
140 | + * | (__| |_| | _ <| |___ | ||
141 | + * \___|\___/|_| \_\_____| | ||
142 | + * | ||
143 | + * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
144 | + * | ||
145 | + * This software is licensed as described in the file COPYING, which | ||
146 | + * you should have received as part of this distribution. The terms | ||
147 | + * are also available at https://curl.se/docs/copyright.html. | ||
148 | + * | ||
149 | + * You may opt to use, copy, modify, merge, publish, distribute and/or sell | ||
150 | + * copies of the Software, and permit persons to whom the Software is | ||
151 | + * furnished to do so, under the terms of the COPYING file. | ||
152 | + * | ||
153 | + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY | ||
154 | + * KIND, either express or implied. | ||
155 | + * | ||
156 | + * SPDX-License-Identifier: curl | ||
157 | + * | ||
158 | + ***************************************************************************/ | ||
159 | + | ||
160 | +#include "curl_setup.h" | ||
161 | + | ||
162 | +#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ | ||
163 | + !defined(CURL_DISABLE_HSTS) | ||
164 | + | ||
165 | +#ifdef HAVE_FCNTL_H | ||
166 | +#include <fcntl.h> | ||
167 | +#endif | ||
168 | + | ||
169 | +#include "urldata.h" | ||
170 | +#include "rand.h" | ||
171 | +#include "fopen.h" | ||
172 | +/* The last 3 #include files should be in this order */ | ||
173 | +#include "curl_printf.h" | ||
174 | +#include "curl_memory.h" | ||
175 | +#include "memdebug.h" | ||
176 | + | ||
177 | +/* | ||
178 | + * Curl_fopen() opens a file for writing with a temp name, to be renamed | ||
179 | + * to the final name when completed. If there is an existing file using this | ||
180 | + * name at the time of the open, this function will clone the mode from that | ||
181 | + * file. if 'tempname' is non-NULL, it needs a rename after the file is | ||
182 | + * written. | ||
183 | + */ | ||
184 | +CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, | ||
185 | + FILE **fh, char **tempname) | ||
186 | +{ | ||
187 | + CURLcode result = CURLE_WRITE_ERROR; | ||
188 | + unsigned char randsuffix[9]; | ||
189 | + char *tempstore = NULL; | ||
190 | + struct_stat sb; | ||
191 | + int fd = -1; | ||
192 | + *tempname = NULL; | ||
193 | + | ||
194 | + if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { | ||
195 | + /* a non-regular file, fallback to direct fopen() */ | ||
196 | + *fh = fopen(filename, FOPEN_WRITETEXT); | ||
197 | + if(*fh) | ||
198 | + return CURLE_OK; | ||
199 | + goto fail; | ||
200 | + } | ||
201 | + | ||
202 | + result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); | ||
203 | + if(result) | ||
204 | + goto fail; | ||
205 | + | ||
206 | + tempstore = aprintf("%s.%s.tmp", filename, randsuffix); | ||
207 | + if(!tempstore) { | ||
208 | + result = CURLE_OUT_OF_MEMORY; | ||
209 | + goto fail; | ||
210 | + } | ||
211 | + | ||
212 | + result = CURLE_WRITE_ERROR; | ||
213 | + fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600); | ||
214 | + if(fd == -1) | ||
215 | + goto fail; | ||
216 | + | ||
217 | +#ifdef HAVE_FCHMOD | ||
218 | + { | ||
219 | + struct_stat nsb; | ||
220 | + if((fstat(fd, &nsb) != -1) && | ||
221 | + (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) { | ||
222 | + /* if the user and group are the same, clone the original mode */ | ||
223 | + if(fchmod(fd, sb.st_mode) == -1) | ||
224 | + goto fail; | ||
225 | + } | ||
226 | + } | ||
227 | +#endif | ||
228 | + | ||
229 | + *fh = fdopen(fd, FOPEN_WRITETEXT); | ||
230 | + if(!*fh) | ||
231 | + goto fail; | ||
232 | + | ||
233 | + *tempname = tempstore; | ||
234 | + return CURLE_OK; | ||
235 | + | ||
236 | +fail: | ||
237 | + if(fd != -1) { | ||
238 | + close(fd); | ||
239 | + unlink(tempstore); | ||
240 | + } | ||
241 | + | ||
242 | + free(tempstore); | ||
243 | + | ||
244 | + *tempname = NULL; | ||
245 | + return result; | ||
246 | +} | ||
247 | + | ||
248 | +#endif /* ! disabled */ | ||
249 | diff --git a/lib/fopen.h b/lib/fopen.h | ||
250 | new file mode 100644 | ||
251 | index 0000000..289e55f | ||
252 | --- /dev/null | ||
253 | +++ b/lib/fopen.h | ||
254 | @@ -0,0 +1,30 @@ | ||
255 | +#ifndef HEADER_CURL_FOPEN_H | ||
256 | +#define HEADER_CURL_FOPEN_H | ||
257 | +/*************************************************************************** | ||
258 | + * _ _ ____ _ | ||
259 | + * Project ___| | | | _ \| | | ||
260 | + * / __| | | | |_) | | | ||
261 | + * | (__| |_| | _ <| |___ | ||
262 | + * \___|\___/|_| \_\_____| | ||
263 | + * | ||
264 | + * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
265 | + * | ||
266 | + * This software is licensed as described in the file COPYING, which | ||
267 | + * you should have received as part of this distribution. The terms | ||
268 | + * are also available at https://curl.se/docs/copyright.html. | ||
269 | + * | ||
270 | + * You may opt to use, copy, modify, merge, publish, distribute and/or sell | ||
271 | + * copies of the Software, and permit persons to whom the Software is | ||
272 | + * furnished to do so, under the terms of the COPYING file. | ||
273 | + * | ||
274 | + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY | ||
275 | + * KIND, either express or implied. | ||
276 | + * | ||
277 | + * SPDX-License-Identifier: curl | ||
278 | + * | ||
279 | + ***************************************************************************/ | ||
280 | + | ||
281 | +CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, | ||
282 | + FILE **fh, char **tempname); | ||
283 | + | ||
284 | +#endif | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32208.patch b/meta/recipes-support/curl/curl/CVE-2022-32208.patch new file mode 100644 index 0000000000..2939314d09 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch | |||
@@ -0,0 +1,72 @@ | |||
1 | From 3b90f0b2a7a84645acce151c86b40d25b5de6615 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 9 Jun 2022 09:27:24 +0200 | ||
4 | Subject: [PATCH] krb5: return error properly on decode errors | ||
5 | |||
6 | Bug: https://curl.se/docs/CVE-2022-32208.html | ||
7 | CVE-2022-32208 | ||
8 | Reported-by: Harry Sintonen | ||
9 | Closes #9051 | ||
10 | |||
11 | Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7] | ||
12 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
13 | --- | ||
14 | lib/krb5.c | 5 +---- | ||
15 | lib/security.c | 13 ++++++++++--- | ||
16 | 2 files changed, 11 insertions(+), 7 deletions(-) | ||
17 | |||
18 | diff --git a/lib/krb5.c b/lib/krb5.c | ||
19 | index f50287a..5b77e35 100644 | ||
20 | --- a/lib/krb5.c | ||
21 | +++ b/lib/krb5.c | ||
22 | @@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len, | ||
23 | enc.value = buf; | ||
24 | enc.length = len; | ||
25 | maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); | ||
26 | - if(maj != GSS_S_COMPLETE) { | ||
27 | - if(len >= 4) | ||
28 | - strcpy(buf, "599 "); | ||
29 | + if(maj != GSS_S_COMPLETE) | ||
30 | return -1; | ||
31 | - } | ||
32 | |||
33 | memcpy(buf, dec.value, dec.length); | ||
34 | len = curlx_uztosi(dec.length); | ||
35 | diff --git a/lib/security.c b/lib/security.c | ||
36 | index fbfa707..3542210 100644 | ||
37 | --- a/lib/security.c | ||
38 | +++ b/lib/security.c | ||
39 | @@ -192,6 +192,7 @@ static CURLcode read_data(struct connectdata *conn, | ||
40 | { | ||
41 | int len; | ||
42 | CURLcode result; | ||
43 | + int nread; | ||
44 | |||
45 | result = socket_read(fd, &len, sizeof(len)); | ||
46 | if(result) | ||
47 | @@ -200,7 +201,10 @@ static CURLcode read_data(struct connectdata *conn, | ||
48 | if(len) { | ||
49 | /* only realloc if there was a length */ | ||
50 | len = ntohl(len); | ||
51 | - buf->data = Curl_saferealloc(buf->data, len); | ||
52 | + if(len > CURL_MAX_INPUT_LENGTH) | ||
53 | + len = 0; | ||
54 | + else | ||
55 | + buf->data = Curl_saferealloc(buf->data, len); | ||
56 | } | ||
57 | if(!len || !buf->data) | ||
58 | return CURLE_OUT_OF_MEMORY; | ||
59 | @@ -208,8 +212,11 @@ static CURLcode read_data(struct connectdata *conn, | ||
60 | result = socket_read(fd, buf->data, len); | ||
61 | if(result) | ||
62 | return result; | ||
63 | - buf->size = conn->mech->decode(conn->app_data, buf->data, len, | ||
64 | - conn->data_prot, conn); | ||
65 | + nread = buf->size = conn->mech->decode(conn->app_data, buf->data, len, | ||
66 | + conn->data_prot, conn); | ||
67 | + if(nread < 0) | ||
68 | + return CURLE_RECV_ERROR; | ||
69 | + buf->size = (size_t)nread; | ||
70 | buf->index = 0; | ||
71 | return CURLE_OK; | ||
72 | } | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32221.patch b/meta/recipes-support/curl/curl/CVE-2022-32221.patch new file mode 100644 index 0000000000..8e662abd3a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32221.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | From 75c04a3e75e8e3025a17ca3033ca307da9691cd0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Vivek Kumbhar <vkumbhar@mvista.com> | ||
3 | Date: Fri, 11 Nov 2022 10:49:58 +0530 | ||
4 | Subject: [PATCH] CVE-2022-32221 | ||
5 | |||
6 | Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d6] | ||
7 | CVE: CVE-2022-32221 | ||
8 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
9 | |||
10 | setopt: when POST is set, reset the 'upload' field. | ||
11 | --- | ||
12 | lib/setopt.c | 1 + | ||
13 | 1 file changed, 1 insertion(+) | ||
14 | |||
15 | diff --git a/lib/setopt.c b/lib/setopt.c | ||
16 | index bebb2e4..4d96f6b 100644 | ||
17 | --- a/lib/setopt.c | ||
18 | +++ b/lib/setopt.c | ||
19 | @@ -486,6 +486,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) | ||
20 | } | ||
21 | else | ||
22 | data->set.httpreq = HTTPREQ_GET; | ||
23 | + data->set.upload = FALSE; | ||
24 | break; | ||
25 | |||
26 | case CURLOPT_COPYPOSTFIELDS: | ||
27 | -- | ||
28 | 2.25.1 | ||
29 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-35252.patch b/meta/recipes-support/curl/curl/CVE-2022-35252.patch new file mode 100644 index 0000000000..a5160c01f4 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-35252.patch | |||
@@ -0,0 +1,72 @@ | |||
1 | From c9212bdb21f0cc90a1a60dfdbb716deefe78fd40 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 29 Aug 2022 00:09:17 +0200 | ||
4 | Subject: [PATCH] cookie: reject cookies with "control bytes" | ||
5 | |||
6 | Rejects 0x01 - 0x1f (except 0x09) plus 0x7f | ||
7 | |||
8 | Reported-by: Axel Chong | ||
9 | |||
10 | Bug: https://curl.se/docs/CVE-2022-35252.html | ||
11 | |||
12 | CVE-2022-35252 | ||
13 | |||
14 | Closes #9381 | ||
15 | |||
16 | Upstream-Status: Backport [https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb] | ||
17 | |||
18 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
19 | --- | ||
20 | lib/cookie.c | 29 +++++++++++++++++++++++++++++ | ||
21 | 1 file changed, 29 insertions(+) | ||
22 | |||
23 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
24 | index a9ad20a..66c7715 100644 | ||
25 | --- a/lib/cookie.c | ||
26 | +++ b/lib/cookie.c | ||
27 | @@ -412,6 +412,30 @@ static bool bad_domain(const char *domain) | ||
28 | return !strchr(domain, '.') && !strcasecompare(domain, "localhost"); | ||
29 | } | ||
30 | |||
31 | +/* | ||
32 | + RFC 6265 section 4.1.1 says a server should accept this range: | ||
33 | + | ||
34 | + cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E | ||
35 | + | ||
36 | + But Firefox and Chrome as of June 2022 accept space, comma and double-quotes | ||
37 | + fine. The prime reason for filtering out control bytes is that some HTTP | ||
38 | + servers return 400 for requests that contain such. | ||
39 | +*/ | ||
40 | +static int invalid_octets(const char *p) | ||
41 | +{ | ||
42 | + /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ | ||
43 | + static const char badoctets[] = { | ||
44 | + "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" | ||
45 | + "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" | ||
46 | + "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" | ||
47 | + }; | ||
48 | + size_t vlen, len; | ||
49 | + /* scan for all the octets that are *not* in cookie-octet */ | ||
50 | + len = strcspn(p, badoctets); | ||
51 | + vlen = strlen(p); | ||
52 | + return (len != vlen); | ||
53 | +} | ||
54 | + | ||
55 | /**************************************************************************** | ||
56 | * | ||
57 | * Curl_cookie_add() | ||
58 | @@ -558,6 +582,11 @@ Curl_cookie_add(struct Curl_easy *data, | ||
59 | badcookie = TRUE; | ||
60 | break; | ||
61 | } | ||
62 | + if(invalid_octets(whatptr) || invalid_octets(name)) { | ||
63 | + infof(data, "invalid octets in name/value, cookie dropped"); | ||
64 | + badcookie = TRUE; | ||
65 | + break; | ||
66 | + } | ||
67 | } | ||
68 | else if(!len) { | ||
69 | /* this was a "<name>=" with no content, and we must allow | ||
70 | -- | ||
71 | 2.35.1 | ||
72 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-35260.patch b/meta/recipes-support/curl/curl/CVE-2022-35260.patch new file mode 100644 index 0000000000..476c996b0a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-35260.patch | |||
@@ -0,0 +1,68 @@ | |||
1 | From 3ff3989ec53d9ddcf4bdd99f5d5788dd87486768 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 4 Oct 2022 14:37:24 +0200 | ||
4 | Subject: [PATCH] netrc: replace fgets with Curl_get_line | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | CVE: CVE-2022-35260 | ||
8 | Reference to upstream patch: https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa863e0476dffa377b184c | ||
9 | |||
10 | Make the parser only accept complete lines and avoid problems with | ||
11 | overly long lines. | ||
12 | |||
13 | Reported-by: Hiroki Kurosawa | ||
14 | |||
15 | Closes #9789 | ||
16 | --- | ||
17 | lib/curl_get_line.c | 4 ++-- | ||
18 | lib/netrc.c | 5 +++-- | ||
19 | 2 files changed, 5 insertions(+), 4 deletions(-) | ||
20 | |||
21 | diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c | ||
22 | index c4194851ae09..4b9eea9e631c 100644 | ||
23 | --- a/lib/curl_get_line.c | ||
24 | +++ b/lib/curl_get_line.c | ||
25 | @@ -28,8 +28,8 @@ | ||
26 | #include "memdebug.h" | ||
27 | |||
28 | /* | ||
29 | - * get_line() makes sure to only return complete whole lines that fit in 'len' | ||
30 | - * bytes and end with a newline. | ||
31 | + * Curl_get_line() makes sure to only return complete whole lines that fit in | ||
32 | + * 'len' bytes and end with a newline. | ||
33 | */ | ||
34 | char *Curl_get_line(char *buf, int len, FILE *input) | ||
35 | { | ||
36 | diff --git a/lib/netrc.c b/lib/netrc.c | ||
37 | index 1c9da31993c9..93239132c9d8 100644 | ||
38 | --- a/lib/netrc.c | ||
39 | +++ b/lib/netrc.c | ||
40 | @@ -31,6 +31,7 @@ | ||
41 | #include "netrc.h" | ||
42 | #include "strtok.h" | ||
43 | #include "strcase.h" | ||
44 | +#include "curl_get_line.h" | ||
45 | |||
46 | /* The last 3 #include files should be in this order */ | ||
47 | #include "curl_printf.h" | ||
