author | J0WI <J0WI@users.noreply.github.com> | 2021-07-22 15:17:12 +0200 |
---|---|---|
committer | J0WI <J0WI@users.noreply.github.com> | 2021-07-25 15:21:46 +0200 |
commit | 33c24a34a046bdbd3f12734fbde33215b2e9a8c4 (patch) | |
tree | a68bd4ff32391ca34a39d98405a46ff9f96037d8 | |
parent | 46c3c3b9b94ed251528dd748bc64cc676d6b0f02 (diff) |
main/curl: patch CVE-2021-22925 CVE-2021-22926
-rw-r--r-- | main/curl/APKBUILD | 15 | ||||
-rw-r--r-- | main/curl/CVE-2021-22925.patch | 41 | ||||
-rw-r--r-- | main/curl/CVE-2021-22926.patch | 70 |
3 files changed, 123 insertions, 3 deletions
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 28c58b59519..d3d5cb0fd57 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -4,7 +4,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=curl
 pkgver=7.67.0
-pkgrel=4
+pkgrel=5
 pkgdesc="URL retrival utility and library"
 url="https://curl.haxx.se/"
 arch="all"
@@ -21,9 +21,14 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz
 CVE-2020-8285.patch
 CVE-2020-8286.patch
 CVE-2021-22898.patch
+ CVE-2021-22925.patch
+ CVE-2021-22926.patch
 "
 
 # secfixes:
+# 7.67.0-r5:
+# - CVE-2021-22925
+# - CVE-2021-22926
 # 7.67.0-r4:
 # - CVE-2021-22898
 # 7.67.0-r3:
@@ -149,10 +154,14 @@ static() { mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib }
-sha512sums="1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29 curl-7.67.0.tar.xz
+sha512sums="
+1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29 curl-7.67.0.tar.xz
 4950975d59bdf8398dd5f4b8338e5f76ae3752247be9054a28753351bcddb46f71a8bd601dba31da1b6b3fbbfbe6192f33a6500144d89f2cfdfb47161e3addba CVE-2020-8169.patch
 d43f92378c11824e73204b55a8e0952294e5cb17c89503e6fcd4932f812dda244a66c81e20606b4ececed7198bda37e0ca511631bf2ba91e2e9f336290ba5d4b CVE-2020-8177.patch
 d5f4421e5ac6f89220d00fb156c803edbb64679e9064ca8328269eea3582ee7780f77522b5069a1288cc09e968567175c94139249cc337906243c95d0bc3e684 CVE-2020-8231.patch
 2765302f147ad29b7187d334edfb66076ab81088583dd681ba37aed96eee6a5108ca8281fe185e60494d4aeda003216319d15e05a341f5796698452816fe0f97 CVE-2020-8285.patch
 6c42a589a8bc7b588dcd2c3e656a221000608841b6347c66e640ba818f6ff73fcfaf1ae1948dcbd446689559f54476b0ca5e340fb00f44da1defb7c2573d4a8c CVE-2020-8286.patch
-c52275bc8ce1463b5a05c5387144b743462a2f551853134254317023ad39445eb53119d88bfb58d17aaa6e5f86985c2f2b540980337eaca1f385ac15818546e6 CVE-2021-22898.patch"
+c52275bc8ce1463b5a05c5387144b743462a2f551853134254317023ad39445eb53119d88bfb58d17aaa6e5f86985c2f2b540980337eaca1f385ac15818546e6 CVE-2021-22898.patch
+c033c26e79c773a9e76823d1e03efc9c52151bc5c55667aeea1e5a3625b860ac75fba5cdd60538d7fa49eebfc7fa31e503930d77179a07fd7c5721a6004f2fa9 CVE-2021-22925.patch
+64b3b81e3a67fdb5c7f28ebeda90170b5b50ed44101d70ec6fcf6c3977a63043d4cd5f9e9dd41a94060bcc32483f1c1dd16ef938420ba6a2d8eef31c174450b0 CVE-2021-22926.patch
+"
diff --git a/main/curl/CVE-2021-22925.patch b/main/curl/CVE-2021-22925.patch
new file mode 100644
index 00000000000..f05caaa5a8c
--- /dev/null
+++ b/main/curl/CVE-2021-22925.patch
@@ -0,0 +1,41 @@
+From 894f6ec730597eb243618d33cc84d71add8d6a8a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 12 Jun 2021 18:25:15 +0200
+Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
+
+CVS-2021-22925
+
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+---
+ lib/telnet.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 1d3024ec4d3e..a81bb81c3675 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -920,12 +920,17 @@ static void suboption(struct Curl_easy *data)
+ size_t tmplen = (strlen(v->data) + 1);
+ /* Add the variable only if it fits */
+ if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+- msnprintf((char *)&temp[len], sizeof(temp) - len,
+- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+- CURL_NEW_ENV_VALUE, varval);
+- len += tmplen;
+- }
++ int rv;
++ char sep[2] = "";
++ varval[0] = 0;
++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
++ if(rv == 1)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s", CURL_NEW_ENV_VAR, varname);
++ else if(rv >= 2)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
++ CURL_NEW_ENV_VALUE, varval);
+ }
+ }
+ msnprintf((char *)&temp[len], sizeof(temp) - len,
diff --git a/main/curl/CVE-2021-22926.patch b/main/curl/CVE-2021-22926.patch
new file mode 100644
index 00000000000..fd8094e07ae
--- /dev/null
+++ b/main/curl/CVE-2021-22926.patch
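Review bot: In the lib/telnet.c hunk of this patch, the `rv == 1` branch is taken not only for an entry without a comma but also when the name fills the 127-byte `%127[^,]` limit, so an over-long name is now sent truncated and without its value, where the removed `== 2` test skipped such an entry. If that is intended it deserves a comment above the `sscanf` call, for example `/* rv 1: name only, or name cut at 127 bytes; rv 2: "name," with no value, which is why varval is cleared first */`. Advancing `len` by the `msnprintf` return value instead of `tmplen` is what keeps unwritten bytes of `temp` out of the suboption, and the existing `len + tmplen` guard still bounds it because the formatted text cannot be longer than `strlen(v->data) + 1`. `suboption` starts and ends outside the hunk.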
@@ -0,0 +1,70 @@
+From fd9b40bf8dfd43edcbc0d254d613d95a11061c05 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 21 Jun 2021 10:35:09 +0200
+Subject: [PATCH] sectransp: check for client certs by name first, then file
+
+CVE-2021-22926
+
+Bug: https://curl.se/docs/CVE-2021-22926.html
+
+Assisted-by: Daniel Gustafsson
+Reported-by: Harry Sintonen
+---
+ lib/vtls/sectransp.c | 33 +++++++++++++++++++--------------
+ 1 file changed, 19 insertions(+), 14 deletions(-)
+
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 21ca0824bdf6..26b833dd2ac7 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -32,6 +32,7 @@
+ #include "curl_base64.h"
+ #include "strtok.h"
+ #include "multiif.h"
++#include "strcase.h"
+
+ #ifdef USE_SECTRANSP
+
+@@ -1869,24 +1870,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+ SecIdentityRef cert_and_key = NULL;
+ bool is_cert_file = is_file(ssl_cert);
+
+- /* User wants to authenticate with a client cert. Look for it:
+- If we detect that this is a file on disk, then let's load it.
+- Otherwise, assume that the user wants to use an identity loaded
+- from the Keychain. */
+- if(is_cert_file) {
++ /* User wants to authenticate with a client cert. Look for it. Assume that
++ the user wants to use an identity loaded from the Keychain. If not, try
++ it as a file on disk */
++
++ if(!is_cert_data)
++ err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
++ else
++ err = !noErr;
++ if((err != noErr) && (is_cert_file || is_cert_data)) {
+ if(!SSL_SET_OPTION(cert_type))
+- infof(data, "WARNING: SSL: Certificate type not set, assuming "
+- "PKCS#12 format.\n");
+- else if(strncmp(SSL_SET_OPTION(cert_type), "P12",
+- strlen(SSL_SET_OPTION(cert_type))) != 0)
+- infof(data, "WARNING: SSL: The Security framework only supports "
+- "loading identities that are in PKCS#12 format.\n");
++ infof(data, "SSL: Certificate type not set, assuming "
++ "PKCS#12 format.\n");
++ else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) {
++ failf(data, "SSL: The Security framework only supports "
++ "loading identities that are in PKCS#12 format.\n");
++ return CURLE_SSL_CERTPROBLEM;
++ }
+
+ err = CopyIdentityFromPKCS12File(ssl_cert,
+- SSL_SET_OPTION(key_passwd), &cert_and_key);
++ SSL_SET_OPTION(key_passwd),
++ &cert_and_key);
+ }
+- else
+- err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
+
+ if(err == noErr && cert_and_key) {
+ SecCertificateRef cert = NULL; |
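Review bot: The added `if(!is_cert_data)` and `(is_cert_file || is_cert_data)` in `sectransp_connect_step1` read a variable that the hunk's context never declares; the only declaration shown is `bool is_cert_file = is_file(ssl_cert);`. If the packaged 7.67.0 source has no `is_cert_data`, lib/vtls/sectransp.c would stop compiling wherever `USE_SECTRANSP` is defined, and the backport should instead call `err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);` unconditionally and test `if((err != noErr) && is_cert_file) {`. The name-first lookup order itself should be kept as the patch has it. The function body starts and ends outside the hunk.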