2 files changed, 208 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2024-8096.patch b/meta/recipes-support/curl/curl/CVE-2024-8096.patch
new file mode 100644
index 0000000000..a26a6253c9
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2024-8096.patch
@@ -0,0 +1,207 @@
+From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 20 Aug 2024 16:14:39 +0200
+Subject: [PATCH] gtls: fix OCSP stapling management
+Reported-by: Hiroki Kurosawa
+Closes #14642
+ 
+Upstream-Status: Backport [https://github.com/curl/curl/commit/aeb1a281cab13c7ba791cb104e556b20e713941f]
+CVE: CVE-2024-8096
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
+ 1 file changed, 73 insertions(+), 73 deletions(-)
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 6eaa6a8..7dd7df8 100644
+--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
+@@ -538,6 +538,13 @@ CURLcode gtls_client_init(struct Curl_easy *data,
+   init_flags |= GNUTLS_NO_TICKETS;
+ #endif
+ 
+#if defined(GNUTLS_NO_STATUS_REQUEST)
+  if(!config->verifystatus)
+    /* Disable the "status_request" TLS extension, enabled by default since
+       GnuTLS 3.8.0. */
+    init_flags |= GNUTLS_NO_STATUS_REQUEST;
+#endif
+
+   rc = gnutls_init(&gtls->session, init_flags);
+   if(rc != GNUTLS_E_SUCCESS) {
+     failf(data, "gnutls_init() failed: %d", rc);
+@@ -923,104 +930,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+     infof(data, "  server certificate verification SKIPPED");
+ 
+   if(config->verifystatus) {
+-    if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
+-      gnutls_datum_t status_request;
+-      gnutls_ocsp_resp_t ocsp_resp;
+    gnutls_datum_t status_request;
+    gnutls_ocsp_resp_t ocsp_resp;
+    gnutls_ocsp_cert_status_t status;
+    gnutls_x509_crl_reason_t reason;
+ 
+-      gnutls_ocsp_cert_status_t status;
+-      gnutls_x509_crl_reason_t reason;
+    rc = gnutls_ocsp_status_request_get(session, &status_request);
+ 
+-      rc = gnutls_ocsp_status_request_get(session, &status_request);
+    if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+      failf(data, "No OCSP response received");
+      return CURLE_SSL_INVALIDCERTSTATUS;
+    }
+ 
+-      infof(data, " server certificate status verification FAILED");
+    if(rc < 0) {
+      failf(data, "Invalid OCSP response received");
+      return CURLE_SSL_INVALIDCERTSTATUS;
+    }
+ 
+-      if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+-        failf(data, "No OCSP response received");
+-        return CURLE_SSL_INVALIDCERTSTATUS;
+-      }
+    gnutls_ocsp_resp_init(&ocsp_resp);
+ 
+-      if(rc < 0) {
+-        failf(data, "Invalid OCSP response received");
+-        return CURLE_SSL_INVALIDCERTSTATUS;
+-      }
+    rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
+    if(rc < 0) {
+      failf(data, "Invalid OCSP response received");
+      return CURLE_SSL_INVALIDCERTSTATUS;
+    }
+ 
+-      gnutls_ocsp_resp_init(&ocsp_resp);
+    (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+                                      &status, NULL, NULL, NULL, &reason);
+ 
+-      rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
+-      if(rc < 0) {
+-        failf(data, "Invalid OCSP response received");
+-        return CURLE_SSL_INVALIDCERTSTATUS;
+-      }
+    switch(status) {
+    case GNUTLS_OCSP_CERT_GOOD:
+      break;
+ 
+-      (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+-                                        &status, NULL, NULL, NULL, &reason);
+    case GNUTLS_OCSP_CERT_REVOKED: {
+      const char *crl_reason;
+ 
+-      switch(status) {
+-      case GNUTLS_OCSP_CERT_GOOD:
+      switch(reason) {
+      default:
+      case GNUTLS_X509_CRLREASON_UNSPECIFIED:
+        crl_reason = "unspecified reason";
+         break;
+ 
+-      case GNUTLS_OCSP_CERT_REVOKED: {
