curl: backport Debian patch for CVE-2024-8096

import patch from ubuntu to fix CVE-2024-8096 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches?h=ubuntu/jammy-security Upstream commit https://github.com/curl/curl/commit/aeb1a281cab13c7ba791cb104e556b20e713941f] Reference: https://curl.se/docs/CVE-2024-8096.html (From OE-Core rev: 5383b18d4f8023b49cdadf7c777aaecf55d95dc1) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-09-23 11:19:38 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-10-07 05:43:22 -0700
commit: f5c9fab6c4849e8ab475eae740d377bab0850b33 (patch)
tree: cb1964c46176a4d514723d8f584f4f947b1b1bcc /meta
parent: 47ffa50db25a5ceeb73a3a0600dd9e68274d184f (diff)
download: poky-f5c9fab6c4849e8ab475eae740d377bab0850b33.tar.gz
2 files changed, 211 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2024-8096.patch b/meta/recipes-support/curl/curl/CVE-2024-8096.patch
new file mode 100644
index 0000000000..777b3fe587
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2024-8096.patch
@@ -0,0 +1,210 @@
+Backport of:
+From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 20 Aug 2024 16:14:39 +0200
+Subject: [PATCH] gtls: fix OCSP stapling management
+Reported-by: Hiroki Kurosawa
+Closes #14642
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-8096.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/curl/curl/commit/aeb1a281cab13c7ba791cb104e556b20e713941f]
+CVE: CVE-2024-8096
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
+ 1 file changed, 73 insertions(+), 73 deletions(-)
+--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
+@@ -530,6 +530,13 @@ gtls_connect_step1(struct Curl_easy *dat
+   init_flags |= GNUTLS_NO_TICKETS;
+ #endif
+ 
+#if defined(GNUTLS_NO_STATUS_REQUEST)
+  if(!config->verifystatus)
+    /* Disable the "status_request" TLS extension, enabled by default since
+       GnuTLS 3.8.0. */
+    init_flags |= GNUTLS_NO_STATUS_REQUEST;
+#endif
+
+   rc = gnutls_init(&backend->session, init_flags);
+   if(rc != GNUTLS_E_SUCCESS) {
+     failf(data, "gnutls_init() failed: %d", rc);
+@@ -929,104 +936,97 @@ Curl_gtls_verifyserver(struct Curl_easy
+     infof(data, "  server certificate verification SKIPPED");
+ 
+   if(SSL_CONN_CONFIG(verifystatus)) {
+-    if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
+-      gnutls_datum_t status_request;
+-      gnutls_ocsp_resp_t ocsp_resp;
+    gnutls_datum_t status_request;
+    gnutls_ocsp_resp_t ocsp_resp;
+    gnutls_ocsp_cert_status_t status;
+    gnutls_x509_crl_reason_t reason;
+ 
+-      gnutls_ocsp_cert_status_t status;
+-      gnutls_x509_crl_reason_t reason;
+    rc = gnutls_ocsp_status_request_get(session, &status_request);
+ 
+-      rc = gnutls_ocsp_status_request_get(session, &status_request);
+    if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+      failf(data, "No OCSP response received");
+      return CURLE_SSL_INVALIDCERTSTATUS;
+    }
+ 
+-      infof(data, " server certificate status verification FAILED");
+    if(rc < 0) {
+      failf(data, "Invalid OCSP response received");
+      return CURLE_SSL_INVALIDCERTSTATUS;
+    }
+ 
+-      if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+-        failf(data, "No OCSP response received");
+-        return CURLE_SSL_INVALIDCERTSTATUS;
+-      }
+    gnutls_ocsp_resp_init(&ocsp_resp);
+ 
+-      if(rc < 0) {
+-        failf(data, "Invalid OCSP response received");
+-        return CURLE_SSL_INVALIDCERTSTATUS;
+-      }
+    rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
+    if(rc < 0) {
+      failf(data, "Invalid OCSP response received");
+      return CURLE_SSL_INVALIDCERTSTATUS;
+    }
+ 
+-      gnutls_ocsp_resp_init(&ocsp_resp);
+    (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+                                      &status, NULL, NULL, NULL, &reason);
+ 
+-      rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
+-      if(rc < 0) {
+-        failf(data, "Invalid OCSP response received");
+-        return CURLE_SSL_INVALIDCERTSTATUS;
+-      }
+    switch(status) {
+    case GNUTLS_OCSP_CERT_GOOD:
