Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2021-22924.patch | 226 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2021-22925.patch | 43 | ||||
-rw-r--r-- | meta/recipes-support/curl/curl_7.69.1.bb | 3 |
3 files changed, 272 insertions, 0 deletions
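--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22924.patch
@@ -0,0 +1,226 @@
+Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and
+case sensitivity CVE-2021-22924
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2021-22924.html
+CVE: CVE-2021-22924
+Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+lib/url.c | 5 +++--
+lib/urldata.h | 2 +-
+lib/vtls/gtls.c | 10 +++++-----
+lib/vtls/nss.c | 4 ++--
+lib/vtls/openssl.c | 12 ++++++------
+lib/vtls/vtls.c | 23 ++++++++++++++++++-----
+6 files changed, 35 insertions(+), 21 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 47fc66aed..eebad8d32 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3555,6 +3555,9 @@ static CURLcode create_conn(struct Curl_easy *data,
+data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
+data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
+data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
++ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
++ data->set.proxy_ssl.primary.issuercert =
++ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+data->set.proxy_ssl.primary.random_file =
+data->set.str[STRING_SSL_RANDOM_FILE];
+@@ -3575,8 +3578,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+
+data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
+data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
+- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
+data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
+data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
+diff --git a/lib/urldata.h b/lib/urldata.h
+index fbb8b645e..615fbf369 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -224,6 +224,7 @@ struct ssl_primary_config {
+long version_max; /* max supported version the client wants to use*/
+char *CApath; /* certificate dir (doesn't work on windows) */
+char *CAfile; /* certificate to verify peer against */
++ char *issuercert; /* optional issuer certificate filename */
+char *clientcert;
+char *random_file; /* path to file containing "random" data */
+char *egdsocket; /* path to file containing the EGD daemon socket */
+@@ -240,7 +241,6 @@ struct ssl_config_data {
+struct ssl_primary_config primary;
+long certverifyresult; /* result from the certificate verification */
+char *CRLfile; /* CRL to check certificate revocation */
+- char *issuercert;/* optional issuer certificate filename */
+curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+void *fsslctxp; /* parameter for call back */
+char *cert; /* client certificate file name */
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 46e149c7d..8c051024f 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -1059,7 +1059,7 @@ gtls_connect_step3(struct connectdata *conn,
+if(!chainp) {
+if(SSL_CONN_CONFIG(verifypeer) ||
+SSL_CONN_CONFIG(verifyhost) ||
+- SSL_SET_OPTION(issuercert)) {
++ SSL_CONN_CONFIG(issuercert)) {
+#ifdef USE_TLS_SRP
+if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+&& SSL_SET_OPTION(username) != NULL
+@@ -1241,21 +1241,21 @@ gtls_connect_step3(struct connectdata *conn,
+gnutls_x509_crt_t format */
+gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
+
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+gnutls_x509_crt_init(&x509_issuer);
+- issuerp = load_file(SSL_SET_OPTION(issuercert));
++ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
+gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
+rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
+gnutls_x509_crt_deinit(x509_issuer);
+unload_file(issuerp);
+if(rc <= 0) {
+failf(data, "server certificate issuer check failed (IssuerCert: %s)",
+- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+gnutls_x509_crt_deinit(x509_cert);
+return CURLE_SSL_ISSUER_ERROR;
+}
+infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
+- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+}
+
+size = sizeof(certbuf);
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index ef51b0d91..375c78b1b 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2151,9 +2151,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
+if(result)
+goto error;
+
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+SECStatus ret = SECFailure;
+- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
+if(nickname) {
+/* we support only nicknames in case of issuercert for now */
+ret = check_issuer_cert(BACKEND->handle, nickname);
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 64f43605a..7e81fd3a0 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -3547,7 +3547,7 @@ static CURLcode servercert(struct connectdata *conn,
+deallocating the certificate. */
+
+/* e.g. match issuer name with provided issuer certificate */
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+fp = BIO_new(BIO_s_file());
+if(fp == NULL) {
+failf(data,
+@@ -3560,10 +3560,10 @@ static CURLcode servercert(struct connectdata *conn,
+return CURLE_OUT_OF_MEMORY;
+}
+
+- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
+if(strict)
+failf(data, "SSL: Unable to open issuer cert (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+BIO_free(fp);
+X509_free(BACKEND->server_cert);
+BACKEND->server_cert = NULL;
+@@ -3574,7 +3574,7 @@ static CURLcode servercert(struct connectdata *conn,
+if(!issuer) {
+if(strict)
+failf(data, "SSL: Unable to read issuer cert (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+BIO_free(fp);
+X509_free(issuer);
+X509_free(BACKEND->server_cert);
+@@ -3585,7 +3585,7 @@ static CURLcode servercert(struct connectdata *conn,
+if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {
+if(strict)
+failf(data, "SSL: Certificate issuer check failed (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+BIO_free(fp);
+X509_free(issuer);
+X509_free(BACKEND->server_cert);
+@@ -3594,7 +3594,7 @@ static CURLcode servercert(struct connectdata *conn,
+}
+
+infof(data, " SSL certificate issuer check ok (%s)\n",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+BIO_free(fp);
+X509_free(issuer);
+}
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index aaf73ef8f..8c681da14 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -82,6 +82,16 @@
+else \
+dest->var = NULL;
+
++static bool safecmp(char *a, char *b)
++{
++ if(a && b)
++ return !strcmp(a, b);
++ else if(!a && !b)
++ return TRUE; /* match */
++ return FALSE; /* no match */
++}
++
++
+bool
+Curl_ssl_config_matches(struct ssl_primary_config* data,
+struct ssl_primary_config* needle)
+@@ -91,11 +101,12 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
+(data->verifypeer == needle->verifypeer) &&
+(data->verifyhost == needle->verifyhost) &&
+(data->verifystatus == needle->verifystatus) &&
+- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
+- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
+- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
+- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
+- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
++ safecmp(data->CApath, needle->CApath) &&
++ safecmp(data->CAfile, needle->CAfile) &&
++ safecmp(data->issuercert, needle->issuercert) &&
++ safecmp(data->clientcert, needle->clientcert) &&
++ safecmp(data->random_file, needle->random_file) &&
++ safecmp(data->egdsocket, needle->egdsocket) &&
+Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
+@@ -117,6 +128,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+
+CLONE_STRING(CApath);
+CLONE_STRING(CAfile);
++ CLONE_STRING(issuercert);
+CLONE_STRING(clientcert);
+CLONE_STRING(random_file);
+CLONE_STRING(egdsocket);
+@@ -131,6 +143,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
+{
+Curl_safefree(sslc->CApath);
+Curl_safefree(sslc->CAfile);
++ Curl_safefree(sslc->issuercert);
+Curl_safefree(sslc->clientcert);
+Curl_safefree(sslc->random_file);
+Curl_safefree(sslc->egdsocket);
+--
+2.30.2
+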
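Review bot: `safecmp` at the top of the vtls.c hunk is declared as `static bool safecmp(char *a, char *b)` although it only reads through both pointers; `static bool safecmp(const char *a, const char *b)` states that contract and still accepts the `char *` fields of `ssl_primary_config` that `Curl_ssl_config_matches` passes to it. On the line after the new `safecmp` calls, `pinned_key` is still compared with `Curl_safe_strcasecompare`, so two configurations whose pins differ only in letter case would still be considered equal for connection reuse; whether that field was meant to keep case-insensitive matching is worth confirming against the upstream fix before the backport is merged. Separately, the header's `Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6` does not identify the upstream curl commit the change derives from; the layer's `Upstream-Status: Backport [<upstream commit URL>]` form (placeholder to be filled from upstream) makes the provenance of a security backport checkable.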
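--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
@@ -0,0 +1,43 @@
+Subject: [PATCH] telnet: fix option parser to not send uninitialized
+contents CVE-2021-22925
+
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+CVE: CVE-2021-22925
+Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+lib/telnet.c | 17 +++++++++++------
+1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 4bf4c652c..3347ad6d1 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
+size_t tmplen = (strlen(v->data) + 1);
+/* Add the variable only if it fits */
+if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+- msnprintf((char *)&temp[len], sizeof(temp) - len,
+- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+- CURL_NEW_ENV_VALUE, varval);
+- len += tmplen;
+- }
++ int rv;
++ char sep[2] = "";
++ varval[0] = 0;
++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
++ if(rv == 1)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s", CURL_NEW_ENV_VAR, varname);
++ else if(rv >= 2)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
++ CURL_NEW_ENV_VALUE, varval);
+}
+}
+msnprintf((char *)&temp[len], sizeof(temp) - len,
+--
+2.30.2
+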
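Review bot: The three-way outcome of the new `sscanf` in the telnet.c hunk is left for the reader to reconstruct: `rv == 1` means no comma followed the name, `rv >= 2` means the comma matched and the value may be absent, in which case the `varval[0] = 0` two lines above is what makes the sent value an empty string instead of stale buffer contents, and `sep` exists only to absorb the comma. A comment above the call such as `/* sep only consumes the ','; rv==1: name only, rv>=2: name plus (possibly empty) value — varval was cleared above so nothing uninitialized is sent */` would record that intent next to the code. The surrounding `suboption` body, including the declarations of `varname`, `varval` and `temp`, starts and ends outside the hunk.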
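--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -20,6 +20,8 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
 file://CVE-2021-22876.patch \
 file://CVE-2021-22890.patch \
 file://CVE-2021-22898.patch \
+file://CVE-2021-22924.patch \
+file://CVE-2021-22925.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
@@ -27,6 +29,7 @@ SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a5
 
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
+CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926"
 
 inherit autotools pkgconfig binconfig multilib_header
 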
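Review bot: The new `CVE_CHECK_WHITELIST` line in the second hunk suppresses three CVEs without recording why they do not apply to this build, so a later cve-check run or a version bump cannot tell whether the exclusion is still justified. A one-line comment above it giving the reason per entry would make the whitelist reviewable; presumably the affected code paths are not built here (the metalink support for CVE-2021-22922 and CVE-2021-22923, the Secure Transport backend for CVE-2021-22926), but confirm that against the configured features before writing something like `# Not applicable to this build: CVE-2021-22922/22923 (metalink), CVE-2021-22926 (Secure Transport)`. The first hunk only registers the two patch files in SRC_URI and needs nothing further.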