+-        const char *crl_reason;
+-
+-        switch(reason) {
+-          default:
+-          case GNUTLS_X509_CRLREASON_UNSPECIFIED:
+-            crl_reason = "unspecified reason";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
+-            crl_reason = "private key compromised";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_CACOMPROMISE:
+-            crl_reason = "CA compromised";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
+-            crl_reason = "affiliation has changed";
+-            break;
+      case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
+        crl_reason = "private key compromised";
+        break;
+ 
+-          case GNUTLS_X509_CRLREASON_SUPERSEDED:
+-            crl_reason = "certificate superseded";
+-            break;
+      case GNUTLS_X509_CRLREASON_CACOMPROMISE:
+        crl_reason = "CA compromised";
+        break;
+ 
+-          case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
+-            crl_reason = "operation has ceased";
+-            break;
+      case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
+        crl_reason = "affiliation has changed";
+        break;
+ 
+-          case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
+-            crl_reason = "certificate is on hold";
+-            break;
+      case GNUTLS_X509_CRLREASON_SUPERSEDED:
+        crl_reason = "certificate superseded";
+        break;
+ 
+-          case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
+-            crl_reason = "will be removed from delta CRL";
+-            break;
+      case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
+        crl_reason = "operation has ceased";
+        break;
+ 
+-          case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
+-            crl_reason = "privilege withdrawn";
+-            break;
+      case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
+        crl_reason = "certificate is on hold";
+        break;
+ 
+-          case GNUTLS_X509_CRLREASON_AACOMPROMISE:
+-            crl_reason = "AA compromised";
+-            break;
+-        }
+      case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
+        crl_reason = "will be removed from delta CRL";
+        break;
+ 
+-        failf(data, "Server certificate was revoked: %s", crl_reason);
+      case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
+        crl_reason = "privilege withdrawn";
+         break;
+-      }
+ 
+-      default:
+-      case GNUTLS_OCSP_CERT_UNKNOWN:
+-        failf(data, "Server certificate status is unknown");
+      case GNUTLS_X509_CRLREASON_AACOMPROMISE:
+        crl_reason = "AA compromised";
+         break;
+       }
+ 
+-      gnutls_ocsp_resp_deinit(ocsp_resp);
+      failf(data, "Server certificate was revoked: %s", crl_reason);
+      break;
+    }
+
+    default:
+    case GNUTLS_OCSP_CERT_UNKNOWN:
+      failf(data, "Server certificate status is unknown");
+      break;
+    }
+ 
+    gnutls_ocsp_resp_deinit(ocsp_resp);
+    if(status != GNUTLS_OCSP_CERT_GOOD)
+       return CURLE_SSL_INVALIDCERTSTATUS;
+-    }
+-    else
+-      infof(data, "  server certificate status verification OK");
+   }
+   else
+     infof(data, "  server certificate status verification SKIPPED");
+-- 
+2.25.1
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 5442d8d4fd..d094604ea1 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -18,6 +18,7 @@ SRC_URI = " \
    file://CVE-2024-6197.patch \
    file://CVE-2024-7264-1.patch \
    file://CVE-2024-7264-2.patch \
+    file://CVE-2024-8096.patch \
 "
 SRC_URI[sha256sum] = "6fea2aac6a4610fbd0400afb0bcddbe7258a64c63f1f68e5855ebc0c659710cd"

diff --git a/meta/recipes-support/curl/curl/CVE-2024-8096.patch b/meta/recipes-support/curl/curl/CVE-2024-8096.patch new file mode 100644 index 0000000000..a26a6253c9 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-8096.patch
