diff options
Diffstat (limited to 'meta/recipes-support/curl')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2021-22945.patch | 35 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2021-22946.patch | 333 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2021-22947.patch | 357 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.75.0.bb | 8 |
4 files changed, 733 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22945.patch b/meta/recipes-support/curl/curl/CVE-2021-22945.patch new file mode 100644 index 0000000000..44c42632ed --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22945.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From 43157490a5054bd24256fe12876931e8abc9df49 Mon Sep 17 00:00:00 2001 | ||
2 | From: z2_ on hackerone <> | ||
3 | Date: Tue, 24 Aug 2021 09:50:33 +0200 | ||
4 | Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds | ||
5 | |||
6 | CVE-2021-22945 | ||
7 | |||
8 | Bug: https://curl.se/docs/CVE-2021-22945.html | ||
9 | |||
10 | Upstream-Status: Backport [https://github.com/curl/curl/commit/43157490a5054bd24256fe12876931e8abc9df49] | ||
11 | |||
12 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
13 | |||
14 | --- | ||
15 | lib/mqtt.c | 4 ++++ | ||
16 | 1 file changed, 4 insertions(+) | ||
17 | |||
18 | diff --git a/lib/mqtt.c b/lib/mqtt.c | ||
19 | index f077e6c3d..fcd40b41e 100644 | ||
20 | --- a/lib/mqtt.c | ||
21 | +++ b/lib/mqtt.c | ||
22 | @@ -128,6 +128,10 @@ static CURLcode mqtt_send(struct Curl_easy *data, | ||
23 | mq->sendleftovers = sendleftovers; | ||
24 | mq->nsend = nsend; | ||
25 | } | ||
26 | + else { | ||
27 | + mq->sendleftovers = NULL; | ||
28 | + mq->nsend = 0; | ||
29 | + } | ||
30 | return result; | ||
31 | } | ||
32 | |||
33 | -- | ||
34 | 2.34.1 | ||
35 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946.patch b/meta/recipes-support/curl/curl/CVE-2021-22946.patch new file mode 100644 index 0000000000..1cb95f0ea7 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22946.patch | |||
@@ -0,0 +1,333 @@ | |||
1 | From 7c6e072216001fb1280d1868adfdcb54e3372ce7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Patrick Monnerat <patrick@monnerat.net> | ||
3 | Date: Wed, 8 Sep 2021 11:56:22 +0200 | ||
4 | Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd | ||
5 | |||
6 | In imap and pop3, check if TLS is required even when capabilities | ||
7 | request has failed. | ||
8 | |||
9 | In ftp, ignore preauthentication (230 status of server greeting) if TLS | ||
10 | is required. | ||
11 | |||
12 | Bug: https://curl.se/docs/CVE-2021-22946.html | ||
13 | |||
14 | CVE-2021-22946 | ||
15 | |||
16 | Upstream-Status: Backport [https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca] | ||
17 | |||
18 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
19 | |||
20 | --- | ||
21 | lib/ftp.c | 9 ++++--- | ||
22 | lib/imap.c | 24 ++++++++---------- | ||
23 | lib/pop3.c | 33 +++++++++++------------- | ||
24 | tests/data/Makefile.inc | 2 ++ | ||
25 | tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++ | ||
26 | tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++ | ||
27 | tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++ | ||
28 | 7 files changed, 195 insertions(+), 36 deletions(-) | ||
29 | create mode 100644 tests/data/test984 | ||
30 | create mode 100644 tests/data/test985 | ||
31 | create mode 100644 tests/data/test986 | ||
32 | |||
33 | diff --git a/lib/ftp.c b/lib/ftp.c | ||
