curl: fix CVE-2023-38545

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. (From OE-Core rev: 9b0867861a9c053f19bdb99bd6cba44ee5cb64e1) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2023-10-12 13:33:16 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-10-18 05:25:19 -1000
commit: d1c80c5f4abbc064f23e01d8ce950b09f6a3c161 (patch)
tree: acb8b6ccf86b13378d0a17f45d4db14714abfadc
parent: f9694145e9bb9f94f9d5968220c7383a66b912d6 (diff)
download: poky-d1c80c5f4abbc064f23e01d8ce950b09f6a3c161.tar.gz
2 files changed, 134 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-38545.patch b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
new file mode 100644
index 0000000000..b90677fa5f
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
@@ -0,0 +1,133 @@
+From fb4415d8aee6c1045be932a34fe6107c2f5ed147 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Wed, 11 Oct 2023 07:34:19 +0200
+Subject: [PATCH] socks: return error if hostname too long for remote resolve
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+Bug: https://curl.se/docs/CVE-2023-38545.html
+Upstream-Status: Backport [https://github.com/curl/curl/commit/fb4415d8aee6c1045be932a34fe6107c2f5ed147]
+CVE: CVE-2023-38545
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/socks.c             |  8 +++---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test722      | 64 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 69 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test722
+diff --git a/lib/socks.c b/lib/socks.c
+index 95c2b00..8cf694d 100644
+--- a/lib/socks.c
+++ b/lib/socks.c
+@@ -588,9 +588,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
+     /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
+     if(!socks5_resolve_local && hostname_len > 255) {
+-      infof(data, "SOCKS5: server resolving disabled for hostnames of "
+-            "length > 255 [actual len=%zu]", hostname_len);
+-      socks5_resolve_local = TRUE;
+      failf(data, "SOCKS5: the destination hostname is too long to be "
+            "resolved remotely by the proxy.");
+      return CURLPX_LONG_HOSTNAME;
+     }
+     if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -904,7 +904,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
+       }
+       else {
+         socksreq[len++] = 3;
+-        socksreq[len++] = (char) hostname_len; /* one byte address length */
+        socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+         memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
+         len += hostname_len;
+       }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 7ed03a2..643c9fe 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -100,7 +100,7 @@ test679 test680 test681 test682 test683 test684 test685 test686 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+-test718 test719 test720 test721 \
+test718 test719 test720 test721 test722 \
+ \
+ test800 test801 test802 test803 test804 test805 test806 test807 test808 \
+ test809 test810 test811 test812 test813 test814 test815 test816 test817 \
+diff --git a/tests/data/test722 b/tests/data/test722
+new file mode 100644
+index 0000000..05bcf28
+--- /dev/null
+++ b/tests/data/test722
+@@ -0,0 +1,64 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+SOCKS5
+SOCKS5h
+followlocation
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+# The hostname in this redirect is 256 characters and too long (> 255) for
+# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
+<data>
+HTTP/1.1 301 Moved Permanently
+Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
+Content-Length: 0
+Connection: close
+
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+proxy
+</features>
+<server>
+http
+socks5
+</server>
+ <name>
+SOCKS5h with HTTP redirect to hostname too long
+ </name>
+ <command>
+--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol crlf="yes">
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+<errorcode>
+97
+</errorcode>
+# the error message is verified because error code CURLE_PROXY (97) may be
+# returned for any number of reasons and we need to make sure it is
+# specifically for the reason below so that we know the check is working.
+<stderr mode="text">
+curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
+</stderr>
+</verify>
+</testcase>
+--
+2.40.0
diff --git a/meta/recipes-support/curl/curl_8.0.1.bb b/meta/recipes-support/curl/curl_8.0.1.bb
index 708f622fe1..bdffe7be34 100644
--- a/meta/recipes-support/curl/curl_8.0.1.bb
+++ b/meta/recipes-support/curl/curl_8.0.1.bb
@@ -19,6 +19,7 @@ SRC_URI = " \
    file://CVE-2023-28321.patch \
    file://CVE-2023-32001.patch \
    file://CVE-2023-28320-fol1.patch \
+    file://CVE-2023-38545.patch \
 "
 SRC_URI[sha256sum] = "0a381cd82f4d00a9a334438b8ca239afea5bfefcfa9a1025f2bf118e79e0b5f0"
author	Archana Polampalli <archana.polampalli@windriver.com>	2023-10-12 13:33:16 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-10-18 05:25:19 -1000
commit	d1c80c5f4abbc064f23e01d8ce950b09f6a3c161 (patch)
tree	acb8b6ccf86b13378d0a17f45d4db14714abfadc
parent	f9694145e9bb9f94f9d5968220c7383a66b912d6 (diff)
download	poky-d1c80c5f4abbc064f23e01d8ce950b09f6a3c161.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2023-38545.patch b/meta/recipes-support/curl/curl/CVE-2023-38545.patch new file mode 100644 index 0000000000..b90677fa5f --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
@@ -0,0 +1,133 @@
		1	From fb4415d8aee6c1045be932a34fe6107c2f5ed147 Mon Sep 17 00:00:00 2001
		2	From: Jay Satiro <raysatiro@yahoo.com>
		3	Date: Wed, 11 Oct 2023 07:34:19 +0200
		4	Subject: [PATCH] socks: return error if hostname too long for remote resolve
		5
		6	Prior to this change the state machine attempted to change the remote
		7	resolve to a local resolve if the hostname was longer than 255
		8	characters. Unfortunately that did not work as intended and caused a
		9	security issue.