@@ -0,0 +1,207 @@
		1	From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Tue, 20 Aug 2024 16:14:39 +0200
		4	Subject: [PATCH] gtls: fix OCSP stapling management
		5
		6	Reported-by: Hiroki Kurosawa
		7	Closes #14642
		8
		9	Upstream-Status: Backport [https://github.com/curl/curl/commit/aeb1a281cab13c7ba791cb104e556b20e713941f]
		10	CVE: CVE-2024-8096
		11	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		12	---
		13	lib/vtls/gtls.c \| 146 ++++++++++++++++++++++++------------------------
		14	1 file changed, 73 insertions(+), 73 deletions(-)
		15
		16	diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
		17	index 6eaa6a8..7dd7df8 100644
		18	--- a/lib/vtls/gtls.c
		19	+++ b/lib/vtls/gtls.c
		20	@@ -538,6 +538,13 @@ CURLcode gtls_client_init(struct Curl_easy *data,
		21	init_flags \|= GNUTLS_NO_TICKETS;
		22	#endif
		23
		24	+#if defined(GNUTLS_NO_STATUS_REQUEST)
		25	+ if(!config->verifystatus)
		26	+ /* Disable the "status_request" TLS extension, enabled by default since
		27	+ GnuTLS 3.8.0. */
		28	+ init_flags \|= GNUTLS_NO_STATUS_REQUEST;
		29	+#endif
		30	+
		31	rc = gnutls_init(&gtls->session, init_flags);
		32	if(rc != GNUTLS_E_SUCCESS) {
		33	failf(data, "gnutls_init() failed: %d", rc);
		34	@@ -923,104 +930,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
		35	infof(data, " server certificate verification SKIPPED");
		36
		37	if(config->verifystatus) {
		38	- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
		39	- gnutls_datum_t status_request;
		40	- gnutls_ocsp_resp_t ocsp_resp;
		41	+ gnutls_datum_t status_request;
		42	+ gnutls_ocsp_resp_t ocsp_resp;
		43	+ gnutls_ocsp_cert_status_t status;
		44	+ gnutls_x509_crl_reason_t reason;
		45
		46	- gnutls_ocsp_cert_status_t status;
		47	- gnutls_x509_crl_reason_t reason;
		48	+ rc = gnutls_ocsp_status_request_get(session, &status_request);
		49
		50	- rc = gnutls_ocsp_status_request_get(session, &status_request);
		51	+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		52	+ failf(data, "No OCSP response received");
		53	+ return CURLE_SSL_INVALIDCERTSTATUS;
		54	+ }
		55
		56	- infof(data, " server certificate status verification FAILED");
		57	+ if(rc < 0) {
		58	+ failf(data, "Invalid OCSP response received");
		59	+ return CURLE_SSL_INVALIDCERTSTATUS;
		60	+ }
		61
		62	- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		63	- failf(data, "No OCSP response received");
		64	- return CURLE_SSL_INVALIDCERTSTATUS;
		65	- }
		66	+ gnutls_ocsp_resp_init(&ocsp_resp);
		67
		68	- if(rc < 0) {
		69	- failf(data, "Invalid OCSP response received");
		70	- return CURLE_SSL_INVALIDCERTSTATUS;
		71	- }
		72	+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
		73	+ if(rc < 0) {
		74	+ failf(data, "Invalid OCSP response received");
		75	+ return CURLE_SSL_INVALIDCERTSTATUS;
		76	+ }
		77
		78	- gnutls_ocsp_resp_init(&ocsp_resp);
		79	+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
		80	+ &status, NULL, NULL, NULL, &reason);
		81
		82	- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
		83	- if(rc < 0) {
		84	- failf(data, "Invalid OCSP response received");
		85	- return CURLE_SSL_INVALIDCERTSTATUS;
		86	- }
		87	+ switch(status) {
		88	+ case GNUTLS_OCSP_CERT_GOOD:
		89	+ break;
		90
		91	- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
		92	- &status, NULL, NULL, NULL, &reason);
		93	+ case GNUTLS_OCSP_CERT_REVOKED: {
		94	+ const char *crl_reason;
		95
		96	- switch(status) {
		97	- case GNUTLS_OCSP_CERT_GOOD:
		98	+ switch(reason) {
		99	+ default:
		100	+ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
		101	+ crl_reason = "unspecified reason";
		102	break;
		103
		104	- case GNUTLS_OCSP_CERT_REVOKED: {
		105	- const char *crl_reason;
		106	-
		107	- switch(reason) {
