aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorpsykose <alice@ayaya.dev>2022-04-27 17:04:53 +0000
committerpsykose <alice@ayaya.dev>2022-04-27 19:04:53 +0200
commit730508d613dbbcc6e002193570b60a41e0a43f74 (patch)
tree6dbb5906e7ab7344cdad8217f0f7f5f1b6386fa0
parente5a8c3fe7051ee091719ddc4d39feb0c3bb53abb (diff)
main/curl: security fixes for CVEs
-rw-r--r--main/curl/APKBUILD20
-rw-r--r--main/curl/CVE-2022-22576.patch143
-rw-r--r--main/curl/CVE-2022-27774-pre.patch41
-rw-r--r--main/curl/CVE-2022-27774.patch78
-rw-r--r--main/curl/CVE-2022-27775.patch35
-rw-r--r--main/curl/CVE-2022-27776.patch113
6 files changed, 428 insertions, 2 deletions
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index fb207bd6816..8a0ab3bc74a 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.79.1
-pkgrel=0
+pkgrel=1
pkgdesc="URL retrival utility and library"
url="https://curl.se/"
arch="all"
@@ -14,10 +14,21 @@ depends_dev="openssl-dev nghttp2-dev zlib-dev"
checkdepends="python3"
makedepends="$depends_dev autoconf automake groff libtool perl"
subpackages="$pkgname-dbg $pkgname-static $pkgname-doc $pkgname-dev libcurl"
-source="https://curl.se/download/curl-$pkgver.tar.xz"
+source="https://curl.se/download/curl-$pkgver.tar.xz
+ CVE-2022-22576.patch
+ CVE-2022-27774-pre.patch
+ CVE-2022-27774.patch
+ CVE-2022-27775.patch
+ CVE-2022-27776.patch
+ "
options="net" # Required for running tests
# secfixes:
+# 7.79.1-r1:
+# - CVE-2022-22576
+# - CVE-2022-27774
+# - CVE-2022-27775
+# - CVE-2022-27776
# 7.79.0-r0:
# - CVE-2021-22945
# - CVE-2021-22946
@@ -159,4 +170,9 @@ static() {
sha512sums="
1edb71647a7f4dbb070baf1a019b4751aefeda793ff523c504410bb5cc74e5bffc52f20dd889697d1585f9ca3c4e81b1a9caadd182c30c8358ffd25f33e4db4d curl-7.79.1.tar.xz
+9456de77de52e7980fb8e42bdc524b56dc7029c8205209de2de39d6354c8f5457e3fc8068d36d55cbf96ae82aabd390afc94721995dfc4b8e4a69bed9d0b00c8 CVE-2022-22576.patch
+63af4876fa94ff11ec3c1d4a36cfd2919083cf57cedc5086703966e627b27d8fac520155214b6f81e80a38a392cbd542f135f218944ae5117cf8b1ba388c7046 CVE-2022-27774-pre.patch
+4161539ebf5b9d4b1c5f4f83a8af313a96f5d9a4871a3da5f1ea564903b9079ac02003816f613e05aec9f3819bd2e152bb7885d0df138997abcaeb4adab897d6 CVE-2022-27774.patch
+c68b3eff3ef6120277c8acbd1d3ce4e16a26219a6b543af03a7bb9c5c3bc5d3480c237f11470995d088c9cbd06531352b86b151038cfcd551477038da0a96b33 CVE-2022-27775.patch
+116d30037af107cd028bd6404b6488106ebe1f3482b65159fe6764c355edf57b5fc460ce034a4eb07053f97128d68e89ef50ae080b33ee82b0fc5460f09866c4 CVE-2022-27776.patch
"
diff --git a/main/curl/CVE-2022-22576.patch b/main/curl/CVE-2022-22576.patch
new file mode 100644
index 00000000000..5238d9998b4
--- /dev/null
+++ b/main/curl/CVE-2022-22576.patch
@@ -0,0 +1,143 @@
+Patch-Source: https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
+From 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 25 Apr 2022 11:44:05 +0200
+Subject: [PATCH] url: check sasl additional parameters for connection reuse.
+
+Also move static function safecmp() as non-static Curl_safecmp() since
+its purpose is needed at several places.
