[kirkstone] curl: Upgrade to 7.84.0

Message ID 20220705110846.901820-1-mingli.yu@windriver.com
State New, archived
Series [kirkstone] curl: Upgrade to 7.84.0

Commit Message

Yu, Mingli July 5, 2022, 11:08 a.m. UTC
From: Mingli Yu <mingli.yu@windriver.com>

Upgrade to 7.84.0 to fix CVEs [1].

Backport a patch fixing a compile issue where sched.h was not included
on certain platforms.

[1] https://curl.se/changes.html#7_84_0

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
 ...ude-sched.h-if-available-to-fix-buil.patch |  33 ++
 .../curl/curl/CVE-2022-22576.patch            | 145 ------
 .../curl/curl/CVE-2022-27774-1.patch          |  45 --
 .../curl/curl/CVE-2022-27774-2.patch          |  80 ---
 .../curl/curl/CVE-2022-27774-3.patch          |  83 ----
 .../curl/curl/CVE-2022-27774-4.patch          |  35 --
 .../curl/curl/CVE-2022-27775.patch            |  37 --
 .../curl/curl/CVE-2022-27776.patch            | 115 -----
 .../curl/curl/CVE-2022-27779.patch            |  42 --
 .../curl/curl/CVE-2022-27780.patch            |  33 --
 .../curl/curl/CVE-2022-27781.patch            |  43 --
 .../curl/curl/CVE-2022-27782-1.patch          | 458 ------------------
 .../curl/curl/CVE-2022-27782-2.patch          |  71 ---
 .../curl/curl/CVE-2022-30115.patch            |  82 ----
 .../curl/{curl_7.82.0.bb => curl_7.84.0.bb}   |  16 +-
 15 files changed, 35 insertions(+), 1283 deletions(-)
 create mode 100644 meta/recipes-support/curl/curl/0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-22576.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27775.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27776.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27779.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27780.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-30115.patch
 rename meta/recipes-support/curl/{curl_7.82.0.bb => curl_7.84.0.bb} (87%)

Comments

Steve Sakoman July 5, 2022, 2:49 p.m. UTC | #1
On Tue, Jul 5, 2022 at 1:09 AM Yu, Mingli <mingli.yu@windriver.com> wrote:
>
> From: Mingli Yu <mingli.yu@windriver.com>
>
> Upgrade to 7.84.0 to fix CVEs [1].

Sorry, but this patch does two major and one minor version updates
(7.82.0 -> 7.83.0 -> 7.83.1 -> 7.84.0)

Since these major version updates include new features I can't take
this patch for an LTS release.

We'd have to backport the individual CVE fix commits to 7.82.0 if possible.

I do appreciate the help with fixing CVEs though, so please don't be
discouraged by this!

Steve

>
> Backport a patch fixing a compile issue where sched.h was not included
> on certain platforms.
>
> [1] https://curl.se/changes.html#7_84_0
>
> Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
> ---
>  ...ude-sched.h-if-available-to-fix-buil.patch |  33 ++
>  .../curl/curl/CVE-2022-22576.patch            | 145 ------
>  .../curl/curl/CVE-2022-27774-1.patch          |  45 --
>  .../curl/curl/CVE-2022-27774-2.patch          |  80 ---
>  .../curl/curl/CVE-2022-27774-3.patch          |  83 ----
>  .../curl/curl/CVE-2022-27774-4.patch          |  35 --
>  .../curl/curl/CVE-2022-27775.patch            |  37 --
>  .../curl/curl/CVE-2022-27776.patch            | 115 -----
>  .../curl/curl/CVE-2022-27779.patch            |  42 --
>  .../curl/curl/CVE-2022-27780.patch            |  33 --
>  .../curl/curl/CVE-2022-27781.patch            |  43 --
>  .../curl/curl/CVE-2022-27782-1.patch          | 458 ------------------
>  .../curl/curl/CVE-2022-27782-2.patch          |  71 ---
>  .../curl/curl/CVE-2022-30115.patch            |  82 ----
>  .../curl/{curl_7.82.0.bb => curl_7.84.0.bb}   |  16 +-
>  15 files changed, 35 insertions(+), 1283 deletions(-)
>  create mode 100644 meta/recipes-support/curl/curl/0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch
>  delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-22576.patch
>  delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
>  delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
>  delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
>  delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
>  delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27775.patch
>  delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27776.patch
>  delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27779.patch
>  delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27780.patch
>  delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch
>  delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
>  delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
>  delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-30115.patch
>  rename meta/recipes-support/curl/{curl_7.82.0.bb => curl_7.84.0.bb} (87%)
>
> diff --git a/meta/recipes-support/curl/curl/0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch b/meta/recipes-support/curl/curl/0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch
> new file mode 100644
> index 0000000000..771bdb2b96
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch
> @@ -0,0 +1,33 @@
> +From e2e7f54b7bea521fa8373095d0f43261a720cda0 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Mon, 27 Jun 2022 08:46:21 +0200
> +Subject: [PATCH] easy_lock.h: include sched.h if available to fix build
> +
> +Patched-by: Harry Sintonen
> +
> +Closes #9054
> +
> +Upstream-Status: Backport [e2e7f54b7bea521fa8373095d0f43261a720cda0]
> +
> +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> +---
> + lib/easy_lock.h | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/lib/easy_lock.h b/lib/easy_lock.h
> +index 819f50ce8..1f54289ce 100644
> +--- a/lib/easy_lock.h
> ++++ b/lib/easy_lock.h
> +@@ -36,6 +36,9 @@
> +
> + #elif defined (HAVE_ATOMIC)
> + #include <stdatomic.h>
> ++#if defined(HAVE_SCHED_YIELD)
> ++#include <sched.h>
> ++#endif
> +
> + #define curl_simple_lock atomic_bool
> + #define CURL_SIMPLE_LOCK_INIT false
> +--
> +2.35.1
> +
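
Review bot: the Upstream-Status line in the header of the new 0001-easy_lock.h patch gives only the bare hash e2e7f54b7bea521fa8373095d0f43261a720cda0, while the CVE patches removed by this same commit use the full https://github.com/curl/curl/commit/... form. Please use the URL form here as well so the backport can be checked against upstream without guessing the repository. The header also carries only Robert Joslyn's Signed-off-by and not the submitter's; if the file was picked from another branch rather than prepared for this submission, the commit message should say where it came from.
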
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-22576.patch b/meta/recipes-support/curl/curl/CVE-2022-22576.patch
> deleted file mode 100644
> index 469cf220ba..0000000000
> --- a/meta/recipes-support/curl/curl/CVE-2022-22576.patch
> +++ /dev/null
> @@ -1,145 +0,0 @@
> -From 371264697a70e8ed3da678aefbe20940759485fa Mon Sep 17 00:00:00 2001
> -From: Patrick Monnerat <patrick@monnerat.net>
> -Date: Mon, 25 Apr 2022 11:44:05 +0200
> -Subject: [PATCH] url: check sasl additional parameters for connection reuse.
> -
> -Also move static function safecmp() as non-static Curl_safecmp() since
> -its purpose is needed at several places.
> -
> -Bug: https://curl.se/docs/CVE-2022-22576.html
> -
> -CVE-2022-22576
> -
> -Closes #8746
> -
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425]
> -Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ----
> - lib/strcase.c   | 10 ++++++++++
> - lib/strcase.h   |  2 ++
> - lib/url.c       | 13 ++++++++++++-
> - lib/urldata.h   |  1 +
> - lib/vtls/vtls.c | 21 ++++++---------------
> - 5 files changed, 31 insertions(+), 16 deletions(-)
> -
> -diff --git a/lib/strcase.c b/lib/strcase.c
> -index dd46ca1..692a3f1 100644
> ---- a/lib/strcase.c
> -+++ b/lib/strcase.c
> -@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
> -   } while(*src++ && --n);
> - }
> -
> -+/* Compare case-sensitive NUL-terminated strings, taking care of possible
> -+ * null pointers. Return true if arguments match.
> -+ */
> -+bool Curl_safecmp(char *a, char *b)
> -+{
> -+  if(a && b)
> -+    return !strcmp(a, b);
> -+  return !a && !b;
> -+}
> -+
> - /* --- public functions --- */
> -
> - int curl_strequal(const char *first, const char *second)
> -diff --git a/lib/strcase.h b/lib/strcase.h
> -index b628656..382b80a 100644
> ---- a/lib/strcase.h
> -+++ b/lib/strcase.h
> -@@ -47,4 +47,6 @@ char Curl_raw_toupper(char in);
> - void Curl_strntoupper(char *dest, const char *src, size_t n);
> - void Curl_strntolower(char *dest, const char *src, size_t n);
> -
> -+bool Curl_safecmp(char *a, char *b);
> -+
> - #endif /* HEADER_CURL_STRCASE_H */
> -diff --git a/lib/url.c b/lib/url.c
> -index adef2cd..94e3406 100644
> ---- a/lib/url.c
> -+++ b/lib/url.c
> -@@ -779,6 +779,7 @@ static void conn_free(struct connectdata *conn)
> -   Curl_safefree(conn->passwd);
> -   Curl_safefree(conn->sasl_authzid);
> -   Curl_safefree(conn->options);
> -+  Curl_safefree(conn->oauth_bearer);
> -   Curl_dyn_free(&conn->trailer);
> -   Curl_safefree(conn->host.rawalloc); /* host name buffer */
> -   Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
> -@@ -1340,7 +1341,9 @@ ConnectionExists(struct Curl_easy *data,
> -         /* This protocol requires credentials per connection,
> -            so verify that we're using the same name and password as well */
> -         if(strcmp(needle->user, check->user) ||
> --           strcmp(needle->passwd, check->passwd)) {
> -+           strcmp(needle->passwd, check->passwd) ||
> -+           !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
> -+           !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
> -           /* one of them was different */
> -           continue;
> -         }
> -@@ -3635,6 +3638,14 @@ static CURLcode create_conn(struct Curl_easy *data,
> -     }
> -   }
> -
> -+  if(data->set.str[STRING_BEARER]) {
> -+    conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
> -+    if(!conn->oauth_bearer) {
> -+      result = CURLE_OUT_OF_MEMORY;
> -+      goto out;
> -+    }
> -+  }
> -+
> - #ifdef USE_UNIX_SOCKETS
> -   if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
> -     conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
> -diff --git a/lib/urldata.h b/lib/urldata.h
> -index cc8a600..03da59a 100644
> ---- a/lib/urldata.h
> -+++ b/lib/urldata.h
> -@@ -984,6 +984,7 @@ struct connectdata {
> -   char *passwd;  /* password string, allocated */
> -   char *options; /* options string, allocated */
> -   char *sasl_authzid;     /* authorisation identity string, allocated */
> -+  char *oauth_bearer; /* OAUTH2 bearer, allocated */
> -   unsigned char httpversion; /* the HTTP version*10 reported by the server */
> -   struct curltime now;     /* "current" time */
> -   struct curltime created; /* creation time */
> -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
> -index 03b85ba..a40ac06 100644
> ---- a/lib/vtls/vtls.c
> -+++ b/lib/vtls/vtls.c
> -@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
> -   return !memcmp(first->data, second->data, first->len); /* same data */
> - }
> -
> --static bool safecmp(char *a, char *b)
> --{
> --  if(a && b)
> --    return !strcmp(a, b);
> --  else if(!a && !b)
> --    return TRUE; /* match */
> --  return FALSE; /* no match */
> --}
> --
> -
> - bool
> - Curl_ssl_config_matches(struct ssl_primary_config *data,
> -@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
> -      blobcmp(data->cert_blob, needle->cert_blob) &&
> -      blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
> -      blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
> --     safecmp(data->CApath, needle->CApath) &&
> --     safecmp(data->CAfile, needle->CAfile) &&
> --     safecmp(data->issuercert, needle->issuercert) &&
> --     safecmp(data->clientcert, needle->clientcert) &&
> --     safecmp(data->random_file, needle->random_file) &&
> --     safecmp(data->egdsocket, needle->egdsocket) &&
> -+     Curl_safecmp(data->CApath, needle->CApath) &&
> -+     Curl_safecmp(data->CAfile, needle->CAfile) &&
> -+     Curl_safecmp(data->issuercert, needle->issuercert) &&
> -+     Curl_safecmp(data->clientcert, needle->clientcert) &&
> -+     Curl_safecmp(data->random_file, needle->random_file) &&
> -+     Curl_safecmp(data->egdsocket, needle->egdsocket) &&
> -      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
> -      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
> -      Curl_safe_strcasecompare(data->curves, needle->curves) &&
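
Review bot: the commit message justifies deleting CVE-2022-22576.patch only with "Upgrade to 7.84.0 to fix CVEs [1]" and never states that this fix is part of the new release. The removed header records the upstream commit in its Upstream-Status line (852aa5ad351ea53e5f01d2f44b5b4370c2bf5425); please say in the commit message that each dropped CVE-*.patch is contained in 7.84.0 and list the CVE ids the upgrade newly addresses, so that losing the sasl_authzid and oauth_bearer comparisons in ConnectionExists() can be verified against the new source rather than assumed. The same applies to the other twelve CVE patch deletions in this commit.
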
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
> deleted file mode 100644
> index f24003fd79..0000000000
> --- a/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
> +++ /dev/null
> @@ -1,45 +0,0 @@
> -From f489d50ca5fd8b6a3a622e2521e2ca52787a6608 Mon Sep 17 00:00:00 2001
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Mon, 25 Apr 2022 16:24:33 +0200
> -Subject: [PATCH] connect: store "conn_remote_port" in the info struct
> -
> -To make it available after the connection ended.
> -
> -Prerequisite for the patches that address CVE-2022-27774.
> -
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839]
> -Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ----
> - lib/connect.c | 1 +
> - lib/urldata.h | 6 +++++-
> - 2 files changed, 6 insertions(+), 1 deletion(-)
> -
> -diff --git a/lib/connect.c b/lib/connect.c
> -index 64f9511..7518807 100644
> ---- a/lib/connect.c
> -+++ b/lib/connect.c
> -@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
> -   data->info.conn_scheme = conn->handler->scheme;
> -   data->info.conn_protocol = conn->handler->protocol;
> -   data->info.conn_primary_port = conn->port;
> -+  data->info.conn_remote_port = conn->remote_port;
> -   data->info.conn_local_port = local_port;
> - }
> -
> -diff --git a/lib/urldata.h b/lib/urldata.h
> -index f92052a..5218f76 100644
> ---- a/lib/urldata.h
> -+++ b/lib/urldata.h
> -@@ -1160,7 +1160,11 @@ struct PureInfo {
> -      reused, in the connection cache. */
> -
> -   char conn_primary_ip[MAX_IPADR_LEN];
> --  int conn_primary_port;
> -+  int conn_primary_port; /* this is the destination port to the connection,
> -+                            which might have been a proxy */
> -+  int conn_remote_port;  /* this is the "remote port", which is the port
> -+                            number of the used URL, independent of proxy or
> -+                            not */
> -   char conn_local_ip[MAX_IPADR_LEN];
> -   int conn_local_port;
> -   const char *conn_scheme;
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
> deleted file mode 100644
> index 9739634dfe..0000000000
> --- a/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
> +++ /dev/null
> @@ -1,80 +0,0 @@
> -From 50aebd6ea20956513e9b7d7c776830b54d9c8ff6 Mon Sep 17 00:00:00 2001
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Mon, 25 Apr 2022 16:24:33 +0200
> -Subject: [PATCH] transfer: redirects to other protocols or ports clear auth
> -
> -... unless explicitly permitted.
> -
> -Bug: https://curl.se/docs/CVE-2022-27774.html
> -Reported-by: Harry Sintonen
> -Closes #8748
> -
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79]
> -Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ----
> - lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
> - 1 file changed, 48 insertions(+), 1 deletion(-)
> -
> -diff --git a/lib/transfer.c b/lib/transfer.c
> -index 1f8019b..752fe14 100644
> ---- a/lib/transfer.c
> -+++ b/lib/transfer.c
> -@@ -1608,10 +1608,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
> -       return CURLE_OUT_OF_MEMORY;
> -   }
> -   else {
> --
> -     uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
> -     if(uc)
> -       return Curl_uc_to_curlcode(uc);
> -+
> -+    /* Clear auth if this redirects to a different port number or protocol,
> -+       unless permitted */
> -+    if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
> -+      char *portnum;
> -+      int port;
> -+      bool clear = FALSE;
> -+
> -+      if(data->set.use_port && data->state.allow_port)
> -+        /* a custom port is used */
> -+        port = (int)data->set.use_port;
> -+      else {
> -+        uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
> -+                          CURLU_DEFAULT_PORT);
> -+        if(uc) {
> -+          free(newurl);
> -+          return Curl_uc_to_curlcode(uc);
> -+        }
> -+        port = atoi(portnum);
> -+        free(portnum);
> -+      }
> -+      if(port != data->info.conn_remote_port) {
> -+        infof(data, "Clear auth, redirects to port from %u to %u",
> -+              data->info.conn_remote_port, port);
> -+        clear = TRUE;
> -+      }
> -+      else {
> -+        char *scheme;
> -+        const struct Curl_handler *p;
> -+        uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
> -+        if(uc) {
> -+          free(newurl);
> -+          return Curl_uc_to_curlcode(uc);
> -+        }
> -+
> -+        p = Curl_builtin_scheme(scheme);
> -+        if(p && (p->protocol != data->info.conn_protocol)) {
> -+          infof(data, "Clear auth, redirects scheme from %s to %s",
> -+                data->info.conn_scheme, scheme);
> -+          clear = TRUE;
> -+        }
> -+        free(scheme);
> -+      }
> -+      if(clear) {
> -+        Curl_safefree(data->state.aptr.user);
> -+        Curl_safefree(data->state.aptr.passwd);
> -+      }
> -+    }
> -   }
> -
> -   if(type == FOLLOW_FAKE) {
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
> deleted file mode 100644
> index e4e8c294a6..0000000000
> --- a/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
> +++ /dev/null
> @@ -1,83 +0,0 @@
> -From 8af08ebf94bc6448dbc7da59845f5b78964689d9 Mon Sep 17 00:00:00 2001
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Mon, 25 Apr 2022 17:59:15 +0200
> -Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either
> -
> -Follow-up to 620ea21410030
> -
> -Reported-by: Harry Sintonen
> -Closes #8751
> -
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08]
> -Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ----
> - lib/http.c         | 10 +++++-----
> - lib/http.h         |  6 ++++++
> - lib/vtls/openssl.c |  3 ++-
> - 3 files changed, 13 insertions(+), 6 deletions(-)
> -
> -diff --git a/lib/http.c b/lib/http.c
> -index 0791dcf..4433824 100644
> ---- a/lib/http.c
> -+++ b/lib/http.c
> -@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
> - }
> -
> - /*
> -- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
> -- * data" can (still) be sent to this host.
> -+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
> -+ * "sensitive data" can (still) be sent to this host.
> -  */
> --static bool allow_auth_to_host(struct Curl_easy *data)
> -+bool Curl_allow_auth_to_host(struct Curl_easy *data)
> - {
> -   struct connectdata *conn = data->conn;
> -   return (!data->state.this_is_a_follow ||
> -@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
> -
> -   /* To prevent the user+password to get sent to other than the original host
> -      due to a location-follow */
> --  if(allow_auth_to_host(data)
> -+  if(Curl_allow_auth_to_host(data)
> - #ifndef CURL_DISABLE_NETRC
> -      || conn->bits.netrc
> - #endif
> -@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
> -                    checkprefix("Cookie:", compare)) &&
> -                   /* be careful of sending this potentially sensitive header to
> -                      other hosts */
> --                  !allow_auth_to_host(data))
> -+                  !Curl_allow_auth_to_host(data))
> -             ;
> -           else {
> - #ifdef USE_HYPER
> -diff --git a/lib/http.h b/lib/http.h
> -index 07e963d..9000bae 100644
> ---- a/lib/http.h
> -+++ b/lib/http.h
> -@@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data,
> -                       bool proxytunnel); /* TRUE if this is the request setting
> -                                             up the proxy tunnel */
> -
> -+/*
> -+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
> -+ * "sensitive data" can (still) be sent to this host.
> -+ */
> -+bool Curl_allow_auth_to_host(struct Curl_easy *data);
> -+
> - #endif /* HEADER_CURL_HTTP_H */
> -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
> -index 616a510..e8633f4 100644
> ---- a/lib/vtls/openssl.c
> -+++ b/lib/vtls/openssl.c
> -@@ -2893,7 +2893,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
> - #endif
> -
> - #ifdef USE_OPENSSL_SRP
> --  if(ssl_authtype == CURL_TLSAUTH_SRP) {
> -+  if((ssl_authtype == CURL_TLSAUTH_SRP) &&
> -+     Curl_allow_auth_to_host(data)) {
> -     char * const ssl_username = SSL_SET_OPTION(username);
> -
> -     infof(data, "Using TLS-SRP username: %s", ssl_username);
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
> deleted file mode 100644
> index a642336797..0000000000
> --- a/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
> +++ /dev/null
> @@ -1,35 +0,0 @@
> -From 56a145d6ca031841610daeebde99fbde0f8fcf21 Mon Sep 17 00:00:00 2001
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Tue, 26 Apr 2022 07:46:19 +0200
> -Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects
> -
> -Follow-up to 620ea21410030 and 139a54ed0a172a
> -
> -Reported-by: Harry Sintonen
> -Closes #8752
> -
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/093531556203decd92d92bccd431edbe5561781c]
> -Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ----
> - lib/vtls/gtls.c | 6 +++---
> - 1 file changed, 3 insertions(+), 3 deletions(-)
> -
> -diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
> -index 5749376..fe45b3a 100644
> ---- a/lib/vtls/gtls.c
> -+++ b/lib/vtls/gtls.c
> -@@ -437,11 +437,11 @@ gtls_connect_step1(struct Curl_easy *data,
> -   }
> -
> - #ifdef HAVE_GNUTLS_SRP
> --  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
> -+  if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
> -+     Curl_allow_auth_to_host(data)) {
> -     infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
> -
> --    rc = gnutls_srp_allocate_client_credentials(
> --           &backend->srp_client_cred);
> -+    rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
> -     if(rc != GNUTLS_E_SUCCESS) {
> -       failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
> -             gnutls_strerror(rc));
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-27775.patch b/meta/recipes-support/curl/curl/CVE-2022-27775.patch
> deleted file mode 100644
> index 666a906352..0000000000
> --- a/meta/recipes-support/curl/curl/CVE-2022-27775.patch
> +++ /dev/null
> @@ -1,37 +0,0 @@
> -From eef2b165c39245857b1663e9153e7c4b4b519a4c Mon Sep 17 00:00:00 2001
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Mon, 25 Apr 2022 11:48:00 +0200
> -Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
> -
> -Make connections to two separate IPv6 zone ids create separate
> -connections.
> -
> -Reported-by: Harry Sintonen
> -Bug: https://curl.se/docs/CVE-2022-27775.html
> -Closes #8747
> -
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705]
> -Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ----
> - lib/conncache.c | 8 ++++++--
> - 1 file changed, 6 insertions(+), 2 deletions(-)
> -
> -diff --git a/lib/conncache.c b/lib/conncache.c
> -index cd5756a..9b9f683 100644
> ---- a/lib/conncache.c
> -+++ b/lib/conncache.c
> -@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf,
> -     /* report back which name we used */
> -     *hostp = hostname;
> -
> --  /* put the number first so that the hostname gets cut off if too long */
> --  msnprintf(buf, len, "%ld%s", port, hostname);
> -+  /* put the numbers first so that the hostname gets cut off if too long */
> -+#ifdef ENABLE_IPV6
> -+  msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
> -+#else
> -+  msnprintf(buf, len, "%ld/%s", port, hostname);
> -+#endif
> -   Curl_strntolower(buf, buf, len);
> - }
> -
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-27776.patch b/meta/recipes-support/curl/curl/CVE-2022-27776.patch
> deleted file mode 100644
> index 2feee45200..0000000000
> --- a/meta/recipes-support/curl/curl/CVE-2022-27776.patch
> +++ /dev/null
> @@ -1,115 +0,0 @@
> -From f6eba3638f9b25adfe85f3570f9a0fb2ceb09c2b Mon Sep 17 00:00:00 2001
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Mon, 25 Apr 2022 13:05:40 +0200
> -Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port
> -
> -CVE-2022-27776
> -
> -Reported-by: Harry Sintonen
> -Bug: https://curl.se/docs/CVE-2022-27776.html
> -Closes #8749
> -
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258]
> -Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ----
> - lib/http.c    | 34 ++++++++++++++++++++++------------
> - lib/urldata.h | 16 +++++++++-------
> - 2 files changed, 31 insertions(+), 19 deletions(-)
> -
> -diff --git a/lib/http.c b/lib/http.c
> -index 799d4fb..0791dcf 100644
> ---- a/lib/http.c
> -+++ b/lib/http.c
> -@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
> -   return CURLE_OK;
> - }
> -
> -+/*
> -+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
> -+ * data" can (still) be sent to this host.
> -+ */
> -+static bool allow_auth_to_host(struct Curl_easy *data)
> -+{
> -+  struct connectdata *conn = data->conn;
> -+  return (!data->state.this_is_a_follow ||
> -+          data->set.allow_auth_to_other_hosts ||
> -+          (data->state.first_host &&
> -+           strcasecompare(data->state.first_host, conn->host.name) &&
> -+           (data->state.first_remote_port == conn->remote_port) &&
> -+           (data->state.first_remote_protocol == conn->handler->protocol)));
> -+}
> -+
> - /**
> -  * Curl_http_output_auth() setups the authentication headers for the
> -  * host/proxy and the correct authentication
> -@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data,
> -        with it */
> -     authproxy->done = TRUE;
> -
> --  /* To prevent the user+password to get sent to other than the original
> --     host due to a location-follow, we do some weirdo checks here */
> --  if(!data->state.this_is_a_follow ||
> -+  /* To prevent the user+password to get sent to other than the original host
> -+     due to a location-follow */
> -+  if(allow_auth_to_host(data)
> - #ifndef CURL_DISABLE_NETRC
> --     conn->bits.netrc ||
> -+     || conn->bits.netrc
> - #endif
> --     !data->state.first_host ||
> --     data->set.allow_auth_to_other_hosts ||
> --     strcasecompare(data->state.first_host, conn->host.name)) {
> -+    )
> -     result = output_auth_headers(data, conn, authhost, request, path, FALSE);
> --  }
> -   else
> -     authhost->done = TRUE;
> -
> -@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
> -                    checkprefix("Cookie:", compare)) &&
> -                   /* be careful of sending this potentially sensitive header to
> -                      other hosts */
> --                  (data->state.this_is_a_follow &&
> --                   data->state.first_host &&
> --                   !data->set.allow_auth_to_other_hosts &&
> --                   !strcasecompare(data->state.first_host, conn->host.name)))
> -+                  !allow_auth_to_host(data))
> -             ;
> -           else {
> - #ifdef USE_HYPER
> -@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
> -       return CURLE_OUT_OF_MEMORY;
> -
> -     data->state.first_remote_port = conn->remote_port;
> -+    data->state.first_remote_protocol = conn->handler->protocol;
> -   }
> -   Curl_safefree(data->state.aptr.host);
> -
> -diff --git a/lib/urldata.h b/lib/urldata.h
> -index 03da59a..f92052a 100644
> ---- a/lib/urldata.h
> -+++ b/lib/urldata.h
> -@@ -1329,14 +1329,16 @@ struct UrlState {
> -   char *ulbuf; /* allocated upload buffer or NULL */
> -   curl_off_t current_speed;  /* the ProgressShow() function sets this,
> -                                 bytes / second */
> --  char *first_host; /* host name of the first (not followed) request.
> --                       if set, this should be the host name that we will
> --                       sent authorization to, no else. Used to make Location:
> --                       following not keep sending user+password... This is
> --                       strdup() data.
> --                    */
> -+
> -+  /* host name, port number and protocol of the first (not followed) request.
> -+     if set, this should be the host name that we will sent authorization to,
> -+     no else. Used to make Location: following not keep sending user+password.
> -+     This is strdup()ed data. */
> -+  char *first_host;
> -+  int first_remote_port;
> -+  unsigned int first_remote_protocol;
> -+
> -   int retrycount; /* number of retries on a new connection */
> --  int first_remote_port; /* remote port of the first (not followed) request */
> -   struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
> -   long sessionage;                  /* number of the most recent session */
> -   struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-27779.patch b/meta/recipes-support/curl/curl/CVE-2022-27779.patch
> deleted file mode 100644
> index 235be900a3..0000000000
> --- a/meta/recipes-support/curl/curl/CVE-2022-27779.patch
> +++ /dev/null
> @@ -1,42 +0,0 @@
> -From 33dac5777fe5f9c8d2d7d340144b1685cd511d11 Mon Sep 17 00:00:00 2001
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Mon, 9 May 2022 16:47:06 +0200
> -Subject: [PATCH] cookies: make bad_domain() not consider a trailing dot fine
> -
> -The check for a dot in the domain must not consider a single trailing
> -dot to be fine, as then TLD + trailing dot is fine and curl will accept
> -setting cookies for it.
> -
> -CVE-2022-27779
> -
> -Reported-by: Axel Chong
> -Bug: https://curl.se/docs/CVE-2022-27779.html
> -Closes #8820
> -
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/7e92d12b4e6911f424678a133b19de670e183a59]
> -Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ----
> - lib/cookie.c | 10 +++++++++-
> - 1 file changed, 9 insertions(+), 1 deletion(-)
> -
> -diff --git a/lib/cookie.c b/lib/cookie.c
> -index d418efa..1b8c8f9 100644
> ---- a/lib/cookie.c
> -+++ b/lib/cookie.c
> -@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
> - /* Make sure domain contains a dot or is localhost. */
> - static bool bad_domain(const char *domain)
> - {
> --  return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
> -+  if(strcasecompare(domain, "localhost"))
> -+    return FALSE;
> -+  else {
> -+    /* there must be a dot present, but that dot must not be a trailing dot */
> -+    char *dot = strchr(domain, '.');
> -+    if(dot)
> -+      return dot[1] ? FALSE : TRUE;
> -+  }
> -+  return TRUE;
> - }
> -
> - /*
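Review bot: the rewritten bad_domain() in this dropped backport only inspects the first dot that strchr() returns, so the `return dot[1] ? FALSE : TRUE;` test rejects a trailing dot only when it is the sole dot in the name. A name with an interior dot plus a trailing dot still passes. That matches the stated intent (TLD plus trailing dot), but a one-line comment saying the check is deliberately limited to single-label names would have kept it from reading as a general trailing-dot filter. Since the file is deleted here, the behaviour to review is whatever 7.84.0 ships in lib/cookie.c.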
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-27780.patch b/meta/recipes-support/curl/curl/CVE-2022-27780.patch
> deleted file mode 100644
> index 8820af3f74..0000000000
> --- a/meta/recipes-support/curl/curl/CVE-2022-27780.patch
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -From 304b7acf73712fa501119b1ca0724f71f3074fe7 Mon Sep 17 00:00:00 2001
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Mon, 9 May 2022 08:19:38 +0200
> -Subject: [PATCH] urlapi: reject percent-decoding host name into separator
> - bytes
> -
> -CVE-2022-27780
> -
> -Reported-by: Axel Chong
> -Bug: https://curl.se/docs/CVE-2022-27780.html
> -Closes #8826
> -
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/914aaab9153764ef8fa4178215b8ad89d3ac263a]
> -Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ----
> - lib/urlapi.c | 4 ++--
> - 1 file changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/lib/urlapi.c b/lib/urlapi.c
> -index ff00ee4..00222fc 100644
> ---- a/lib/urlapi.c
> -+++ b/lib/urlapi.c
> -@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
> - #endif
> -   }
> -   else {
> --    /* letters from the second string is not ok */
> --    len = strcspn(hostname, " \r\n");
> -+    /* letters from the second string are not ok */
> -+    len = strcspn(hostname, " \r\n\t/:#?!@");
> -     if(hlen != len)
> -       /* hostname with bad content */
> -       return CURLUE_BAD_HOSTNAME;
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-27781.patch b/meta/recipes-support/curl/curl/CVE-2022-27781.patch
> deleted file mode 100644
> index 52f39a0cc5..0000000000
> --- a/meta/recipes-support/curl/curl/CVE-2022-27781.patch
> +++ /dev/null
> @@ -1,43 +0,0 @@
> -From 5bb5b2a901db4c6441fc451f21408be2a9463058 Mon Sep 17 00:00:00 2001
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Mon, 9 May 2022 10:07:15 +0200
> -Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
> -
> -CVE-2022-27781
> -
> -Reported-by: Florian Kohnhäuser
> -Bug: https://curl.se/docs/CVE-2022-27781.html
> -Closes #8822
> -
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917]
> -Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ----
> - lib/vtls/nss.c | 8 ++++++++
> - 1 file changed, 8 insertions(+)
> -
> -diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
> -index 558e3be..52f2060 100644
> ---- a/lib/vtls/nss.c
> -+++ b/lib/vtls/nss.c
> -@@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data,
> -   PR_Free(common_name);
> - }
> -
> -+/* A number of certs that will never occur in a real server handshake */
> -+#define TOO_MANY_CERTS 300
> -+
> - static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
> - {
> -   CURLcode result = CURLE_OK;
> -@@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
> -         cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
> -         while(cert2) {
> -           i++;
> -+          if(i >= TOO_MANY_CERTS) {
> -+            CERT_DestroyCertificate(cert2);
> -+            failf(data, "certificate loop");
> -+            return CURLE_SSL_CERTPROBLEM;
> -+          }
> -           if(cert2->isRoot) {
> -             CERT_DestroyCertificate(cert2);
> -             break;
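Review bot: the early return added inside the while(cert2) loop of display_conn_info() releases cert2 with CERT_DestroyCertificate() before returning CURLE_SSL_CERTPROBLEM, but the visible context does not show the outer cert being released on that path. With the backport removed, it is worth reading the full function in the 7.84.0 source to confirm the error path does not leak it. TOO_MANY_CERTS is also a bare 300 with no rationale beyond the one-line comment.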
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
> deleted file mode 100644
> index ce2599be81..0000000000
> --- a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
> +++ /dev/null
> @@ -1,458 +0,0 @@
> -From acee9eb38639b35af9047521d71333423657de0d Mon Sep 17 00:00:00 2001
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Mon, 9 May 2022 23:13:53 +0200
> -Subject: [PATCH] tls: check more TLS details for connection reuse
> -
> -CVE-2022-27782
> -
> -Reported-by: Harry Sintonen
> -Bug: https://curl.se/docs/CVE-2022-27782.html
> -Closes #8825
> -
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c]
> -Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ----
> - lib/setopt.c       | 29 +++++++++++++++++------------
> - lib/url.c          | 23 ++++++++++++++++-------
> - lib/urldata.h      | 13 +++++++------
> - lib/vtls/gtls.c    | 32 +++++++++++++++++---------------
> - lib/vtls/mbedtls.c |  2 +-
> - lib/vtls/nss.c     |  6 +++---
> - lib/vtls/openssl.c | 10 +++++-----
> - lib/vtls/vtls.c    | 21 +++++++++++++++++++++
> - 8 files changed, 87 insertions(+), 49 deletions(-)
> -
> -diff --git a/lib/setopt.c b/lib/setopt.c
> -index 8e1bf12..7aa6fdb 100644
> ---- a/lib/setopt.c
> -+++ b/lib/setopt.c
> -@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
> -
> -   case CURLOPT_SSL_OPTIONS:
> -     arg = va_arg(param, long);
> -+    data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
> -     data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
> -     data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
> -     data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
> -@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
> - #ifndef CURL_DISABLE_PROXY
> -   case CURLOPT_PROXY_SSL_OPTIONS:
> -     arg = va_arg(param, long);
> -+    data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
> -     data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
> -     data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
> -     data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
> -@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
> -   case CURLOPT_TLSAUTH_USERNAME:
> -     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
> -                             va_arg(param, char *));
> --    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
> --      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
> -+    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
> -+       !data->set.ssl.primary.authtype)
> -+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
> -     break;
> - #ifndef CURL_DISABLE_PROXY
> -   case CURLOPT_PROXY_TLSAUTH_USERNAME:
> -     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
> -                             va_arg(param, char *));
> -     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
> --       !data->set.proxy_ssl.authtype)
> --      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
> -+       !data->set.proxy_ssl.primary.authtype)
> -+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
> -+                                                                  SRP */
> -     break;
> - #endif
> -   case CURLOPT_TLSAUTH_PASSWORD:
> -     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
> -                             va_arg(param, char *));
> --    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
> --      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
> -+    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
> -+       !data->set.ssl.primary.authtype)
> -+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
> -     break;
> - #ifndef CURL_DISABLE_PROXY
> -   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
> -     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
> -                             va_arg(param, char *));
> -     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
> --       !data->set.proxy_ssl.authtype)
> --      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
> -+       !data->set.proxy_ssl.primary.authtype)
> -+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
> -     break;
> - #endif
> -   case CURLOPT_TLSAUTH_TYPE:
> -     argptr = va_arg(param, char *);
> -     if(!argptr ||
> -        strncasecompare(argptr, "SRP", strlen("SRP")))
> --      data->set.ssl.authtype = CURL_TLSAUTH_SRP;
> -+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
> -     else
> --      data->set.ssl.authtype = CURL_TLSAUTH_NONE;
> -+      data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
> -     break;
> - #ifndef CURL_DISABLE_PROXY
> -   case CURLOPT_PROXY_TLSAUTH_TYPE:
> -     argptr = va_arg(param, char *);
> -     if(!argptr ||
> -        strncasecompare(argptr, "SRP", strlen("SRP")))
> --      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
> -+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
> -     else
> --      data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
> -+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
> -     break;
> - #endif
> - #endif
> -diff --git a/lib/url.c b/lib/url.c
> -index 94e3406..5ebf5e2 100644
> ---- a/lib/url.c
> -+++ b/lib/url.c
> -@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
> -   set->ssl.primary.verifypeer = TRUE;
> -   set->ssl.primary.verifyhost = TRUE;
> - #ifdef USE_TLS_SRP
> --  set->ssl.authtype = CURL_TLSAUTH_NONE;
> -+  set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
> - #endif
> -   set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
> -                                                       type */
> -@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
> -   conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
> -   conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
> -   conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
> -+  conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
> -+#ifdef USE_TLS_SRP
> -+#endif
> - #ifndef CURL_DISABLE_PROXY
> -   conn->proxy_ssl_config.verifystatus =
> -     data->set.proxy_ssl.primary.verifystatus;
> -   conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
> -   conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
> -+  conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
> -+#ifdef USE_TLS_SRP
> -+#endif
> - #endif
> -   conn->ip_version = data->set.ipver;
> -   conn->bits.connect_only = data->set.connect_only;
> -@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data,
> -     data->set.str[STRING_SSL_ISSUERCERT_PROXY];
> -   data->set.proxy_ssl.primary.issuercert_blob =
> -     data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
> --  data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
> -+  data->set.proxy_ssl.primary.CRLfile =
> -+    data->set.str[STRING_SSL_CRLFILE_PROXY];
> -   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
> -   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
> -   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
> -@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data,
> -   data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
> -   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
> - #endif
> --  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
> -+  data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
> -   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
> -   data->set.ssl.key = data->set.str[STRING_KEY];
> -   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
> -   data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
> -   data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
> - #ifdef USE_TLS_SRP
> --  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
> --  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
> -+  data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
> -+  data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
> - #ifndef CURL_DISABLE_PROXY
> --  data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
> --  data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
> -+  data->set.proxy_ssl.primary.username =
> -+    data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
> -+  data->set.proxy_ssl.primary.password =
> -+    data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
> - #endif
> - #endif
> -   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
> -diff --git a/lib/urldata.h b/lib/urldata.h
> -index 5218f76..e006495 100644
> ---- a/lib/urldata.h
> -+++ b/lib/urldata.h
> -@@ -253,10 +253,17 @@ struct ssl_primary_config {
> -   char *cipher_list;     /* list of ciphers to use */
> -   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
> -   char *pinned_key;
> -+  char *CRLfile;         /* CRL to check certificate revocation */
> -   struct curl_blob *cert_blob;
> -   struct curl_blob *ca_info_blob;
> -   struct curl_blob *issuercert_blob;
> -+#ifdef USE_TLS_SRP
> -+  char *username; /* TLS username (for, e.g., SRP) */
> -+  char *password; /* TLS password (for, e.g., SRP) */
> -+  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
> -+#endif
> -   char *curves;          /* list of curves to use */
> -+  unsigned char ssl_options;  /* the CURLOPT_SSL_OPTIONS bitmask */
> -   BIT(verifypeer);       /* set TRUE if this is desired */
> -   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
> -   BIT(verifystatus);     /* set TRUE if certificate status must be checked */
> -@@ -266,7 +273,6 @@ struct ssl_primary_config {
> - struct ssl_config_data {
> -   struct ssl_primary_config primary;
> -   long certverifyresult; /* result from the certificate verification */
> --  char *CRLfile;   /* CRL to check certificate revocation */
> -   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
> -   void *fsslctxp;        /* parameter for call back */
> -   char *cert_type; /* format for certificate (default: PEM)*/
> -@@ -274,11 +280,6 @@ struct ssl_config_data {
> -   struct curl_blob *key_blob;
> -   char *key_type; /* format for private key (default: PEM) */
> -   char *key_passwd; /* plain text private key password */
> --#ifdef USE_TLS_SRP
> --  char *username; /* TLS username (for, e.g., SRP) */
> --  char *password; /* TLS password (for, e.g., SRP) */
> --  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
> --#endif
> -   BIT(certinfo);     /* gather lots of certificate info */
> -   BIT(falsestart);
> -   BIT(enable_beast); /* allow this flaw for interoperability's sake*/
> -diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
> -index fe45b3a..3c31782 100644
> ---- a/lib/vtls/gtls.c
> -+++ b/lib/vtls/gtls.c
> -@@ -437,9 +437,10 @@ gtls_connect_step1(struct Curl_easy *data,
> -   }
> -
> - #ifdef HAVE_GNUTLS_SRP
> --  if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
> -+  if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) &&
> -      Curl_allow_auth_to_host(data)) {
> --    infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
> -+    infof(data, "Using TLS-SRP username: %s",
> -+          SSL_SET_OPTION(primary.username));
> -
> -     rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
> -     if(rc != GNUTLS_E_SUCCESS) {
> -@@ -449,8 +450,8 @@ gtls_connect_step1(struct Curl_easy *data,
> -     }
> -
> -     rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
> --                                           SSL_SET_OPTION(username),
> --                                           SSL_SET_OPTION(password));
> -+                                           SSL_SET_OPTION(primary.username),
> -+                                           SSL_SET_OPTION(primary.password));
> -     if(rc != GNUTLS_E_SUCCESS) {
> -       failf(data, "gnutls_srp_set_client_cred() failed: %s",
> -             gnutls_strerror(rc));
> -@@ -507,19 +508,19 @@ gtls_connect_step1(struct Curl_easy *data,
> -   }
> - #endif
> -
> --  if(SSL_SET_OPTION(CRLfile)) {
> -+  if(SSL_SET_OPTION(primary.CRLfile)) {
> -     /* set the CRL list file */
> -     rc = gnutls_certificate_set_x509_crl_file(backend->cred,
> --                                              SSL_SET_OPTION(CRLfile),
> -+                                              SSL_SET_OPTION(primary.CRLfile),
> -                                               GNUTLS_X509_FMT_PEM);
> -     if(rc < 0) {
> -       failf(data, "error reading crl file %s (%s)",
> --            SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
> -+            SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
> -       return CURLE_SSL_CRL_BADFILE;
> -     }
> -     else
> -       infof(data, "found %d CRL in %s",
> --            rc, SSL_SET_OPTION(CRLfile));
> -+            rc, SSL_SET_OPTION(primary.CRLfile));
> -   }
> -
> -   /* Initialize TLS session as a client */
> -@@ -590,7 +591,7 @@ gtls_connect_step1(struct Curl_easy *data,
> - #ifdef HAVE_GNUTLS_SRP
> -   /* Only add SRP to the cipher list if SRP is requested. Otherwise
> -    * GnuTLS will disable TLS 1.3 support. */
> --  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
> -+  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
> -     size_t len = strlen(prioritylist);
> -
> -     char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
> -@@ -685,7 +686,7 @@ gtls_connect_step1(struct Curl_easy *data,
> -
> - #ifdef HAVE_GNUTLS_SRP
> -   /* put the credentials to the current session */
> --  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
> -+  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
> -     rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
> -                                 backend->srp_client_cred);
> -     if(rc != GNUTLS_E_SUCCESS) {
> -@@ -867,8 +868,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
> -        SSL_CONN_CONFIG(verifyhost) ||
> -        SSL_CONN_CONFIG(issuercert)) {
> - #ifdef HAVE_GNUTLS_SRP
> --      if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
> --         && SSL_SET_OPTION(username) != NULL
> -+      if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
> -+         && SSL_SET_OPTION(primary.username)
> -          && !SSL_CONN_CONFIG(verifypeer)
> -          && gnutls_cipher_get(session)) {
> -         /* no peer cert, but auth is ok if we have SRP user and cipher and no
> -@@ -926,7 +927,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
> -         failf(data, "server certificate verification failed. CAfile: %s "
> -               "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
> -               "none",
> --              SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
> -+              SSL_SET_OPTION(primary.CRLfile) ?
> -+              SSL_SET_OPTION(primary.CRLfile) : "none");
> -         return CURLE_PEER_FAILED_VERIFICATION;
> -       }
> -       else
> -@@ -1556,8 +1558,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
> -   gnutls_certificate_free_credentials(backend->cred);
> -
> - #ifdef HAVE_GNUTLS_SRP
> --  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
> --     && SSL_SET_OPTION(username) != NULL)
> -+  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
> -+     && SSL_SET_OPTION(primary.username) != NULL)
> -     gnutls_srp_free_client_credentials(backend->srp_client_cred);
> - #endif
> -
> -diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
> -index b9fd26a..bd4ad8f 100644
> ---- a/lib/vtls/mbedtls.c
> -+++ b/lib/vtls/mbedtls.c
> -@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
> -   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
> -   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
> -   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
> --  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
> -+  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
> -   const char * const hostname = SSL_HOST_NAME();
> - #ifndef CURL_DISABLE_VERBOSE_STRINGS
> -   const long int port = SSL_HOST_PORT();
> -diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
> -index 52f2060..959e23e 100644
> ---- a/lib/vtls/nss.c
> -+++ b/lib/vtls/nss.c
> -@@ -2035,13 +2035,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
> -     }
> -   }
> -
> --  if(SSL_SET_OPTION(CRLfile)) {
> --    const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
> -+  if(SSL_SET_OPTION(primary.CRLfile)) {
> -+    const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
> -     if(rv) {
> -       result = rv;
> -       goto error;
> -     }
> --    infof(data, "  CRLfile: %s", SSL_SET_OPTION(CRLfile));
> -+    infof(data, "  CRLfile: %s", SSL_SET_OPTION(primary.CRLfile));
> -   }
> -
> -   if(SSL_SET_OPTION(primary.clientcert)) {
> -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
> -index e8633f4..d98bbcb 100644
> ---- a/lib/vtls/openssl.c
> -+++ b/lib/vtls/openssl.c
> -@@ -2632,7 +2632,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
> - #endif
> -   const long int ssl_version = SSL_CONN_CONFIG(version);
> - #ifdef USE_OPENSSL_SRP
> --  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
> -+  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
> - #endif
> -   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
> -   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
> -@@ -2643,7 +2643,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
> -     (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile));
> -   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
> -   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
> --  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
> -+  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
> -   char error_buffer[256];
> -   struct ssl_backend_data *backend = connssl->backend;
> -   bool imported_native_ca = false;
> -@@ -2895,15 +2895,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
> - #ifdef USE_OPENSSL_SRP
> -   if((ssl_authtype == CURL_TLSAUTH_SRP) &&
> -      Curl_allow_auth_to_host(data)) {
> --    char * const ssl_username = SSL_SET_OPTION(username);
> --
> -+    char * const ssl_username = SSL_SET_OPTION(primary.username);
> -+    char * const ssl_password = SSL_SET_OPTION(primary.password);
> -     infof(data, "Using TLS-SRP username: %s", ssl_username);
> -
> -     if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
> -       failf(data, "Unable to set SRP user name");
> -       return CURLE_BAD_FUNCTION_ARGUMENT;
> -     }
> --    if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
> -+    if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
> -       failf(data, "failed setting SRP password");
> -       return CURLE_BAD_FUNCTION_ARGUMENT;
> -     }
> -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
> -index a40ac06..e2d3438 100644
> ---- a/lib/vtls/vtls.c
> -+++ b/lib/vtls/vtls.c
> -@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
> - {
> -   if((data->version == needle->version) &&
> -      (data->version_max == needle->version_max) &&
> -+     (data->ssl_options == needle->ssl_options) &&
> -      (data->verifypeer == needle->verifypeer) &&
> -      (data->verifyhost == needle->verifyhost) &&
> -      (data->verifystatus == needle->verifystatus) &&
> -@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
> -      Curl_safecmp(data->clientcert, needle->clientcert) &&
> -      Curl_safecmp(data->random_file, needle->random_file) &&
> -      Curl_safecmp(data->egdsocket, needle->egdsocket) &&
> -+#ifdef USE_TLS_SRP
> -+     Curl_safecmp(data->username, needle->username) &&
> -+     Curl_safecmp(data->password, needle->password) &&
> -+     (data->authtype == needle->authtype) &&
> -+#endif
> -      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
> -      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
> -      Curl_safe_strcasecompare(data->curves, needle->curves) &&
> -+     Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
> -      Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
> -     return TRUE;
> -
> -@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
> -   dest->verifyhost = source->verifyhost;
> -   dest->verifystatus = source->verifystatus;
> -   dest->sessionid = source->sessionid;
> -+  dest->ssl_options = source->ssl_options;
> -+#ifdef USE_TLS_SRP
> -+  dest->authtype = source->authtype;
> -+#endif
> -
> -   CLONE_BLOB(cert_blob);
> -   CLONE_BLOB(ca_info_blob);
> -@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
> -   CLONE_STRING(cipher_list13);
> -   CLONE_STRING(pinned_key);
> -   CLONE_STRING(curves);
> -+  CLONE_STRING(CRLfile);
> -+#ifdef USE_TLS_SRP
> -+  CLONE_STRING(username);
> -+  CLONE_STRING(password);
> -+#endif
> -
> -   return TRUE;
> - }
> -@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
> -   Curl_safefree(sslc->ca_info_blob);
> -   Curl_safefree(sslc->issuercert_blob);
> -   Curl_safefree(sslc->curves);
> -+  Curl_safefree(sslc->CRLfile);
> -+#ifdef USE_TLS_SRP
> -+  Curl_safefree(sslc->username);
> -+  Curl_safefree(sslc->password);
> -+#endif
> - }
> -
> - #ifdef USE_SSL
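Review bot: in the lib/vtls/vtls.c part of this dropped backport, Curl_ssl_config_matches() compares CRLfile with Curl_safe_strcasecompare(), so two CRL paths that differ only in letter case count as the same TLS configuration when deciding on connection reuse. The case-sensitive Curl_safecmp() used for username and password a few lines above would be the stricter choice for a file path. The lib/url.c part also adds two empty `#ifdef USE_TLS_SRP` / `#endif` pairs in allocate_conn() that have no effect. Both are upstream's text and disappear with this deletion, so the check is how the 7.84.0 tarball handles the same two spots.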
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
> deleted file mode 100644
> index 74fa7f85a9..0000000000
> --- a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
> +++ /dev/null
> @@ -1,71 +0,0 @@
> -From 782a5e8e5b0271f8cb33eeef6a3819b0149093e0 Mon Sep 17 00:00:00 2001
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Mon, 9 May 2022 23:13:53 +0200
> -Subject: [PATCH] url: check SSH config match on connection reuse
> -
> -CVE-2022-27782
> -
> -Reported-by: Harry Sintonen
> -Bug: https://curl.se/docs/CVE-2022-27782.html
> -Closes #8825
> -
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5]
> -Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ----
> - lib/url.c      | 11 +++++++++++
> - lib/vssh/ssh.h |  6 +++---
> - 2 files changed, 14 insertions(+), 3 deletions(-)
> -
> -diff --git a/lib/url.c b/lib/url.c
> -index 5ebf5e2..c713e54 100644
> ---- a/lib/url.c
> -+++ b/lib/url.c
> -@@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data)
> -   }
> - }
> -
> -+static bool ssh_config_matches(struct connectdata *one,
> -+                               struct connectdata *two)
> -+{
> -+  return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
> -+          Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
> -+}
> - /*
> -  * Given one filled in connection struct (named needle), this function should
> -  * detect if there already is one that has all the significant details
> -@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data,
> -          (data->state.httpwant < CURL_HTTP_VERSION_2_0))
> -         continue;
> -
> -+      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
> -+        if(!ssh_config_matches(needle, check))
> -+          continue;
> -+      }
> -+
> -       if((needle->handler->flags&PROTOPT_SSL)
> - #ifndef CURL_DISABLE_PROXY
> -          || !needle->bits.httpproxy || needle->bits.tunnel_proxy
> -diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
> -index 7972081..30d82e5 100644
> ---- a/lib/vssh/ssh.h
> -+++ b/lib/vssh/ssh.h
> -@@ -7,7 +7,7 @@
> -  *                            | (__| |_| |  _ <| |___
> -  *                             \___|\___/|_| \_\_____|
> -  *
> -- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
> -+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
> -  *
> -  * This software is licensed as described in the file COPYING, which
> -  * you should have received as part of this distribution. The terms
> -@@ -131,8 +131,8 @@ struct ssh_conn {
> -
> -   /* common */
> -   const char *passphrase;     /* pass-phrase to use */
> --  char *rsa_pub;              /* path name */
> --  char *rsa;                  /* path name */
> -+  char *rsa_pub;              /* strdup'ed public key file */
> -+  char *rsa;                  /* strdup'ed private key file */
> -   bool authed;                /* the connection has been authenticated fine */
> -   bool acceptfail;            /* used by the SFTP_QUOTE (continue if
> -                                  quote command fails) */
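Review bot: ssh_config_matches() in this dropped backport compares only the rsa and rsa_pub strings, while struct ssh_conn in the lib/vssh/ssh.h part of the same patch also carries passphrase, which is not part of the reuse check. If that omission is intentional it deserves a comment on the function. As a style point, the new function is also missing a blank line before the block comment that follows it. With the local patch gone, the reuse check in 7.84.0's lib/url.c is the code to verify.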
> diff --git a/meta/recipes-support/curl/curl/CVE-2022-30115.patch b/meta/recipes-support/curl/curl/CVE-2022-30115.patch
> deleted file mode 100644
> index 96839cf204..0000000000
> --- a/meta/recipes-support/curl/curl/CVE-2022-30115.patch
> +++ /dev/null
> @@ -1,82 +0,0 @@
> -From 8313ef3f507b5bdc54e985cae71aa9df00609d55 Mon Sep 17 00:00:00 2001
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Mon, 9 May 2022 08:13:55 +0200
> -Subject: [PATCH] hsts: ignore trailing dots when comparing hosts names
> -
> -CVE-2022-30115
> -
> -Reported-by: Axel Chong
> -Bug: https://curl.se/docs/CVE-2022-30115.html
> -Closes #8821
> -
> -Upstream-Status: Backport [https://github.com/curl/curl/commit/fae6fea209a2d4db1582f608bd8cc8000721733a]
> -Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ----
> - lib/hsts.c | 30 +++++++++++++++++++++++++-----
> - 1 file changed, 25 insertions(+), 5 deletions(-)
> -
> -diff --git a/lib/hsts.c b/lib/hsts.c
> -index 03fcc9e..b9fa6f7 100644
> ---- a/lib/hsts.c
> -+++ b/lib/hsts.c
> -@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h,
> -                             curl_off_t expires)
> - {
> -   struct stsentry *sts = hsts_entry();
> -+  char *duphost;
> -+  size_t hlen;
> -   if(!sts)
> -     return CURLE_OUT_OF_MEMORY;
> -
> --  sts->expires = expires;
> --  sts->includeSubDomains = subdomains;
> --  sts->host = strdup(hostname);
> --  if(!sts->host) {
> -+  duphost = strdup(hostname);
> -+  if(!duphost) {
> -     free(sts);
> -     return CURLE_OUT_OF_MEMORY;
> -   }
> -+
> -+  hlen = strlen(duphost);
> -+  if(duphost[hlen - 1] == '.')
> -+    /* strip off trailing any dot */
> -+    duphost[--hlen] = 0;
> -+
> -+  sts->host = duphost;
> -+  sts->expires = expires;
> -+  sts->includeSubDomains = subdomains;
> -   Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
> -   return CURLE_OK;
> - }
> -@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
> -                            bool subdomain)
> - {
> -   if(h) {
> -+    char buffer[MAX_HSTS_HOSTLEN + 1];
> -     time_t now = time(NULL);
> -     size_t hlen = strlen(hostname);
> -     struct Curl_llist_element *e;
> -     struct Curl_llist_element *n;
> -+
> -+    if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
> -+      return NULL;
> -+    memcpy(buffer, hostname, hlen);
> -+    if(hostname[hlen-1] == '.')
> -+      /* remove the trailing dot */
> -+      --hlen;
> -+    buffer[hlen] = 0;
> -+    hostname = buffer;
> -+
> -     for(e = h->list.head; e; e = n) {
> -       struct stsentry *sts = e->ptr;
> -       n = e->next;
> -@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
> -     CURLSTScode sc;
> -     DEBUGASSERT(h);
> -     do {
> --      char buffer[257];
> -+      char buffer[MAX_HSTS_HOSTLEN + 1];
> -       struct curl_hstsentry e;
> -       e.name = buffer;
> -       e.namelen = sizeof(buffer)-1;
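Review bot: hsts_create() in this dropped backport reads `duphost[hlen - 1]` without first checking that hlen is non-zero, so an empty hostname would index one byte before the buffer. Curl_hsts() in the same patch does guard its lookup with `(hlen > MAX_HSTS_HOSTLEN) || !hlen`, and the same `!hlen` test before the trailing-dot strip in hsts_create() would make the two paths consistent. The comment "strip off trailing any dot" also has its words transposed. Since the file is removed here, confirm how lib/hsts.c in 7.84.0 treats the empty-host case.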
> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.84.0.bb
> similarity index 87%
> rename from meta/recipes-support/curl/curl_7.82.0.bb
> rename to meta/recipes-support/curl/curl_7.84.0.bb
> index ba3fd11820..addbaf14b1 100644
> --- a/meta/recipes-support/curl/curl_7.82.0.bb
> +++ b/meta/recipes-support/curl/curl_7.84.0.bb
> @@ -10,21 +10,9 @@ LICENSE = "MIT-open-group"
>  LIC_FILES_CHKSUM = "file://COPYING;md5=190c514872597083303371684954f238"
>
>  SRC_URI = "https://curl.se/download/${BP}.tar.xz \
> -           file://CVE-2022-22576.patch \
> -           file://CVE-2022-27775.patch \
> -           file://CVE-2022-27776.patch \
> -           file://CVE-2022-27774-1.patch \
> -           file://CVE-2022-27774-2.patch \
> -           file://CVE-2022-27774-3.patch \
> -           file://CVE-2022-27774-4.patch \
> -           file://CVE-2022-30115.patch \
> -           file://CVE-2022-27780.patch \
> -           file://CVE-2022-27781.patch \
> -           file://CVE-2022-27779.patch \
> -           file://CVE-2022-27782-1.patch \
> -           file://CVE-2022-27782-2.patch \
> +           file://0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch \
>             "
> -SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
> +SRC_URI[sha256sum] = "2d118b43f547bfe5bae806d8d47b4e596ea5b25a6c1f080aef49fbcd817c5db8"
>
>  # Curl has used many names over the years...
>  CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
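Review bot: The `SRC_URI` change drops all thirteen `CVE-2022-*` backports in one step, but the commit message only says the upgrade fixes CVEs. Please state in the commit message that each removed patch is contained in 7.84.0, and name the CVEs the new release fixes beyond those, so the stable-branch history stays auditable for CVE tracking. The new `SRC_URI[sha256sum]` should be checked against the upstream release tarball. `LIC_FILES_CHKSUM` is unchanged context in this hunk, so also confirm that COPYING is identical between 7.82.0 and 7.84.0.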
> --
> 2.25.1
>
>
>

Patch

diff --git a/meta/recipes-support/curl/curl/0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch b/meta/recipes-support/curl/curl/0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch
new file mode 100644
index 0000000000..771bdb2b96
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch
@@ -0,0 +1,33 @@ 
+From e2e7f54b7bea521fa8373095d0f43261a720cda0 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 27 Jun 2022 08:46:21 +0200
+Subject: [PATCH] easy_lock.h: include sched.h if available to fix build
+
+Patched-by: Harry Sintonen
+
+Closes #9054
+
+Upstream-Status: Backport [e2e7f54b7bea521fa8373095d0f43261a720cda0]
+
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/easy_lock.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/easy_lock.h b/lib/easy_lock.h
+index 819f50ce8..1f54289ce 100644
+--- a/lib/easy_lock.h
++++ b/lib/easy_lock.h
+@@ -36,6 +36,9 @@
+ 
+ #elif defined (HAVE_ATOMIC)
+ #include <stdatomic.h>
++#if defined(HAVE_SCHED_YIELD)
++#include <sched.h>
++#endif
+ 
+ #define curl_simple_lock atomic_bool
+ #define CURL_SIMPLE_LOCK_INIT false
+-- 
+2.35.1
+
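Review bot: The `Upstream-Status: Backport [e2e7f54b7bea521fa8373095d0f43261a720cda0]` tag carries only a bare commit hash, whereas the backports removed by this same change reference the full commit URL (`https://github.com/curl/curl/commit/<hash>`); use the URL form so the origin can be followed without guessing the repository. The added `#include <sched.h>` is conditional on `HAVE_SCHED_YIELD`, so the build fix only takes effect where configure defines that macro. The commit message should name the platform on which the build failed so the fix can be verified there.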
diff --git a/meta/recipes-support/curl/curl/CVE-2022-22576.patch b/meta/recipes-support/curl/curl/CVE-2022-22576.patch
deleted file mode 100644
index 469cf220ba..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-22576.patch
+++ /dev/null
@@ -1,145 +0,0 @@ 
-From 371264697a70e8ed3da678aefbe20940759485fa Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat <patrick@monnerat.net>
-Date: Mon, 25 Apr 2022 11:44:05 +0200
-Subject: [PATCH] url: check sasl additional parameters for connection reuse.
-
-Also move static function safecmp() as non-static Curl_safecmp() since
-its purpose is needed at several places.
-
-Bug: https://curl.se/docs/CVE-2022-22576.html
-
-CVE-2022-22576
-
-Closes #8746
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/strcase.c   | 10 ++++++++++
- lib/strcase.h   |  2 ++
- lib/url.c       | 13 ++++++++++++-
- lib/urldata.h   |  1 +
- lib/vtls/vtls.c | 21 ++++++---------------
- 5 files changed, 31 insertions(+), 16 deletions(-)
-
-diff --git a/lib/strcase.c b/lib/strcase.c
-index dd46ca1..692a3f1 100644
---- a/lib/strcase.c
-+++ b/lib/strcase.c
-@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
-   } while(*src++ && --n);
- }
- 
-+/* Compare case-sensitive NUL-terminated strings, taking care of possible
-+ * null pointers. Return true if arguments match.
-+ */
-+bool Curl_safecmp(char *a, char *b)
-+{
-+  if(a && b)
-+    return !strcmp(a, b);
-+  return !a && !b;
-+}
-+
- /* --- public functions --- */
- 
- int curl_strequal(const char *first, const char *second)
-diff --git a/lib/strcase.h b/lib/strcase.h
-index b628656..382b80a 100644
---- a/lib/strcase.h
-+++ b/lib/strcase.h
-@@ -47,4 +47,6 @@ char Curl_raw_toupper(char in);
- void Curl_strntoupper(char *dest, const char *src, size_t n);
- void Curl_strntolower(char *dest, const char *src, size_t n);
- 
-+bool Curl_safecmp(char *a, char *b);
-+
- #endif /* HEADER_CURL_STRCASE_H */
-diff --git a/lib/url.c b/lib/url.c
-index adef2cd..94e3406 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -779,6 +779,7 @@ static void conn_free(struct connectdata *conn)
-   Curl_safefree(conn->passwd);
-   Curl_safefree(conn->sasl_authzid);
-   Curl_safefree(conn->options);
-+  Curl_safefree(conn->oauth_bearer);
-   Curl_dyn_free(&conn->trailer);
-   Curl_safefree(conn->host.rawalloc); /* host name buffer */
-   Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
-@@ -1340,7 +1341,9 @@ ConnectionExists(struct Curl_easy *data,
-         /* This protocol requires credentials per connection,
-            so verify that we're using the same name and password as well */
-         if(strcmp(needle->user, check->user) ||
--           strcmp(needle->passwd, check->passwd)) {
-+           strcmp(needle->passwd, check->passwd) ||
-+           !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
-+           !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
-           /* one of them was different */
-           continue;
-         }
-@@ -3635,6 +3638,14 @@ static CURLcode create_conn(struct Curl_easy *data,
-     }
-   }
- 
-+  if(data->set.str[STRING_BEARER]) {
-+    conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
-+    if(!conn->oauth_bearer) {
-+      result = CURLE_OUT_OF_MEMORY;
-+      goto out;
-+    }
-+  }
-+
- #ifdef USE_UNIX_SOCKETS
-   if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
-     conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
-diff --git a/lib/urldata.h b/lib/urldata.h
-index cc8a600..03da59a 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -984,6 +984,7 @@ struct connectdata {
-   char *passwd;  /* password string, allocated */
-   char *options; /* options string, allocated */
-   char *sasl_authzid;     /* authorisation identity string, allocated */
-+  char *oauth_bearer; /* OAUTH2 bearer, allocated */
-   unsigned char httpversion; /* the HTTP version*10 reported by the server */
-   struct curltime now;     /* "current" time */
-   struct curltime created; /* creation time */
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index 03b85ba..a40ac06 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
-   return !memcmp(first->data, second->data, first->len); /* same data */
- }
- 
--static bool safecmp(char *a, char *b)
--{
--  if(a && b)
--    return !strcmp(a, b);
--  else if(!a && !b)
--    return TRUE; /* match */
--  return FALSE; /* no match */
--}
--
- 
- bool
- Curl_ssl_config_matches(struct ssl_primary_config *data,
-@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
-      blobcmp(data->cert_blob, needle->cert_blob) &&
-      blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
-      blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
--     safecmp(data->CApath, needle->CApath) &&
--     safecmp(data->CAfile, needle->CAfile) &&
--     safecmp(data->issuercert, needle->issuercert) &&
--     safecmp(data->clientcert, needle->clientcert) &&
--     safecmp(data->random_file, needle->random_file) &&
--     safecmp(data->egdsocket, needle->egdsocket) &&
-+     Curl_safecmp(data->CApath, needle->CApath) &&
-+     Curl_safecmp(data->CAfile, needle->CAfile) &&
-+     Curl_safecmp(data->issuercert, needle->issuercert) &&
-+     Curl_safecmp(data->clientcert, needle->clientcert) &&
-+     Curl_safecmp(data->random_file, needle->random_file) &&
-+     Curl_safecmp(data->egdsocket, needle->egdsocket) &&
-      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
-      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
-      Curl_safe_strcasecompare(data->curves, needle->curves) &&
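Review bot: `Curl_safecmp()` becomes a shared helper in `lib/strcase.c` but keeps the signature `bool Curl_safecmp(char *a, char *b)` although it only reads its arguments; `const char *` parameters would let callers pass read-only strings without casts. In the `ConnectionExists()` hunk, note that `user` and `passwd` are still compared with plain `strcmp()` while the two new fields go through the NULL-tolerant helper, so the credential check relies on `user` and `passwd` never being NULL at that point.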
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
deleted file mode 100644
index f24003fd79..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
+++ /dev/null
@@ -1,45 +0,0 @@ 
-From f489d50ca5fd8b6a3a622e2521e2ca52787a6608 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 16:24:33 +0200
-Subject: [PATCH] connect: store "conn_remote_port" in the info struct
-
-To make it available after the connection ended.
-
-Prerequisite for the patches that address CVE-2022-27774.
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/connect.c | 1 +
- lib/urldata.h | 6 +++++-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/lib/connect.c b/lib/connect.c
-index 64f9511..7518807 100644
---- a/lib/connect.c
-+++ b/lib/connect.c
-@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
-   data->info.conn_scheme = conn->handler->scheme;
-   data->info.conn_protocol = conn->handler->protocol;
-   data->info.conn_primary_port = conn->port;
-+  data->info.conn_remote_port = conn->remote_port;
-   data->info.conn_local_port = local_port;
- }
- 
-diff --git a/lib/urldata.h b/lib/urldata.h
-index f92052a..5218f76 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -1160,7 +1160,11 @@ struct PureInfo {
-      reused, in the connection cache. */
- 
-   char conn_primary_ip[MAX_IPADR_LEN];
--  int conn_primary_port;
-+  int conn_primary_port; /* this is the destination port to the connection,
-+                            which might have been a proxy */
-+  int conn_remote_port;  /* this is the "remote port", which is the port
-+                            number of the used URL, independent of proxy or
-+                            not */
-   char conn_local_ip[MAX_IPADR_LEN];
-   int conn_local_port;
-   const char *conn_scheme;
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
deleted file mode 100644
index 9739634dfe..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
+++ /dev/null
@@ -1,80 +0,0 @@ 
-From 50aebd6ea20956513e9b7d7c776830b54d9c8ff6 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 16:24:33 +0200
-Subject: [PATCH] transfer: redirects to other protocols or ports clear auth
-
-... unless explicitly permitted.
-
-Bug: https://curl.se/docs/CVE-2022-27774.html
-Reported-by: Harry Sintonen
-Closes #8748
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 48 insertions(+), 1 deletion(-)
-
-diff --git a/lib/transfer.c b/lib/transfer.c
-index 1f8019b..752fe14 100644
---- a/lib/transfer.c
-+++ b/lib/transfer.c
-@@ -1608,10 +1608,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
-       return CURLE_OUT_OF_MEMORY;
-   }
-   else {
--
-     uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
-     if(uc)
-       return Curl_uc_to_curlcode(uc);
-+
-+    /* Clear auth if this redirects to a different port number or protocol,
-+       unless permitted */
-+    if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
-+      char *portnum;
-+      int port;
-+      bool clear = FALSE;
-+
-+      if(data->set.use_port && data->state.allow_port)
-+        /* a custom port is used */
-+        port = (int)data->set.use_port;
-+      else {
-+        uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
-+                          CURLU_DEFAULT_PORT);
-+        if(uc) {
-+          free(newurl);
-+          return Curl_uc_to_curlcode(uc);
-+        }
-+        port = atoi(portnum);
-+        free(portnum);
-+      }
-+      if(port != data->info.conn_remote_port) {
-+        infof(data, "Clear auth, redirects to port from %u to %u",
-+              data->info.conn_remote_port, port);
-+        clear = TRUE;
-+      }
-+      else {
-+        char *scheme;
-+        const struct Curl_handler *p;
-+        uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
-+        if(uc) {
-+          free(newurl);
-+          return Curl_uc_to_curlcode(uc);
-+        }
-+
-+        p = Curl_builtin_scheme(scheme);
-+        if(p && (p->protocol != data->info.conn_protocol)) {
-+          infof(data, "Clear auth, redirects scheme from %s to %s",
-+                data->info.conn_scheme, scheme);
-+          clear = TRUE;
-+        }
-+        free(scheme);
-+      }
-+      if(clear) {
-+        Curl_safefree(data->state.aptr.user);
-+        Curl_safefree(data->state.aptr.passwd);
-+      }
-+    }
-   }
- 
-   if(type == FOLLOW_FAKE) {
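Review bot: The `infof()` call in the port comparison prints `data->info.conn_remote_port` and `port` with `%u`, but both are declared `int` (`int port;` in this hunk, `int conn_remote_port;` in the prerequisite patch); `%d` matches the types. `port = atoi(portnum)` also turns an unparsable port string into 0 without any error, so a range-checked conversion would be safer before the value decides whether credentials are cleared. Only `aptr.user` and `aptr.passwd` are freed when `clear` is set, which is why the later SRP follow-ups in this series were needed.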
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
deleted file mode 100644
index e4e8c294a6..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
+++ /dev/null
@@ -1,83 +0,0 @@ 
-From 8af08ebf94bc6448dbc7da59845f5b78964689d9 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 17:59:15 +0200
-Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either
-
-Follow-up to 620ea21410030
-
-Reported-by: Harry Sintonen
-Closes #8751
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/http.c         | 10 +++++-----
- lib/http.h         |  6 ++++++
- lib/vtls/openssl.c |  3 ++-
- 3 files changed, 13 insertions(+), 6 deletions(-)
-
-diff --git a/lib/http.c b/lib/http.c
-index 0791dcf..4433824 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
- }
- 
- /*
-- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
-- * data" can (still) be sent to this host.
-+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
-+ * "sensitive data" can (still) be sent to this host.
-  */
--static bool allow_auth_to_host(struct Curl_easy *data)
-+bool Curl_allow_auth_to_host(struct Curl_easy *data)
- {
-   struct connectdata *conn = data->conn;
-   return (!data->state.this_is_a_follow ||
-@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
- 
-   /* To prevent the user+password to get sent to other than the original host
-      due to a location-follow */
--  if(allow_auth_to_host(data)
-+  if(Curl_allow_auth_to_host(data)
- #ifndef CURL_DISABLE_NETRC
-      || conn->bits.netrc
- #endif
-@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
-                    checkprefix("Cookie:", compare)) &&
-                   /* be careful of sending this potentially sensitive header to
-                      other hosts */
--                  !allow_auth_to_host(data))
-+                  !Curl_allow_auth_to_host(data))
-             ;
-           else {
- #ifdef USE_HYPER
-diff --git a/lib/http.h b/lib/http.h
-index 07e963d..9000bae 100644
---- a/lib/http.h
-+++ b/lib/http.h
-@@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data,
-                       bool proxytunnel); /* TRUE if this is the request setting
-                                             up the proxy tunnel */
- 
-+/*
-+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
-+ * "sensitive data" can (still) be sent to this host.
-+ */
-+bool Curl_allow_auth_to_host(struct Curl_easy *data);
-+
- #endif /* HEADER_CURL_HTTP_H */
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 616a510..e8633f4 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -2893,7 +2893,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
- #endif
- 
- #ifdef USE_OPENSSL_SRP
--  if(ssl_authtype == CURL_TLSAUTH_SRP) {
-+  if((ssl_authtype == CURL_TLSAUTH_SRP) &&
-+     Curl_allow_auth_to_host(data)) {
-     char * const ssl_username = SSL_SET_OPTION(username);
- 
-     infof(data, "Using TLS-SRP username: %s", ssl_username);
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
deleted file mode 100644
index a642336797..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
+++ /dev/null
@@ -1,35 +0,0 @@ 
-From 56a145d6ca031841610daeebde99fbde0f8fcf21 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 26 Apr 2022 07:46:19 +0200
-Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects
-
-Follow-up to 620ea21410030 and 139a54ed0a172a
-
-Reported-by: Harry Sintonen
-Closes #8752
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/093531556203decd92d92bccd431edbe5561781c]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/vtls/gtls.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 5749376..fe45b3a 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -437,11 +437,11 @@ gtls_connect_step1(struct Curl_easy *data,
-   }
- 
- #ifdef HAVE_GNUTLS_SRP
--  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
-+  if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
-+     Curl_allow_auth_to_host(data)) {
-     infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
- 
--    rc = gnutls_srp_allocate_client_credentials(
--           &backend->srp_client_cred);
-+    rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
-     if(rc != GNUTLS_E_SUCCESS) {
-       failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
-             gnutls_strerror(rc));
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27775.patch b/meta/recipes-support/curl/curl/CVE-2022-27775.patch
deleted file mode 100644
index 666a906352..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27775.patch
+++ /dev/null
@@ -1,37 +0,0 @@ 
-From eef2b165c39245857b1663e9153e7c4b4b519a4c Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 11:48:00 +0200
-Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
-
-Make connections to two separate IPv6 zone ids create separate
-connections.
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27775.html
-Closes #8747
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/conncache.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/lib/conncache.c b/lib/conncache.c
-index cd5756a..9b9f683 100644
---- a/lib/conncache.c
-+++ b/lib/conncache.c
-@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf,
-     /* report back which name we used */
-     *hostp = hostname;
- 
--  /* put the number first so that the hostname gets cut off if too long */
--  msnprintf(buf, len, "%ld%s", port, hostname);
-+  /* put the numbers first so that the hostname gets cut off if too long */
-+#ifdef ENABLE_IPV6
-+  msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
-+#else
-+  msnprintf(buf, len, "%ld/%s", port, hostname);
-+#endif
-   Curl_strntolower(buf, buf, len);
- }
- 
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27776.patch b/meta/recipes-support/curl/curl/CVE-2022-27776.patch
deleted file mode 100644
index 2feee45200..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27776.patch
+++ /dev/null
@@ -1,115 +0,0 @@ 
-From f6eba3638f9b25adfe85f3570f9a0fb2ceb09c2b Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 13:05:40 +0200
-Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port
-
-CVE-2022-27776
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27776.html
-Closes #8749
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/http.c    | 34 ++++++++++++++++++++++------------
- lib/urldata.h | 16 +++++++++-------
- 2 files changed, 31 insertions(+), 19 deletions(-)
-
-diff --git a/lib/http.c b/lib/http.c
-index 799d4fb..0791dcf 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
-   return CURLE_OK;
- }
- 
-+/*
-+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
-+ * data" can (still) be sent to this host.
-+ */
-+static bool allow_auth_to_host(struct Curl_easy *data)
-+{
-+  struct connectdata *conn = data->conn;
-+  return (!data->state.this_is_a_follow ||
-+          data->set.allow_auth_to_other_hosts ||
-+          (data->state.first_host &&
-+           strcasecompare(data->state.first_host, conn->host.name) &&
-+           (data->state.first_remote_port == conn->remote_port) &&
-+           (data->state.first_remote_protocol == conn->handler->protocol)));
-+}
-+
- /**
-  * Curl_http_output_auth() setups the authentication headers for the
-  * host/proxy and the correct authentication
-@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data,
-        with it */
-     authproxy->done = TRUE;
- 
--  /* To prevent the user+password to get sent to other than the original
--     host due to a location-follow, we do some weirdo checks here */
--  if(!data->state.this_is_a_follow ||
-+  /* To prevent the user+password to get sent to other than the original host
-+     due to a location-follow */
-+  if(allow_auth_to_host(data)
- #ifndef CURL_DISABLE_NETRC
--     conn->bits.netrc ||
-+     || conn->bits.netrc
- #endif
--     !data->state.first_host ||
--     data->set.allow_auth_to_other_hosts ||
--     strcasecompare(data->state.first_host, conn->host.name)) {
-+    )
-     result = output_auth_headers(data, conn, authhost, request, path, FALSE);
--  }
-   else
-     authhost->done = TRUE;
- 
-@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
-                    checkprefix("Cookie:", compare)) &&
-                   /* be careful of sending this potentially sensitive header to
-                      other hosts */
--                  (data->state.this_is_a_follow &&
--                   data->state.first_host &&
--                   !data->set.allow_auth_to_other_hosts &&
--                   !strcasecompare(data->state.first_host, conn->host.name)))
-+                  !allow_auth_to_host(data))
-             ;
-           else {
- #ifdef USE_HYPER
-@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
-       return CURLE_OUT_OF_MEMORY;
- 
-     data->state.first_remote_port = conn->remote_port;
-+    data->state.first_remote_protocol = conn->handler->protocol;
-   }
-   Curl_safefree(data->state.aptr.host);
- 
-diff --git a/lib/urldata.h b/lib/urldata.h
-index 03da59a..f92052a 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -1329,14 +1329,16 @@ struct UrlState {
-   char *ulbuf; /* allocated upload buffer or NULL */
-   curl_off_t current_speed;  /* the ProgressShow() function sets this,
-                                 bytes / second */
--  char *first_host; /* host name of the first (not followed) request.
--                       if set, this should be the host name that we will
--                       sent authorization to, no else. Used to make Location:
--                       following not keep sending user+password... This is
--                       strdup() data.
--                    */
-+
-+  /* host name, port number and protocol of the first (not followed) request.
-+     if set, this should be the host name that we will sent authorization to,
-+     no else. Used to make Location: following not keep sending user+password.
-+     This is strdup()ed data. */
-+  char *first_host;
-+  int first_remote_port;
-+  unsigned int first_remote_protocol;
-+
-   int retrycount; /* number of retries on a new connection */
--  int first_remote_port; /* remote port of the first (not followed) request */
-   struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
-   long sessionage;                  /* number of the most recent session */
-   struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
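Review bot: `allow_auth_to_host()` changes behaviour for a followed request with no recorded `first_host`, and neither the subject nor the comment says so. The removed condition in `Curl_http_output_auth()` contained `!data->state.first_host ||`, which allowed credentials in that case, while the new helper requires `data->state.first_host &&` and therefore withholds them. That is the safer default, but it deserves a sentence in the helper's comment. The same comment misspells "authentication" as "autentication". The reworded `first_host` comment in `urldata.h` still reads "we will sent authorization to, no else".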
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27779.patch b/meta/recipes-support/curl/curl/CVE-2022-27779.patch
deleted file mode 100644
index 235be900a3..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27779.patch
+++ /dev/null
@@ -1,42 +0,0 @@ 
-From 33dac5777fe5f9c8d2d7d340144b1685cd511d11 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 16:47:06 +0200
-Subject: [PATCH] cookies: make bad_domain() not consider a trailing dot fine
-
-The check for a dot in the domain must not consider a single trailing
-dot to be fine, as then TLD + trailing dot is fine and curl will accept
-setting cookies for it.
-
-CVE-2022-27779
-
-Reported-by: Axel Chong
-Bug: https://curl.se/docs/CVE-2022-27779.html
-Closes #8820
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/7e92d12b4e6911f424678a133b19de670e183a59]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/cookie.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/lib/cookie.c b/lib/cookie.c
-index d418efa..1b8c8f9 100644
---- a/lib/cookie.c
-+++ b/lib/cookie.c
-@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
- /* Make sure domain contains a dot or is localhost. */
- static bool bad_domain(const char *domain)
- {
--  return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
-+  if(strcasecompare(domain, "localhost"))
-+    return FALSE;
-+  else {
-+    /* there must be a dot present, but that dot must not be a trailing dot */
-+    char *dot = strchr(domain, '.');
-+    if(dot)
-+      return dot[1] ? FALSE : TRUE;
-+  }
-+  return TRUE;
- }
- 
- /*
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27780.patch b/meta/recipes-support/curl/curl/CVE-2022-27780.patch
deleted file mode 100644
index 8820af3f74..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27780.patch
+++ /dev/null
@@ -1,33 +0,0 @@ 
-From 304b7acf73712fa501119b1ca0724f71f3074fe7 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 08:19:38 +0200
-Subject: [PATCH] urlapi: reject percent-decoding host name into separator
- bytes
-
-CVE-2022-27780
-
-Reported-by: Axel Chong
-Bug: https://curl.se/docs/CVE-2022-27780.html
-Closes #8826
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/914aaab9153764ef8fa4178215b8ad89d3ac263a]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/urlapi.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/urlapi.c b/lib/urlapi.c
-index ff00ee4..00222fc 100644
---- a/lib/urlapi.c
-+++ b/lib/urlapi.c
-@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
- #endif
-   }
-   else {
--    /* letters from the second string is not ok */
--    len = strcspn(hostname, " \r\n");
-+    /* letters from the second string are not ok */
-+    len = strcspn(hostname, " \r\n\t/:#?!@");
-     if(hlen != len)
-       /* hostname with bad content */
-       return CURLUE_BAD_HOSTNAME;
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27781.patch b/meta/recipes-support/curl/curl/CVE-2022-27781.patch
deleted file mode 100644
index 52f39a0cc5..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27781.patch
+++ /dev/null
@@ -1,43 +0,0 @@ 
-From 5bb5b2a901db4c6441fc451f21408be2a9463058 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 10:07:15 +0200
-Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
-
-CVE-2022-27781
-
-Reported-by: Florian Kohnhäuser
-Bug: https://curl.se/docs/CVE-2022-27781.html
-Closes #8822
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/vtls/nss.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index 558e3be..52f2060 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data,
-   PR_Free(common_name);
- }
- 
-+/* A number of certs that will never occur in a real server handshake */
-+#define TOO_MANY_CERTS 300
-+
- static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
- {
-   CURLcode result = CURLE_OK;
-@@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
-         cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
-         while(cert2) {
-           i++;
-+          if(i >= TOO_MANY_CERTS) {
-+            CERT_DestroyCertificate(cert2);
-+            failf(data, "certificate loop");
-+            return CURLE_SSL_CERTPROBLEM;
-+          }
-           if(cert2->isRoot) {
-             CERT_DestroyCertificate(cert2);
-             break;
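Review bot: The new `i >= TOO_MANY_CERTS` exit destroys `cert2` and returns immediately, but nothing in the visible lines releases `cert`, which was passed to `CERT_FindCertIssuer()` and is still held at that point. Check the rest of `display_conn_info()` for a reference leak on this error path and release `cert` before returning if it is not freed elsewhere. Setting `result = CURLE_SSL_CERTPROBLEM` and breaking out to the function's normal cleanup would avoid a second exit path.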
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
deleted file mode 100644
index ce2599be81..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
+++ /dev/null
@@ -1,458 +0,0 @@ 
-From acee9eb38639b35af9047521d71333423657de0d Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 23:13:53 +0200
-Subject: [PATCH] tls: check more TLS details for connection reuse
-
-CVE-2022-27782
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27782.html
-Closes #8825
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/setopt.c       | 29 +++++++++++++++++------------
- lib/url.c          | 23 ++++++++++++++++-------
- lib/urldata.h      | 13 +++++++------
- lib/vtls/gtls.c    | 32 +++++++++++++++++---------------
- lib/vtls/mbedtls.c |  2 +-
- lib/vtls/nss.c     |  6 +++---
- lib/vtls/openssl.c | 10 +++++-----
- lib/vtls/vtls.c    | 21 +++++++++++++++++++++
- 8 files changed, 87 insertions(+), 49 deletions(-)
-
-diff --git a/lib/setopt.c b/lib/setopt.c
-index 8e1bf12..7aa6fdb 100644
---- a/lib/setopt.c
-+++ b/lib/setopt.c
-@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- 
-   case CURLOPT_SSL_OPTIONS:
-     arg = va_arg(param, long);
-+    data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
-     data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
-     data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
-     data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
-@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- #ifndef CURL_DISABLE_PROXY
-   case CURLOPT_PROXY_SSL_OPTIONS:
-     arg = va_arg(param, long);
-+    data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
-     data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
-     data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
-     data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
-@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-   case CURLOPT_TLSAUTH_USERNAME:
-     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
-                             va_arg(param, char *));
--    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
--      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-+    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
-+       !data->set.ssl.primary.authtype)
-+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-     break;
- #ifndef CURL_DISABLE_PROXY
-   case CURLOPT_PROXY_TLSAUTH_USERNAME:
-     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
-                             va_arg(param, char *));
-     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
--       !data->set.proxy_ssl.authtype)
--      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-+       !data->set.proxy_ssl.primary.authtype)
-+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
-+                                                                  SRP */
-     break;
- #endif
-   case CURLOPT_TLSAUTH_PASSWORD:
-     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
-                             va_arg(param, char *));
--    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
--      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-+    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
-+       !data->set.ssl.primary.authtype)
-+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
-     break;
- #ifndef CURL_DISABLE_PROXY
-   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
-     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
-                             va_arg(param, char *));
-     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
--       !data->set.proxy_ssl.authtype)
--      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-+       !data->set.proxy_ssl.primary.authtype)
-+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
-     break;
- #endif
-   case CURLOPT_TLSAUTH_TYPE:
-     argptr = va_arg(param, char *);
-     if(!argptr ||
-        strncasecompare(argptr, "SRP", strlen("SRP")))
--      data->set.ssl.authtype = CURL_TLSAUTH_SRP;
-+      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
-     else
--      data->set.ssl.authtype = CURL_TLSAUTH_NONE;
-+      data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
-     break;
- #ifndef CURL_DISABLE_PROXY
-   case CURLOPT_PROXY_TLSAUTH_TYPE:
-     argptr = va_arg(param, char *);
-     if(!argptr ||
-        strncasecompare(argptr, "SRP", strlen("SRP")))
--      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
-+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
-     else
--      data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
-+      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
-     break;
- #endif
- #endif
-diff --git a/lib/url.c b/lib/url.c
-index 94e3406..5ebf5e2 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
-   set->ssl.primary.verifypeer = TRUE;
-   set->ssl.primary.verifyhost = TRUE;
- #ifdef USE_TLS_SRP
--  set->ssl.authtype = CURL_TLSAUTH_NONE;
-+  set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
- #endif
-   set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
-                                                       type */
-@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
-   conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
-   conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
-   conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
-+  conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
-+#ifdef USE_TLS_SRP
-+#endif
- #ifndef CURL_DISABLE_PROXY
-   conn->proxy_ssl_config.verifystatus =
-     data->set.proxy_ssl.primary.verifystatus;
-   conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
-   conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
-+  conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
-+#ifdef USE_TLS_SRP
-+#endif
- #endif
-   conn->ip_version = data->set.ipver;
-   conn->bits.connect_only = data->set.connect_only;
-@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data,
-     data->set.str[STRING_SSL_ISSUERCERT_PROXY];
-   data->set.proxy_ssl.primary.issuercert_blob =
-     data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
--  data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
-+  data->set.proxy_ssl.primary.CRLfile =
-+    data->set.str[STRING_SSL_CRLFILE_PROXY];
-   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
-   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
-   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
-@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data,
-   data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
-   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
- #endif
--  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
-+  data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
-   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
-   data->set.ssl.key = data->set.str[STRING_KEY];
-   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
-   data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
-   data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
- #ifdef USE_TLS_SRP
--  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
--  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
-+  data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
-+  data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
- #ifndef CURL_DISABLE_PROXY
--  data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
--  data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
-+  data->set.proxy_ssl.primary.username =
-+    data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
-+  data->set.proxy_ssl.primary.password =
-+    data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
- #endif
- #endif
-   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
-diff --git a/lib/urldata.h b/lib/urldata.h
-index 5218f76..e006495 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -253,10 +253,17 @@ struct ssl_primary_config {
-   char *cipher_list;     /* list of ciphers to use */
-   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
-   char *pinned_key;
-+  char *CRLfile;         /* CRL to check certificate revocation */
-   struct curl_blob *cert_blob;
-   struct curl_blob *ca_info_blob;
-   struct curl_blob *issuercert_blob;
-+#ifdef USE_TLS_SRP
-+  char *username; /* TLS username (for, e.g., SRP) */
-+  char *password; /* TLS password (for, e.g., SRP) */
-+  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
-+#endif
-   char *curves;          /* list of curves to use */
-+  unsigned char ssl_options;  /* the CURLOPT_SSL_OPTIONS bitmask */
-   BIT(verifypeer);       /* set TRUE if this is desired */
-   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
-   BIT(verifystatus);     /* set TRUE if certificate status must be checked */
-@@ -266,7 +273,6 @@ struct ssl_primary_config {
- struct ssl_config_data {
-   struct ssl_primary_config primary;
-   long certverifyresult; /* result from the certificate verification */
--  char *CRLfile;   /* CRL to check certificate revocation */
-   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
-   void *fsslctxp;        /* parameter for call back */
-   char *cert_type; /* format for certificate (default: PEM)*/
-@@ -274,11 +280,6 @@ struct ssl_config_data {
-   struct curl_blob *key_blob;
-   char *key_type; /* format for private key (default: PEM) */
-   char *key_passwd; /* plain text private key password */
--#ifdef USE_TLS_SRP
--  char *username; /* TLS username (for, e.g., SRP) */
--  char *password; /* TLS password (for, e.g., SRP) */
--  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
--#endif
-   BIT(certinfo);     /* gather lots of certificate info */
-   BIT(falsestart);
-   BIT(enable_beast); /* allow this flaw for interoperability's sake*/
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index fe45b3a..3c31782 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -437,9 +437,10 @@ gtls_connect_step1(struct Curl_easy *data,
-   }
- 
- #ifdef HAVE_GNUTLS_SRP
--  if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
-+  if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) &&
-      Curl_allow_auth_to_host(data)) {
--    infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
-+    infof(data, "Using TLS-SRP username: %s",
-+          SSL_SET_OPTION(primary.username));
- 
-     rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
-     if(rc != GNUTLS_E_SUCCESS) {
-@@ -449,8 +450,8 @@ gtls_connect_step1(struct Curl_easy *data,
-     }
- 
-     rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
--                                           SSL_SET_OPTION(username),
--                                           SSL_SET_OPTION(password));
-+                                           SSL_SET_OPTION(primary.username),
-+                                           SSL_SET_OPTION(primary.password));
-     if(rc != GNUTLS_E_SUCCESS) {
-       failf(data, "gnutls_srp_set_client_cred() failed: %s",
-             gnutls_strerror(rc));
-@@ -507,19 +508,19 @@ gtls_connect_step1(struct Curl_easy *data,
-   }
- #endif
- 
--  if(SSL_SET_OPTION(CRLfile)) {
-+  if(SSL_SET_OPTION(primary.CRLfile)) {
-     /* set the CRL list file */
-     rc = gnutls_certificate_set_x509_crl_file(backend->cred,
--                                              SSL_SET_OPTION(CRLfile),
-+                                              SSL_SET_OPTION(primary.CRLfile),
-                                               GNUTLS_X509_FMT_PEM);
-     if(rc < 0) {
-       failf(data, "error reading crl file %s (%s)",
--            SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
-+            SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
-       return CURLE_SSL_CRL_BADFILE;
-     }
-     else
-       infof(data, "found %d CRL in %s",
--            rc, SSL_SET_OPTION(CRLfile));
-+            rc, SSL_SET_OPTION(primary.CRLfile));
-   }
- 
-   /* Initialize TLS session as a client */
-@@ -590,7 +591,7 @@ gtls_connect_step1(struct Curl_easy *data,
- #ifdef HAVE_GNUTLS_SRP
-   /* Only add SRP to the cipher list if SRP is requested. Otherwise
-    * GnuTLS will disable TLS 1.3 support. */
--  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
-+  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
-     size_t len = strlen(prioritylist);
- 
-     char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
-@@ -685,7 +686,7 @@ gtls_connect_step1(struct Curl_easy *data,
- 
- #ifdef HAVE_GNUTLS_SRP
-   /* put the credentials to the current session */
--  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
-+  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
-     rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
-                                 backend->srp_client_cred);
-     if(rc != GNUTLS_E_SUCCESS) {
-@@ -867,8 +868,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
-        SSL_CONN_CONFIG(verifyhost) ||
-        SSL_CONN_CONFIG(issuercert)) {
- #ifdef HAVE_GNUTLS_SRP
--      if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
--         && SSL_SET_OPTION(username) != NULL
-+      if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
-+         && SSL_SET_OPTION(primary.username)
-          && !SSL_CONN_CONFIG(verifypeer)
-          && gnutls_cipher_get(session)) {
-         /* no peer cert, but auth is ok if we have SRP user and cipher and no
-@@ -926,7 +927,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
-         failf(data, "server certificate verification failed. CAfile: %s "
-               "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
-               "none",
--              SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
-+              SSL_SET_OPTION(primary.CRLfile) ?
-+              SSL_SET_OPTION(primary.CRLfile) : "none");
-         return CURLE_PEER_FAILED_VERIFICATION;
-       }
-       else
-@@ -1556,8 +1558,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
-   gnutls_certificate_free_credentials(backend->cred);
- 
- #ifdef HAVE_GNUTLS_SRP
--  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
--     && SSL_SET_OPTION(username) != NULL)
-+  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
-+     && SSL_SET_OPTION(primary.username) != NULL)
-     gnutls_srp_free_client_credentials(backend->srp_client_cred);
- #endif
- 
-diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
-index b9fd26a..bd4ad8f 100644
---- a/lib/vtls/mbedtls.c
-+++ b/lib/vtls/mbedtls.c
-@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
-   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
-   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
-   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
--  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
-+  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
-   const char * const hostname = SSL_HOST_NAME();
- #ifndef CURL_DISABLE_VERBOSE_STRINGS
-   const long int port = SSL_HOST_PORT();
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index 52f2060..959e23e 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -2035,13 +2035,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
-     }
-   }
- 
--  if(SSL_SET_OPTION(CRLfile)) {
--    const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
-+  if(SSL_SET_OPTION(primary.CRLfile)) {
-+    const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
-     if(rv) {
-       result = rv;
-       goto error;
-     }
--    infof(data, "  CRLfile: %s", SSL_SET_OPTION(CRLfile));
-+    infof(data, "  CRLfile: %s", SSL_SET_OPTION(primary.CRLfile));
-   }
- 
-   if(SSL_SET_OPTION(primary.clientcert)) {
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index e8633f4..d98bbcb 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -2632,7 +2632,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
- #endif
-   const long int ssl_version = SSL_CONN_CONFIG(version);
- #ifdef USE_OPENSSL_SRP
--  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
-+  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
- #endif
-   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
-   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
-@@ -2643,7 +2643,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
-     (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile));
-   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
-   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
--  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
-+  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
-   char error_buffer[256];
-   struct ssl_backend_data *backend = connssl->backend;
-   bool imported_native_ca = false;
-@@ -2895,15 +2895,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
- #ifdef USE_OPENSSL_SRP
-   if((ssl_authtype == CURL_TLSAUTH_SRP) &&
-      Curl_allow_auth_to_host(data)) {
--    char * const ssl_username = SSL_SET_OPTION(username);
--
-+    char * const ssl_username = SSL_SET_OPTION(primary.username);
-+    char * const ssl_password = SSL_SET_OPTION(primary.password);
-     infof(data, "Using TLS-SRP username: %s", ssl_username);
- 
-     if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
-       failf(data, "Unable to set SRP user name");
-       return CURLE_BAD_FUNCTION_ARGUMENT;
-     }
--    if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
-+    if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
-       failf(data, "failed setting SRP password");
-       return CURLE_BAD_FUNCTION_ARGUMENT;
-     }
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index a40ac06..e2d3438 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
- {
-   if((data->version == needle->version) &&
-      (data->version_max == needle->version_max) &&
-+     (data->ssl_options == needle->ssl_options) &&
-      (data->verifypeer == needle->verifypeer) &&
-      (data->verifyhost == needle->verifyhost) &&
-      (data->verifystatus == needle->verifystatus) &&
-@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
-      Curl_safecmp(data->clientcert, needle->clientcert) &&
-      Curl_safecmp(data->random_file, needle->random_file) &&
-      Curl_safecmp(data->egdsocket, needle->egdsocket) &&
-+#ifdef USE_TLS_SRP
-+     Curl_safecmp(data->username, needle->username) &&
-+     Curl_safecmp(data->password, needle->password) &&
-+     (data->authtype == needle->authtype) &&
-+#endif
-      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
-      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
-      Curl_safe_strcasecompare(data->curves, needle->curves) &&
-+     Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
-      Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
-     return TRUE;
- 
-@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
-   dest->verifyhost = source->verifyhost;
-   dest->verifystatus = source->verifystatus;
-   dest->sessionid = source->sessionid;
-+  dest->ssl_options = source->ssl_options;
-+#ifdef USE_TLS_SRP
-+  dest->authtype = source->authtype;
-+#endif
- 
-   CLONE_BLOB(cert_blob);
-   CLONE_BLOB(ca_info_blob);
-@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
-   CLONE_STRING(cipher_list13);
-   CLONE_STRING(pinned_key);
-   CLONE_STRING(curves);
-+  CLONE_STRING(CRLfile);
-+#ifdef USE_TLS_SRP
-+  CLONE_STRING(username);
-+  CLONE_STRING(password);
-+#endif
- 
-   return TRUE;
- }
-@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
-   Curl_safefree(sslc->ca_info_blob);
-   Curl_safefree(sslc->issuercert_blob);
-   Curl_safefree(sslc->curves);
-+  Curl_safefree(sslc->CRLfile);
-+#ifdef USE_TLS_SRP
-+  Curl_safefree(sslc->username);
-+  Curl_safefree(sslc->password);
-+#endif
- }
- 
- #ifdef USE_SSL
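Review bot: in the lib/vtls/vtls.c part of this removed backport, `Curl_ssl_config_matches` compares `CRLfile` with `Curl_safe_strcasecompare`, while the SRP `username` and `password` added next to it use `Curl_safecmp`. A case-insensitive comparison of a file path means two CRL files whose paths differ only in case count as the same TLS configuration for connection reuse on a case-sensitive filesystem. The file is deleted here, so nothing needs changing in this patch. Before relying on the removal, though, please check that lib/vtls/vtls.c in the unpacked 7.84.0 source still has the `ssl_options`, SRP and `CRLfile` comparisons from the commit named in Upstream-Status (f18af4f874cecab82a9797e8c7541e0990c7a64c), and note how `CRLfile` is compared there.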
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
deleted file mode 100644
index 74fa7f85a9..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
+++ /dev/null
@@ -1,71 +0,0 @@ 
-From 782a5e8e5b0271f8cb33eeef6a3819b0149093e0 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 23:13:53 +0200
-Subject: [PATCH] url: check SSH config match on connection reuse
-
-CVE-2022-27782
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27782.html
-Closes #8825
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/url.c      | 11 +++++++++++
- lib/vssh/ssh.h |  6 +++---
- 2 files changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/lib/url.c b/lib/url.c
-index 5ebf5e2..c713e54 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data)
-   }
- }
- 
-+static bool ssh_config_matches(struct connectdata *one,
-+                               struct connectdata *two)
-+{
-+  return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
-+          Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
-+}
- /*
-  * Given one filled in connection struct (named needle), this function should
-  * detect if there already is one that has all the significant details
-@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data,
-          (data->state.httpwant < CURL_HTTP_VERSION_2_0))
-         continue;
- 
-+      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
-+        if(!ssh_config_matches(needle, check))
-+          continue;
-+      }
-+
-       if((needle->handler->flags&PROTOPT_SSL)
- #ifndef CURL_DISABLE_PROXY
-          || !needle->bits.httpproxy || needle->bits.tunnel_proxy
-diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
-index 7972081..30d82e5 100644
---- a/lib/vssh/ssh.h
-+++ b/lib/vssh/ssh.h
-@@ -7,7 +7,7 @@
-  *                            | (__| |_| |  _ <| |___
-  *                             \___|\___/|_| \_\_____|
-  *
-- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
-+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
-  *
-  * This software is licensed as described in the file COPYING, which
-  * you should have received as part of this distribution. The terms
-@@ -131,8 +131,8 @@ struct ssh_conn {
- 
-   /* common */
-   const char *passphrase;     /* pass-phrase to use */
--  char *rsa_pub;              /* path name */
--  char *rsa;                  /* path name */
-+  char *rsa_pub;              /* strdup'ed public key file */
-+  char *rsa;                  /* strdup'ed private key file */
-   bool authed;                /* the connection has been authenticated fine */
-   bool acceptfail;            /* used by the SFTP_QUOTE (continue if
-                                  quote command fails) */
diff --git a/meta/recipes-support/curl/curl/CVE-2022-30115.patch b/meta/recipes-support/curl/curl/CVE-2022-30115.patch
deleted file mode 100644
index 96839cf204..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-30115.patch
+++ /dev/null
@@ -1,82 +0,0 @@ 
-From 8313ef3f507b5bdc54e985cae71aa9df00609d55 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 08:13:55 +0200
-Subject: [PATCH] hsts: ignore trailing dots when comparing hosts names
-
-CVE-2022-30115
-
-Reported-by: Axel Chong
-Bug: https://curl.se/docs/CVE-2022-30115.html
-Closes #8821
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/fae6fea209a2d4db1582f608bd8cc8000721733a]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/hsts.c | 30 +++++++++++++++++++++++++-----
- 1 file changed, 25 insertions(+), 5 deletions(-)
-
-diff --git a/lib/hsts.c b/lib/hsts.c
-index 03fcc9e..b9fa6f7 100644
---- a/lib/hsts.c
-+++ b/lib/hsts.c
-@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h,
-                             curl_off_t expires)
- {
-   struct stsentry *sts = hsts_entry();
-+  char *duphost;
-+  size_t hlen;
-   if(!sts)
-     return CURLE_OUT_OF_MEMORY;
- 
--  sts->expires = expires;
--  sts->includeSubDomains = subdomains;
--  sts->host = strdup(hostname);
--  if(!sts->host) {
-+  duphost = strdup(hostname);
-+  if(!duphost) {
-     free(sts);
-     return CURLE_OUT_OF_MEMORY;
-   }
-+
-+  hlen = strlen(duphost);
-+  if(duphost[hlen - 1] == '.')
-+    /* strip off trailing any dot */
-+    duphost[--hlen] = 0;
-+
-+  sts->host = duphost;
-+  sts->expires = expires;
-+  sts->includeSubDomains = subdomains;
-   Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
-   return CURLE_OK;
- }
-@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
-                            bool subdomain)
- {
-   if(h) {
-+    char buffer[MAX_HSTS_HOSTLEN + 1];
-     time_t now = time(NULL);
-     size_t hlen = strlen(hostname);
-     struct Curl_llist_element *e;
-     struct Curl_llist_element *n;
-+
-+    if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
-+      return NULL;
-+    memcpy(buffer, hostname, hlen);
-+    if(hostname[hlen-1] == '.')
-+      /* remove the trailing dot */
-+      --hlen;
-+    buffer[hlen] = 0;
-+    hostname = buffer;
-+
-     for(e = h->list.head; e; e = n) {
-       struct stsentry *sts = e->ptr;
-       n = e->next;
-@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
-     CURLSTScode sc;
-     DEBUGASSERT(h);
-     do {
--      char buffer[257];
-+      char buffer[MAX_HSTS_HOSTLEN + 1];
-       struct curl_hstsentry e;
-       e.name = buffer;
-       e.namelen = sizeof(buffer)-1;
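Review bot: in the `hsts_create` hunk of this removed backport, `duphost[hlen - 1]` is read with no check that `hlen` is non-zero. The `Curl_hsts` hunk right below it does guard with `(hlen > MAX_HSTS_HOSTLEN) || !hlen`, so only the create path indexes before the buffer when the hostname is an empty string. Since the upgrade replaces this file with whatever lib/hsts.c ships in 7.84.0, please confirm the new source guards that index (for example `if(hlen && duphost[hlen - 1] == '.')`) and that the trailing-dot handling from fae6fea209a2d4db1582f608bd8cc8000721733a is present in both the create and lookup paths.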
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.84.0.bb
similarity index 87%
rename from meta/recipes-support/curl/curl_7.82.0.bb
rename to meta/recipes-support/curl/curl_7.84.0.bb
index ba3fd11820..addbaf14b1 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.84.0.bb
@@ -10,21 +10,9 @@  LICENSE = "MIT-open-group"
 LIC_FILES_CHKSUM = "file://COPYING;md5=190c514872597083303371684954f238"
 
 SRC_URI = "https://curl.se/download/${BP}.tar.xz \
-           file://CVE-2022-22576.patch \
-           file://CVE-2022-27775.patch \
-           file://CVE-2022-27776.patch \
-           file://CVE-2022-27774-1.patch \
-           file://CVE-2022-27774-2.patch \
-           file://CVE-2022-27774-3.patch \
-           file://CVE-2022-27774-4.patch \
-           file://CVE-2022-30115.patch \
-           file://CVE-2022-27780.patch \
-           file://CVE-2022-27781.patch \
-           file://CVE-2022-27779.patch \
-           file://CVE-2022-27782-1.patch \
-           file://CVE-2022-27782-2.patch \
+           file://0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch \
            "
-SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
+SRC_URI[sha256sum] = "2d118b43f547bfe5bae806d8d47b4e596ea5b25a6c1f080aef49fbcd817c5db8"
 
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
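Review bot: thirteen `file://CVE-2022-*.patch` entries leave SRC_URI in this hunk, but the commit message only says "fix CVEs" and links the changelog. Please list in the commit message the CVE IDs whose backports are dropped because 7.84.0 contains them, and the additional CVEs the new version fixes. That lets the removal be checked patch by patch against each file's Upstream-Status commit, and lets CVE tracking for the `CVE_PRODUCT` names below be reconciled. Two smaller checks on the same hunk: the new `0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch` entry should carry Upstream-Status and Signed-off-by lines like the patches it replaces, and `LIC_FILES_CHKSUM` is carried over unchanged from 7.82.0, so confirm COPYING is identical in the 7.84.0 tarball.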