34 | index 3818a9e..8b3fe1d 100644 | ||
35 | --- a/lib/ftp.c | ||
36 | +++ b/lib/ftp.c | ||
37 | @@ -2665,9 +2665,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data, | ||
38 | /* we have now received a full FTP server response */ | ||
39 | switch(ftpc->state) { | ||
40 | case FTP_WAIT220: | ||
41 | - if(ftpcode == 230) | ||
42 | - /* 230 User logged in - already! */ | ||
43 | - return ftp_state_user_resp(data, ftpcode, ftpc->state); | ||
44 | + if(ftpcode == 230) { | ||
45 | + /* 230 User logged in - already! Take as 220 if TLS required. */ | ||
46 | + if(data->set.use_ssl <= CURLUSESSL_TRY || | ||
47 | + conn->bits.ftp_use_control_ssl) | ||
48 | + return ftp_state_user_resp(data, ftpcode, ftpc->state); | ||
49 | + } | ||
50 | else if(ftpcode != 220) { | ||
51 | failf(data, "Got a %03d ftp-server response when 220 was expected", | ||
52 | ftpcode); | ||
53 | diff --git a/lib/imap.c b/lib/imap.c | ||
54 | index 2d80699..b056208 100644 | ||
55 | --- a/lib/imap.c | ||
56 | +++ b/lib/imap.c | ||
57 | @@ -933,22 +933,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data, | ||
58 | line += wordlen; | ||
59 | } | ||
60 | } | ||
61 | - else if(imapcode == IMAP_RESP_OK) { | ||
62 | - if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { | ||
63 | - /* We don't have a SSL/TLS connection yet, but SSL is requested */ | ||
64 | - if(imapc->tls_supported) | ||
65 | - /* Switch to TLS connection now */ | ||
66 | - result = imap_perform_starttls(data, conn); | ||
67 | - else if(data->set.use_ssl == CURLUSESSL_TRY) | ||
68 | - /* Fallback and carry on with authentication */ | ||
69 | - result = imap_perform_authentication(data, conn); | ||
70 | - else { | ||
71 | - failf(data, "STARTTLS not supported."); | ||
72 | - result = CURLE_USE_SSL_FAILED; | ||
73 | - } | ||
74 | + else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { | ||
75 | + /* PREAUTH is not compatible with STARTTLS. */ | ||
76 | + if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) { | ||
77 | + /* Switch to TLS connection now */ | ||
78 | + result = imap_perform_starttls(data, conn); | ||
79 | } | ||
80 | - else | ||
81 | + else if(data->set.use_ssl <= CURLUSESSL_TRY) | ||
82 | result = imap_perform_authentication(data, conn); | ||
83 | + else { | ||
84 | + failf(data, "STARTTLS not available."); | ||
85 | + result = CURLE_USE_SSL_FAILED; | ||
86 | + } | ||
87 | } | ||
88 | else | ||
89 | result = imap_perform_authentication(data, conn); | ||
90 | diff --git a/lib/pop3.c b/lib/pop3.c | ||
91 | index 0ed3d3e..018fda1 100644 | ||
92 | --- a/lib/pop3.c | ||
93 | +++ b/lib/pop3.c | ||
94 | @@ -738,28 +738,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code, | ||
95 | } | ||
96 | } | ||
97 | } | ||
98 | - else if(pop3code == '+') { | ||
99 | - if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { | ||
100 | - /* We don't have a SSL/TLS connection yet, but SSL is requested */ | ||
101 | - if(pop3c->tls_supported) | ||
102 | - /* Switch to TLS connection now */ | ||
103 | - result = pop3_perform_starttls(data, conn); | ||
104 | - else if(data->set.use_ssl == CURLUSESSL_TRY) | ||
105 | - /* Fallback and carry on with authentication */ | ||
106 | - result = pop3_perform_authentication(data, conn); | ||
107 | - else { | ||
108 | - failf(data, "STLS not supported."); | ||
109 | - result = CURLE_USE_SSL_FAILED; | ||
110 | - } | ||
111 | - } | ||
112 | - else | ||
