main/curl: patch CVE-2021-22925 CVE-2021-22926

3 files changed, 123 insertions, 3 deletions

diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 28c58b59519..d3d5cb0fd57 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -4,7 +4,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=curl
 pkgver=7.67.0
-pkgrel=4
+pkgrel=5
 pkgdesc="URL retrival utility and library"
 url="https://curl.haxx.se/"
 arch="all"
@@ -21,9 +21,14 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz
 	CVE-2020-8285.patch
 	CVE-2020-8286.patch
 	CVE-2021-22898.patch
+	CVE-2021-22925.patch
+	CVE-2021-22926.patch
 	"
 
 # secfixes:
+#   7.67.0-r5:
+#     - CVE-2021-22925
+#     - CVE-2021-22926
 #   7.67.0-r4:
 #     - CVE-2021-22898
 #   7.67.0-r3:
@@ -149,10 +154,14 @@ static() {
 	mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib
 }
 
-sha512sums="1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29  curl-7.67.0.tar.xz
+sha512sums="
+1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29  curl-7.67.0.tar.xz
 4950975d59bdf8398dd5f4b8338e5f76ae3752247be9054a28753351bcddb46f71a8bd601dba31da1b6b3fbbfbe6192f33a6500144d89f2cfdfb47161e3addba  CVE-2020-8169.patch
 d43f92378c11824e73204b55a8e0952294e5cb17c89503e6fcd4932f812dda244a66c81e20606b4ececed7198bda37e0ca511631bf2ba91e2e9f336290ba5d4b  CVE-2020-8177.patch
 d5f4421e5ac6f89220d00fb156c803edbb64679e9064ca8328269eea3582ee7780f77522b5069a1288cc09e968567175c94139249cc337906243c95d0bc3e684  CVE-2020-8231.patch
 2765302f147ad29b7187d334edfb66076ab81088583dd681ba37aed96eee6a5108ca8281fe185e60494d4aeda003216319d15e05a341f5796698452816fe0f97  CVE-2020-8285.patch
 6c42a589a8bc7b588dcd2c3e656a221000608841b6347c66e640ba818f6ff73fcfaf1ae1948dcbd446689559f54476b0ca5e340fb00f44da1defb7c2573d4a8c  CVE-2020-8286.patch
-c52275bc8ce1463b5a05c5387144b743462a2f551853134254317023ad39445eb53119d88bfb58d17aaa6e5f86985c2f2b540980337eaca1f385ac15818546e6  CVE-2021-22898.patch"
+c52275bc8ce1463b5a05c5387144b743462a2f551853134254317023ad39445eb53119d88bfb58d17aaa6e5f86985c2f2b540980337eaca1f385ac15818546e6  CVE-2021-22898.patch
+c033c26e79c773a9e76823d1e03efc9c52151bc5c55667aeea1e5a3625b860ac75fba5cdd60538d7fa49eebfc7fa31e503930d77179a07fd7c5721a6004f2fa9  CVE-2021-22925.patch
+64b3b81e3a67fdb5c7f28ebeda90170b5b50ed44101d70ec6fcf6c3977a63043d4cd5f9e9dd41a94060bcc32483f1c1dd16ef938420ba6a2d8eef31c174450b0  CVE-2021-22926.patch
+"
diff --git a/main/curl/CVE-2021-22925.patch b/main/curl/CVE-2021-22925.patch
new file mode 100644
index 00000000000..f05caaa5a8c
--- /dev/null
+++ b/main/curl/CVE-2021-22925.patch
@@ -0,0 +1,41 @@
+From 894f6ec730597eb243618d33cc84d71add8d6a8a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 12 Jun 2021 18:25:15 +0200
+Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
+
+CVS-2021-22925
+
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+---
+ lib/telnet.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 1d3024ec4d3e..a81bb81c3675 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -920,12 +920,17 @@ static void suboption(struct Curl_easy *data)
+         size_t tmplen = (strlen(v->data) + 1);
+         /* Add the variable only if it fits */
+         if(len + tmplen < (int)sizeof(temp)-6) {
+-          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+-            msnprintf((char *)&temp[len], sizeof(temp) - len,
+-                      "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+-                      CURL_NEW_ENV_VALUE, varval);
+-            len += tmplen;
+-          }
++          int rv;
++          char sep[2] = "";
++          varval[0] = 0;
++          rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
++          if(rv == 1)
++            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++                             "%c%s", CURL_NEW_ENV_VAR, varname);
++          else if(rv >= 2)
++            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++                             "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
++                             CURL_NEW_ENV_VALUE, varval);
+         }
+       }
+       msnprintf((char *)&temp[len], sizeof(temp) - len,
diff --git a/main/curl/CVE-2021-22926.patch b/main/curl/CVE-2021-22926.patch
new file mode 100644
index 00000000000..fd8094e07ae
--- /dev/null
+++ b/main/curl/CVE-2021-22926.patch
@@ -0,0 +1,70 @@
+From fd9b40bf8dfd43edcbc0d254d613d95a11061c05 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 21 Jun 2021 10:35:09 +0200
+Subject: [PATCH] sectransp: check for client certs by name first, then file
+
+CVE-2021-22926
+
+Bug: https://curl.se/docs/CVE-2021-22926.html
+
+Assisted-by: Daniel Gustafsson
+Reported-by: Harry Sintonen
+---
+ lib/vtls/sectransp.c | 33 +++++++++++++++++++--------------
+ 1 file changed, 19 insertions(+), 14 deletions(-)
+
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 21ca0824bdf6..26b833dd2ac7 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -32,6 +32,7 @@
+ #include "curl_base64.h"
+ #include "strtok.h"
+ #include "multiif.h"
++#include "strcase.h"
+ 
+ #ifdef USE_SECTRANSP
+ 
+@@ -1869,24 +1870,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+     SecIdentityRef cert_and_key = NULL;
+     bool is_cert_file = is_file(ssl_cert);
+ 
+-    /* User wants to authenticate with a client cert. Look for it:
+-       If we detect that this is a file on disk, then let's load it.
+-       Otherwise, assume that the user wants to use an identity loaded
+-       from the Keychain. */
+-    if(is_cert_file) {
++    /* User wants to authenticate with a client cert. Look for it. Assume that
++       the user wants to use an identity loaded from the Keychain. If not, try
++       it as a file on disk */
++
++    if(!is_cert_data)
++      err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
++    else
++      err = !noErr;
++    if((err != noErr) && (is_cert_file || is_cert_data)) {
+       if(!SSL_SET_OPTION(cert_type))
+-        infof(data, "WARNING: SSL: Certificate type not set, assuming "
+-                    "PKCS#12 format.\n");
+-      else if(strncmp(SSL_SET_OPTION(cert_type), "P12",
+-        strlen(SSL_SET_OPTION(cert_type))) != 0)
+-        infof(data, "WARNING: SSL: The Security framework only supports "
+-                    "loading identities that are in PKCS#12 format.\n");
++        infof(data, "SSL: Certificate type not set, assuming "
++              "PKCS#12 format.\n");
++      else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) {
++        failf(data, "SSL: The Security framework only supports "
++              "loading identities that are in PKCS#12 format.\n");
++        return CURLE_SSL_CERTPROBLEM;
++      }
+ 
+       err = CopyIdentityFromPKCS12File(ssl_cert,
+-        SSL_SET_OPTION(key_passwd), &cert_and_key);
++                                       SSL_SET_OPTION(key_passwd),
++                                       &cert_and_key);
+     }
+-    else
+-      err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
+ 
+     if(err == noErr && cert_and_key) {
+       SecCertificateRef cert = NULL;