+      break;
+ 
+-      (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+-                                        &status, NULL, NULL, NULL, &reason);
+    case GNUTLS_OCSP_CERT_REVOKED: {
+      const char *crl_reason;
+ 
+-      switch(status) {
+-      case GNUTLS_OCSP_CERT_GOOD:
+      switch(reason) {
+      default:
+      case GNUTLS_X509_CRLREASON_UNSPECIFIED:
+        crl_reason = "unspecified reason";
+         break;
+ 
+-      case GNUTLS_OCSP_CERT_REVOKED: {
+-        const char *crl_reason;
+      case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
+        crl_reason = "private key compromised";
+        break;
+ 
+-        switch(reason) {
+-          default:
+-          case GNUTLS_X509_CRLREASON_UNSPECIFIED:
+-            crl_reason = "unspecified reason";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
+-            crl_reason = "private key compromised";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_CACOMPROMISE:
+-            crl_reason = "CA compromised";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
+-            crl_reason = "affiliation has changed";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_SUPERSEDED:
+-            crl_reason = "certificate superseded";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
+-            crl_reason = "operation has ceased";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
+-            crl_reason = "certificate is on hold";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
+-            crl_reason = "will be removed from delta CRL";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
+-            crl_reason = "privilege withdrawn";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_AACOMPROMISE:
+-            crl_reason = "AA compromised";
+-            break;
+-        }
+      case GNUTLS_X509_CRLREASON_CACOMPROMISE:
+        crl_reason = "CA compromised";
+        break;
+ 
+-        failf(data, "Server certificate was revoked: %s", crl_reason);
+      case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
+        crl_reason = "affiliation has changed";
+         break;
+-      }
+ 
+-      default:
+-      case GNUTLS_OCSP_CERT_UNKNOWN:
+-        failf(data, "Server certificate status is unknown");
+      case GNUTLS_X509_CRLREASON_SUPERSEDED:
+        crl_reason = "certificate superseded";
+        break;
+
+      case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
+        crl_reason = "operation has ceased";
+        break;
+
+      case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
+        crl_reason = "certificate is on hold";
+        break;
+
+      case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
+        crl_reason = "will be removed from delta CRL";
+        break;
+
+      case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
+        crl_reason = "privilege withdrawn";
+        break;
+
+      case GNUTLS_X509_CRLREASON_AACOMPROMISE:
+        crl_reason = "AA compromised";
+         break;
+       }
+ 
+-      gnutls_ocsp_resp_deinit(ocsp_resp);
+      failf(data, "Server certificate was revoked: %s", crl_reason);
+      break;
+    }
+
+    default:
+    case GNUTLS_OCSP_CERT_UNKNOWN:
+      failf(data, "Server certificate status is unknown");
+      break;
+    }
+ 
+    gnutls_ocsp_resp_deinit(ocsp_resp);
+    if(status != GNUTLS_OCSP_CERT_GOOD)
+       return CURLE_SSL_INVALIDCERTSTATUS;
+-    }
+-    else
+-      infof(data, "  server certificate status verification OK");
+   }
+   else
+     infof(data, "  server certificate status verification SKIPPED");
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 308b508072..a613e93780 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -60,6 +60,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
           file://CVE-2024-2398.patch \
           file://CVE-2024-7264_1.patch \
           file://CVE-2024-7264_2.patch \
+           file://CVE-2024-8096.patch \
           "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-09-23 11:19:38 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-10-07 05:43:22 -0700
commit	f5c9fab6c4849e8ab475eae740d377bab0850b33 (patch)
tree	cb1964c46176a4d514723d8f584f4f947b1b1bcc /meta
parent	47ffa50db25a5ceeb73a3a0600dd9e68274d184f (diff)
download	poky-f5c9fab6c4849e8ab475eae740d377bab0850b33.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2024-8096.patch b/meta/recipes-support/curl/curl/CVE-2024-8096.patch new file mode 100644 index 0000000000..777b3fe587 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-8096.patch
@@ -0,0 +1,210 @@
		1	Backport of:
		2
		3	From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
		4	From: Daniel Stenberg <daniel@haxx.se>
		5	Date: Tue, 20 Aug 2024 16:14:39 +0200
		6	Subject: [PATCH] gtls: fix OCSP stapling management
		7
		8	Reported-by: Hiroki Kurosawa
		9	Closes #14642
		10
		11	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-8096.patch?h=ubuntu/jammy-security
		12	Upstream commit https://github.com/curl/curl/commit/aeb1a281cab13c7ba791cb104e556b20e713941f]
		13	CVE: CVE-2024-8096
		14	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		15	---
		16	lib/vtls/gtls.c \| 146 ++++++++++++++++++++++++------------------------
		17	1 file changed, 73 insertions(+), 73 deletions(-)
		18
		19	--- a/lib/vtls/gtls.c
		20	+++ b/lib/vtls/gtls.c
		21	@@ -530,6 +530,13 @@ gtls_connect_step1(struct Curl_easy *dat
		22	init_flags \|= GNUTLS_NO_TICKETS;
		23	#endif
		24
		25	+#if defined(GNUTLS_NO_STATUS_REQUEST)
		26	+ if(!config->verifystatus)
		27	+ /* Disable the "status_request" TLS extension, enabled by default since
		28	+ GnuTLS 3.8.0. */
		29	+ init_flags \|= GNUTLS_NO_STATUS_REQUEST;
		30	+#endif
		31	+
		32	rc = gnutls_init(&backend->session, init_flags);
		33	if(rc != GNUTLS_E_SUCCESS) {
		34	failf(data, "gnutls_init() failed: %d", rc);
		35	@@ -929,104 +936,97 @@ Curl_gtls_verifyserver(struct Curl_easy
		36	infof(data, " server certificate verification SKIPPED");
		37
		38	if(SSL_CONN_CONFIG(verifystatus)) {
		39	- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
		40	- gnutls_datum_t status_request;
		41	- gnutls_ocsp_resp_t ocsp_resp;
		42	+ gnutls_datum_t status_request;
		43	+ gnutls_ocsp_resp_t ocsp_resp;
		44	+ gnutls_ocsp_cert_status_t status;
		45	+ gnutls_x509_crl_reason_t reason;
		46
		47	- gnutls_ocsp_cert_status_t status;
		48	- gnutls_x509_crl_reason_t reason;
		49	+ rc = gnutls_ocsp_status_request_get(session, &status_request);
		50
		51	- rc = gnutls_ocsp_status_request_get(session, &status_request);
		52	+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		53	+ failf(data, "No OCSP response received");
		54	+ return CURLE_SSL_INVALIDCERTSTATUS;
		55	+ }
		56
		57	- infof(data, " server certificate status verification FAILED");
		58	+ if(rc < 0) {
		59	+ failf(data, "Invalid OCSP response received");
		60	+ return CURLE_SSL_INVALIDCERTSTATUS;
		61	+ }
		62
		63	- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		64	- failf(data, "No OCSP response received");
		65	- return CURLE_SSL_INVALIDCERTSTATUS;
		66	- }
		67	+ gnutls_ocsp_resp_init(&ocsp_resp);
		68
		69	- if(rc < 0) {
		70	- failf(data, "Invalid OCSP response received");
		71	- return CURLE_SSL_INVALIDCERTSTATUS;
		72	- }
		73	+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
		74	+ if(rc < 0) {
		75	+ failf(data, "Invalid OCSP response received");
		76	+ return CURLE_SSL_INVALIDCERTSTATUS;
		77	+ }
		78
		79	- gnutls_ocsp_resp_init(&ocsp_resp);
		80	+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
		81	+ &status, NULL, NULL, NULL, &reason);
		82
		83	- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
		84	- if(rc < 0) {
		85	- failf(data, "Invalid OCSP response received");
		86	- return CURLE_SSL_INVALIDCERTSTATUS;
		87	- }
		88	+ switch(status) {
		89	+ case GNUTLS_OCSP_CERT_GOOD:
		90	+ break;
		91
		92	- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
		93	- &status, NULL, NULL, NULL, &reason);
		94	+ case GNUTLS_OCSP_CERT_REVOKED: {
		95	+ const char *crl_reason;
		96
		97	- switch(status) {
		98	- case GNUTLS_OCSP_CERT_GOOD:
		99	+ switch(reason) {