113 | - result = pop3_perform_authentication(data, conn); | ||
114 | - } | ||
115 | else { | ||
116 | /* Clear text is supported when CAPA isn't recognised */ | ||
117 | - pop3c->authtypes |= POP3_TYPE_CLEARTEXT; | ||
118 | + if(pop3code != '+') | ||
119 | + pop3c->authtypes |= POP3_TYPE_CLEARTEXT; | ||
120 | |||
121 | - result = pop3_perform_authentication(data, conn); | ||
122 | + if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use) | ||
123 | + result = pop3_perform_authentication(data, conn); | ||
124 | + else if(pop3code == '+' && pop3c->tls_supported) | ||
125 | + /* Switch to TLS connection now */ | ||
126 | + result = pop3_perform_starttls(data, conn); | ||
127 | + else if(data->set.use_ssl <= CURLUSESSL_TRY) | ||
128 | + /* Fallback and carry on with authentication */ | ||
129 | + result = pop3_perform_authentication(data, conn); | ||
130 | + else { | ||
131 | + failf(data, "STLS not supported."); | ||
132 | + result = CURLE_USE_SSL_FAILED; | ||
133 | + } | ||
134 | } | ||
135 | |||
136 | return result; | ||
137 | diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
138 | index e08cfc7..e6e2551 100644 | ||
139 | --- a/tests/data/Makefile.inc | ||
140 | +++ b/tests/data/Makefile.inc | ||
141 | @@ -115,6 +115,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ | ||
142 | test954 test955 test956 test957 test958 test959 test960 test961 test962 \ | ||
143 | test963 test964 test965 test966 test967 test968 test969 test970 test971 \ | ||
144 | \ | ||
145 | +test984 test985 test986 \ | ||
146 | +\ | ||
147 | test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ | ||
148 | test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ | ||
149 | test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ | ||
150 | diff --git a/tests/data/test984 b/tests/data/test984 | ||
151 | new file mode 100644 | ||
152 | index 0000000..e573f23 | ||
153 | --- /dev/null | ||
154 | +++ b/tests/data/test984 | ||
155 | @@ -0,0 +1,56 @@ | ||
156 | +<testcase> | ||
157 | +<info> | ||
158 | +<keywords> | ||
159 | +IMAP | ||
160 | +STARTTLS | ||
161 | +</keywords> | ||
162 | +</info> | ||
163 | + | ||
164 | +# | ||
165 | +# Server-side | ||
166 | +<reply> | ||
167 | +<servercmd> | ||
168 | +REPLY CAPABILITY A001 BAD Not implemented | ||
169 | +</servercmd> | ||
170 | +</reply> | ||
171 | + | ||
172 | +# | ||
173 | +# Client-side | ||
174 | +<client> | ||
175 | +<features> | ||
176 | +SSL | ||
177 | +</features> | ||
178 | +<server> | ||
179 | +imap | ||
180 | +</server> | ||
181 | + <name> | ||
182 | +IMAP require STARTTLS with failing capabilities | ||
183 | + </name> | ||
184 | + <command> | ||
185 | +imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd | ||
186 | +</command> | ||
187 | +<file name="log/upload%TESTNUMBER"> | ||
188 | +Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) | ||
189 | +From: Fred Foobar <foobar@example.COM> | ||
190 | +Subject: afternoon meeting | ||
191 | +To: joe@example.com | ||
192 | +Message-Id: <B27397-0100000@example.COM> | ||
193 | +MIME-Version: 1.0 | ||
194 | +Content-Type: TEXT/PLAIN; CHARSET=US-ASCII | ||
195 | + | ||
196 | +Hello Joe, do you think we can meet at 3:30 tomorrow? | ||
197 | +</file> | ||
198 | +</client> | ||
199 | + | ||
200 | +# | ||
201 | +# Verify data after the test has been "shot" | ||
202 | +<verify> | ||
203 | +# 64 is CURLE_USE_SSL_FAILED | ||
204 | +<errorcode> | ||
205 | +64 | ||
206 | +</errorcode> | ||