+
+Bug: https://curl.se/docs/CVE-2022-22576.html
+
+CVE-2022-22576
+
+Closes #8746
+---
+ lib/strcase.c | 10 ++++++++++
+ lib/strcase.h | 2 ++
+ lib/url.c | 13 ++++++++++++-
+ lib/urldata.h | 1 +
+ lib/vtls/vtls.c | 21 ++++++---------------
+ 5 files changed, 31 insertions(+), 16 deletions(-)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index dd46ca1ba0e5..692a3f14aee7 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
+ } while(*src++ && --n);
+ }
+
++/* Compare case-sensitive NUL-terminated strings, taking care of possible
++ * null pointers. Return true if arguments match.
++ */
++bool Curl_safecmp(char *a, char *b)
++{
++ if(a && b)
++ return !strcmp(a, b);
++ return !a && !b;
++}
++
+ /* --- public functions --- */
+
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index b234d3815220..2635f5117e99 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -49,4 +49,6 @@ char Curl_raw_toupper(char in);
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+
++bool Curl_safecmp(char *a, char *b);
++
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/lib/url.c b/lib/url.c
+index 9a988b4d58d8..e1647b133854 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -781,6 +781,7 @@ static void conn_free(struct connectdata *conn)
+ Curl_safefree(conn->passwd);
+ Curl_safefree(conn->sasl_authzid);
+ Curl_safefree(conn->options);
++ Curl_safefree(conn->oauth_bearer);
+ Curl_dyn_free(&conn->trailer);
+ Curl_safefree(conn->host.rawalloc); /* host name buffer */
+ Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
+@@ -1342,7 +1343,9 @@ ConnectionExists(struct Curl_easy *data,
+ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+ if(strcmp(needle->user, check->user) ||
+- strcmp(needle->passwd, check->passwd)) {
++ strcmp(needle->passwd, check->passwd) ||
++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
+ /* one of them was different */
+ continue;
+ }
+@@ -3637,6 +3640,14 @@ static CURLcode create_conn(struct Curl_easy *data,
+ }
+ }
+
++ if(data->set.str[STRING_BEARER]) {
++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
++ if(!conn->oauth_bearer) {
++ result = CURLE_OUT_OF_MEMORY;
++ goto out;
++ }
++ }
++
+ #ifdef USE_UNIX_SOCKETS
+ if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
+ conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 07eb19b87034..1d89b8d7fa68 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -984,6 +984,7 @@ struct connectdata {
+ char *passwd; /* password string, allocated */
+ char *options; /* options string, allocated */
+ char *sasl_authzid; /* authorisation identity string, allocated */
++ char *oauth_bearer; /* OAUTH2 bearer, allocated */
+ unsigned char httpversion; /* the HTTP version*10 reported by the server */
+ struct curltime now; /* "current" time */
+ struct curltime created; /* creation time */
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 03b85ba065e5..a40ac06f684f 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
+ return !memcmp(first->data, second->data, first->len); /* same data */
+ }
+
+-static bool safecmp(char *a, char *b)
+-{
+- if(a && b)
+- return !strcmp(a, b);
+- else if(!a && !b)
+- return TRUE; /* match */
+- return FALSE; /* no match */
+-}
+-
+
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config *data,
+@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+ blobcmp(data->cert_blob, needle->cert_blob) &&
+ blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
+ blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
+- safecmp(data->CApath, needle->CApath) &&
+- safecmp(data->CAfile, needle->CAfile) &&
+- safecmp(data->issuercert, needle->issuercert) &&
+- safecmp(data->clientcert, needle->clientcert) &&
+- safecmp(data->random_file, needle->random_file) &&
+- safecmp(data->egdsocket, needle->egdsocket) &&
++ Curl_safecmp(data->CApath, needle->CApath) &&
++ Curl_safecmp(data->CAfile, needle->CAfile) &&
++ Curl_safecmp(data->issuercert, needle->issuercert) &&
++ Curl_safecmp(data->clientcert, needle->clientcert) &&
++ Curl_safecmp(data->random_file, needle->random_file) &&
++ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->curves, needle->curves) &&
diff --git a/main/curl/CVE-2022-27774-pre.patch b/main/curl/CVE-2022-27774-pre.patch
new file mode 100644
index 00000000000..b5cf4fccc30
--- /dev/null
+++ b/main/curl/CVE-2022-27774-pre.patch
@@ -0,0 +1,41 @@
+Patch-Source: https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839
+From 08b8ef4e726ba10f45081ecda5b3cea788d3c839 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH] connect: store "conn_remote_port" in the info struct
+
+To make it available after the connection ended.