		100	+ default:
		101	+ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
		102	+ crl_reason = "unspecified reason";
		103	break;
		104
		105	- case GNUTLS_OCSP_CERT_REVOKED: {
		106	- const char *crl_reason;
		107	+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
		108	+ crl_reason = "private key compromised";
		109	+ break;
		110
		111	- switch(reason) {
		112	- default:
		113	- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
		114	- crl_reason = "unspecified reason";
		115	- break;
		116	-
		117	- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
		118	- crl_reason = "private key compromised";
		119	- break;
		120	-
		121	- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
		122	- crl_reason = "CA compromised";
		123	- break;
		124	-
		125	- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
		126	- crl_reason = "affiliation has changed";
		127	- break;
		128	-
		129	- case GNUTLS_X509_CRLREASON_SUPERSEDED:
		130	- crl_reason = "certificate superseded";
		131	- break;
		132	-
		133	- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
		134	- crl_reason = "operation has ceased";
		135	- break;
		136	-
		137	- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
		138	- crl_reason = "certificate is on hold";
		139	- break;
		140	-
		141	- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
		142	- crl_reason = "will be removed from delta CRL";
		143	- break;
		144	-
		145	- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
		146	- crl_reason = "privilege withdrawn";
		147	- break;
		148	-
		149	- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
		150	- crl_reason = "AA compromised";
		151	- break;
		152	- }
		153	+ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
		154	+ crl_reason = "CA compromised";
		155	+ break;
		156
		157	- failf(data, "Server certificate was revoked: %s", crl_reason);
		158	+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
		159	+ crl_reason = "affiliation has changed";
		160	break;
		161	- }
		162
		163	- default:
		164	- case GNUTLS_OCSP_CERT_UNKNOWN:
		165	- failf(data, "Server certificate status is unknown");
		166	+ case GNUTLS_X509_CRLREASON_SUPERSEDED:
		167	+ crl_reason = "certificate superseded";
		168	+ break;
		169	+
		170	+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
		171	+ crl_reason = "operation has ceased";
		172	+ break;
		173	+
		174	+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
		175	+ crl_reason = "certificate is on hold";
		176	+ break;
		177	+
		178	+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
		179	+ crl_reason = "will be removed from delta CRL";
		180	+ break;
		181	+
		182	+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
		183	+ crl_reason = "privilege withdrawn";
		184	+ break;
		185	+
		186	+ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
		187	+ crl_reason = "AA compromised";
		188	break;
		189	}
		190
		191	- gnutls_ocsp_resp_deinit(ocsp_resp);
		192	+ failf(data, "Server certificate was revoked: %s", crl_reason);
		193	+ break;
		194	+ }
		195	+
		196	+ default:
		197	+ case GNUTLS_OCSP_CERT_UNKNOWN:
		198	+ failf(data, "Server certificate status is unknown");
		199	+ break;
		200	+ }
		201
		202	+ gnutls_ocsp_resp_deinit(ocsp_resp);
		203	+ if(status != GNUTLS_OCSP_CERT_GOOD)
		204	return CURLE_SSL_INVALIDCERTSTATUS;
		205	- }
		206	- else
		207	- infof(data, " server certificate status verification OK");
		208	}
		209	else
		210	infof(data, " server certificate status verification SKIPPED");


diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 308b508072..a613e93780 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -60,6 +60,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
60	file://CVE-2024-2398.patch \	60	file://CVE-2024-2398.patch \
61	file://CVE-2024-7264_1.patch \	61	file://CVE-2024-7264_1.patch \
62	file://CVE-2024-7264_2.patch \	62	file://CVE-2024-7264_2.patch \
		63	file://CVE-2024-8096.patch \
63	"	64	"
64	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"	65	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
65		66