207 | +<protocol> | ||
208 | +A001 CAPABILITY | ||
209 | +</protocol> | ||
210 | +</verify> | ||
211 | +</testcase> | ||
212 | diff --git a/tests/data/test985 b/tests/data/test985 | ||
213 | new file mode 100644 | ||
214 | index 0000000..d0db4aa | ||
215 | --- /dev/null | ||
216 | +++ b/tests/data/test985 | ||
217 | @@ -0,0 +1,54 @@ | ||
218 | +<testcase> | ||
219 | +<info> | ||
220 | +<keywords> | ||
221 | +POP3 | ||
222 | +STARTTLS | ||
223 | +</keywords> | ||
224 | +</info> | ||
225 | + | ||
226 | +# | ||
227 | +# Server-side | ||
228 | +<reply> | ||
229 | +<servercmd> | ||
230 | +REPLY CAPA -ERR Not implemented | ||
231 | +</servercmd> | ||
232 | +<data nocheck="yes"> | ||
233 | +From: me@somewhere | ||
234 | +To: fake@nowhere | ||
235 | + | ||
236 | +body | ||
237 | + | ||
238 | +-- | ||
239 | + yours sincerely | ||
240 | +</data> | ||
241 | +</reply> | ||
242 | + | ||
243 | +# | ||
244 | +# Client-side | ||
245 | +<client> | ||
246 | +<features> | ||
247 | +SSL | ||
248 | +</features> | ||
249 | +<server> | ||
250 | +pop3 | ||
251 | +</server> | ||
252 | + <name> | ||
253 | +POP3 require STARTTLS with failing capabilities | ||
254 | + </name> | ||
255 | + <command> | ||
256 | +pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd | ||
257 | + </command> | ||
258 | +</client> | ||
259 | + | ||
260 | +# | ||
261 | +# Verify data after the test has been "shot" | ||
262 | +<verify> | ||
263 | +# 64 is CURLE_USE_SSL_FAILED | ||
264 | +<errorcode> | ||
265 | +64 | ||
266 | +</errorcode> | ||
267 | +<protocol> | ||
268 | +CAPA | ||
269 | +</protocol> | ||
270 | +</verify> | ||
271 | +</testcase> | ||
272 | diff --git a/tests/data/test986 b/tests/data/test986 | ||
273 | new file mode 100644 | ||
274 | index 0000000..a709437 | ||
275 | --- /dev/null | ||
276 | +++ b/tests/data/test986 | ||
277 | @@ -0,0 +1,53 @@ | ||
278 | +<testcase> | ||
279 | +<info> | ||
280 | +<keywords> | ||
281 | +FTP | ||
282 | +STARTTLS | ||
283 | +</keywords> | ||
284 | +</info> | ||
285 | + | ||
286 | +# | ||
287 | +# Server-side | ||
288 | +<reply> | ||
289 | +<servercmd> | ||
290 | +REPLY welcome 230 Welcome | ||
291 | +REPLY AUTH 500 unknown command | ||
292 | +</servercmd> | ||
293 | +</reply> | ||
294 | + | ||
295 | +# Client-side | ||
296 | +<client> | ||
297 | +<features> | ||
298 | +SSL | ||
299 | +</features> | ||
300 | +<server> | ||
301 | +ftp | ||
302 | +</server> | ||
303 | + <name> | ||
304 | +FTP require STARTTLS while preauthenticated | ||
305 | + </name> | ||
306 | +<file name="log/test%TESTNUMBER.txt"> | ||
307 | +data | ||
308 | + to | ||
309 | + see | ||
310 | +that FTPS | ||
311 | +works | ||
312 | + so does it? | ||
313 | +</file> | ||
314 | + <command> | ||
315 | +--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret | ||
316 | +</command> | ||
317 | +</client> | ||
318 | + | ||
319 | +# Verify data after the test has been "shot" | ||
320 | +<verify> | ||
321 | +# 64 is CURLE_USE_SSL_FAILED | ||
322 | +<errorcode> | ||
323 | +64 | ||
324 | +</errorcode> | ||
325 | +<protocol> | ||
326 | +AUTH SSL | ||
327 | +AUTH TLS | ||
328 | +</protocol> | ||
329 | +</verify> | ||
330 | +</testcase> | ||
331 | -- | ||
332 | 2.34.1 | ||
333 | |||
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22947.patch b/meta/recipes-support/curl/curl/CVE-2021-22947.patch new file mode 100644 index 0000000000..9bd9890d72 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22947.patch | |||