+---
+ lib/connect.c | 1 +
+ lib/urldata.h | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index e0b740147157..9bcf525ebb39 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
+ data->info.conn_scheme = conn->handler->scheme;
+ data->info.conn_protocol = conn->handler->protocol;
+ data->info.conn_primary_port = conn->port;
++ data->info.conn_remote_port = conn->remote_port;
+ data->info.conn_local_port = local_port;
+ }
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ef2174d9e727..9c34ec444c08 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1160,7 +1160,11 @@ struct PureInfo {
+ reused, in the connection cache. */
+
+ char conn_primary_ip[MAX_IPADR_LEN];
+- int conn_primary_port;
++ int conn_primary_port; /* this is the destination port to the connection,
++ which might have been a proxy */
++ int conn_remote_port; /* this is the "remote port", which is the port
++ number of the used URL, independent of proxy or
++ not */
+ char conn_local_ip[MAX_IPADR_LEN];
+ int conn_local_port;
+ const char *conn_scheme;
diff --git a/main/curl/CVE-2022-27774.patch b/main/curl/CVE-2022-27774.patch
new file mode 100644
index 00000000000..db358af55e6
--- /dev/null
+++ b/main/curl/CVE-2022-27774.patch
@@ -0,0 +1,78 @@
+Patch-Source: https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79
+From 620ea21410030a9977396b4661806bc187231b79 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH] transfer: redirects to other protocols or ports clear auth
+
+... unless explicitly permitted.
+
+Bug: https://curl.se/docs/CVE-2022-27774.html
+Reported-by: Harry Sintonen
+Closes #8748
+---
+ lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 53ef0b03b8e0..315da876c4a8 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1611,10 +1611,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ return CURLE_OUT_OF_MEMORY;
+ }
+ else {
+-
+ uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
++
++ /* Clear auth if this redirects to a different port number or protocol,
++ unless permitted */
++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
++ char *portnum;
++ int port;
++ bool clear = FALSE;
++
++ if(data->set.use_port && data->state.allow_port)
++ /* a custom port is used */
++ port = (int)data->set.use_port;
++ else {
++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
++ CURLU_DEFAULT_PORT);
++ if(uc) {
++ free(newurl);
++ return Curl_uc_to_curlcode(uc);
++ }
++ port = atoi(portnum);
++ free(portnum);
++ }
++ if(port != data->info.conn_remote_port) {
++ infof(data, "Clear auth, redirects to port from %u to %u",
++ data->info.conn_remote_port, port);
++ clear = TRUE;
++ }
++ else {
++ char *scheme;
++ const struct Curl_handler *p;
++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
++ if(uc) {
++ free(newurl);
++ return Curl_uc_to_curlcode(uc);
++ }
++
++ p = Curl_builtin_scheme(scheme);
++ if(p && (p->protocol != data->info.conn_protocol)) {
++ infof(data, "Clear auth, redirects scheme from %s to %s",
++ data->info.conn_scheme, scheme);
++ clear = TRUE;
++ }
++ free(scheme);
++ }
++ if(clear) {
++ Curl_safefree(data->state.aptr.user);
++ Curl_safefree(data->state.aptr.passwd);
++ }
++ }
+ }
+
+ if(type == FOLLOW_FAKE) {
diff --git a/main/curl/CVE-2022-27775.patch b/main/curl/CVE-2022-27775.patch
new file mode 100644
index 00000000000..e1c02b8969d
--- /dev/null
+++ b/main/curl/CVE-2022-27775.patch
@@ -0,0 +1,35 @@
+Patch-Source: https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705
+From 058f98dc3fe595f21dc26a5b9b1699e519ba5705 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 11:48:00 +0200
+Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
+
+Make connections to two separate IPv6 zone ids create separate
+connections.