48 | @@ -83,7 +84,7 @@ static int parsenetrc(const char *host, | ||
49 | char netrcbuffer[4096]; | ||
50 | int netrcbuffsize = (int)sizeof(netrcbuffer); | ||
51 | |||
52 | - while(!done && fgets(netrcbuffer, netrcbuffsize, file)) { | ||
53 | + while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) { | ||
54 | tok = strtok_r(netrcbuffer, " \t\n", &tok_buf); | ||
55 | if(tok && *tok == '#') | ||
56 | /* treat an initial hash as a comment line */ | ||
57 | @@ -169,7 +170,7 @@ static int parsenetrc(const char *host, | ||
58 | |||
59 | tok = strtok_r(NULL, " \t\n", &tok_buf); | ||
60 | } /* while(tok) */ | ||
61 | - } /* while fgets() */ | ||
62 | + } /* while Curl_get_line() */ | ||
63 | |||
64 | out: | ||
65 | if(!retcode) { | ||
66 | -- | ||
67 | 2.34.1 | ||
68 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2022-43552.patch b/meta/recipes-support/curl/curl/CVE-2022-43552.patch new file mode 100644 index 0000000000..d729441454 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-43552.patch | |||
@@ -0,0 +1,82 @@ | |||
1 | rom 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 19 Dec 2022 08:38:37 +0100 | ||
4 | Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done() | ||
5 | |||
6 | It is managed by the generic layer. | ||
7 | |||
8 | Reported-by: Trail of Bits | ||
9 | |||
10 | Closes #10112 | ||
11 | |||
12 | CVE: CVE-2022-43552 | ||
13 | Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2] | ||
14 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
15 | --- | ||
16 | lib/smb.c | 14 ++------------ | ||
17 | lib/telnet.c | 3 --- | ||
18 | 2 files changed, 2 insertions(+), 15 deletions(-) | ||
19 | |||
20 | diff --git a/lib/smb.c b/lib/smb.c | ||
21 | index 12f9925..8db3b27 100644 | ||
22 | --- a/lib/smb.c | ||
23 | +++ b/lib/smb.c | ||
24 | @@ -61,8 +61,6 @@ static CURLcode smb_connect(struct connectdata *conn, bool *done); | ||
25 | static CURLcode smb_connection_state(struct connectdata *conn, bool *done); | ||
26 | static CURLcode smb_do(struct connectdata *conn, bool *done); | ||
27 | static CURLcode smb_request_state(struct connectdata *conn, bool *done); | ||
28 | -static CURLcode smb_done(struct connectdata *conn, CURLcode status, | ||
29 | - bool premature); | ||
30 | static CURLcode smb_disconnect(struct connectdata *conn, bool dead); | ||
31 | static int smb_getsock(struct connectdata *conn, curl_socket_t *socks); | ||
32 | static CURLcode smb_parse_url_path(struct connectdata *conn); | ||
33 | @@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = { | ||
34 | "SMB", /* scheme */ | ||
35 | smb_setup_connection, /* setup_connection */ | ||
36 | smb_do, /* do_it */ | ||
37 | - smb_done, /* done */ | ||
38 | + ZERO_NULL, /* done */ | ||
39 | ZERO_NULL, /* do_more */ | ||
40 | smb_connect, /* connect_it */ | ||
41 | smb_connection_state, /* connecting */ | ||
42 | @@ -99,7 +97,7 @@ const struct Curl_handler Curl_handler_smbs = { | ||
43 | "SMBS", /* scheme */ | ||
44 | smb_setup_connection, /* setup_connection */ | ||
45 | smb_do, /* do_it */ | ||
46 | - smb_done, /* done */ | ||
47 | + ZERO_NULL, /* done */ | ||
48 | ZERO_NULL, /* do_more */ | ||
49 | smb_connect, /* connect_it */ | ||
50 | smb_connection_state, /* connecting */ | ||
51 | @@ -919,14 +917,6 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done) | ||
52 | return CURLE_OK; | ||
53 | } | ||
54 | |||
55 | -static CURLcode smb_done(struct connectdata *conn, CURLcode status, | ||
56 | - bool premature) | ||
57 | -{ | ||
58 | - (void) premature; | ||
59 | - Curl_safefree(conn->data->req.protop); | ||
60 | - return status; | ||
61 | -} | ||
62 | - | ||
63 | static CURLcode smb_disconnect(struct connectdata *conn, bool dead) | ||
64 | { | ||
65 | struct smb_conn *smbc = &conn->proto.smbc; | ||
66 | diff --git a/lib/telnet.c b/lib/telnet.c | ||
67 | index 3347ad6..e3b9208 100644 | ||
68 | --- a/lib/telnet.c | ||
69 | +++ b/lib/telnet.c | ||
70 | @@ -1294,9 +1294,6 @@ static CURLcode telnet_done(struct connectdata *conn, | ||
71 | |||
72 | curl_slist_free_all(tn->telnet_vars); | ||
73 | tn->telnet_vars = NULL; | ||
74 | - | ||
75 | - Curl_safefree(conn->data->req.protop); | ||
76 | - | ||
77 | return CURLE_OK; | ||
78 | } | ||
79 | |||
80 | -- | ||
81 | 2.25.1 | ||
82 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/meta/recipes-support/curl/curl/CVE-2023-23916.patch new file mode 100644 index 0000000000..054615963e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch | |||
@@ -0,0 +1,231 @@ | |||
1 | From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Patrick Monnerat <patrick@monnerat.net> | ||
3 | Date: Mon, 13 Feb 2023 08:33:09 +0100 | ||
4 | Subject: [PATCH] content_encoding: do not reset stage counter for each header | ||
5 | |||
6 | Test 418 verifies | ||
7 | |||
8 | Closes #10492 | ||
9 | |||
10 | Upstream-Status: Backport [https://github.com/curl/curl/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9] | ||
11 | CVE: CVE-2023-23916 | ||
12 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
13 | --- | ||
14 | lib/content_encoding.c | 7 +- | ||
15 | lib/urldata.h | 1 + | ||
16 | tests/data/Makefile.inc | 2 +- | ||
17 | tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ | ||
18 | 4 files changed, 157 insertions(+), 5 deletions(-) | ||
19 | create mode 100644 tests/data/test418 | ||
20 | |||
21 | diff --git a/lib/content_encoding.c b/lib/content_encoding.c | ||
22 | index 91e621f..7e098a5 100644 | ||
23 | --- a/lib/content_encoding.c | ||
24 | +++ b/lib/content_encoding.c | ||
25 | @@ -944,7 +944,6 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn, | ||
26 | { | ||
27 | struct Curl_easy *data = conn->data; | ||
28 | struct SingleRequest *k = &data->req; | ||
29 | - int counter = 0; | ||
30 | |||
31 | do { | ||
32 | const char *name; | ||
33 | @@ -979,9 +978,9 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn, | ||
34 | if(!encoding) | ||
35 | encoding = &error_encoding; /* Defer error at stack use. */ | ||
36 | |||
37 | - if(++counter >= MAX_ENCODE_STACK) { | ||
38 | - failf(data, "Reject response due to %u content encodings", | ||
39 | - counter); | ||
40 | + if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { | ||
41 | + failf(data, "Reject response due to more than %u content encodings", | ||
42 | + MAX_ENCODE_STACK); | ||
43 | return CURLE_BAD_CONTENT_ENCODING; | ||
44 | } | ||
45 | /* Stack the unencoding stage. */ | ||
46 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
47 | index ad0ef8f..168f874 100644 | ||
48 | --- a/lib/urldata.h | ||
49 | +++ b/lib/urldata.h | ||
50 | @@ -648,6 +648,7 @@ struct SingleRequest { | ||
51 | #ifndef CURL_DISABLE_DOH | ||
52 | struct dohdata doh; /* DoH specific data for this request */ | ||
53 | #endif | ||
54 | + unsigned char writer_stack_depth; /* Unencoding stack depth. */ | ||
55 | BIT(header); /* incoming data has HTTP header */ | ||
56 | BIT(content_range); /* set TRUE if Content-Range: was found */ | ||
57 | BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding | ||
58 | diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
59 | index 60e8176..40de8bc 100644 | ||
60 | --- a/tests/data/Makefile.inc | ||
61 | +++ b/tests/data/Makefile.inc | ||
62 | @@ -63,7 +63,7 @@ test350 test351 test352 test353 test354 test355 test356 test357 \ | ||
63 | test393 test394 test395 \ | ||
64 | \ | ||
65 | test400 test401 test402 test403 test404 test405 test406 test407 test408 \ | ||
66 | -test409 \ | ||
67 | +test409 test418 \ | ||
68 | \ | ||
69 | test490 test491 test492 \ | ||
70 | \ | ||
71 | diff --git a/tests/data/test418 b/tests/data/test418 | ||
72 | new file mode 100644 | ||
73 | index 0000000..50e974e | ||
74 | --- /dev/null | ||
75 | +++ b/tests/data/test418 | ||
76 | @@ -0,0 +1,152 @@ | ||
77 | +<testcase> | ||
78 | +<info> | ||
79 | +<keywords> | ||
80 | +HTTP | ||
81 | +gzip | ||
82 | +</keywords> | ||
83 | +</info> | ||
84 | + | ||
85 | +# | ||
86 | +# Server-side | ||
87 | +<reply> | ||
88 | +<data nocheck="yes"> | ||
89 | +HTTP/1.1 200 OK | ||
90 | +Transfer-Encoding: gzip | ||
91 | +Transfer-Encoding: gzip | ||
92 | +Transfer-Encoding: gzip | ||
93 | +Transfer-Encoding: gzip | ||
94 | +Transfer-Encoding: gzip | ||
95 | +Transfer-Encoding: gzip | ||
96 | +Transfer-Encoding: gzip | ||
97 | +Transfer-Encoding: gzip | ||
98 | +Transfer-Encoding: gzip | ||
99 | +Transfer-Encoding: gzip | ||
100 | +Transfer-Encoding: gzip | ||
101 | +Transfer-Encoding: gzip | ||
102 | +Transfer-Encoding: gzip | ||
103 | +Transfer-Encoding: gzip | ||
104 | +Transfer-Encoding: gzip | ||
105 | +Transfer-Encoding: gzip | ||
106 | +Transfer-Encoding: gzip | ||
107 | +Transfer-Encoding: gzip | ||
108 | +Transfer-Encoding: gzip | ||
109 | +Transfer-Encoding: gzip | ||
110 | +Transfer-Encoding: gzip | ||
111 | +Transfer-Encoding: gzip | ||
112 | +Transfer-Encoding: gzip | ||
113 | +Transfer-Encoding: gzip | ||
114 | +Transfer-Encoding: gzip | ||
115 | +Transfer-Encoding: gzip | ||
116 | +Transfer-Encoding: gzip | ||
117 | +Transfer-Encoding: gzip | ||
118 | +Transfer-Encoding: gzip | ||
119 | +Transfer-Encoding: gzip | ||
120 | +Transfer-Encoding: gzip | ||
121 | +Transfer-Encoding: gzip | ||
122 | +Transfer-Encoding: gzip | ||
123 | +Transfer-Encoding: gzip | ||
124 | +Transfer-Encoding: gzip | ||
125 | +Transfer-Encoding: gzip | ||
126 | +Transfer-Encoding: gzip | ||
127 | +Transfer-Encoding: gzip | ||
128 | +Transfer-Encoding: gzip | ||
129 | +Transfer-Encoding: gzip | ||
130 | +Transfer-Encoding: gzip | ||
131 | +Transfer-Encoding: gzip | ||
132 | +Transfer-Encoding: gzip | ||
133 | +Transfer-Encoding: gzip | ||
134 | +Transfer-Encoding: gzip | ||
135 | +Transfer-Encoding: gzip | ||
136 | +Transfer-Encoding: gzip | ||
137 | +Transfer-Encoding: gzip | ||
138 | +Transfer-Encoding: gzip | ||
139 | +Transfer-Encoding: gzip | ||
140 | +Transfer-Encoding: gzip | ||
141 | +Transfer-Encoding: gzip | ||
142 | +Transfer-Encoding: gzip | ||
143 | +Transfer-Encoding: gzip | ||
144 | +Transfer-Encoding: gzip | ||
145 | +Transfer-Encoding: gzip | ||
146 | +Transfer-Encoding: gzip | ||
147 | +Transfer-Encoding: gzip | ||
148 | +Transfer-Encoding: gzip | ||
149 | +Transfer-Encoding: gzip | ||
150 | +Transfer-Encoding: gzip | ||
151 | +Transfer-Encoding: gzip | ||
152 | +Transfer-Encoding: gzip | ||
153 | +Transfer-Encoding: gzip | ||
154 | +Transfer-Encoding: gzip | ||
155 | +Transfer-Encoding: gzip | ||
156 | +Transfer-Encoding: gzip | ||
157 | +Transfer-Encoding: gzip | ||
158 | +Transfer-Encoding: gzip | ||
159 | +Transfer-Encoding: gzip | ||
160 | +Transfer-Encoding: gzip | ||
161 | +Transfer-Encoding: gzip | ||
162 | +Transfer-Encoding: gzip | ||
163 | +Transfer-Encoding: gzip | ||
164 | +Transfer-Encoding: gzip | ||
165 | +Transfer-Encoding: gzip | ||
166 | +Transfer-Encoding: gzip | ||
167 | +Transfer-Encoding: gzip | ||
168 | +Transfer-Encoding: gzip | ||
169 | +Transfer-Encoding: gzip | ||
170 | +Transfer-Encoding: gzip | ||
171 | +Transfer-Encoding: gzip | ||
172 | +Transfer-Encoding: gzip | ||
173 | +Transfer-Encoding: gzip | ||
174 | +Transfer-Encoding: gzip | ||
175 | +Transfer-Encoding: gzip | ||
176 | +Transfer-Encoding: gzip | ||
177 | +Transfer-Encoding: gzip | ||
178 | +Transfer-Encoding: gzip | ||
179 | +Transfer-Encoding: gzip | ||
180 | +Transfer-Encoding: gzip | ||
181 | +Transfer-Encoding: gzip | ||
182 | +Transfer-Encoding: gzip | ||
183 | +Transfer-Encoding: gzip | ||
184 | +Transfer-Encoding: gzip | ||
185 | +Transfer-Encoding: gzip | ||
186 | +Transfer-Encoding: gzip | ||
187 | +Transfer-Encoding: gzip | ||
188 | +Transfer-Encoding: gzip | ||
189 | +Transfer-Encoding: gzip | ||
190 | + | ||
191 | +-foo- | ||
192 | +</data> | ||
193 | +</reply> | ||
194 | + | ||
195 | +# | ||
196 | +# Client-side | ||
197 | +<client> | ||
198 | +<server> | ||
199 | +http | ||
200 | +</server> | ||
201 | + <name> | ||
202 | +Response with multiple Transfer-Encoding headers | ||
203 | + </name> | ||
204 | + <command> | ||
205 | +http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS | ||
206 | +</command> | ||
207 | +</client> | ||
208 | + | ||
209 | +# | ||
210 | +# Verify data after the test has been "shot" | ||
211 | +<verify> | ||
212 | +<protocol crlf="yes"> | ||
213 | +GET /%TESTNUMBER HTTP/1.1 | ||
214 | +Host: %HOSTIP:%HTTPPORT | ||
215 | +User-Agent: curl/%VERSION | ||
216 | +Accept: */* | ||
217 | + | ||
218 | +</protocol> | ||
219 | + | ||
220 | +# CURLE_BAD_CONTENT_ENCODING is 61 | ||
221 | +<errorcode> | ||
222 | +61 | ||
223 | +</errorcode> | ||
224 | +<stderr mode="text"> | ||
225 | +curl: (61) Reject response due to more than 5 content encodings | ||
226 | +</stderr> | ||
227 | +</verify> | ||
228 | +</testcase> | ||
229 | -- | ||
230 | 2.25.1 | ||
231 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27533.patch b/meta/recipes-support/curl/curl/CVE-2023-27533.patch new file mode 100644 index 0000000000..64ba135056 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27533.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001 | ||
4 | From: Daniel Stenberg <daniel@haxx.se> | ||
5 | Date: Mon, 6 Mar 2023 12:07:33 +0100 | ||
6 | Subject: [PATCH] telnet: only accept option arguments in ascii | ||
7 | |||
8 | To avoid embedded telnet negotiation commands etc. | ||
9 | |||
10 | Reported-by: Harry Sintonen | ||
11 | Closes #10728 | ||
12 | |||
13 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27533.patch?h=ubuntu/focal-security | ||
14 | Upstream commit https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684] | ||
15 | CVE: CVE-2023-27533 | ||
16 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
17 | --- | ||
18 | lib/telnet.c | 15 +++++++++++++++ | ||
19 | 1 file changed, 15 insertions(+) | ||
20 | |||
21 | --- a/lib/telnet.c | ||
22 | +++ b/lib/telnet.c | ||
23 | @@ -815,6 +815,17 @@ static void printsub(struct Curl_easy *d | ||
24 | } | ||
25 | } | ||
26 | |||
27 | +static bool str_is_nonascii(const char *str) | ||
28 | +{ | ||
29 | + size_t len = strlen(str); | ||
30 | + while(len--) { | ||
31 | + if(*str & 0x80) | ||
32 | + return TRUE; | ||
33 | + str++; | ||
34 | + } | ||
35 | + return FALSE; | ||
36 | +} | ||
37 | + | ||
38 | static CURLcode check_telnet_options(struct connectdata *conn) | ||
39 | { | ||
40 | struct curl_slist *head; | ||
41 | @@ -829,6 +840,8 @@ static CURLcode check_telnet_options(str | ||
42 | /* Add the user name as an environment variable if it | ||
43 | was given on the command line */ | ||
44 | if(conn->bits.user_passwd) { | ||
45 | + if(str_is_nonascii(data->conn->user)) | ||
46 | + return CURLE_BAD_FUNCTION_ARGUMENT; | ||
47 | msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); | ||
48 | beg = curl_slist_append(tn->telnet_vars, option_arg); | ||
49 | if(!beg) { | ||
50 | @@ -844,6 +857,9 @@ static CURLcode check_telnet_options(str | ||
51 | if(sscanf(head->data, "%127[^= ]%*[ =]%255s", | ||
52 | option_keyword, option_arg) == 2) { | ||
53 | |||
54 | + if(str_is_nonascii(option_arg)) | ||
55 | + continue; | ||
56 | + | ||
57 | /* Terminal type */ | ||
58 | if(strcasecompare(option_keyword, "TTYPE")) { | ||
59 | strncpy(tn->subopt_ttype, option_arg, 31); | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch new file mode 100644 index 0000000000..46c57afb73 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001 | ||
2 | From: Eric Vigeant <evigeant@gmail.com> | ||
3 | Date: Wed, 2 Nov 2022 11:47:09 -0400 | ||
4 | Subject: [PATCH] cur_path: do not add '/' if homedir ends with one | ||
5 | |||
6 | When using SFTP and a path relative to the user home, do not add a | ||
7 | trailing '/' to the user home dir if it already ends with one. | ||
8 | |||
9 | Closes #9844 | ||
10 | |||
11 | CVE: CVE-2023-27534 | ||
12 | Note: | ||
13 | - The upstream patch for CVE-2023-27534 does three things: | ||
14 | 1) creates new path with dynbuf(dynamic buffer) | ||
15 | 2) solves the tilde error which causes CVE-2023-27534 | ||
16 | 3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf. | ||
17 | - dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions. | ||
18 | - This patch completes the 3rd task of the patch which was implemented without using dynbuf | ||
19 | Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b] | ||
20 | |||
21 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
22 | Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> | ||
23 | --- | ||
24 | lib/curl_path.c | 10 +++++++--- | ||
25 | 1 file changed, 7 insertions(+), 3 deletions(-) | ||
26 | |||
27 | diff --git a/lib/curl_path.c b/lib/curl_path.c | ||
28 | index f429634..40b92ee 100644 | ||
29 | --- a/lib/curl_path.c | ||
30 | +++ b/lib/curl_path.c | ||
31 | @@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, | ||
32 | /* It is referenced to the home directory, so strip the | ||
33 | leading '/' */ | ||
34 | memcpy(real_path, homedir, homelen); | ||
35 | - real_path[homelen] = '/'; | ||
36 | - real_path[homelen + 1] = '\0'; | ||
37 | + /* Only add a trailing '/' if homedir does not end with one */ | ||
38 | + if(homelen == 0 || real_path[homelen - 1] != '/') { | ||
39 | + real_path[homelen] = '/'; | ||
40 | + homelen++; | ||
41 | + real_path[homelen] = '\0'; | ||
42 | + } | ||
43 | if(working_path_len > 3) { | ||
44 | - memcpy(real_path + homelen + 1, working_path + 3, | ||
45 | + memcpy(real_path + homelen, working_path + 3, | ||
46 | 1 + working_path_len -3); | ||
47 | } | ||
48 | } | ||
49 | -- | ||
50 | 2.24.4 | ||
51 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch new file mode 100644 index 0000000000..3ecd181290 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 9 Mar 2023 16:22:11 +0100 | ||
4 | Subject: [PATCH] curl_path: create the new path with dynbuf | ||
5 | |||
6 | Closes #10729 | ||
7 | |||
8 | CVE: CVE-2023-27534 | ||
9 | Note: This patch is needed to backport CVE-2023-27534 | ||
10 | Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] | ||
11 | |||
12 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
13 | Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> | ||
14 | --- | ||
15 | lib/curl_path.c | 2 +- | ||
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/lib/curl_path.c b/lib/curl_path.c | ||
19 | index 40b92ee..598c5dd 100644 | ||
20 | --- a/lib/curl_path.c | ||
21 | +++ b/lib/curl_path.c | ||
22 | @@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, | ||
23 | memcpy(real_path, working_path, 1 + working_path_len); | ||
24 | } | ||
25 | else if(conn->handler->protocol & CURLPROTO_SFTP) { | ||
26 | - if((working_path_len > 1) && (working_path[1] == '~')) { | ||
27 | + if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { | ||
28 | size_t homelen = strlen(homedir); | ||
29 | real_path = malloc(homelen + working_path_len + 1); | ||
30 | if(real_path == NULL) { | ||
31 | -- | ||
32 | 2.24.4 | ||
33 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch new file mode 100644 index 0000000000..034b72f7e6 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch | |||
@@ -0,0 +1,236 @@ | |||
1 | From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 6 Oct 2022 00:49:10 +0200 | ||
4 | Subject: [PATCH] strcase: add and use Curl_timestrcmp | ||
5 | |||
6 | This is a strcmp() alternative function for comparing "secrets", | ||
7 | designed to take the same time no matter the content to not leak | ||
8 | match/non-match info to observers based on how fast it is. | ||
9 | |||
10 | The time this function takes is only a function of the shortest input | ||
11 | string. | ||
12 | |||
13 | Reported-by: Trail of Bits | ||
14 | |||
15 | Closes #9658 | ||
16 | |||
17 | Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878 & https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] | ||
18 | Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp. | ||
19 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
20 | --- | ||
21 | lib/netrc.c | 6 +++--- | ||
22 | lib/strcase.c | 22 ++++++++++++++++++++++ | ||
23 | lib/strcase.h | 1 + | ||
24 | lib/url.c | 33 +++++++++++++-------------------- | ||
25 | lib/vauth/digest_sspi.c | 4 ++-- | ||
26 | lib/vtls/vtls.c | 21 ++++++++++++++++++++- | ||
27 | 6 files changed, 61 insertions(+), 26 deletions(-) | ||
28 | |||
29 | diff --git a/lib/netrc.c b/lib/netrc.c | ||
30 | index 9323913..fe3fd1e 100644 | ||
31 | --- a/lib/netrc.c | ||
32 | +++ b/lib/netrc.c | ||
33 | @@ -124,9 +124,9 @@ static int parsenetrc(const char *host, | ||
34 | /* we are now parsing sub-keywords concerning "our" host */ | ||
35 | if(state_login) { | ||
36 | if(specific_login) { | ||
37 | - state_our_login = strcasecompare(login, tok); | ||
38 | + state_our_login = !Curl_timestrcmp(login, tok); | ||
39 | } | ||
40 | - else if(!login || strcmp(login, tok)) { | ||
41 | + else if(!login || Curl_timestrcmp(login, tok)) { | ||
42 | if(login_alloc) { | ||
43 | free(login); | ||
44 | login_alloc = FALSE; | ||
45 | @@ -142,7 +142,7 @@ static int parsenetrc(const char *host, | ||
46 | } | ||
47 | else if(state_password) { | ||
48 | if((state_our_login || !specific_login) | ||
49 | - && (!password || strcmp(password, tok))) { | ||
50 | + && (!password || Curl_timestrcmp(password, tok))) { | ||
51 | if(password_alloc) { | ||
52 | free(password); | ||
53 | password_alloc = FALSE; | ||
54 | diff --git a/lib/strcase.c b/lib/strcase.c | ||
55 | index 70bf21c..ec776b3 100644 | ||
56 | --- a/lib/strcase.c | ||
57 | +++ b/lib/strcase.c | ||
58 | @@ -261,6 +261,28 @@ bool Curl_safecmp(char *a, char *b) | ||
59 | return !a && !b; | ||
60 | } | ||
61 | |||
62 | +/* | ||
63 | + * Curl_timestrcmp() returns 0 if the two strings are identical. The time this | ||
64 | + * function spends is a function of the shortest string, not of the contents. | ||
65 | + */ | ||
66 | +int Curl_timestrcmp(const char *a, const char *b) | ||
67 | +{ | ||
68 | + int match = 0; | ||
69 | + int i = 0; | ||
70 | + | ||
71 | + if(a && b) { | ||
72 | + while(1) { | ||
73 | + match |= a[i]^b[i]; | ||
74 | + if(!a[i] || !b[i]) | ||
75 | + break; | ||
76 | + i++; | ||
77 | + } | ||
78 | + } | ||
79 | + else | ||
80 | + return a || b; | ||
81 | + return match; | ||
82 | +} | ||
83 | + | ||
84 | /* --- public functions --- */ | ||
85 | |||
86 | int curl_strequal(const char *first, const char *second) | ||
87 | diff --git a/lib/strcase.h b/lib/strcase.h | ||
88 | index 8929a53..8077108 100644 | ||
89 | --- a/lib/strcase.h | ||
90 | +++ b/lib/strcase.h | ||
91 | @@ -49,5 +49,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n); | ||
92 | void Curl_strntolower(char *dest, const char *src, size_t n); | ||
93 | |||
94 | bool Curl_safecmp(char *a, char *b); | ||
95 | +int Curl_timestrcmp(const char *first, const char *second); | ||
96 | |||
97 | #endif /* HEADER_CURL_STRCASE_H */ | ||
98 | diff --git a/lib/url.c b/lib/url.c | ||
99 | index 9f14a7b..dfbde3b 100644 | ||
100 | --- a/lib/url.c | ||
101 | +++ b/lib/url.c | ||
102 | @@ -886,19 +886,10 @@ socks_proxy_info_matches(const struct proxy_info* data, | ||
103 | /* the user information is case-sensitive | ||
104 | or at least it is not defined as case-insensitive | ||
105 | see https://tools.ietf.org/html/rfc3986#section-3.2.1 */ | ||
106 | - if((data->user == NULL) != (needle->user == NULL)) | ||
107 | - return FALSE; | ||
108 | - /* curl_strequal does a case insentive comparison, so do not use it here! */ | ||
109 | - if(data->user && | ||
110 | - needle->user && | ||
111 | - strcmp(data->user, needle->user) != 0) | ||
112 | - return FALSE; | ||
113 | - if((data->passwd == NULL) != (needle->passwd == NULL)) | ||
114 | - return FALSE; | ||
115 | + | ||
116 | /* curl_strequal does a case insentive comparison, so do not use it here! */ | ||
117 | - if(data->passwd && | ||
118 | - needle->passwd && | ||
119 | - strcmp(data->passwd, needle->passwd) != 0) | ||
120 | + if(Curl_timestrcmp(data->user, needle->user) || | ||
121 | + Curl_timestrcmp(data->passwd, needle->passwd)) | ||
122 | return FALSE; | ||
123 | return TRUE; | ||
124 | } | ||
125 | @@ -1257,10 +1248,10 @@ ConnectionExists(struct Curl_easy *data, | ||
126 | if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { | ||
127 | /* This protocol requires credentials per connection, | ||
128 | so verify that we're using the same name and password as well */ | ||
129 | - if(strcmp(needle->user, check->user) || | ||
130 | - strcmp(needle->passwd, check->passwd) || | ||
131 | - !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || | ||
132 | - !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { | ||
133 | + if(Curl_timestrcmp(needle->user, check->user) || | ||
134 | + Curl_timestrcmp(needle->passwd, check->passwd) || | ||
135 | + Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) || | ||
136 | + Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) { | ||
137 | /* one of them was different */ | ||
138 | continue; | ||
139 | } | ||
140 | @@ -1326,8 +1317,8 @@ ConnectionExists(struct Curl_easy *data, | ||
141 | possible. (Especially we must not reuse the same connection if | ||
142 | partway through a handshake!) */ | ||
143 | if(wantNTLMhttp) { | ||
144 | - if(strcmp(needle->user, check->user) || | ||
145 | - strcmp(needle->passwd, check->passwd)) { | ||
146 | + if(Curl_timestrcmp(needle->user, check->user) || | ||
147 | + Curl_timestrcmp(needle->passwd, check->passwd)) { | ||
148 | |||
149 | /* we prefer a credential match, but this is at least a connection | ||
150 | that can be reused and "upgraded" to NTLM */ | ||
151 | @@ -1348,8 +1339,10 @@ ConnectionExists(struct Curl_easy *data, | ||
152 | if(!check->http_proxy.user || !check->http_proxy.passwd) | ||
153 | continue; | ||
154 | |||
155 | - if(strcmp(needle->http_proxy.user, check->http_proxy.user) || | ||
156 | - strcmp(needle->http_proxy.passwd, check->http_proxy.passwd)) | ||
157 | + if(Curl_timestrcmp(needle->http_proxy.user, | ||
158 | + check->http_proxy.user) || | ||
159 | + Curl_timestrcmp(needle->http_proxy.passwd, | ||
160 | + check->http_proxy.passwd)) | ||
161 | continue; | ||
162 | } | ||
163 | else if(check->proxy_ntlm_state != NTLMSTATE_NONE) { | ||
164 | diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c | ||
165 | index a109056..3986386 100644 | ||
166 | --- a/lib/vauth/digest_sspi.c | ||
167 | +++ b/lib/vauth/digest_sspi.c | ||
168 | @@ -450,8 +450,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, | ||
169 | has changed then delete that context. */ | ||
170 | if((userp && !digest->user) || (!userp && digest->user) || | ||
171 | (passwdp && !digest->passwd) || (!passwdp && digest->passwd) || | ||
172 | - (userp && digest->user && strcmp(userp, digest->user)) || | ||
173 | - (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) { | ||
174 | + (userp && digest->user && Curl_timestrcmp(userp, digest->user)) || | ||
175 | + (passwdp && digest->passwd && Curl_timestrcmp(passwdp, digest->passwd))) { | ||
176 | if(digest->http_context) { | ||
177 | s_pSecFn->DeleteSecurityContext(digest->http_context); | ||
178 | Curl_safefree(digest->http_context); | ||
179 | diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c | ||
180 | index e8cb70f..70a9391 100644 | ||
181 | --- a/lib/vtls/vtls.c | ||
182 | +++ b/lib/vtls/vtls.c | ||
183 | @@ -98,9 +98,15 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, | ||
184 | Curl_safecmp(data->issuercert, needle->issuercert) && | ||
185 | Curl_safecmp(data->clientcert, needle->clientcert) && | ||
186 | Curl_safecmp(data->random_file, needle->random_file) && | ||
187 | - Curl_safecmp(data->egdsocket, needle->egdsocket) && | ||
188 | + Curl_safecmp(data->egdsocket, needle->egdsocket) && | ||
189 | +#ifdef USE_TLS_SRP | ||
190 | + !Curl_timestrcmp(data->username, needle->username) && | ||
191 | + !Curl_timestrcmp(data->password, needle->password) && | ||
192 | + (data->authtype == needle->authtype) && | ||
193 | +#endif | ||
194 | Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && | ||
195 | Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && | ||
196 | + Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && | ||
197 | Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) | ||
198 | return TRUE; | ||
199 | |||
200 | @@ -117,6 +123,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, | ||
201 | dest->verifyhost = source->verifyhost; | ||
202 | dest->verifystatus = source->verifystatus; | ||
203 | dest->sessionid = source->sessionid; | ||
204 | +#ifdef USE_TLS_SRP | ||
205 | + dest->authtype = source->authtype; | ||
206 | +#endif | ||
207 | |||
208 | CLONE_STRING(CApath); | ||
209 | CLONE_STRING(CAfile); | ||
210 | @@ -127,6 +136,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, | ||
211 | CLONE_STRING(cipher_list); | ||
212 | CLONE_STRING(cipher_list13); | ||
213 | CLONE_STRING(pinned_key); | ||
214 | + CLONE_STRING(CRLfile); | ||
215 | +#ifdef USE_TLS_SRP | ||
216 | + CLONE_STRING(username); | ||
217 | + CLONE_STRING(password); | ||
218 | +#endif | ||
219 | |||
220 | return TRUE; | ||
221 | } | ||
222 | @@ -142,6 +156,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc) | ||
223 | Curl_safefree(sslc->cipher_list); | ||
224 | Curl_safefree(sslc->cipher_list13); | ||
225 | Curl_safefree(sslc->pinned_key); | ||
226 | + Curl_safefree(sslc->CRLfile); | ||
227 | +#ifdef USE_TLS_SRP | ||
228 | + Curl_safefree(sslc->username); | ||
229 | + Curl_safefree(sslc->password); | ||
230 | +#endif | ||
231 | } | ||
232 | |||
233 | #ifdef USE_SSL | ||
234 | -- | ||
235 | 2.25.1 | ||
236 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535.patch b/meta/recipes-support/curl/curl/CVE-2023-27535.patch new file mode 100644 index 0000000000..e38390a57c --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27535.patch | |||
@@ -0,0 +1,170 @@ | |||
1 | From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 9 Mar 2023 17:47:06 +0100 | ||
4 | Subject: [PATCH] ftp: add more conditions for connection reuse | ||
5 | |||
6 | Reported-by: Harry Sintonen | ||
7 | Closes #10730 | ||
8 | |||
9 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27535.patch?h=ubuntu/focal-security | ||
10 | Upstream commit https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1] | ||
11 | CVE: CVE-2023-27535 | ||
12 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
13 | --- | ||
14 | lib/ftp.c | 30 ++++++++++++++++++++++++++++-- | ||
15 | lib/ftp.h | 5 +++++ | ||
16 | lib/setopt.c | 2 +- | ||
17 | lib/url.c | 16 +++++++++++++++- | ||
18 | lib/urldata.h | 4 ++-- | ||
19 | 5 files changed, 51 insertions(+), 6 deletions(-) | ||
20 | |||
21 | diff --git a/lib/ftp.c b/lib/ftp.c | ||
22 | index 31a34e8..7a82a74 100644 | ||
23 | --- a/lib/ftp.c | ||
24 | +++ b/lib/ftp.c | ||
25 | @@ -4059,6 +4059,10 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection) | ||
26 | } | ||
27 | |||
28 | freedirs(ftpc); | ||
29 | + free(ftpc->account); | ||
30 | + ftpc->account = NULL; | ||
31 | + free(ftpc->alternative_to_user); | ||
32 | + ftpc->alternative_to_user = NULL; | ||
33 | free(ftpc->prevpath); | ||
34 | ftpc->prevpath = NULL; | ||
35 | free(ftpc->server_os); | ||
36 | @@ -4326,11 +4330,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn) | ||
37 | struct Curl_easy *data = conn->data; | ||
38 | char *type; | ||
39 | struct FTP *ftp; | ||
40 | + struct ftp_conn *ftpc = &conn->proto.ftpc; | ||
41 | |||
42 | - conn->data->req.protop = ftp = calloc(sizeof(struct FTP), 1); | ||
43 | + ftp = calloc(sizeof(struct FTP), 1); | ||
44 | if(NULL == ftp) | ||
45 | return CURLE_OUT_OF_MEMORY; | ||
46 | |||
47 | + /* clone connection related data that is FTP specific */ | ||
48 | + if(data->set.str[STRING_FTP_ACCOUNT]) { | ||
49 | + ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); | ||
50 | + if(!ftpc->account) { | ||
51 | + free(ftp); | ||
52 | + return CURLE_OUT_OF_MEMORY; | ||
53 | + } | ||
54 | + } | ||
55 | + if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { | ||
56 | + ftpc->alternative_to_user = | ||
57 | + strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); | ||
58 | + if(!ftpc->alternative_to_user) { | ||
59 | + Curl_safefree(ftpc->account); | ||
60 | + free(ftp); | ||
61 | + return CURLE_OUT_OF_MEMORY; | ||
62 | + } | ||
63 | + } | ||
64 | + conn->data->req.protop = ftp; | ||
65 | + | ||
66 | ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ | ||
67 | |||
68 | /* FTP URLs support an extension like ";type=<typecode>" that | ||
69 | @@ -4366,7 +4390,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn) | ||
70 | /* get some initial data into the ftp struct */ | ||
71 | ftp->transfer = FTPTRANSFER_BODY; | ||
72 | ftp->downloadsize = 0; | ||
73 | - conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ | ||
74 | + ftpc->known_filesize = -1; /* unknown size for now */ | ||
75 | + ftpc->use_ssl = data->set.use_ssl; | ||
76 | + ftpc->ccc = data->set.ftp_ccc; | ||
77 | |||
78 | return CURLE_OK; | ||
79 | } | ||
80 | diff --git a/lib/ftp.h b/lib/ftp.h | ||
81 | index 984347f..163dcb3 100644 | ||
82 | --- a/lib/ftp.h | ||
83 | +++ b/lib/ftp.h | ||
84 | @@ -116,6 +116,8 @@ struct FTP { | ||
85 | struct */ | ||
86 | struct ftp_conn { | ||
87 | struct pingpong pp; | ||
88 | + char *account; | ||
89 | + char *alternative_to_user; | ||
90 | char *entrypath; /* the PWD reply when we logged on */ | ||
91 | char **dirs; /* realloc()ed array for path components */ | ||
92 | int dirdepth; /* number of entries used in the 'dirs' array */ | ||
93 | @@ -141,6 +143,9 @@ struct ftp_conn { | ||
94 | ftpstate state; /* always use ftp.c:state() to change state! */ | ||
95 | ftpstate state_saved; /* transfer type saved to be reloaded after | ||
96 | data connection is established */ | ||
97 | + unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or | ||
98 | + IMAP or POP3 or others! (type: curl_usessl)*/ | ||
99 | + unsigned char ccc; /* ccc level for this connection */ | ||
100 | curl_off_t retr_size_saved; /* Size of retrieved file saved */ | ||
101 | char *server_os; /* The target server operating system. */ | ||
102 | curl_off_t known_filesize; /* file size is different from -1, if wildcard | ||
103 | diff --git a/lib/setopt.c b/lib/setopt.c | ||
104 | index 4d96f6b..a91bb70 100644 | ||
105 | --- a/lib/setopt.c | ||
106 | +++ b/lib/setopt.c | ||
107 | @@ -2126,7 +2126,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) | ||
108 | arg = va_arg(param, long); | ||
109 | if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) | ||
110 | return CURLE_BAD_FUNCTION_ARGUMENT; | ||
111 | - data->set.use_ssl = (curl_usessl)arg; | ||
112 | + data->set.use_ssl = (unsigned char)arg; | ||
113 | break; | ||
114 | |||
115 | case CURLOPT_SSL_OPTIONS: | ||
116 | diff --git a/lib/url.c b/lib/url.c | ||
117 | index dfbde3b..f84375c 100644 | ||
118 | --- a/lib/url.c | ||
119 | +++ b/lib/url.c | ||
120 | @@ -1257,10 +1257,24 @@ ConnectionExists(struct Curl_easy *data, | ||
121 | } | ||
122 | } | ||
123 | |||
124 | - if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { | ||
125 | +#ifdef USE_SSH | ||
126 | + else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { | ||
127 | if(!ssh_config_matches(needle, check)) | ||
128 | continue; | ||
129 | } | ||
130 | +#endif | ||
131 | +#ifndef CURL_DISABLE_FTP | ||
132 | + else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_FTP) { | ||
133 | + /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ | ||
134 | + if(Curl_timestrcmp(needle->proto.ftpc.account, | ||
135 | + check->proto.ftpc.account) || | ||
136 | + Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, | ||
137 | + check->proto.ftpc.alternative_to_user) || | ||
138 | + (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || | ||
139 | + (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) | ||
140 | + continue; | ||
141 | + } | ||
142 | +#endif | ||
143 | |||
144 | if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) || | ||
145 | needle->bits.tunnel_proxy) { | ||
146 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
147 | index 168f874..51b793b 100644 | ||
148 | --- a/lib/urldata.h | ||
149 | +++ b/lib/urldata.h | ||
150 | @@ -1730,8 +1730,6 @@ struct UserDefined { | ||
151 | void *ssh_keyfunc_userp; /* custom pointer to callback */ | ||
152 | enum CURL_NETRC_OPTION | ||
153 | use_netrc; /* defined in include/curl.h */ | ||
154 | - curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or | ||
155 | - IMAP or POP3 or others! */ | ||
156 | long new_file_perms; /* Permissions to use when creating remote files */ | ||
157 | long new_directory_perms; /* Permissions to use when creating remote dirs */ | ||
158 | long ssh_auth_types; /* allowed SSH auth types */ | ||
159 | @@ -1851,6 +1849,8 @@ struct UserDefined { | ||
160 | BIT(http09_allowed); /* allow HTTP/0.9 responses */ | ||
161 | BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some | ||
162 | recipients */ | ||
163 | + unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or | ||
164 | + IMAP or POP3 or others! (type: curl_usessl)*/ | ||
165 | }; | ||
166 | |||
167 | struct Names { | ||
168 | -- | ||
169 | 2.25.1 | ||
170 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch new file mode 100644 index 0000000000..b04a77de25 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Fri, 10 Mar 2023 09:22:43 +0100 | ||
4 | Subject: [PATCH] url: only reuse connections with same GSS delegation | ||
5 | |||
6 | Reported-by: Harry Sintonen | ||
7 | Closes #10731 | ||
8 | |||
9 | Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5] | ||
10 | CVE: CVE-2023-27536 | ||
11 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
12 | --- | ||
13 | lib/url.c | 6 ++++++ | ||
14 | lib/urldata.h | 1 + | ||
15 | 2 files changed, 7 insertions(+) | ||
16 | |||
17 | diff --git a/lib/url.c b/lib/url.c | ||
18 | index f84375c..87f4eb0 100644 | ||
19 | --- a/lib/url.c | ||
20 | +++ b/lib/url.c | ||
21 | @@ -1257,6 +1257,11 @@ ConnectionExists(struct Curl_easy *data, | ||
22 | } | ||
23 | } | ||
24 | |||
25 | + /* GSS delegation differences do not actually affect every connection | ||
26 | + and auth method, but this check takes precaution before efficiency */ | ||
27 | + if(needle->gssapi_delegation != check->gssapi_delegation) | ||
28 | + continue; | ||
29 | + | ||
30 | #ifdef USE_SSH | ||
31 | else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { | ||
32 | if(!ssh_config_matches(needle, check)) | ||
33 | @@ -1708,6 +1713,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) | ||
34 | conn->fclosesocket = data->set.fclosesocket; | ||
35 | conn->closesocket_client = data->set.closesocket_client; | ||
36 | conn->lastused = Curl_now(); /* used now */ | ||
37 | + conn->gssapi_delegation = data->set.gssapi_delegation; | ||
38 | |||
39 | return conn; | ||
40 | error: | ||
41 | diff --git a/lib/urldata.h b/lib/urldata.h | ||
42 | index 51b793b..b8a611b 100644 | ||
43 | --- a/lib/urldata.h | ||
44 | +++ b/lib/urldata.h | ||
45 | @@ -1118,6 +1118,7 @@ struct connectdata { | ||
46 | handle */ | ||
47 | BIT(sock_accepted); /* TRUE if the SECONDARYSOCKET was created with | ||
48 | accept() */ | ||
49 | + long gssapi_delegation; /* inherited from set.gssapi_delegation */ | ||
50 | }; | ||
51 | |||
52 | /* The end of connectdata. */ | ||
53 | -- | ||
54 | 2.25.1 | ||
55 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27538.patch new file mode 100644 index 0000000000..6c40989d3b --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Fri, 10 Mar 2023 08:22:51 +0100 | ||
4 | Subject: [PATCH] url: fix the SSH connection reuse check | ||
5 | |||
6 | Reported-by: Harry Sintonen | ||
7 | Closes #10735 | ||
8 | |||
9 | CVE: CVE-2023-27538 | ||
10 | Upstream-Status: Backport [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb] | ||
11 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
12 | --- | ||
13 | lib/url.c | 2 +- | ||
14 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
15 | |||
16 | diff --git a/lib/url.c b/lib/url.c | ||
17 | index 8da0245..9f14a7b 100644 | ||
18 | --- a/lib/url.c | ||
19 | +++ b/lib/url.c | ||
20 | @@ -1266,7 +1266,7 @@ ConnectionExists(struct Curl_easy *data, | ||
21 | } | ||
22 | } | ||
23 | |||
24 | - if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) { | ||
25 | + if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { | ||
26 | if(!ssh_config_matches(needle, check)) | ||
27 | continue; | ||
28 | } | ||
29 | -- | ||
30 | 2.25.1 | ||
31 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch new file mode 100644 index 0000000000..eaa6fdc327 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch | |||
@@ -0,0 +1,197 @@ | |||
1 | From f446258f0269a62289cca0210157cb8558d0edc3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 16 May 2023 23:40:42 +0200 | ||
4 | Subject: [PATCH] hostip: include easy_lock.h before using | ||
5 | GLOBAL_INIT_IS_THREADSAFE | ||
6 | |||
7 | Since that header file is the only place that define can be defined. | ||
8 | |||
9 | Reported-by: Marc Deslauriers | ||
10 | |||
11 | Follow-up to 13718030ad4b3209 | ||
12 | |||
13 | Closes #11121 | ||
14 | |||
15 | Upstream-Status: Backport [https://github.com/curl/curl/commit/f446258f0269a62289cca0210157cb8558d0edc3] | ||
16 | CVE: CVE-2023-28320 | ||
17 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
18 | --- | ||
19 | lib/easy_lock.h | 109 ++++++++++++++++++++++++++++++++++++++++++++++++ | ||
20 | lib/hostip.c | 10 ++--- | ||
21 | lib/hostip.h | 9 ---- | ||
22 | 3 files changed, 113 insertions(+), 15 deletions(-) | ||
23 | create mode 100644 lib/easy_lock.h | ||
24 | |||
25 | diff --git a/lib/easy_lock.h b/lib/easy_lock.h | ||
26 | new file mode 100644 | ||
27 | index 0000000..6399a39 | ||
28 | --- /dev/null | ||
29 | +++ b/lib/easy_lock.h | ||
30 | @@ -0,0 +1,109 @@ | ||
31 | +#ifndef HEADER_CURL_EASY_LOCK_H | ||
32 | +#define HEADER_CURL_EASY_LOCK_H | ||
33 | +/*************************************************************************** | ||
34 | + * _ _ ____ _ | ||
35 | + * Project ___| | | | _ \| | | ||
36 | + * / __| | | | |_) | | | ||
37 | + * | (__| |_| | _ <| |___ | ||
38 | + * \___|\___/|_| \_\_____| | ||
39 | + * | ||
40 | + * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. | ||
41 | + * | ||
42 | + * This software is licensed as described in the file COPYING, which | ||
43 | + * you should have received as part of this distribution. The terms | ||
44 | + * are also available at https://curl.se/docs/copyright.html. | ||
45 | + * | ||
46 | + * You may opt to use, copy, modify, merge, publish, distribute and/or sell | ||
47 | + * copies of the Software, and permit persons to whom the Software is | ||
48 | + * furnished to do so, under the terms of the COPYING file. | ||
49 | + * | ||
50 | + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY | ||
51 | + * KIND, either express or implied. | ||
52 | + * | ||
53 | + * SPDX-License-Identifier: curl | ||
54 | + * | ||
55 | + ***************************************************************************/ | ||
56 | + | ||
57 | +#include "curl_setup.h" | ||
58 | + | ||
59 | +#define GLOBAL_INIT_IS_THREADSAFE | ||
60 | + | ||
61 | +#if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600 | ||
62 | + | ||
63 | +#ifdef __MINGW32__ | ||
64 | +#ifndef __MINGW64_VERSION_MAJOR | ||
65 | +#if (__MINGW32_MAJOR_VERSION < 5) || \ | ||
66 | + (__MINGW32_MAJOR_VERSION == 5 && __MINGW32_MINOR_VERSION == 0) | ||
67 | +/* mingw >= 5.0.1 defines SRWLOCK, and slightly different from MS define */ | ||
68 | +typedef PVOID SRWLOCK, *PSRWLOCK; | ||
69 | +#endif | ||
70 | +#endif | ||
71 | +#ifndef SRWLOCK_INIT | ||
72 | +#define SRWLOCK_INIT NULL | ||
73 | +#endif | ||
74 | +#endif /* __MINGW32__ */ | ||
75 | + | ||
76 | +#define curl_simple_lock SRWLOCK | ||
77 | +#define CURL_SIMPLE_LOCK_INIT SRWLOCK_INIT | ||
78 | + | ||
79 | +#define curl_simple_lock_lock(m) AcquireSRWLockExclusive(m) | ||
80 | +#define curl_simple_lock_unlock(m) ReleaseSRWLockExclusive(m) | ||
81 | + | ||
82 | +#elif defined(HAVE_ATOMIC) && defined(HAVE_STDATOMIC_H) | ||
83 | +#include <stdatomic.h> | ||
84 | +#if defined(HAVE_SCHED_YIELD) | ||
85 | +#include <sched.h> | ||
86 | +#endif | ||
87 | + | ||
88 | +#define curl_simple_lock atomic_int | ||
89 | +#define CURL_SIMPLE_LOCK_INIT 0 | ||
90 | + | ||
91 | +/* a clang-thing */ | ||
92 | +#ifndef __has_builtin | ||
93 | +#define __has_builtin(x) 0 | ||
94 | +#endif | ||
95 | + | ||
96 | +#ifndef __INTEL_COMPILER | ||
97 | +/* The Intel compiler tries to look like GCC *and* clang *and* lies in its | ||
98 | + __has_builtin() function, so override it. */ | ||
99 | + | ||
100 | +/* if GCC on i386/x86_64 or if the built-in is present */ | ||
101 | +#if ( (defined(__GNUC__) && !defined(__clang__)) && \ | ||