@@ -0,0 +1,357 @@ | |||
1 | From f3f2d2554d09ca0e13039e4915b83faaa55961c4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Patrick Monnerat <patrick@monnerat.net> | ||
3 | Date: Tue, 7 Sep 2021 13:26:42 +0200 | ||
4 | Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response | ||
5 | |||
6 | pipelining | ||
7 | |||
8 | If a server pipelines future responses within the STARTTLS response, the | ||
9 | former are preserved in the pingpong cache across TLS negotiation and | ||
10 | used as responses to the encrypted commands. | ||
11 | |||
12 | This fix detects pipelined STARTTLS responses and rejects them with an | ||
13 | error. | ||
14 | |||
15 | CVE-2021-22947 | ||
16 | |||
17 | Bug: https://curl.se/docs/CVE-2021-22947.html | ||
18 | |||
19 | Upstream-Status: Backport [https://github.com/curl/curl/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68] | ||
20 | |||
21 | Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> | ||
22 | |||
23 | --- | ||
24 | lib/ftp.c | 3 +++ | ||
25 | lib/imap.c | 4 +++ | ||
26 | lib/pop3.c | 4 +++ | ||
27 | lib/smtp.c | 4 +++ | ||
28 | tests/data/Makefile.inc | 2 +- | ||
29 | tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++ | ||
30 | tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++ | ||
31 | tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++ | ||
32 | tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++ | ||
33 | 9 files changed, 236 insertions(+), 1 deletion(-) | ||
34 | create mode 100644 tests/data/test980 | ||
35 | create mode 100644 tests/data/test981 | ||
36 | create mode 100644 tests/data/test982 | ||
37 | create mode 100644 tests/data/test983 | ||
38 | |||
39 | diff --git a/lib/ftp.c b/lib/ftp.c | ||
40 | index 8b3fe1d..a55566a 100644 | ||
41 | --- a/lib/ftp.c | ||
42 | +++ b/lib/ftp.c | ||
43 | @@ -2727,6 +2727,9 @@ static CURLcode ftp_statemachine(struct Curl_easy *data, | ||
44 | case FTP_AUTH: | ||
45 | /* we have gotten the response to a previous AUTH command */ | ||
46 | |||
47 | + if(pp->cache_size) | ||
48 | + return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */ | ||
49 | + | ||
50 | /* RFC2228 (page 5) says: | ||
51 | * | ||
52 | * If the server is willing to accept the named security mechanism, | ||
53 | diff --git a/lib/imap.c b/lib/imap.c | ||
54 | index b056208..9230f17 100644 | ||
55 | --- a/lib/imap.c | ||
56 | +++ b/lib/imap.c | ||
57 | @@ -962,6 +962,10 @@ static CURLcode imap_state_starttls_resp(struct Curl_easy *data, | ||
58 | |||
59 | (void)instate; /* no use for this yet */ | ||
60 | |||
61 | + /* Pipelining in response is forbidden. */ | ||
62 | + if(data->conn->proto.imapc.pp.cache_size) | ||
63 | + return CURLE_WEIRD_SERVER_REPLY; | ||
64 | + | ||
65 | if(imapcode != IMAP_RESP_OK) { | ||
66 | if(data->set.use_ssl != CURLUSESSL_TRY) { | ||
67 | failf(data, "STARTTLS denied"); | ||
68 | diff --git a/lib/pop3.c b/lib/pop3.c | ||
69 | index 018fda1..4f953f7 100644 | ||
70 | --- a/lib/pop3.c | ||
71 | +++ b/lib/pop3.c | ||
72 | @@ -769,6 +769,10 @@ static CURLcode pop3_state_starttls_resp(struct Curl_easy *data, | ||
73 | CURLcode result = CURLE_OK; | ||
74 | (void)instate; /* no use for this yet */ | ||
75 | |||
76 | + /* Pipelining in response is forbidden. */ | ||
77 | + if(data->conn->proto.pop3c.pp.cache_size) | ||
78 | + return CURLE_WEIRD_SERVER_REPLY; | ||
79 | + | ||
80 | if(pop3code != '+') { | ||
81 | if(data->set.use_ssl != CURLUSESSL_TRY) { | ||
82 | failf(data, "STARTTLS denied"); | ||
83 | diff --git a/lib/smtp.c b/lib/smtp.c | ||
84 | index 1fc8800..51445f6 100644 | ||
85 | --- a/lib/smtp.c | ||
86 | +++ b/lib/smtp.c | ||
87 | @@ -832,6 +832,10 @@ static CURLcode smtp_state_starttls_resp(struct Curl_easy *data, | ||
88 | CURLcode result = CURLE_OK; | ||
89 | (void)instate; /* no use for this yet */ | ||
90 | |||
91 | + /* Pipelining in response is forbidden. */ | ||
92 | + if(data->conn->proto.smtpc.pp.cache_size) | ||
93 | + return CURLE_WEIRD_SERVER_REPLY; | ||
94 | + | ||
95 | if(smtpcode != 220) { | ||
96 | if(data->set.use_ssl != CURLUSESSL_TRY) { | ||
97 | failf(data, "STARTTLS denied, code %d", smtpcode); | ||
98 | diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
99 | index e6e2551..22d7a0b 100644 | ||
100 | --- a/tests/data/Makefile.inc | ||
101 | +++ b/tests/data/Makefile.inc | ||
102 | @@ -115,7 +115,7 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ | ||
103 | test954 test955 test956 test957 test958 test959 test960 test961 test962 \ | ||
104 | test963 test964 test965 test966 test967 test968 test969 test970 test971 \ | ||
105 | \ | ||
106 | -test984 test985 test986 \ | ||
107 | +test980 test981 test982 test983 test984 test985 test986 \ | ||
108 | \ | ||
109 | test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ | ||
110 | test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ | ||
111 | diff --git a/tests/data/test980 b/tests/data/test980 | ||
112 | new file mode 100644 | ||
113 | index 0000000..97567f8 | ||
114 | --- /dev/null | ||
115 | +++ b/tests/data/test980 | ||
116 | @@ -0,0 +1,52 @@ | ||
117 | +<testcase> | ||
118 | +<info> | ||
119 | +<keywords> | ||
120 | +SMTP | ||
121 | +STARTTLS | ||
122 | +</keywords> | ||
123 | +</info> | ||
124 | + | ||
125 | +# | ||
126 | +# Server-side | ||
127 | +<reply> | ||
128 | +<servercmd> | ||
129 | +CAPA STARTTLS | ||
130 | +AUTH PLAIN | ||
131 | +REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted | ||
132 | +REPLY AUTH 535 5.7.8 Authentication credentials invalid | ||
133 | +</servercmd> | ||
134 | +</reply> | ||
135 | + | ||
136 | +# | ||
137 | +# Client-side | ||
138 | +<client> | ||
139 | +<features> | ||
140 | +SSL | ||
141 | +</features> | ||
142 | +<server> | ||
143 | +smtp | ||
144 | +</server> | ||
145 | + <name> | ||
146 | +SMTP STARTTLS pipelined server response | ||
147 | + </name> | ||
148 | +<stdin> | ||
149 | +mail body | ||
150 | +</stdin> | ||
151 | + <command> | ||
152 | +smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T - | ||
153 | +</command> | ||
154 | +</client> | ||
155 | + | ||
156 | +# | ||
157 | +# Verify data after the test has been "shot" | ||
158 | +<verify> | ||
159 | +# 8 is CURLE_WEIRD_SERVER_REPLY | ||
160 | +<errorcode> | ||
161 | +8 | ||
162 | +</errorcode> | ||
163 | +<protocol> | ||
164 | +EHLO %TESTNUMBER | ||
165 | +STARTTLS | ||
166 | +</protocol> | ||
167 | +</verify> | ||
168 | +</testcase> | ||
169 | diff --git a/tests/data/test981 b/tests/data/test981 | ||
170 | new file mode 100644 | ||
171 | index 0000000..2b98ce4 | ||
172 | --- /dev/null | ||
173 | +++ b/tests/data/test981 | ||
174 | @@ -0,0 +1,59 @@ | ||
175 | +<testcase> | ||
176 | +<info> | ||
177 | +<keywords> | ||
178 | +IMAP | ||
179 | +STARTTLS | ||
180 | +</keywords> | ||
181 | +</info> | ||
182 | + | ||
183 | +# | ||
184 | +# Server-side | ||
185 | +<reply> | ||
186 | +<servercmd> | ||
187 | +CAPA STARTTLS | ||
188 | +REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted | ||
189 | +REPLY LOGIN A003 BAD Authentication credentials invalid | ||
190 | +</servercmd> | ||
191 | +</reply> | ||
192 | + | ||
193 | +# | ||
194 | +# Client-side | ||
195 | +<client> | ||
196 | +<features> | ||
197 | +SSL | ||
198 | +</features> | ||
199 | +<server> | ||
200 | +imap | ||
201 | +</server> | ||
202 | + <name> | ||
203 | +IMAP STARTTLS pipelined server response | ||
204 | + </name> | ||
205 | + <command> | ||
206 | +imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl | ||
207 | +</command> | ||
208 | +<file name="log/upload%TESTNUMBER"> | ||
209 | +Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) | ||
210 | +From: Fred Foobar <foobar@example.COM> | ||
211 | +Subject: afternoon meeting | ||
212 | +To: joe@example.com | ||
213 | +Message-Id: <B27397-0100000@example.COM> | ||
214 | +MIME-Version: 1.0 | ||
215 | +Content-Type: TEXT/PLAIN; CHARSET=US-ASCII | ||
216 | + | ||
217 | +Hello Joe, do you think we can meet at 3:30 tomorrow? | ||
218 | +</file> | ||
219 | +</client> | ||
220 | + | ||
221 | +# | ||
222 | +# Verify data after the test has been "shot" | ||
223 | +<verify> | ||
224 | +# 8 is CURLE_WEIRD_SERVER_REPLY | ||
225 | +<errorcode> | ||
226 | +8 | ||
227 | +</errorcode> | ||
228 | +<protocol> | ||
229 | +A001 CAPABILITY | ||
230 | +A002 STARTTLS | ||
231 | +</protocol> | ||
232 | +</verify> | ||
233 | +</testcase> | ||
234 | diff --git a/tests/data/test982 b/tests/data/test982 | ||
235 | new file mode 100644 | ||
236 | index 0000000..9e07cc0 | ||
237 | --- /dev/null | ||
238 | +++ b/tests/data/test982 | ||
239 | @@ -0,0 +1,57 @@ | ||
240 | +<testcase> | ||
241 | +<info> | ||
242 | +<keywords> | ||
243 | +POP3 | ||
244 | +STARTTLS | ||
245 | +</keywords> | ||
246 | +</info> | ||
247 | + | ||
248 | +# | ||
249 | +# Server-side | ||
250 | +<reply> | ||
251 | +<servercmd> | ||
252 | +CAPA STLS USER | ||
253 | +REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated | ||
254 | +REPLY PASS -ERR Authentication credentials invalid | ||
255 | +</servercmd> | ||
256 | +<data nocheck="yes"> | ||
257 | +From: me@somewhere | ||
258 | +To: fake@nowhere | ||
259 | + | ||
260 | +body | ||
261 | + | ||
262 | +-- | ||
263 | + yours sincerely | ||
264 | +</data> | ||
265 | +</reply> | ||
266 | + | ||
267 | +# | ||
268 | +# Client-side | ||
269 | +<client> | ||
270 | +<features> | ||
271 | +SSL | ||
272 | +</features> | ||
273 | +<server> | ||
274 | +pop3 | ||
275 | +</server> | ||
276 | + <name> | ||
277 | +POP3 STARTTLS pipelined server response | ||
278 | + </name> | ||
279 | + <command> | ||
280 | +pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl | ||
281 | + </command> | ||
282 | +</client> | ||
283 | + | ||
284 | +# | ||
285 | +# Verify data after the test has been "shot" | ||
286 | +<verify> | ||
287 | +# 8 is CURLE_WEIRD_SERVER_REPLY | ||
288 | +<errorcode> | ||
289 | +8 | ||
290 | +</errorcode> | ||
291 | +<protocol> | ||
292 | +CAPA | ||
293 | +STLS | ||
294 | +</protocol> | ||
295 | +</verify> | ||
296 | +</testcase> | ||
297 | diff --git a/tests/data/test983 b/tests/data/test983 | ||
298 | new file mode 100644 | ||
299 | index 0000000..300ec45 | ||
300 | --- /dev/null | ||
301 | +++ b/tests/data/test983 | ||
302 | @@ -0,0 +1,52 @@ | ||
303 | +<testcase> | ||
304 | +<info> | ||
305 | +<keywords> | ||
306 | +FTP | ||
307 | +STARTTLS | ||