		10
		11	Bug: https://curl.se/docs/CVE-2023-38545.html
		12
		13	Upstream-Status: Backport [https://github.com/curl/curl/commit/fb4415d8aee6c1045be932a34fe6107c2f5ed147]
		14	CVE: CVE-2023-38545
		15	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		16	---
		17	lib/socks.c \| 8 +++---
		18	tests/data/Makefile.inc \| 2 +-
		19	tests/data/test722 \| 64 +++++++++++++++++++++++++++++++++++++++++
		20	3 files changed, 69 insertions(+), 5 deletions(-)
		21	create mode 100644 tests/data/test722
		22
		23	diff --git a/lib/socks.c b/lib/socks.c
		24	index 95c2b00..8cf694d 100644
		25	--- a/lib/socks.c
		26	+++ b/lib/socks.c
		27	@@ -588,9 +588,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
		28
		29	/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
		30	if(!socks5_resolve_local && hostname_len > 255) {
		31	- infof(data, "SOCKS5: server resolving disabled for hostnames of "
		32	- "length > 255 [actual len=%zu]", hostname_len);
		33	- socks5_resolve_local = TRUE;
		34	+ failf(data, "SOCKS5: the destination hostname is too long to be "
		35	+ "resolved remotely by the proxy.");
		36	+ return CURLPX_LONG_HOSTNAME;
		37	}
		38
		39	if(auth & ~(CURLAUTH_BASIC \| CURLAUTH_GSSAPI))
		40	@@ -904,7 +904,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
		41	}
		42	else {
		43	socksreq[len++] = 3;
		44	- socksreq[len++] = (char) hostname_len; /* one byte address length */
		45	+ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
		46	memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
		47	len += hostname_len;
		48	}
		49	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
		50	index 7ed03a2..643c9fe 100644
		51	--- a/tests/data/Makefile.inc
		52	+++ b/tests/data/Makefile.inc
		53	@@ -100,7 +100,7 @@ test679 test680 test681 test682 test683 test684 test685 test686 \
		54	\
		55	test700 test701 test702 test703 test704 test705 test706 test707 test708 \
		56	test709 test710 test711 test712 test713 test714 test715 test716 test717 \
		57	-test718 test719 test720 test721 \
		58	+test718 test719 test720 test721 test722 \
		59	\
		60	test800 test801 test802 test803 test804 test805 test806 test807 test808 \
		61	test809 test810 test811 test812 test813 test814 test815 test816 test817 \
		62	diff --git a/tests/data/test722 b/tests/data/test722
		63	new file mode 100644
		64	index 0000000..05bcf28
		65	--- /dev/null
		66	+++ b/tests/data/test722
		67	@@ -0,0 +1,64 @@
		68	+<testcase>
		69	+<info>
		70	+<keywords>
		71	+HTTP
		72	+HTTP GET
		73	+SOCKS5
		74	+SOCKS5h
		75	+followlocation
		76	+</keywords>
		77	+</info>
		78	+
		79	+#
		80	+# Server-side
		81	+<reply>
		82	+# The hostname in this redirect is 256 characters and too long (> 255) for
		83	+# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
		84	+<data>
		85	+HTTP/1.1 301 Moved Permanently
		86	+Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
		87	+Content-Length: 0
		88	+Connection: close
		89	+
		90	+</data>
		91	+</reply>
		92	+
		93	+#
		94	+# Client-side
		95	+<client>
		96	+<features>
		97	+proxy
		98	+</features>
		99	+<server>
		100	+http
		101	+socks5
		102	+</server>
		103	+ <name>
		104	+SOCKS5h with HTTP redirect to hostname too long
		105	+ </name>
		106	+ <command>
		107	+--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
		108	+</command>
		109	+</client>
		110	+
		111	+#
		112	+# Verify data after the test has been "shot"
		113	+<verify>
		114	+<protocol crlf="yes">
		115	+GET /%TESTNUMBER HTTP/1.1
		116	+Host: %HOSTIP:%HTTPPORT
		117	+User-Agent: curl/%VERSION
		118	+Accept: /
		119	+
		120	+</protocol>
		121	+<errorcode>
		122	+97
		123	+</errorcode>
		124	+# the error message is verified because error code CURLE_PROXY (97) may be
		125	+# returned for any number of reasons and we need to make sure it is
		126	+# specifically for the reason below so that we know the check is working.
		127	+<stderr mode="text">
		128	+curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
		129	+</stderr>
		130	+</verify>
		131	+</testcase>
		132	--
		133	2.40.0


diff --git a/meta/recipes-support/curl/curl_8.0.1.bb b/meta/recipes-support/curl/curl_8.0.1.bb index 708f622fe1..bdffe7be34 100644 --- a/meta/recipes-support/curl/curl_8.0.1.bb +++ b/meta/recipes-support/curl/curl_8.0.1.bb
@@ -19,6 +19,7 @@ SRC_URI = " \
19	file://CVE-2023-28321.patch \	19	file://CVE-2023-28321.patch \
20	file://CVE-2023-32001.patch \	20	file://CVE-2023-32001.patch \
21	file://CVE-2023-28320-fol1.patch \	21	file://CVE-2023-28320-fol1.patch \
		22	file://CVE-2023-38545.patch \
22	"	23	"
23	SRC_URI[sha256sum] = "0a381cd82f4d00a9a334438b8ca239afea5bfefcfa9a1025f2bf118e79e0b5f0"	24	SRC_URI[sha256sum] = "0a381cd82f4d00a9a334438b8ca239afea5bfefcfa9a1025f2bf118e79e0b5f0"
24		25