102 | + (defined(__i386__) || defined(__x86_64__))) || \ | ||
103 | + __has_builtin(__builtin_ia32_pause) | ||
104 | +#define HAVE_BUILTIN_IA32_PAUSE | ||
105 | +#endif | ||
106 | + | ||
107 | +#endif | ||
108 | + | ||
109 | +static inline void curl_simple_lock_lock(curl_simple_lock *lock) | ||
110 | +{ | ||
111 | + for(;;) { | ||
112 | + if(!atomic_exchange_explicit(lock, true, memory_order_acquire)) | ||
113 | + break; | ||
114 | + /* Reduce cache coherency traffic */ | ||
115 | + while(atomic_load_explicit(lock, memory_order_relaxed)) { | ||
116 | + /* Reduce load (not mandatory) */ | ||
117 | +#ifdef HAVE_BUILTIN_IA32_PAUSE | ||
118 | + __builtin_ia32_pause(); | ||
119 | +#elif defined(__aarch64__) | ||
120 | + __asm__ volatile("yield" ::: "memory"); | ||
121 | +#elif defined(HAVE_SCHED_YIELD) | ||
122 | + sched_yield(); | ||
123 | +#endif | ||
124 | + } | ||
125 | + } | ||
126 | +} | ||
127 | + | ||
128 | +static inline void curl_simple_lock_unlock(curl_simple_lock *lock) | ||
129 | +{ | ||
130 | + atomic_store_explicit(lock, false, memory_order_release); | ||
131 | +} | ||
132 | + | ||
133 | +#else | ||
134 | + | ||
135 | +#undef GLOBAL_INIT_IS_THREADSAFE | ||
136 | + | ||
137 | +#endif | ||
138 | + | ||
139 | +#endif /* HEADER_CURL_EASY_LOCK_H */ | ||
140 | diff --git a/lib/hostip.c b/lib/hostip.c | ||
141 | index 5231a74..d5bf881 100644 | ||
142 | --- a/lib/hostip.c | ||
143 | +++ b/lib/hostip.c | ||
144 | @@ -68,6 +68,8 @@ | ||
145 | #include "curl_memory.h" | ||
146 | #include "memdebug.h" | ||
147 | |||
148 | +#include "easy_lock.h" | ||
149 | + | ||
150 | #if defined(CURLRES_SYNCH) && \ | ||
151 | defined(HAVE_ALARM) && \ | ||
152 | defined(SIGALRM) && \ | ||
153 | @@ -77,10 +79,6 @@ | ||
154 | #define USE_ALARM_TIMEOUT | ||
155 | #endif | ||
156 | |||
157 | -#ifdef USE_ALARM_TIMEOUT | ||
158 | -#include "easy_lock.h" | ||
159 | -#endif | ||
160 | - | ||
161 | #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */ | ||
162 | |||
163 | /* | ||
164 | @@ -259,8 +257,8 @@ void Curl_hostcache_prune(struct Curl_easy *data) | ||
165 | /* Beware this is a global and unique instance. This is used to store the | ||
166 | return address that we can jump back to from inside a signal handler. This | ||
167 | is not thread-safe stuff. */ | ||
168 | -sigjmp_buf curl_jmpenv; | ||
169 | -curl_simple_lock curl_jmpenv_lock; | ||
170 | +static sigjmp_buf curl_jmpenv; | ||
171 | +static curl_simple_lock curl_jmpenv_lock; | ||
172 | #endif | ||
173 | |||
174 | /* lookup address, returns entry if found and not stale */ | ||
175 | diff --git a/lib/hostip.h b/lib/hostip.h | ||
176 | index baf1e58..d7f73d9 100644 | ||
177 | --- a/lib/hostip.h | ||
178 | +++ b/lib/hostip.h | ||
179 | @@ -196,15 +196,6 @@ Curl_cache_addr(struct Curl_easy *data, Curl_addrinfo *addr, | ||
180 | #define CURL_INADDR_NONE INADDR_NONE | ||
181 | #endif | ||
182 | |||
183 | -#ifdef HAVE_SIGSETJMP | ||
184 | -/* Forward-declaration of variable defined in hostip.c. Beware this | ||
185 | - * is a global and unique instance. This is used to store the return | ||
186 | - * address that we can jump back to from inside a signal handler. | ||
187 | - * This is not thread-safe stuff. | ||
188 | - */ | ||
189 | -extern sigjmp_buf curl_jmpenv; | ||
190 | -#endif | ||
191 | - | ||
192 | /* | ||
193 | * Function provided by the resolver backend to set DNS servers to use. | ||
194 | */ | ||
195 | -- | ||
196 | 2.25.1 | ||
197 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320.patch b/meta/recipes-support/curl/curl/CVE-2023-28320.patch new file mode 100644 index 0000000000..0c9b67440a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-28320.patch | |||
@@ -0,0 +1,86 @@ | |||
1 | From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Harry Sintonen <sintonen@iki.fi> | ||
3 | Date: Tue, 25 Apr 2023 09:22:26 +0200 | ||
4 | Subject: [PATCH] hostip: add locks around use of global buffer for alarm() | ||
5 | |||
6 | When building with the sync name resolver and timeout ability we now | ||
7 | require thread-safety to be present to enable it. | ||
8 | |||
9 | Closes #11030 | ||
10 | |||
11 | Upstream-Status: Backport [https://github.com/curl/curl/commit/13718030ad4b3209a7583b4f27f683cd3a6fa5f2] | ||
12 | CVE: CVE-2023-28320 | ||
13 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
14 | --- | ||
15 | lib/hostip.c | 19 +++++++++++++++---- | ||
16 | 1 file changed, 15 insertions(+), 4 deletions(-) | ||
17 | |||
18 | diff --git a/lib/hostip.c b/lib/hostip.c | ||
19 | index f5bb634..5231a74 100644 | ||
20 | --- a/lib/hostip.c | ||
21 | +++ b/lib/hostip.c | ||
22 | @@ -68,12 +68,19 @@ | ||
23 | #include "curl_memory.h" | ||
24 | #include "memdebug.h" | ||
25 | |||
26 | -#if defined(CURLRES_SYNCH) && \ | ||
27 | - defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP) | ||
28 | +#if defined(CURLRES_SYNCH) && \ | ||
29 | + defined(HAVE_ALARM) && \ | ||
30 | + defined(SIGALRM) && \ | ||
31 | + defined(HAVE_SIGSETJMP) && \ | ||
32 | + defined(GLOBAL_INIT_IS_THREADSAFE) | ||
33 | /* alarm-based timeouts can only be used with all the dependencies satisfied */ | ||
34 | #define USE_ALARM_TIMEOUT | ||
35 | #endif | ||
36 | |||
37 | +#ifdef USE_ALARM_TIMEOUT | ||
38 | +#include "easy_lock.h" | ||
39 | +#endif | ||
40 | + | ||
41 | #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */ | ||
42 | |||
43 | /* | ||
44 | @@ -248,11 +255,12 @@ void Curl_hostcache_prune(struct Curl_easy *data) | ||
45 | Curl_share_unlock(data, CURL_LOCK_DATA_DNS); | ||
46 | } | ||
47 | |||
48 | -#ifdef HAVE_SIGSETJMP | ||
49 | +#ifdef USE_ALARM_TIMEOUT | ||
50 | /* Beware this is a global and unique instance. This is used to store the | ||
51 | return address that we can jump back to from inside a signal handler. This | ||
52 | is not thread-safe stuff. */ | ||
53 | sigjmp_buf curl_jmpenv; | ||
54 | +curl_simple_lock curl_jmpenv_lock; | ||
55 | #endif | ||
56 | |||
57 | /* lookup address, returns entry if found and not stale */ | ||
58 | @@ -614,7 +622,6 @@ enum resolve_t Curl_resolv(struct connectdata *conn, | ||
59 | static | ||
60 | RETSIGTYPE alarmfunc(int sig) | ||
61 | { | ||
62 | - /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */ | ||
63 | (void)sig; | ||
64 | siglongjmp(curl_jmpenv, 1); | ||
65 | } | ||
66 | @@ -695,6 +702,8 @@ enum resolve_t Curl_resolv_timeout(struct connectdata *conn, | ||
67 | This should be the last thing we do before calling Curl_resolv(), | ||
68 | as otherwise we'd have to worry about variables that get modified | ||
69 | before we invoke Curl_resolv() (and thus use "volatile"). */ | ||
70 | + curl_simple_lock_lock(&curl_jmpenv_lock); | ||
71 | + | ||
72 | if(sigsetjmp(curl_jmpenv, 1)) { | ||
73 | /* this is coming from a siglongjmp() after an alarm signal */ | ||
74 | failf(data, "name lookup timed out"); | ||
75 | @@ -763,6 +772,8 @@ clean_up: | ||
76 | #endif | ||
77 | #endif /* HAVE_SIGACTION */ | ||
78 | |||
79 | + curl_simple_lock_unlock(&curl_jmpenv_lock); | ||
80 | + | ||
81 | /* switch back the alarm() to either zero or to what it was before minus | ||
82 | the time we spent until now! */ | ||
83 | if(prev_alarm) { | ||
84 | -- | ||
85 | 2.25.1 | ||
86 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-28321.patch b/meta/recipes-support/curl/curl/CVE-2023-28321.patch new file mode 100644 index 0000000000..da1d1fdcd6 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-28321.patch | |||
@@ -0,0 +1,272 @@ | |||
1 | Upstream-Status: Backport [import from ubuntu curl_7.68.0-1ubuntu2.20 with | ||
2 | minor change to tests/data/test1397 part so the patch can be apply. | ||
3 | upstream: https://github.com/curl/curl/commit/199f2d440d8659b42 ] | ||
4 | CVE: CVE-2023-28321 | ||
5 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
6 | |||
7 | This backport was obtained from SUSE. | ||
8 | |||
9 | From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001 | ||
10 | From: Daniel Stenberg <daniel@haxx.se> | ||
11 | Date: Mon, 24 Apr 2023 21:07:02 +0200 | ||
12 | Subject: [PATCH] hostcheck: fix host name wildcard checking | ||
13 | |||
14 | The leftmost "label" of the host name can now only match against single | ||
15 | '*'. Like the browsers have worked for a long time. | ||
16 | |||
17 | - extended unit test 1397 for this | ||
18 | - move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc | ||
19 | |||
20 | Reported-by: Hiroki Kurosawa | ||
21 | Closes #11018 | ||
22 | --- | ||
23 | lib/hostcheck.c | 50 +++++++-------- | ||
24 | tests/data/test1397 | 10 ++- | ||
25 | tests/unit/Makefile.am | 94 ---------------------------- | ||
26 | tests/unit/Makefile.inc | 94 ++++++++++++++++++++++++++++ | ||
27 | tests/unit/unit1397.c | 134 ++++++++++++++++++++++++---------------- | ||
28 | 5 files changed, 202 insertions(+), 180 deletions(-) | ||
29 | |||
30 | --- a/lib/hostcheck.c | ||
31 | +++ b/lib/hostcheck.c | ||
32 | @@ -58,15 +58,19 @@ | ||
33 | * apparent distinction between a name and an IP. We need to detect the use of | ||
34 | * an IP address and not wildcard match on such names. | ||
35 | * | ||
36 | + * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor | ||
37 | + * "*b". | ||
38 | + * | ||
39 | + * @unittest: 1397 | ||
40 | + * | ||
41 | * NOTE: hostmatch() gets called with copied buffers so that it can modify the | ||
42 | * contents at will. | ||
43 | */ | ||
44 | |||
45 | static int hostmatch(char *hostname, char *pattern) | ||
46 | { | ||
47 | - const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; | ||
48 | - int wildcard_enabled; | ||
49 | - size_t prefixlen, suffixlen; | ||
50 | + const char *pattern_label_end, *hostname_label_end; | ||
51 | + size_t suffixlen; | ||
52 | struct in_addr ignored; | ||
53 | #ifdef ENABLE_IPV6 | ||
54 | struct sockaddr_in6 si6; | ||
55 | @@ -80,13 +84,12 @@ static int hostmatch(char *hostname, cha | ||
56 | if(pattern[len-1]=='.') | ||
57 | pattern[len-1] = 0; | ||
58 | |||
59 | - pattern_wildcard = strchr(pattern, '*'); | ||
60 | - if(pattern_wildcard == NULL) | ||
61 | + if(strncmp(pattern, "*.", 2)) | ||
62 | return strcasecompare(pattern, hostname) ? | ||
63 | CURL_HOST_MATCH : CURL_HOST_NOMATCH; | ||
64 | |||
65 | /* detect IP address as hostname and fail the match if so */ | ||
66 | - if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0) | ||
67 | + else if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0) | ||
68 | return CURL_HOST_NOMATCH; | ||
69 | #ifdef ENABLE_IPV6 | ||
70 | if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0) | ||
71 | @@ -95,14 +98,9 @@ static int hostmatch(char *hostname, cha | ||
72 | |||
73 | /* We require at least 2 dots in pattern to avoid too wide wildcard | ||
74 | match. */ | ||
75 | - wildcard_enabled = 1; | ||
76 | pattern_label_end = strchr(pattern, '.'); | ||
77 | - if(pattern_label_end == NULL || strchr(pattern_label_end + 1, '.') == NULL || | ||
78 | - pattern_wildcard > pattern_label_end || | ||
79 | - strncasecompare(pattern, "xn--", 4)) { | ||
80 | - wildcard_enabled = 0; | ||
81 | - } | ||
82 | - if(!wildcard_enabled) | ||
83 | + if(pattern_label_end == NULL || | ||
84 | + strchr(pattern_label_end + 1, '.') == NULL) | ||
85 | return strcasecompare(pattern, hostname) ? | ||
86 | CURL_HOST_MATCH : CURL_HOST_NOMATCH; | ||
87 | |||
88 | @@ -117,11 +115,9 @@ static int hostmatch(char *hostname, cha | ||
89 | if(hostname_label_end - hostname < pattern_label_end - pattern) | ||
90 | return CURL_HOST_NOMATCH; | ||
91 | |||
92 | - prefixlen = pattern_wildcard - pattern; | ||
93 | - suffixlen = pattern_label_end - (pattern_wildcard + 1); | ||
94 | - return strncasecompare(pattern, hostname, prefixlen) && | ||
95 | - strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen, | ||
96 | - suffixlen) ? | ||
97 | + suffixlen = pattern_label_end - (pattern + 1); | ||
98 | + return strncasecompare(pattern + 1, hostname_label_end - suffixlen, | ||
99 | + suffixlen) ? | ||
100 | CURL_HOST_MATCH : CURL_HOST_NOMATCH; | ||
101 | } | ||
102 | |||
103 | --- a/tests/data/test1397 | ||
104 | +++ b/tests/data/test1397 | ||
105 | @@ -2,8 +2,7 @@ | ||
106 | <info> | ||
107 | <keywords> | ||
108 | unittest | ||
109 | -ssl | ||
110 | -wildcard | ||
111 | +Curl_cert_hostcheck | ||
112 | </keywords> | ||
113 | </info> | ||
114 | |||
115 | @@ -16,9 +15,8 @@ none | ||
116 | <features> | ||
117 | unittest | ||
118 | </features> | ||
119 | - <name> | ||
120 | -Check wildcard certificate matching function Curl_cert_hostcheck | ||
121 | - </name> | ||
122 | +<name> | ||
123 | +Curl_cert_hostcheck unit tests | ||
124 | +</name> | ||
125 | </client> | ||
126 | - | ||
127 | </testcase> | ||
128 | --- a/tests/unit/unit1397.c | ||
129 | +++ b/tests/unit/unit1397.c | ||
130 | @@ -21,8 +21,6 @@ | ||
131 | ***************************************************************************/ | ||
132 | #include "curlcheck.h" | ||
133 | |||
134 | -#include "hostcheck.h" /* from the lib dir */ | ||
135 | - | ||
136 | static CURLcode unit_setup(void) | ||
137 | { | ||
138 | return CURLE_OK; | ||
139 | @@ -30,50 +28,94 @@ static CURLcode unit_setup(void) | ||
140 | |||
141 | static void unit_stop(void) | ||
142 | { | ||
143 | - /* done before shutting down and exiting */ | ||
144 | } | ||
145 | |||
146 | -UNITTEST_START | ||
147 | +* only these backends define the tested functions */ | ||
148 | +#if defined(USE_OPENSSL) || defined(USE_GSKIT) || \ | ||
149 | + defined(USE_SCHANNEL) | ||
150 | +#include "hostcheck.h" | ||
151 | +struct testcase { | ||
152 | + const char *host; | ||
153 | + const char *pattern; | ||
154 | + bool match; | ||
155 | +}; | ||
156 | + | ||
157 | +static struct testcase tests[] = { | ||
158 | + {"", "", FALSE}, | ||
159 | + {"a", "", FALSE}, | ||
160 | + {"", "b", FALSE}, | ||
161 | + {"a", "b", FALSE}, | ||
162 | + {"aa", "bb", FALSE}, | ||
163 | + {"\xff", "\xff", TRUE}, | ||
164 | + {"aa.aa.aa", "aa.aa.bb", FALSE}, | ||
165 | + {"aa.aa.aa", "aa.aa.aa", TRUE}, | ||
166 | + {"aa.aa.aa", "*.aa.bb", FALSE}, | ||
167 | + {"aa.aa.aa", "*.aa.aa", TRUE}, | ||
168 | + {"192.168.0.1", "192.168.0.1", TRUE}, | ||
169 | + {"192.168.0.1", "*.168.0.1", FALSE}, | ||
170 | + {"192.168.0.1", "*.0.1", FALSE}, | ||
171 | + {"h.ello", "*.ello", FALSE}, | ||
172 | + {"h.ello.", "*.ello", FALSE}, | ||
173 | + {"h.ello", "*.ello.", FALSE}, | ||
174 | + {"h.e.llo", "*.e.llo", TRUE}, | ||
175 | + {"h.e.llo", " *.e.llo", FALSE}, | ||
176 | + {" h.e.llo", "*.e.llo", TRUE}, | ||
177 | + {"h.e.llo.", "*.e.llo", TRUE}, | ||
178 | + {"*.e.llo.", "*.e.llo", TRUE}, | ||
179 | + {"************.e.llo.", "*.e.llo", TRUE}, | ||
180 | + {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | ||
181 | + "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" | ||
182 | + "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" | ||
183 | + "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" | ||