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27775.html
+Closes #8747
+---
+ lib/conncache.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/conncache.c b/lib/conncache.c
+index ec669b971dc3..8948b53fa500 100644
+--- a/lib/conncache.c
++++ b/lib/conncache.c
+@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf,
+ /* report back which name we used */
+ *hostp = hostname;
+
+- /* put the number first so that the hostname gets cut off if too long */
+- msnprintf(buf, len, "%ld%s", port, hostname);
++ /* put the numbers first so that the hostname gets cut off if too long */
++#ifdef ENABLE_IPV6
++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
++#else
++ msnprintf(buf, len, "%ld/%s", port, hostname);
++#endif
+ Curl_strntolower(buf, buf, len);
+ }
+
diff --git a/main/curl/CVE-2022-27776.patch b/main/curl/CVE-2022-27776.patch
new file mode 100644
index 00000000000..59ffa79a36a
--- /dev/null
+++ b/main/curl/CVE-2022-27776.patch
@@ -0,0 +1,113 @@
+Patch-Source: https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258
+From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 13:05:40 +0200
+Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port
+
+CVE-2022-27776
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27776.html
+Closes #8749
+---
+ lib/http.c | 34 ++++++++++++++++++++++------------
+ lib/urldata.h | 16 +++++++++-------
+ 2 files changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index ce79fc4e31c8..f0476f3b9272 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
+ return CURLE_OK;
+ }
+
++/*
++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
++ * data" can (still) be sent to this host.
++ */
++static bool allow_auth_to_host(struct Curl_easy *data)
++{
++ struct connectdata *conn = data->conn;
++ return (!data->state.this_is_a_follow ||
++ data->set.allow_auth_to_other_hosts ||
++ (data->state.first_host &&
++ strcasecompare(data->state.first_host, conn->host.name) &&
++ (data->state.first_remote_port == conn->remote_port) &&
++ (data->state.first_remote_protocol == conn->handler->protocol)));
++}
++
+ /**
+ * Curl_http_output_auth() setups the authentication headers for the
+ * host/proxy and the correct authentication
+@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data,
+ with it */
+ authproxy->done = TRUE;
+
+- /* To prevent the user+password to get sent to other than the original
+- host due to a location-follow, we do some weirdo checks here */
+- if(!data->state.this_is_a_follow ||
++ /* To prevent the user+password to get sent to other than the original host
++ due to a location-follow */
++ if(allow_auth_to_host(data)
+ #ifndef CURL_DISABLE_NETRC
+- conn->bits.netrc ||
++ || conn->bits.netrc
+ #endif
+- !data->state.first_host ||
+- data->set.allow_auth_to_other_hosts ||
+- strcasecompare(data->state.first_host, conn->host.name)) {
++ )
+ result = output_auth_headers(data, conn, authhost, request, path, FALSE);
+- }
+ else
+ authhost->done = TRUE;
+
+@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+ checkprefix("Cookie:", compare)) &&
+ /* be careful of sending this potentially sensitive header to
+ other hosts */
+- (data->state.this_is_a_follow &&
+- data->state.first_host &&
+- !data->set.allow_auth_to_other_hosts &&
+- !strcasecompare(data->state.first_host, conn->host.name)))
++ !allow_auth_to_host(data))
+ ;
+ else {
+ #ifdef USE_HYPER
+@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
+ return CURLE_OUT_OF_MEMORY;
+
+ data->state.first_remote_port = conn->remote_port;
++ data->state.first_remote_protocol = conn->handler->protocol;
+ }
+ Curl_safefree(data->state.aptr.host);
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 1d89b8d7fa68..ef2174d9e727 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1329,14 +1329,16 @@ struct UrlState {
+ char *ulbuf; /* allocated upload buffer or NULL */
+ curl_off_t current_speed; /* the ProgressShow() function sets this,
+ bytes / second */
+- char *first_host; /* host name of the first (not followed) request.
+- if set, this should be the host name that we will
+- sent authorization to, no else. Used to make Location:
+- following not keep sending user+password... This is
+- strdup() data.
+- */
++
++ /* host name, port number and protocol of the first (not followed) request.
++ if set, this should be the host name that we will sent authorization to,
++ no else. Used to make Location: following not keep sending user+password.
++ This is strdup()ed data. */
++ char *first_host;
++ int first_remote_port;
++ unsigned int first_remote_protocol;
++
+ int retrycount; /* number of retries on a new connection */
+- int first_remote_port; /* remote port of the first (not followed) request */
+ struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
+ long sessionage; /* number of the most recent session */
+ struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */