Message ID | 20230426081745.182677-1-vanusuri@mvista.com |
---|---|
State | New, archived |
Series | [dunfell] curl: Security fix CVE-2023-27533, CVE-2023-27535, CVE-2023-27536 and CVE-2023-27538 |
Hi Vijay,

We already have a patch for CVE-2023-27538:

https://git.openembedded.org/openembedded-core/commit/?h=dunfell&id=b2740d1ff74b2c55011b5d4230c7b06b5109376d

Could you submit a v2 taking this into consideration?

Thanks for helping with CVEs!

Steve

On Tue, Apr 25, 2023 at 10:18 PM Vijay Anusuri <vanusuri@mvista.com> wrote:
>
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches?h=ubuntu/focal-security & https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684 & https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878 & https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c & https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1 & https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 & https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../curl/curl/CVE-2023-27533.patch | 59 +++++
> .../curl/curl/CVE-2023-27535-pre1.patch | 236 ++++++++++++++++++
> .../curl/curl/CVE-2023-27535.patch | 170 +++++++++++++
> .../curl/curl/CVE-2023-27536.patch | 55 ++++
> .../curl/curl/CVE-2023-27538.patch | 29 +++
> meta/recipes-support/curl/curl_7.69.1.bb | 5 +
> 6 files changed, 554 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27533.patch
> create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
> create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535.patch
> create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch
> create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27538.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27533.patch b/meta/recipes-support/curl/curl/CVE-2023-27533.patch > new file mode 100644 > index 0000000000..64ba135056 > --- /dev/null 
> +++ b/meta/recipes-support/curl/curl/CVE-2023-27533.patch 
> @@ -0,0 +1,59 @@ > +Backport of: > + > +From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001 > +From: Daniel Stenberg <daniel@haxx.se> > +Date: Mon, 6 Mar 2023 12:07:33 +0100 > +Subject: [PATCH] telnet: only accept option arguments in ascii > + > +To avoid embedded telnet negotiation commands etc. > + > +Reported-by: Harry Sintonen > +Closes #10728 > + > +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27533.patch?h=ubuntu/focal-security > +Upstream commit https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684] > +CVE: CVE-2023-27533 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + lib/telnet.c | 15 +++++++++++++++ > + 1 file changed, 15 insertions(+) > + > +--- a/lib/telnet.c > ++++ b/lib/telnet.c > +@@ -815,6 +815,17 @@ static void printsub(struct Curl_easy *d > + } > + } > + > ++static bool str_is_nonascii(const char *str) > ++{ > ++ size_t len = strlen(str); > ++ while(len--) { > ++ if(*str & 0x80) > ++ return TRUE; > ++ str++; > ++ } > ++ return FALSE; > ++} > ++ > + static CURLcode check_telnet_options(struct connectdata *conn) > + { > + struct curl_slist *head; > +@@ -829,6 +840,8 @@ static CURLcode check_telnet_options(str > + /* Add the user name as an environment variable if it > + was given on the command line */ > + if(conn->bits.user_passwd) { > ++ if(str_is_nonascii(data->conn->user)) > ++ return CURLE_BAD_FUNCTION_ARGUMENT; > + msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); > + beg = curl_slist_append(tn->telnet_vars, option_arg); > + if(!beg) { > +@@ -844,6 +857,9 @@ static CURLcode check_telnet_options(str > + if(sscanf(head->data, "%127[^= ]%*[ =]%255s", > + option_keyword, option_arg) == 2) { > + > ++ if(str_is_nonascii(option_arg)) > ++ continue; > ++ > + /* Terminal type */ > + if(strcasecompare(option_keyword, "TTYPE")) { > + strncpy(tn->subopt_ttype, option_arg, 31); 
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch > new file mode 100644 > index 0000000000..034b72f7e6 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch 
> @@ -0,0 +1,236 @@ > +From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001 > +From: Daniel Stenberg <daniel@haxx.se> > +Date: Thu, 6 Oct 2022 00:49:10 +0200 > +Subject: [PATCH] strcase: add and use Curl_timestrcmp > + > +This is a strcmp() alternative function for comparing "secrets", > +designed to take the same time no matter the content to not leak > +match/non-match info to observers based on how fast it is. > + > +The time this function takes is only a function of the shortest input > +string. > + > +Reported-by: Trail of Bits > + > +Closes #9658 > + > +Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878 & https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] > +Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp. > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + lib/netrc.c | 6 +++--- > + lib/strcase.c | 22 ++++++++++++++++++++++ > + lib/strcase.h | 1 + > + lib/url.c | 33 +++++++++++++-------------------- > + lib/vauth/digest_sspi.c | 4 ++-- > + lib/vtls/vtls.c | 21 ++++++++++++++++++++- > + 6 files changed, 61 insertions(+), 26 deletions(-) > + > +diff --git a/lib/netrc.c b/lib/netrc.c > +index 9323913..fe3fd1e 100644 > +--- a/lib/netrc.c > ++++ b/lib/netrc.c > +@@ -124,9 +124,9 @@ static int parsenetrc(const char *host, > + /* we are now parsing sub-keywords concerning "our" host */ > + if(state_login) { > + if(specific_login) { > +- state_our_login = strcasecompare(login, tok); > ++ state_our_login = !Curl_timestrcmp(login, tok); > + } > +- else if(!login || strcmp(login, tok)) { > ++ else if(!login || Curl_timestrcmp(login, tok)) { > + if(login_alloc) { > + free(login); > + login_alloc = FALSE; > +@@ -142,7 +142,7 @@ static int parsenetrc(const char *host, > + } > + else if(state_password) { > + if((state_our_login || !specific_login) > +- && (!password || strcmp(password, tok))) { > ++ && (!password || 
Curl_timestrcmp(password, tok))) { > + if(password_alloc) { > + free(password); > + password_alloc = FALSE; > +diff --git a/lib/strcase.c b/lib/strcase.c > +index 70bf21c..ec776b3 100644 > +--- a/lib/strcase.c > ++++ b/lib/strcase.c > +@@ -261,6 +261,28 @@ bool Curl_safecmp(char *a, char *b) > + return !a && !b; > + } > + > ++/* > ++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this > ++ * function spends is a function of the shortest string, not of the contents. > ++ */ > ++int Curl_timestrcmp(const char *a, const char *b) > ++{ > ++ int match = 0; > ++ int i = 0; > ++ > ++ if(a && b) { > ++ while(1) { > ++ match |= a[i]^b[i]; > ++ if(!a[i] || !b[i]) > ++ break; > ++ i++; > ++ } > ++ } > ++ else > ++ return a || b; > ++ return match; > ++} > ++ > + /* --- public functions --- */ > + > + int curl_strequal(const char *first, const char *second) > +diff --git a/lib/strcase.h b/lib/strcase.h > +index 8929a53..8077108 100644 > +--- a/lib/strcase.h > ++++ b/lib/strcase.h > +@@ -49,5 +49,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n); > + void Curl_strntolower(char *dest, const char *src, size_t n); > + > + bool Curl_safecmp(char *a, char *b); > ++int Curl_timestrcmp(const char *first, const char *second); > + > + #endif /* HEADER_CURL_STRCASE_H */ > +diff --git a/lib/url.c b/lib/url.c > +index 9f14a7b..dfbde3b 100644 > +--- a/lib/url.c > ++++ b/lib/url.c > +@@ -886,19 +886,10 @@ socks_proxy_info_matches(const struct proxy_info* data, > + /* the user information is case-sensitive > + or at least it is not defined as case-insensitive > + see https://tools.ietf.org/html/rfc3986#section-3.2.1 */ > +- if((data->user == NULL) != (needle->user == NULL)) > +- return FALSE; > +- /* curl_strequal does a case insentive comparison, so do not use it here! 
*/ > +- if(data->user && > +- needle->user && > +- strcmp(data->user, needle->user) != 0) > +- return FALSE; > +- if((data->passwd == NULL) != (needle->passwd == NULL)) > +- return FALSE; > ++ > + /* curl_strequal does a case insentive comparison, so do not use it here! */ > +- if(data->passwd && > +- needle->passwd && > +- strcmp(data->passwd, needle->passwd) != 0) > ++ if(Curl_timestrcmp(data->user, needle->user) || > ++ Curl_timestrcmp(data->passwd, needle->passwd)) > + return FALSE; > + return TRUE; > + } > +@@ -1257,10 +1248,10 @@ ConnectionExists(struct Curl_easy *data, > + if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { > + /* This protocol requires credentials per connection, > + so verify that we're using the same name and password as well */ > +- if(strcmp(needle->user, check->user) || > +- strcmp(needle->passwd, check->passwd) || > +- !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || > +- !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { > ++ if(Curl_timestrcmp(needle->user, check->user) || > ++ Curl_timestrcmp(needle->passwd, check->passwd) || > ++ Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) || > ++ Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) { > + /* one of them was different */ > + continue; > + } > +@@ -1326,8 +1317,8 @@ ConnectionExists(struct Curl_easy *data, > + possible. (Especially we must not reuse the same connection if > + partway through a handshake!) 
*/ > + if(wantNTLMhttp) { > +- if(strcmp(needle->user, check->user) || > +- strcmp(needle->passwd, check->passwd)) { > ++ if(Curl_timestrcmp(needle->user, check->user) || > ++ Curl_timestrcmp(needle->passwd, check->passwd)) { > + > + /* we prefer a credential match, but this is at least a connection > + that can be reused and "upgraded" to NTLM */ > +@@ -1348,8 +1339,10 @@ ConnectionExists(struct Curl_easy *data, > + if(!check->http_proxy.user || !check->http_proxy.passwd) > + continue; > + > +- if(strcmp(needle->http_proxy.user, check->http_proxy.user) || > +- strcmp(needle->http_proxy.passwd, check->http_proxy.passwd)) > ++ if(Curl_timestrcmp(needle->http_proxy.user, > ++ check->http_proxy.user) || > ++ Curl_timestrcmp(needle->http_proxy.passwd, > ++ check->http_proxy.passwd)) > + continue; > + } > + else if(check->proxy_ntlm_state != NTLMSTATE_NONE) { > +diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c > +index a109056..3986386 100644 > +--- a/lib/vauth/digest_sspi.c > ++++ b/lib/vauth/digest_sspi.c > +@@ -450,8 +450,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, > + has changed then delete that context. 
*/ > + if((userp && !digest->user) || (!userp && digest->user) || > + (passwdp && !digest->passwd) || (!passwdp && digest->passwd) || > +- (userp && digest->user && strcmp(userp, digest->user)) || > +- (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) { > ++ (userp && digest->user && Curl_timestrcmp(userp, digest->user)) || > ++ (passwdp && digest->passwd && Curl_timestrcmp(passwdp, digest->passwd))) { > + if(digest->http_context) { > + s_pSecFn->DeleteSecurityContext(digest->http_context); > + Curl_safefree(digest->http_context); > +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c > +index e8cb70f..70a9391 100644 > +--- a/lib/vtls/vtls.c > ++++ b/lib/vtls/vtls.c > +@@ -98,9 +98,15 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, > + Curl_safecmp(data->issuercert, needle->issuercert) && > + Curl_safecmp(data->clientcert, needle->clientcert) && > + Curl_safecmp(data->random_file, needle->random_file) && > +- Curl_safecmp(data->egdsocket, needle->egdsocket) && > ++ Curl_safecmp(data->egdsocket, needle->egdsocket) && > ++#ifdef USE_TLS_SRP > ++ !Curl_timestrcmp(data->username, needle->username) && > ++ !Curl_timestrcmp(data->password, needle->password) && > ++ (data->authtype == needle->authtype) && > ++#endif > + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && > + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && > ++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && > + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) > + return TRUE; > + > +@@ -117,6 +123,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, > + dest->verifyhost = source->verifyhost; > + dest->verifystatus = source->verifystatus; > + dest->sessionid = source->sessionid; > ++#ifdef USE_TLS_SRP > ++ dest->authtype = source->authtype; > ++#endif > + > + CLONE_STRING(CApath); > + CLONE_STRING(CAfile); > +@@ -127,6 +136,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, > + 
CLONE_STRING(cipher_list); > + CLONE_STRING(cipher_list13); > + CLONE_STRING(pinned_key); > ++ CLONE_STRING(CRLfile); > ++#ifdef USE_TLS_SRP > ++ CLONE_STRING(username); > ++ CLONE_STRING(password); > ++#endif > + > + return TRUE; > + } > +@@ -142,6 +156,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc) > + Curl_safefree(sslc->cipher_list); > + Curl_safefree(sslc->cipher_list13); > + Curl_safefree(sslc->pinned_key); > ++ Curl_safefree(sslc->CRLfile); > ++#ifdef USE_TLS_SRP > ++ Curl_safefree(sslc->username); > ++ Curl_safefree(sslc->password); > ++#endif > + } > + > + #ifdef USE_SSL > +-- > +2.25.1 > + > diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535.patch b/meta/recipes-support/curl/curl/CVE-2023-27535.patch > new file mode 100644 > index 0000000000..e38390a57c > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2023-27535.patch 
> @@ -0,0 +1,170 @@ > +From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001 > +From: Daniel Stenberg <daniel@haxx.se> > +Date: Thu, 9 Mar 2023 17:47:06 +0100 > +Subject: [PATCH] ftp: add more conditions for connection reuse > + > +Reported-by: Harry Sintonen > +Closes #10730 > + > +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27535.patch?h=ubuntu/focal-security > +Upstream commit https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1] > +CVE: CVE-2023-27535 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + lib/ftp.c | 30 ++++++++++++++++++++++++++++-- > + lib/ftp.h | 5 +++++ > + lib/setopt.c | 2 +- > + lib/url.c | 16 +++++++++++++++- > + lib/urldata.h | 4 ++-- > + 5 