308 | +</keywords> | ||
309 | +</info> | ||
310 | + | ||
311 | +# | ||
312 | +# Server-side | ||
313 | +<reply> | ||
314 | +<servercmd> | ||
315 | +REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete | ||
316 | +REPLY PASS 530 Login incorrect | ||
317 | +</servercmd> | ||
318 | +</reply> | ||
319 | + | ||
320 | +# Client-side | ||
321 | +<client> | ||
322 | +<features> | ||
323 | +SSL | ||
324 | +</features> | ||
325 | +<server> | ||
326 | +ftp | ||
327 | +</server> | ||
328 | + <name> | ||
329 | +FTP STARTTLS pipelined server response | ||
330 | + </name> | ||
331 | +<file name="log/test%TESTNUMBER.txt"> | ||
332 | +data | ||
333 | + to | ||
334 | + see | ||
335 | +that FTPS | ||
336 | +works | ||
337 | + so does it? | ||
338 | +</file> | ||
339 | + <command> | ||
340 | +--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP | ||
341 | +</command> | ||
342 | +</client> | ||
343 | + | ||
344 | +# Verify data after the test has been "shot" | ||
345 | +<verify> | ||
346 | +# 8 is CURLE_WEIRD_SERVER_REPLY | ||
347 | +<errorcode> | ||
348 | +8 | ||
349 | +</errorcode> | ||
350 | +<protocol> | ||
351 | +AUTH SSL | ||
352 | +</protocol> | ||
353 | +</verify> | ||
354 | +</testcase> | ||
355 | -- | ||
356 | 2.34.1 | ||
357 | |||
diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb index d64e5e1f79..accede604c 100644 --- a/meta/recipes-support/curl/curl_7.75.0.bb +++ b/meta/recipes-support/curl/curl_7.75.0.bb | |||
@@ -21,6 +21,9 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ | |||
21 | file://CVE-2021-22901.patch \ | 21 | file://CVE-2021-22901.patch \ |
22 | file://CVE-2021-22924.patch \ | 22 | file://CVE-2021-22924.patch \ |
23 | file://CVE-2021-22926.patch \ | 23 | file://CVE-2021-22926.patch \ |
24 | file://CVE-2021-22945.patch \ | ||
25 | file://CVE-2021-22946.patch \ | ||
26 | file://CVE-2021-22947.patch \ | ||
24 | " | 27 | " |
25 | 28 | ||
26 | SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026" | 29 | SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026" |
@@ -28,6 +31,10 @@ SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb3 | |||
28 | # Curl has used many names over the years... | 31 | # Curl has used many names over the years... |
29 | CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" | 32 | CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" |
30 | 33 | ||
34 | # These only apply when using --with-libmetalink, but --without-libmetalink is | ||
35 | # set below. | ||
36 | CVE_CHECK_WHITELIST += "CVE-2021-22922 CVE-2021-22923" | ||
37 | |||
31 | inherit autotools pkgconfig binconfig multilib_header | 38 | inherit autotools pkgconfig binconfig multilib_header |
32 | 39 | ||
33 | PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib" | 40 | PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib" |
@@ -65,6 +72,7 @@ PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threade | |||
65 | PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose" | 72 | PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose" |
66 | PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib" | 73 | PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib" |
67 | 74 | ||
75 | # Keep --without-libmetalink to mitigate CVE-2021-22922 and CVE-2021-22923 | ||
68 | EXTRA_OECONF = " \ | 76 | EXTRA_OECONF = " \ |
69 | --disable-libcurl-option \ | 77 | --disable-libcurl-option \ |
70 | --disable-ntlm-wb \ | 78 | --disable-ntlm-wb \ |