		108	- default:
		109	- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
		110	- crl_reason = "unspecified reason";
		111	- break;
		112	-
		113	- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
		114	- crl_reason = "private key compromised";
		115	- break;
		116	-
		117	- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
		118	- crl_reason = "CA compromised";
		119	- break;
		120	-
		121	- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
		122	- crl_reason = "affiliation has changed";
		123	- break;
		124	+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
		125	+ crl_reason = "private key compromised";
		126	+ break;
		127
		128	- case GNUTLS_X509_CRLREASON_SUPERSEDED:
		129	- crl_reason = "certificate superseded";
		130	- break;
		131	+ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
		132	+ crl_reason = "CA compromised";
		133	+ break;
		134
		135	- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
		136	- crl_reason = "operation has ceased";
		137	- break;
		138	+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
		139	+ crl_reason = "affiliation has changed";
		140	+ break;
		141
		142	- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
		143	- crl_reason = "certificate is on hold";
		144	- break;
		145	+ case GNUTLS_X509_CRLREASON_SUPERSEDED:
		146	+ crl_reason = "certificate superseded";
		147	+ break;
		148
		149	- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
		150	- crl_reason = "will be removed from delta CRL";
		151	- break;
		152	+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
		153	+ crl_reason = "operation has ceased";
		154	+ break;
		155
		156	- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
		157	- crl_reason = "privilege withdrawn";
		158	- break;
		159	+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
		160	+ crl_reason = "certificate is on hold";
		161	+ break;
		162
		163	- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
		164	- crl_reason = "AA compromised";
		165	- break;
		166	- }
		167	+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
		168	+ crl_reason = "will be removed from delta CRL";
		169	+ break;
		170
		171	- failf(data, "Server certificate was revoked: %s", crl_reason);
		172	+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
		173	+ crl_reason = "privilege withdrawn";
		174	break;
		175	- }
		176
		177	- default:
		178	- case GNUTLS_OCSP_CERT_UNKNOWN:
		179	- failf(data, "Server certificate status is unknown");
		180	+ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
		181	+ crl_reason = "AA compromised";
		182	break;
		183	}
		184
		185	- gnutls_ocsp_resp_deinit(ocsp_resp);
		186	+ failf(data, "Server certificate was revoked: %s", crl_reason);
		187	+ break;
		188	+ }
		189	+
		190	+ default:
		191	+ case GNUTLS_OCSP_CERT_UNKNOWN:
		192	+ failf(data, "Server certificate status is unknown");
		193	+ break;
		194	+ }
		195
		196	+ gnutls_ocsp_resp_deinit(ocsp_resp);
		197	+ if(status != GNUTLS_OCSP_CERT_GOOD)
		198	return CURLE_SSL_INVALIDCERTSTATUS;
		199	- }
		200	- else
		201	- infof(data, " server certificate status verification OK");
		202	}
		203	else
		204	infof(data, " server certificate status verification SKIPPED");
		205	--
		206	2.25.1
		207


diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 5442d8d4fd..d094604ea1 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -18,6 +18,7 @@ SRC_URI = " \
18	file://CVE-2024-6197.patch \	18	file://CVE-2024-6197.patch \
19	file://CVE-2024-7264-1.patch \	19	file://CVE-2024-7264-1.patch \
20	file://CVE-2024-7264-2.patch \	20	file://CVE-2024-7264-2.patch \
		21	file://CVE-2024-8096.patch \
21	"	22	"
22	SRC_URI[sha256sum] = "6fea2aac6a4610fbd0400afb0bcddbe7258a64c63f1f68e5855ebc0c659710cd"	23	SRC_URI[sha256sum] = "6fea2aac6a4610fbd0400afb0bcddbe7258a64c63f1f68e5855ebc0c659710cd"
23		24