184 | + "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" | ||
185 | + ".e.llo.", "*.e.llo", TRUE}, | ||
186 | + {"\xfe\xfe.e.llo.", "*.e.llo", TRUE}, | ||
187 | + {"h.e.llo.", "*.e.llo.", TRUE}, | ||
188 | + {"h.e.llo", "*.e.llo.", TRUE}, | ||
189 | + {".h.e.llo", "*.e.llo.", FALSE}, | ||
190 | + {"h.e.llo", "*.*.llo.", FALSE}, | ||
191 | + {"h.e.llo", "h.*.llo", FALSE}, | ||
192 | + {"h.e.llo", "h.e.*", FALSE}, | ||
193 | + {"hello", "*.ello", FALSE}, | ||
194 | + {"hello", "**llo", FALSE}, | ||
195 | + {"bar.foo.example.com", "*.example.com", FALSE}, | ||
196 | + {"foo.example.com", "*.example.com", TRUE}, | ||
197 | + {"baz.example.net", "b*z.example.net", FALSE}, | ||
198 | + {"foobaz.example.net", "*baz.example.net", FALSE}, | ||
199 | + {"xn--l8j.example.local", "x*.example.local", FALSE}, | ||
200 | + {"xn--l8j.example.net", "*.example.net", TRUE}, | ||
201 | + {"xn--l8j.example.net", "*j.example.net", FALSE}, | ||
202 | + {"xn--l8j.example.net", "xn--l8j.example.net", TRUE}, | ||
203 | + {"xn--l8j.example.net", "xn--l8j.*.net", FALSE}, | ||
204 | + {"xl8j.example.net", "*.example.net", TRUE}, | ||
205 | + {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE}, | ||
206 | + {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE}, | ||
207 | + {NULL, NULL, FALSE} | ||
208 | +}; | ||
209 | |||
210 | -/* only these backends define the tested functions */ | ||
211 | -#if defined(USE_OPENSSL) || defined(USE_GSKIT) | ||
212 | +UNITTEST_START | ||
213 | +{ | ||
214 | + int i; | ||
215 | + for(i = 0; tests[i].host; i++) { | ||
216 | + if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern, | ||
217 | + tests[i].host)) { | ||
218 | + fprintf(stderr, | ||
219 | + "HOST: %s\n" | ||
220 | + "PTRN: %s\n" | ||
221 | + "did %sMATCH\n", | ||
222 | + tests[i].host, | ||
223 | + tests[i].pattern, | ||
224 | + tests[i].match ? "NOT ": ""); | ||
225 | + unitfail++; | ||
226 | + } | ||
227 | + } | ||
228 | +} | ||
229 | |||
230 | - /* here you start doing things and checking that the results are good */ | ||
231 | +UNITTEST_STOP | ||
232 | +#else | ||
233 | |||
234 | -fail_unless(Curl_cert_hostcheck("www.example.com", "www.example.com"), | ||
235 | - "good 1"); | ||
236 | -fail_unless(Curl_cert_hostcheck("*.example.com", "www.example.com"), | ||
237 | - "good 2"); | ||
238 | -fail_unless(Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"), | ||
239 | - "good 3"); | ||
240 | -fail_unless(Curl_cert_hostcheck("f*.example.com", "foo.example.com"), | ||
241 | - "good 4"); | ||
242 | -fail_unless(Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"), | ||
243 | - "good 5"); | ||
244 | - | ||
245 | -fail_if(Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1"); | ||
246 | -fail_if(Curl_cert_hostcheck("*", "www.example.com"), "bad 2"); | ||
247 | -fail_if(Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3"); | ||
248 | -fail_if(Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4"); | ||
249 | -fail_if(Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5"); | ||
250 | -fail_if(Curl_cert_hostcheck("*.com", "example.com"), "bad 6"); | ||
251 | -fail_if(Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7"); | ||
252 | -fail_if(Curl_cert_hostcheck("*.example.", "www.example."), "bad 8"); | ||
253 | -fail_if(Curl_cert_hostcheck("*.example.", "www.example"), "bad 9"); | ||
254 | -fail_if(Curl_cert_hostcheck("", "www"), "bad 10"); | ||
255 | -fail_if(Curl_cert_hostcheck("*", "www"), "bad 11"); | ||
256 | -fail_if(Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12"); | ||
257 | -fail_if(Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13"); | ||
258 | - | ||
259 | -#ifdef ENABLE_IPV6 | ||
260 | -fail_if(Curl_cert_hostcheck("*::3285:a9ff:fe46:b619", | ||
261 | - "fe80::3285:a9ff:fe46:b619"), "bad 14"); | ||
262 | -fail_unless(Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619", | ||
263 | - "fe80::3285:a9ff:fe46:b619"), "good 6"); | ||
264 | -#endif | ||
265 | +UNITTEST_START | ||
266 | |||
267 | +UNITTEST_STOP | ||
268 | #endif | ||
269 | |||
270 | - /* you end the test code like this: */ | ||
271 | - | ||
272 | -UNITTEST_STOP | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-28322.patch b/meta/recipes-support/curl/curl/CVE-2023-28322.patch new file mode 100644 index 0000000000..9351a2c286 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-28322.patch | |||
@@ -0,0 +1,380 @@ | |||
1 | CVE: CVE-2023-28322 | ||
2 | Upstream-Status: Backport [ import patch from ubuntu curl_7.68.0-1ubuntu2.20 | ||
3 | upstream https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de ] | ||
4 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
5 | |||
6 | Backport of: | ||
7 | |||
8 | From 7815647d6582c0a4900be2e1de6c5e61272c496b Mon Sep 17 00:00:00 2001 | ||
9 | From: Daniel Stenberg <daniel@haxx.se> | ||
10 | Date: Tue, 25 Apr 2023 08:28:01 +0200 | ||
11 | Subject: [PATCH] lib: unify the upload/method handling | ||
12 | |||
13 | By making sure we set state.upload based on the set.method value and not | ||
14 | independently as set.upload, we reduce confusion and mixup risks, both | ||
15 | internally and externally. | ||
16 | |||
17 | Closes #11017 | ||
18 | --- | ||
19 | lib/curl_rtmp.c | 4 ++-- | ||
20 | lib/file.c | 4 ++-- | ||
21 | lib/ftp.c | 8 ++++---- | ||
22 | lib/http.c | 4 ++-- | ||
23 | lib/imap.c | 6 +++--- | ||
24 | lib/rtsp.c | 4 ++-- | ||
25 | lib/setopt.c | 6 ++---- | ||
26 | lib/smb.c | 6 +++--- | ||
27 | lib/smtp.c | 4 ++-- | ||
28 | lib/tftp.c | 8 ++++---- | ||
29 | lib/transfer.c | 4 ++-- | ||
30 | lib/urldata.h | 2 +- | ||
31 | lib/vssh/libssh.c | 6 +++--- | ||
32 | lib/vssh/libssh2.c | 6 +++--- | ||
33 | lib/vssh/wolfssh.c | 2 +- | ||
34 | 15 files changed, 36 insertions(+), 38 deletions(-) | ||
35 | |||
36 | --- a/lib/curl_rtmp.c | ||
37 | +++ b/lib/curl_rtmp.c | ||
38 | @@ -213,7 +213,7 @@ static CURLcode rtmp_connect(struct conn | ||
39 | /* We have to know if it's a write before we send the | ||
40 | * connect request packet | ||
41 | */ | ||
42 | - if(conn->data->set.upload) | ||
43 | + if(conn->data->state.upload) | ||
44 | r->Link.protocol |= RTMP_FEATURE_WRITE; | ||
45 | |||
46 | /* For plain streams, use the buffer toggle trick to keep data flowing */ | ||
47 | @@ -245,7 +245,7 @@ static CURLcode rtmp_do(struct connectda | ||
48 | if(!RTMP_ConnectStream(r, 0)) | ||
49 | return CURLE_FAILED_INIT; | ||
50 | |||
51 | - if(conn->data->set.upload) { | ||
52 | + if(conn->data->state.upload) { | ||
53 | Curl_pgrsSetUploadSize(data, data->state.infilesize); | ||
54 | Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET); | ||
55 | } | ||
56 | --- a/lib/file.c | ||
57 | +++ b/lib/file.c | ||
58 | @@ -198,7 +198,7 @@ static CURLcode file_connect(struct conn | ||
59 | file->freepath = real_path; /* free this when done */ | ||
60 | |||
61 | file->fd = fd; | ||
62 | - if(!data->set.upload && (fd == -1)) { | ||
63 | + if(!data->state.upload && (fd == -1)) { | ||
64 | failf(data, "Couldn't open file %s", data->state.up.path); | ||
65 | file_done(conn, CURLE_FILE_COULDNT_READ_FILE, FALSE); | ||
66 | return CURLE_FILE_COULDNT_READ_FILE; | ||
67 | @@ -390,7 +390,7 @@ static CURLcode file_do(struct connectda | ||
68 | |||
69 | Curl_pgrsStartNow(data); | ||
70 | |||
71 | - if(data->set.upload) | ||
72 | + if(data->state.upload) | ||
73 | return file_upload(conn); | ||
74 | |||
75 | file = conn->data->req.protop; | ||
76 | --- a/lib/ftp.c | ||
77 | +++ b/lib/ftp.c | ||
78 | @@ -1371,7 +1371,7 @@ static CURLcode ftp_state_prepare_transf | ||
79 | data->set.str[STRING_CUSTOMREQUEST]: | ||
80 | (data->set.ftp_list_only?"NLST":"LIST")); | ||
81 | } | ||
82 | - else if(data->set.upload) { | ||
83 | + else if(data->state.upload) { | ||
84 | PPSENDF(&conn->proto.ftpc.pp, "PRET STOR %s", conn->proto.ftpc.file); | ||
85 | } | ||
86 | else { | ||
87 | @@ -3303,7 +3303,7 @@ static CURLcode ftp_done(struct connectd | ||
88 | /* the response code from the transfer showed an error already so no | ||
89 | use checking further */ | ||
90 | ; | ||
91 | - else if(data->set.upload) { | ||
92 | + else if(data->state.upload) { | ||
93 | if((-1 != data->state.infilesize) && | ||
94 | (data->state.infilesize != data->req.writebytecount) && | ||
95 | !data->set.crlf && | ||
96 | @@ -3570,7 +3570,7 @@ static CURLcode ftp_do_more(struct conne | ||
97 | connected back to us */ | ||
98 | } | ||
99 | } | ||
100 | - else if(data->set.upload) { | ||
101 | + else if(data->state.upload) { | ||
102 | result = ftp_nb_type(conn, data->set.prefer_ascii, FTP_STOR_TYPE); | ||
103 | if(result) | ||
104 | return result; | ||
105 | @@ -4209,7 +4209,7 @@ CURLcode ftp_parse_url_path(struct conne | ||
106 | ftpc->file = NULL; /* instead of point to a zero byte, | ||
107 | we make it a NULL pointer */ | ||
108 | |||
109 | - if(data->set.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) { | ||
110 | + if(data->state.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) { | ||
111 | /* We need a file name when uploading. Return error! */ | ||
112 | failf(data, "Uploading to a URL without a file name!"); | ||
113 | free(rawPath); | ||
114 | --- a/lib/http.c | ||
115 | +++ b/lib/http.c | ||
116 | @@ -2080,7 +2080,7 @@ CURLcode Curl_http(struct connectdata *c | ||
117 | } | ||
118 | |||
119 | if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) && | ||
120 | - data->set.upload) { | ||
121 | + data->state.upload) { | ||
122 | httpreq = HTTPREQ_PUT; | ||
123 | } | ||
124 | |||
125 | @@ -2261,7 +2261,7 @@ CURLcode Curl_http(struct connectdata *c | ||
126 | if((conn->handler->protocol & PROTO_FAMILY_HTTP) && | ||
127 | (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) && | ||
128 | http->postsize < 0) || | ||
129 | - ((data->set.upload || httpreq == HTTPREQ_POST) && | ||
130 | + ((data->state.upload || httpreq == HTTPREQ_POST) && | ||
131 | data->state.infilesize == -1))) { | ||
132 | if(conn->bits.authneg) | ||
133 | /* don't enable chunked during auth neg */ | ||
134 | --- a/lib/imap.c | ||
135 | +++ b/lib/imap.c | ||
136 | @@ -1469,11 +1469,11 @@ static CURLcode imap_done(struct connect | ||
137 | result = status; /* use the already set error code */ | ||
138 | } | ||
139 | else if(!data->set.connect_only && !imap->custom && | ||
140 | - (imap->uid || imap->mindex || data->set.upload || | ||
141 | + (imap->uid || imap->mindex || data->state.upload || | ||
142 | data->set.mimepost.kind != MIMEKIND_NONE)) { | ||
143 | /* Handle responses after FETCH or APPEND transfer has finished */ | ||
144 | |||
145 | - if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE) | ||
146 | + if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE) | ||
147 | state(conn, IMAP_FETCH_FINAL); | ||
148 | else { | ||
149 | /* End the APPEND command first by sending an empty line */ | ||
150 | @@ -1539,7 +1539,7 @@ static CURLcode imap_perform(struct conn | ||
151 | selected = TRUE; | ||
152 | |||
153 | /* Start the first command in the DO phase */ | ||
154 | - if(conn->data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE) | ||
155 | + if(conn->data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE) | ||
156 | /* APPEND can be executed directly */ | ||
157 | result = imap_perform_append(conn); | ||
158 | else if(imap->custom && (selected || !imap->mailbox)) | ||
159 | --- a/lib/rtsp.c | ||
160 | +++ b/lib/rtsp.c | ||
161 | @@ -499,7 +499,7 @@ static CURLcode rtsp_do(struct connectda | ||
162 | rtspreq == RTSPREQ_SET_PARAMETER || | ||
163 | rtspreq == RTSPREQ_GET_PARAMETER) { | ||
164 | |||
165 | - if(data->set.upload) { | ||
166 | + if(data->state.upload) { | ||
167 | putsize = data->state.infilesize; | ||
168 | data->set.httpreq = HTTPREQ_PUT; | ||
169 | |||
170 | @@ -518,7 +518,7 @@ static CURLcode rtsp_do(struct connectda | ||
171 | result = | ||
172 | Curl_add_bufferf(&req_buffer, | ||
173 | "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n", | ||
174 | - (data->set.upload ? putsize : postsize)); | ||
175 | + (data->state.upload ? putsize : postsize)); | ||
176 | if(result) | ||
177 | return result; | ||
178 | } | ||
179 | --- a/lib/setopt.c | ||
180 | +++ b/lib/setopt.c | ||
181 | @@ -258,8 +258,8 @@ CURLcode Curl_vsetopt(struct Curl_easy * | ||
182 | * We want to sent data to the remote host. If this is HTTP, that equals | ||
183 | * using the PUT request. | ||
184 | */ | ||
185 | - data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE; | ||
186 | - if(data->set.upload) { | ||
187 | + arg = va_arg(param, long); | ||
188 | + if(arg) { | ||
189 | /* If this is HTTP, PUT is what's needed to "upload" */ | ||
190 | data->set.httpreq = HTTPREQ_PUT; | ||
191 | data->set.opt_no_body = FALSE; /* this is implied */ | ||
192 | @@ -486,7 +486,6 @@ CURLcode Curl_vsetopt(struct Curl_easy * | ||
193 | } | ||
194 | else | ||
195 | data->set.httpreq = HTTPREQ_GET; | ||
196 | - data->set.upload = FALSE; | ||
197 | break; | ||
198 | |||
199 | case CURLOPT_COPYPOSTFIELDS: | ||
200 | @@ -797,7 +796,6 @@ CURLcode Curl_vsetopt(struct Curl_easy * | ||
201 | */ | ||
202 | if(va_arg(param, long)) { | ||
203 | data->set.httpreq = HTTPREQ_GET; | ||
204 | - data->set.upload = FALSE; /* switch off upload */ | ||
205 | data->set.opt_no_body = FALSE; /* this is implied */ | ||
206 | } | ||
207 | break; | ||
208 | --- a/lib/smb.c | ||
209 | +++ b/lib/smb.c | ||
210 | @@ -516,7 +516,7 @@ static CURLcode smb_send_open(struct con | ||
211 | byte_count = strlen(req->path); | ||
212 | msg.name_length = smb_swap16((unsigned short)byte_count); | ||
213 | msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL); | ||
214 | - if(conn->data->set.upload) { | ||
215 | + if(conn->data->state.upload) { | ||
216 | msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE); | ||
217 | msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF); | ||
218 | } | ||
219 | @@ -792,7 +792,7 @@ static CURLcode smb_request_state(struct | ||
220 | smb_m = (const struct smb_nt_create_response*) msg; | ||
221 | req->fid = smb_swap16(smb_m->fid); | ||
222 | conn->data->req.offset = 0; | ||
223 | - if(conn->data->set.upload) { | ||
224 | + if(conn->data->state.upload) { | ||
225 | conn->data->req.size = conn->data->state.infilesize; | ||
226 | Curl_pgrsSetUploadSize(conn->data, conn->data->req.size); | ||
227 | next_state = SMB_UPLOAD; | ||
228 | --- a/lib/smtp.c | ||
229 | +++ b/lib/smtp.c | ||
230 | @@ -1210,7 +1210,7 @@ static CURLcode smtp_done(struct connect | ||
231 | result = status; /* use the already set error code */ | ||
232 | } | ||
233 | else if(!data->set.connect_only && data->set.mail_rcpt && | ||
234 | - (data->set.upload || data->set.mimepost.kind)) { | ||
235 | + (data->state.upload || data->set.mimepost.kind)) { | ||
236 | /* Calculate the EOB taking into account any terminating CRLF from the | ||
237 | previous line of the email or the CRLF of the DATA command when there | ||
238 | is "no mail data". RFC-5321, sect. 4.1.1.4. | ||
239 | @@ -1297,7 +1297,7 @@ static CURLcode smtp_perform(struct conn | ||
240 | smtp->eob = 2; | ||
241 | |||
242 | /* Start the first command in the DO phase */ | ||
243 | - if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt) | ||
244 | + if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt) | ||
245 | /* MAIL transfer */ | ||
246 | result = smtp_perform_mail(conn); | ||
247 | else | ||
248 | --- a/lib/tftp.c | ||
249 | +++ b/lib/tftp.c | ||
250 | @@ -390,7 +390,7 @@ static CURLcode tftp_parse_option_ack(tf | ||
251 | |||
252 | /* tsize should be ignored on upload: Who cares about the size of the | ||
253 | remote file? */ | ||
254 | - if(!data->set.upload) { | ||
255 | + if(!data->state.upload) { | ||
256 | if(!tsize) { | ||
257 | failf(data, "invalid tsize -:%s:- value in OACK packet", value); | ||
258 | return CURLE_TFTP_ILLEGAL; | ||
259 | @@ -470,7 +470,7 @@ static CURLcode tftp_send_first(tftp_sta | ||
260 | return result; | ||
261 | } | ||
262 | |||
263 | - if(data->set.upload) { | ||
264 | + if(data->state.upload) { | ||
265 | /* If we are uploading, send an WRQ */ | ||
266 | setpacketevent(&state->spacket, TFTP_EVENT_WRQ); | ||
267 | state->conn->data->req.upload_fromhere = | ||
268 | @@ -505,7 +505,7 @@ static CURLcode tftp_send_first(tftp_sta | ||
269 | if(!data->set.tftp_no_options) { | ||
270 | char buf[64]; | ||
271 | /* add tsize option */ | ||
272 | - if(data->set.upload && (data->state.infilesize != -1)) | ||
273 | + if(data->state.upload && (data->state.infilesize != -1)) | ||
274 | msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T, | ||
275 | data->state.infilesize); | ||
276 | else | ||
277 | @@ -559,7 +559,7 @@ static CURLcode tftp_send_first(tftp_sta | ||
278 | break; | ||
279 | |||
280 | case TFTP_EVENT_OACK: | ||
281 | - if(data->set.upload) { | ||
282 | + if(data->state.upload) { | ||
283 | result = tftp_connect_for_tx(state, event); | ||
284 | } | ||
285 | else { | ||
286 | --- a/lib/transfer.c | ||
287 | +++ b/lib/transfer.c | ||
288 | @@ -1405,6 +1405,7 @@ void Curl_init_CONNECT(struct Curl_easy | ||
289 | { | ||
290 | data->state.fread_func = data->set.fread_func_set; | ||
291 | data->state.in = data->set.in_set; | ||
292 | + data->state.upload = (data->set.httpreq == HTTPREQ_PUT); | ||
293 | } | ||
294 | |||
295 | /* | ||
296 | @@ -1816,7 +1817,7 @@ CURLcode Curl_retry_request(struct conne | ||
297 | |||
298 | /* if we're talking upload, we can't do the checks below, unless the protocol | ||
299 | is HTTP as when uploading over HTTP we will still get a response */ | ||
300 | - if(data->set.upload && | ||
301 | + if(data->state.upload && | ||
302 | !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP))) | ||
303 | return CURLE_OK; | ||
304 | |||
305 | --- a/lib/urldata.h | ||
306 | +++ b/lib/urldata.h | ||
307 | @@ -1427,6 +1427,7 @@ struct UrlState { | ||
308 | BIT(stream_depends_e); /* set or don't set the Exclusive bit */ | ||
309 | BIT(previouslypending); /* this transfer WAS in the multi->pending queue */ | ||
310 | BIT(cookie_engine); | ||
311 | + BIT(upload); /* upload request */ | ||
312 | }; | ||
313 | |||
314 | |||
315 | @@ -1762,7 +1763,6 @@ struct UserDefined { | ||
316 | BIT(http_auto_referer); /* set "correct" referer when following | ||
317 | location: */ | ||
318 | BIT(opt_no_body); /* as set with CURLOPT_NOBODY */ | ||
319 | - BIT(upload); /* upload request */ | ||
320 | BIT(verbose); /* output verbosity */ | ||
321 | BIT(krb); /* Kerberos connection requested */ | ||
322 | BIT(reuse_forbid); /* forbidden to be reused, close after use */ | ||
323 | --- a/lib/vssh/libssh.c | ||
324 | +++ b/lib/vssh/libssh.c | ||
325 | @@ -1076,7 +1076,7 @@ static CURLcode myssh_statemach_act(stru | ||
326 | } | ||
327 | |||
328 | case SSH_SFTP_TRANS_INIT: | ||
329 | - if(data->set.upload) | ||
330 | + if(data->state.upload) | ||
331 | state(conn, SSH_SFTP_UPLOAD_INIT); | ||
332 | else { | ||
333 | if(protop->path[strlen(protop->path)-1] == '/') | ||
334 | @@ -1686,7 +1686,7 @@ static CURLcode myssh_statemach_act(stru | ||
335 | /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */ | ||
336 | ssh_set_blocking(sshc->ssh_session, 1); | ||
337 | |||
338 | - if(data->set.upload) { | ||
339 | + if(data->state.upload) { | ||
340 | if(data->state.infilesize < 0) { | ||
341 | failf(data, "SCP requires a known file size for upload"); | ||
342 | sshc->actualcode = CURLE_UPLOAD_FAILED; | ||
343 | @@ -1787,7 +1787,7 @@ static CURLcode myssh_statemach_act(stru | ||
344 | break; | ||
345 | } | ||
346 | case SSH_SCP_DONE: | ||
347 | - if(data->set.upload) | ||
348 | + if(data->state.upload) | ||
349 | state(conn, SSH_SCP_SEND_EOF); | ||
350 | else | ||
351 | state(conn, SSH_SCP_CHANNEL_FREE); | ||
352 | --- a/lib/vssh/libssh2.c | ||
353 | +++ b/lib/vssh/libssh2.c | ||
354 | @@ -1664,7 +1664,7 @@ static CURLcode ssh_statemach_act(struct | ||
355 | } | ||
356 | |||
357 | case SSH_SFTP_TRANS_INIT: | ||
358 | - if(data->set.upload) | ||
359 | + if(data->state.upload) | ||
360 | state(conn, SSH_SFTP_UPLOAD_INIT); | ||
361 | else { | ||
362 | if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/') | ||
363 | @@ -2366,7 +2366,7 @@ static CURLcode ssh_statemach_act(struct | ||
364 | break; | ||
365 | } | ||
366 | |||
367 | - if(data->set.upload) { | ||
368 | + if(data->state.upload) { | ||
369 | if(data->state.infilesize < 0) { | ||
370 | failf(data, "SCP requires a known file size for upload"); | ||
371 | sshc->actualcode = CURLE_UPLOAD_FAILED; | ||
372 | @@ -2504,7 +2504,7 @@ static CURLcode ssh_statemach_act(struct | ||
373 | break; | ||
374 | |||
375 | case SSH_SCP_DONE: | ||
376 | - if(data->set.upload) | ||
377 | + if(data->state.upload) | ||
378 | state(conn, SSH_SCP_SEND_EOF); | ||
379 | else | ||
380 | state(conn, SSH_SCP_CHANNEL_FREE); | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-32001.patch b/meta/recipes-support/curl/curl/CVE-2023-32001.patch new file mode 100644 index 0000000000..f533992bcd --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-32001.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From 0c667188e0c6cda615a036b8a2b4125f2c404dde Mon Sep 17 00:00:00 2001 | ||
2 | From: SaltyMilk <soufiane.elmelcaoui@gmail.com> | ||
3 | Date: Mon, 10 Jul 2023 21:43:28 +0200 | ||
4 | Subject: [PATCH] fopen: optimize | ||
5 | |||
6 | Closes #11419 | ||
7 | |||
8 | Upstream-Status: Backport [https://github.com/curl/curl/commit/0c667188e0c6cda615a036b8a2b4125f2c404dde] | ||
9 | CVE: CVE-2023-32001 | ||
10 | Signed-off-by: Ashish Sharma <asharma@mvista.com> | ||
11 | |||
12 | lib/fopen.c | 12 ++++++------ | ||
13 | 1 file changed, 6 insertions(+), 6 deletions(-) | ||
14 | |||
15 | diff --git a/lib/fopen.c b/lib/fopen.c | ||
16 | index c9c9e3d6e73a2..b6e3cadddef65 100644 | ||
17 | --- a/lib/fopen.c | ||
18 | +++ b/lib/fopen.c | ||
19 | @@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, | ||
20 | int fd = -1; | ||
21 | *tempname = NULL; | ||
22 | |||
23 | - if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { | ||
24 | - /* a non-regular file, fallback to direct fopen() */ | ||
25 | - *fh = fopen(filename, FOPEN_WRITETEXT); | ||
26 | - if(*fh) | ||
27 | - return CURLE_OK; | ||
28 | + *fh = fopen(filename, FOPEN_WRITETEXT); | ||
29 | + if(!*fh) | ||
30 | goto fail; | ||
31 | - } | ||
32 | + if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) | ||
33 | + return CURLE_OK; | ||
34 | + fclose(*fh); | ||
35 | + *fh = NULL; | ||
36 | |||
37 | result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); | ||
38 | if(result) | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-38545.patch b/meta/recipes-support/curl/curl/CVE-2023-38545.patch new file mode 100644 index 0000000000..c6b6726886 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-38545.patch | |||
@@ -0,0 +1,148 @@ | |||
1 | From 600a1caeb2312fdee5ef1caf7d613c12a8b2424a Mon Sep 17 00:00:00 2001 | ||
2 | From: Mike Crowe <mac@mcrowe.com> | ||
3 | Date: Wed, 11 Oct 2023 20:50:28 +0100 | ||
4 | Subject: [PATCH] socks: return error if hostname too long for remote resolve | ||
5 | To: libcurl development <curl-library@cool.haxx.se> | ||
6 | |||
7 | Prior to this change the state machine attempted to change the remote | ||
8 | resolve to a local resolve if the hostname was longer than 255 | ||
9 | characters. Unfortunately that did not work as intended and caused a | ||
10 | security issue. | ||
11 | |||
12 | Name resolvers cannot resolve hostnames longer than 255 characters. | ||
13 | |||
14 | Bug: https://curl.se/docs/CVE-2023-38545.html | ||
15 | |||
16 | Unfortunately CURLE_PROXY and CURLPX_LONG_HOSTNAME were introduced in | ||
17 | 7.73.0 so they can't be used in 7.69.1. Let's use | ||
18 | CURLE_COULDNT_RESOLVE_HOST as the best available alternative and update | ||
19 | the test appropriately. | ||
20 | |||
21 | libcurl's test support has been improved considerably since 7.69.1 which | ||
22 | means that the test must be modified to remove use of %VERSION and | ||
23 | %TESTNUMBER and the stderr output can no longer be checked. | ||
24 | |||
25 | CVE: CVE-2023-38545 | ||
26 | Upstream-Status: Backport [fb4415d8aee6c1045be932a34fe6107c2f5ed147] | ||
27 | Signed-off-by: Mike Crowe <mac@mcrowe.com> | ||
28 | --- | ||
29 | lib/socks.c | 13 +++++---- | ||
30 | tests/data/Makefile.inc | 2 +- | ||
31 | tests/data/test728 | 60 +++++++++++++++++++++++++++++++++++++++++ | ||
32 | 3 files changed, 69 insertions(+), 6 deletions(-) | ||
33 | create mode 100644 tests/data/test728 | ||
34 | |||
35 | diff --git a/lib/socks.c b/lib/socks.c | ||
36 | index 37099130e..f3bf40533 100644 | ||
37 | --- a/lib/socks.c | ||
38 | +++ b/lib/socks.c | ||
39 | @@ -521,11 +521,14 @@ CURLcode Curl_SOCKS5(const char *proxy_user, | ||
40 | infof(conn->data, "SOCKS5: connecting to HTTP proxy %s port %d\n", | ||
41 | hostname, remote_port); | ||
42 | |||
43 | - /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ | ||
44 | + /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet. */ | ||
45 | if(!socks5_resolve_local && hostname_len > 255) { | ||
46 | - infof(conn->data, "SOCKS5: server resolving disabled for hostnames of " | ||
47 | - "length > 255 [actual len=%zu]\n", hostname_len); | ||
48 | - socks5_resolve_local = TRUE; | ||
49 | + failf(data, "SOCKS5: the destination hostname is too long to be " | ||
50 | + "resolved remotely by the proxy."); | ||
51 | + /* This version of libcurl doesn't have CURLE_PROXY and | ||
52 | + * therefore CURLPX_LONG_HOSTNAME, so let's report the best we | ||
53 | + * can. */ | ||
54 | + return CURLE_COULDNT_RESOLVE_HOST; | ||
55 | } | ||
56 | |||
57 | if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) | ||
58 | @@ -837,7 +840,7 @@ CURLcode Curl_SOCKS5(const char *proxy_user, | ||
59 | |||
60 | if(!socks5_resolve_local) { | ||
61 | socksreq[len++] = 3; /* ATYP: domain name = 3 */ | ||
62 | - socksreq[len++] = (char) hostname_len; /* one byte address length */ | ||
63 | + socksreq[len++] = (unsigned char) hostname_len; /* one byte length */ | ||
64 | memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */ | ||
65 | len += hostname_len; | ||
66 | infof(data, "SOCKS5 connect to %s:%d (remotely resolved)\n", | ||
67 | diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
68 | index 3d8565c36..5ee2284ff 100644 | ||
69 | --- a/tests/data/Makefile.inc | ||
70 | +++ b/tests/data/Makefile.inc | ||
71 | @@ -89,7 +89,7 @@ test662 test663 test664 test665 test666 test667 test668 \ | ||
72 | test670 test671 test672 test673 \ | ||
73 | \ | ||
74 | test700 test701 test702 test703 test704 test705 test706 test707 test708 \ | ||
75 | -test709 test710 test711 test712 test713 test714 test715 test716 test717 \ | ||
76 | +test709 test710 test711 test712 test713 test714 test715 test716 test717 test728 \ | ||
77 | \ | ||
78 | test800 test801 test802 test803 test804 test805 test806 test807 test808 \ | ||
79 | test809 test810 test811 test812 test813 test814 test815 test816 test817 \ | ||
80 | diff --git a/tests/data/test728 b/tests/data/test728 | ||
81 | new file mode 100644 | ||
82 | index 000000000..7b1d8b2f3 | ||
83 | --- /dev/null | ||
84 | +++ b/tests/data/test728 | ||
85 | @@ -0,0 +1,60 @@ | ||
86 | +<testcase> | ||
87 | +<info> | ||
88 | +<keywords> | ||
89 | +HTTP | ||
90 | +HTTP GET | ||
91 | +SOCKS5 | ||
92 | +SOCKS5h | ||
93 | +followlocation | ||
94 | +</keywords> | ||
95 | +</info> | ||
96 | + | ||
97 | +# | ||
98 | +# Server-side | ||
99 | +<reply> | ||
100 | +# The hostname in this redirect is 256 characters and too long (> 255) for | ||
101 | +# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case. | ||
102 | +<data> | ||
103 | +HTTP/1.1 301 Moved Permanently | ||
104 | +Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ | ||
105 | +Content-Length: 0 | ||
106 | +Connection: close | ||
107 | + | ||
108 | +</data> | ||
109 | +</reply> | ||
110 | + | ||
111 | +# | ||
112 | +# Client-side | ||
113 | +<client> | ||
114 | +<features> | ||
115 | +proxy | ||
116 | +</features> | ||
117 | +<server> | ||
118 | +http | ||
119 | +socks5 | ||
120 | +</server> | ||
121 | + <name> | ||
122 | +SOCKS5h with HTTP redirect to hostname too long | ||
123 | + </name> | ||
124 | + <command> | ||
125 | +--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/728 | ||
126 | +</command> | ||
127 | +</client> | ||
128 | + | ||
129 | +# | ||
130 | +# Verify data after the test has been "shot" | ||
131 | +<verify> | ||
132 | +<strip> | ||
133 | +^User-Agent:.* | ||
134 | +</strip> | ||
135 | +<protocol> | ||
136 | +GET /728 HTTP/1.1 | ||
137 | +Host: %HOSTIP:%HTTPPORT | ||
138 | +Accept: */* | ||
139 | + | ||
140 | +</protocol> | ||
141 | +<errorcode> | ||
142 | +6 | ||
143 | +</errorcode> | ||
144 | +</verify> | ||
145 | +</testcase> | ||
146 | -- | ||
147 | 2.39.2 | ||
148 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-38546.patch b/meta/recipes-support/curl/curl/CVE-2023-38546.patch new file mode 100644 index 0000000000..30ef2fd038 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-38546.patch | |||
@@ -0,0 +1,132 @@ | |||
1 | From 7b67721f12cbe6ed1a41e7332f3b5a7186a5e23f Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Thu, 14 Sep 2023 23:28:32 +0200 | ||
4 | Subject: [PATCH] cookie: remove unnecessary struct fields | ||
5 | To: libcurl development <curl-library@cool.haxx.se> | ||
6 | |||
7 | Plus: reduce the hash table size from 256 to 63. It seems unlikely to | ||
8 | make much of a speed difference for most use cases but saves 1.5KB of | ||
9 | data per instance. | ||
10 | |||
11 | Closes #11862 | ||
12 | |||
13 | This patch taken from Debian's 7.64.0-4+deb10u7 package which applied with | ||
14 | only a little fuzz. | ||
15 | |||
16 | CVE: CVE-2023-38546 | ||
17 | Upstream-Status: Backport [61275672b46d9abb32857404] | ||
18 | Signed-off-by: Mike Crowe <mac@mcrowe.com> | ||
19 | --- | ||
20 | lib/cookie.c | 13 +------------ | ||
21 | lib/cookie.h | 7 ++----- | ||
22 | lib/easy.c | 4 +--- | ||
23 | 3 files changed, 4 insertions(+), 20 deletions(-) | ||
24 | |||
25 | diff --git a/lib/cookie.c b/lib/cookie.c | ||
26 | index 68054e1c4..a378f28e1 100644 | ||
27 | --- a/lib/cookie.c | ||
28 | +++ b/lib/cookie.c | ||
29 | @@ -114,7 +114,6 @@ static void freecookie(struct Cookie *co) | ||
30 | free(co->name); | ||
31 | free(co->value); | ||
32 | free(co->maxage); | ||
33 | - free(co->version); | ||
34 | free(co); | ||
35 | } | ||
36 | |||
37 | @@ -641,11 +640,7 @@ Curl_cookie_add(struct Curl_easy *data, | ||
38 | } | ||
39 | } | ||
40 | else if(strcasecompare("version", name)) { | ||
41 | - strstore(&co->version, whatptr); | ||
42 | - if(!co->version) { | ||
43 | - badcookie = TRUE; | ||
44 | - break; | ||
45 | - } | ||
46 | + /* just ignore */ | ||
47 | } | ||
48 | else if(strcasecompare("max-age", name)) { | ||
49 | /* Defined in RFC2109: | ||
50 | @@ -1042,7 +1037,6 @@ Curl_cookie_add(struct Curl_easy *data, | ||
51 | free(clist->path); | ||
52 | free(clist->spath); | ||
53 | free(clist->expirestr); | ||
54 | - free(clist->version); | ||
55 | free(clist->maxage); | ||
56 | |||
57 | *clist = *co; /* then store all the new data */ | ||
58 | @@ -1111,9 +1105,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, | ||
59 | c = calloc(1, sizeof(struct CookieInfo)); | ||
60 | if(!c) | ||
61 | return NULL; /* failed to get memory */ | ||
62 | - c->filename = strdup(file?file:"none"); /* copy the name just in case */ | ||
63 | - if(!c->filename) | ||
64 | - goto fail; /* failed to get memory */ | ||
65 | } | ||
66 | else { | ||
67 | /* we got an already existing one, use that */ | ||
68 | @@ -1241,7 +1232,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) | ||
69 | CLONE(name); | ||
70 | CLONE(value); | ||
71 | CLONE(maxage); | ||
72 | - CLONE(version); | ||
73 | d->expires = src->expires; | ||
74 | d->tailmatch = src->tailmatch; | ||
75 | d->secure = src->secure; | ||
76 | @@ -1457,7 +1447,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) | ||
77 | { | ||
78 | if(c) { | ||
79 | unsigned int i; | ||
80 | - free(c->filename); | ||
81 | for(i = 0; i < COOKIE_HASH_SIZE; i++) | ||
82 | Curl_cookie_freelist(c->cookies[i]); | ||
83 | free(c); /* free the base struct as well */ | ||
84 | diff --git a/lib/cookie.h b/lib/cookie.h | ||
85 | index b3865e601..2e667cda0 100644 | ||
86 | --- a/lib/cookie.h | ||
87 | +++ b/lib/cookie.h | ||
88 | @@ -36,8 +36,6 @@ struct Cookie { | ||
89 | char *expirestr; /* the plain text version */ | ||
90 | bool tailmatch; /* whether we do tail-matching of the domain name */ | ||
91 | |||
92 | - /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ | ||
93 | - char *version; /* Version = <value> */ | ||
94 | char *maxage; /* Max-Age = <value> */ | ||
95 | |||
96 | bool secure; /* whether the 'secure' keyword was used */ | ||
97 | @@ -54,15 +52,14 @@ struct Cookie { | ||
98 | #define COOKIE_PREFIX__SECURE (1<<0) | ||
99 | #define COOKIE_PREFIX__HOST (1<<1) | ||
100 | |||
101 | -#define COOKIE_HASH_SIZE 256 | ||
102 | +#define COOKIE_HASH_SIZE 63 | ||
103 | |||
104 | struct CookieInfo { | ||
105 | /* linked list of cookies we know of */ | ||
106 | struct Cookie *cookies[COOKIE_HASH_SIZE]; | ||
107 | |||
108 | - char *filename; /* file we read from/write to */ | ||
109 | bool running; /* state info, for cookie adding information */ | ||
110 | - long numcookies; /* number of cookies in the "jar" */ | ||
111 | + int numcookies; /* number of cookies in the "jar" */ | ||
112 | bool newsession; /* new session, discard session cookies on load */ | ||
113 | int lastct; /* last creation-time used in the jar */ | ||
114 | }; | ||
115 | diff --git a/lib/easy.c b/lib/easy.c | ||
116 | index b648e80c1..cdca0fb03 100644 | ||
117 | --- a/lib/easy.c | ||
118 | +++ b/lib/easy.c | ||
119 | @@ -840,9 +840,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) | ||
120 | if(data->cookies) { | ||
121 | /* If cookies are enabled in the parent handle, we enable them | ||
122 | in the clone as well! */ | ||
123 | - outcurl->cookies = Curl_cookie_init(data, | ||
124 | - data->cookies->filename, | ||
125 | - outcurl->cookies, | ||
126 | + outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, | ||
127 | data->set.cookiesession); | ||
128 | if(!outcurl->cookies) | ||
129 | goto fail; | ||
130 | -- | ||
131 | 2.39.2 | ||
132 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2023-46218.patch b/meta/recipes-support/curl/curl/CVE-2023-46218.patch new file mode 100644 index 0000000000..c9677b6a84 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-46218.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | CVE: CVE-2023-46218 | ||
2 | Upstream-Status: Backport [ import from ubuntu http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.68.0-1ubuntu2.21.debian.tar.xz upstream https://github.com/curl/curl/commit/2b0994c29a721c91c57 ] | ||
3 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
4 | |||
5 | Backport of: | ||
6 | |||
7 | From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001 | ||
8 | From: Daniel Stenberg <daniel@haxx.se> | ||
9 | Date: Thu, 23 Nov 2023 08:15:47 +0100 | ||
10 | Subject: [PATCH] cookie: lowercase the domain names before PSL checks | ||
11 | |||
12 | Reported-by: Harry Sintonen | ||
13 | |||
14 | Closes #12387 | ||
15 | --- | ||
16 | lib/cookie.c | 24 ++++++++++++++++-------- | ||
17 | 1 file changed, 16 insertions(+), 8 deletions(-) | ||
18 | |||
19 | --- a/lib/cookie.c | ||
20 | +++ b/lib/cookie.c | ||
21 | @@ -967,15 +967,23 @@ Curl_cookie_add(struct Curl_easy *data, | ||
22 | #ifdef USE_LIBPSL | ||
23 | /* Check if the domain is a Public Suffix and if yes, ignore the cookie. */ | ||
24 | if(domain && co->domain && !isip(co->domain)) { | ||
25 | - const psl_ctx_t *psl = Curl_psl_use(data); | ||
26 | - int acceptable; | ||
27 | - | ||
28 | - if(psl) { | ||
29 | - acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain); | ||
30 | - Curl_psl_release(data); | ||
31 | + bool acceptable = FALSE; | ||
32 | + char lcase[256]; | ||
33 | + char lcookie[256]; | ||
34 | + size_t dlen = strlen(domain); | ||
35 | + size_t clen = strlen(co->domain); | ||
36 | + if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) { | ||
37 | + const psl_ctx_t *psl = Curl_psl_use(data); | ||
38 | + if(psl) { | ||
39 | + /* the PSL check requires lowercase domain name and pattern */ | ||
40 | + Curl_strntolower(lcase, domain, dlen + 1); | ||
41 | + Curl_strntolower(lcookie, co->domain, clen + 1); | ||
42 | + acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie); | ||
43 | + Curl_psl_release(data); | ||
44 | + } | ||
45 | + else | ||
46 | + acceptable = !bad_domain(domain); | ||
47 | } | ||
48 | - else | ||
49 | - acceptable = !bad_domain(domain); | ||
50 | |||
51 | if(!acceptable) { | ||
52 | infof(data, "cookie '%s' dropped, domain '%s' must not " | ||
diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch b/meta/recipes-support/curl/curl/CVE-2024-2398.patch new file mode 100644 index 0000000000..a3840336f0 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch | |||
@@ -0,0 +1,88 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 | ||
4 | From: Stefan Eissing <stefan@eissing.org> | ||
5 | Date: Wed, 6 Mar 2024 09:36:08 +0100 | ||
6 | Subject: [PATCH] http2: push headers better cleanup | ||
7 | |||
8 | - provide common cleanup method for push headers | ||
9 | |||
10 | Closes #13054 | ||
11 | |||
12 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/focal-security | ||
13 | Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764] | ||
14 | CVE: CVE-2024-2398 | ||
15 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
16 | --- | ||
17 | lib/http2.c | 34 +++++++++++++++------------------- | ||
18 | 1 file changed, 15 insertions(+), 19 deletions(-) | ||
19 | |||
20 | --- a/lib/http2.c | ||
21 | +++ b/lib/http2.c | ||
22 | @@ -515,6 +515,15 @@ static struct Curl_easy *duphandle(struc | ||
23 | } | ||
24 | |||
25 | |||
26 | +static void free_push_headers(struct HTTP *stream) | ||
27 | +{ | ||
28 | + size_t i; | ||
29 | + for(i = 0; i<stream->push_headers_used; i++) | ||
30 | + free(stream->push_headers[i]); | ||
31 | + Curl_safefree(stream->push_headers); | ||
32 | + stream->push_headers_used = 0; | ||
33 | +} | ||
34 | + | ||
35 | static int push_promise(struct Curl_easy *data, | ||
36 | struct connectdata *conn, | ||
37 | const nghttp2_push_promise *frame) | ||
38 | @@ -528,7 +537,6 @@ static int push_promise(struct Curl_easy | ||
39 | struct curl_pushheaders heads; | ||
40 | CURLMcode rc; | ||
41 | struct http_conn *httpc; | ||
42 | - size_t i; | ||
43 | /* clone the parent */ | ||
44 | struct Curl_easy *newhandle = duphandle(data); | ||
45 | if(!newhandle) { | ||
46 | @@ -557,11 +565,7 @@ static int push_promise(struct Curl_easy | ||
47 | Curl_set_in_callback(data, false); | ||
48 | |||
49 | /* free the headers again */ | ||
50 | - for(i = 0; i<stream->push_headers_used; i++) | ||
51 | - free(stream->push_headers[i]); | ||
52 | - free(stream->push_headers); | ||
53 | - stream->push_headers = NULL; | ||
54 | - stream->push_headers_used = 0; | ||
55 | + free_push_headers(stream); | ||
56 | |||
57 | if(rv) { | ||
58 | /* denied, kill off the new handle again */ | ||
59 | @@ -995,10 +999,10 @@ static int on_header(nghttp2_session *se | ||
60 | stream->push_headers_alloc) { | ||
61 | char **headp; | ||
62 | stream->push_headers_alloc *= 2; | ||
63 | - headp = Curl_saferealloc(stream->push_headers, | ||
64 | - stream->push_headers_alloc * sizeof(char *)); | ||
65 | + headp = realloc(stream->push_headers, | ||
66 | + stream->push_headers_alloc * sizeof(char *)); | ||
67 | if(!headp) { | ||
68 | - stream->push_headers = NULL; | ||
69 | + free_push_headers(stream); | ||
70 | return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; | ||
71 | } | ||
72 | stream->push_headers = headp; | ||
73 | @@ -1179,14 +1183,7 @@ void Curl_http2_done(struct Curl_easy *d | ||
74 | if(http->header_recvbuf) { | ||
75 | Curl_add_buffer_free(&http->header_recvbuf); | ||
76 | Curl_add_buffer_free(&http->trailer_recvbuf); | ||
77 | - if(http->push_headers) { | ||
78 | - /* if they weren't used and then freed before */ | ||
79 | - for(; http->push_headers_used > 0; --http->push_headers_used) { | ||
80 | - free(http->push_headers[http->push_headers_used - 1]); | ||
81 | - } | ||
82 | - free(http->push_headers); | ||
83 | - http->push_headers = NULL; | ||
84 | - } | ||
85 | + free_push_headers(http); | ||
86 | } | ||
87 | |||
88 | if(!httpc->h2) /* not HTTP/2 ? */ | ||
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index c3d629108a..2f351d585a 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb | |||
@@ -1,4 +1,8 @@ | |||
1 | SUMMARY = "Command line tool and library for client-side URL transfers" | 1 | SUMMARY = "Command line tool and library for client-side URL transfers" |
2 | DESCRIPTION = "It uses URL syntax to transfer data to and from servers. \ | ||
3 | curl is a widely used because of its ability to be flexible and complete \ | ||
4 | complex tasks. For example, you can use curl for things like user authentication, \ | ||
5 | HTTP post, SSL connections, proxy support, FTP uploads, and more!" | ||
2 | HOMEPAGE = "http://curl.haxx.se/" | 6 | HOMEPAGE = "http://curl.haxx.se/" |
3 | BUGTRACKER = "http://curl.haxx.se/mail/list.cgi?list=curl-tracker" | 7 | BUGTRACKER = "http://curl.haxx.se/mail/list.cgi?list=curl-tracker" |
4 | SECTION = "console/network" | 8 | SECTION = "console/network" |
@@ -13,6 +17,48 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ | |||
13 | file://CVE-2020-8284.patch \ | 17 | file://CVE-2020-8284.patch \ |
14 | file://CVE-2020-8285.patch \ | 18 | file://CVE-2020-8285.patch \ |
15 | file://CVE-2020-8286.patch \ | 19 | file://CVE-2020-8286.patch \ |
20 | file://CVE-2021-22876.patch \ | ||
21 | file://CVE-2021-22890.patch \ | ||
22 | file://CVE-2021-22898.patch \ | ||
23 | file://CVE-2021-22924.patch \ | ||
24 | file://CVE-2021-22925.patch \ | ||
25 | file://CVE-2021-22946-pre1.patch \ | ||
26 | file://CVE-2021-22946.patch \ | ||
27 | file://CVE-2021-22947.patch \ | ||
28 | file://CVE-2022-27776.patch \ | ||
29 | file://CVE-2022-27775.patch \ | ||
30 | file://CVE-2022-22576.patch \ | ||
31 | file://CVE-2022-27774-1.patch \ | ||
32 | file://CVE-2022-27774-2.patch \ | ||
33 | file://CVE-2022-27774-3.patch \ | ||
34 | file://CVE-2022-27774-4.patch \ | ||
35 | file://CVE-2022-27781.patch \ | ||
36 | file://CVE-2022-27782-1.patch \ | ||
37 | file://CVE-2022-27782-2.patch \ | ||
38 | file://CVE-2022-32206.patch \ | ||
39 | file://CVE-2022-32207.patch \ | ||
40 | file://CVE-2022-32208.patch \ | ||
41 | file://CVE-2022-35252.patch \ | ||
42 | file://CVE-2022-32221.patch \ | ||
43 | file://CVE-2022-35260.patch \ | ||
44 | file://CVE-2022-43552.patch \ | ||
45 | file://CVE-2023-23916.patch \ | ||
46 | file://CVE-2023-27534-pre1.patch \ | ||
47 | file://CVE-2023-27534.patch \ | ||
48 | file://CVE-2023-27538.patch \ | ||
49 | file://CVE-2023-27533.patch \ | ||
50 | file://CVE-2023-27535-pre1.patch \ | ||
51 | file://CVE-2023-27535.patch \ | ||
52 | file://CVE-2023-27536.patch \ | ||
53 | file://CVE-2023-28320.patch \ | ||
54 | file://CVE-2023-28320-fol1.patch \ | ||
55 | file://CVE-2023-32001.patch \ | ||
56 | file://CVE-2023-38545.patch \ | ||
57 | file://CVE-2023-38546.patch \ | ||
58 | file://CVE-2023-28321.patch \ | ||
59 | file://CVE-2023-28322.patch \ | ||
60 | file://CVE-2023-46218.patch \ | ||
61 | file://CVE-2024-2398.patch \ | ||
16 | " | 62 | " |
17 | 63 | ||
18 | SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" | 64 | SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" |
@@ -20,6 +66,15 @@ SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a5 | |||
20 | 66 | ||
21 | # Curl has used many names over the years... | 67 | # Curl has used many names over the years... |
22 | CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" | 68 | CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" |
69 | CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-22945" | ||
70 | |||
71 | # As per link https://security-tracker.debian.org/tracker/CVE-2021-22897 | ||
72 | # and https://ubuntu.com/security/CVE-2021-22897 | ||
73 | # This CVE issue affects Windows only Hence whitelisting this CVE | ||
74 | CVE_CHECK_WHITELIST += "CVE-2021-22897" | ||
75 | |||
76 | # This CVE reports that apple had to upgrade curl because of other already reported CVEs | ||
77 | CVE_CHECK_WHITELIST += "CVE-2023-42915" | ||
23 | 78 | ||
24 | inherit autotools pkgconfig binconfig multilib_header | 79 | inherit autotools pkgconfig binconfig multilib_header |
25 | 80 | ||