files changed, 51 insertions(+), 6 deletions(-) > + > +diff --git a/lib/ftp.c b/lib/ftp.c > +index 31a34e8..7a82a74 100644 > +--- a/lib/ftp.c > ++++ b/lib/ftp.c > +@@ -4059,6 +4059,10 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection) > + } > + > + freedirs(ftpc); > ++ free(ftpc->account); > ++ ftpc->account = NULL; > ++ free(ftpc->alternative_to_user); > ++ ftpc->alternative_to_user = NULL; > + free(ftpc->prevpath); > + ftpc->prevpath = NULL; > + free(ftpc->server_os); > +@@ -4326,11 +4330,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn) > + struct Curl_easy *data = conn->data; > + char *type; > + struct FTP *ftp; > ++ struct ftp_conn *ftpc = &conn->proto.ftpc; > + > +- conn->data->req.protop = ftp = calloc(sizeof(struct FTP), 1); > ++ ftp = calloc(sizeof(struct FTP), 1); > + if(NULL == ftp) > + return CURLE_OUT_OF_MEMORY; > + > ++ /* clone connection related data that is FTP specific */ > ++ if(data->set.str[STRING_FTP_ACCOUNT]) { > ++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); > ++ if(!ftpc->account) { > ++ free(ftp); > ++ return CURLE_OUT_OF_MEMORY; > ++ } > ++ } > ++ 
if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { > ++ ftpc->alternative_to_user = > ++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); > ++ if(!ftpc->alternative_to_user) { > ++ Curl_safefree(ftpc->account); > ++ free(ftp); > ++ return CURLE_OUT_OF_MEMORY; > ++ } > ++ } > ++ conn->data->req.protop = ftp; > ++ > + ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ > + > + /* FTP URLs support an extension like ";type=<typecode>" that > +@@ -4366,7 +4390,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn) > + /* get some initial data into the ftp struct */ > + ftp->transfer = FTPTRANSFER_BODY; > + ftp->downloadsize = 0; > +- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ > ++ ftpc->known_filesize = -1; /* unknown size for now */ > ++ ftpc->use_ssl = data->set.use_ssl; > ++ ftpc->ccc = data->set.ftp_ccc; > + > + return CURLE_OK; > + } > +diff --git a/lib/ftp.h b/lib/ftp.h > +index 984347f..163dcb3 100644 > +--- a/lib/ftp.h > ++++ b/lib/ftp.h > +@@ -116,6 +116,8 @@ struct FTP { > + struct */ > + struct ftp_conn { > + struct pingpong pp; > ++ char *account; > ++ char *alternative_to_user; > + char *entrypath; /* the PWD reply when we logged on */ > + char **dirs; /* realloc()ed array for path components */ > + int dirdepth; /* number of entries used in the 'dirs' array */ > +@@ -141,6 +143,9 @@ struct ftp_conn { > + ftpstate state; /* always use ftp.c:state() to change state! */ > + ftpstate state_saved; /* transfer type saved to be reloaded after > + data connection is established */ > ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or > ++ IMAP or POP3 or others! (type: curl_usessl)*/ > ++ unsigned char ccc; /* ccc level for this connection */ > + curl_off_t retr_size_saved; /* Size of retrieved file saved */ > + char *server_os; /* The target server operating system. 
*/ > + curl_off_t known_filesize; /* file size is different from -1, if wildcard > +diff --git a/lib/setopt.c b/lib/setopt.c > +index 4d96f6b..a91bb70 100644 > +--- a/lib/setopt.c > ++++ b/lib/setopt.c > +@@ -2126,7 +2126,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) > + arg = va_arg(param, long); > + if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) > + return CURLE_BAD_FUNCTION_ARGUMENT; > +- data->set.use_ssl = (curl_usessl)arg; > ++ data->set.use_ssl = (unsigned char)arg; > + break; > + > + case CURLOPT_SSL_OPTIONS: > +diff --git a/lib/url.c b/lib/url.c > +index dfbde3b..f84375c 100644 > +--- a/lib/url.c > ++++ b/lib/url.c > +@@ -1257,10 +1257,24 @@ ConnectionExists(struct Curl_easy *data, > + } > + } > + > +- if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { > ++#ifdef USE_SSH > ++ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { > + if(!ssh_config_matches(needle, check)) > + continue; > + } > ++#endif > ++#ifndef CURL_DISABLE_FTP > ++ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_FTP) { > ++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ > ++ if(Curl_timestrcmp(needle->proto.ftpc.account, > ++ check->proto.ftpc.account) || > ++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, > ++ check->proto.ftpc.alternative_to_user) || > ++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || > ++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) > ++ continue; > ++ } > ++#endif > + > + if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) || > + needle->bits.tunnel_proxy) { > +diff --git a/lib/urldata.h b/lib/urldata.h > +index 168f874..51b793b 100644 > +--- a/lib/urldata.h > ++++ b/lib/urldata.h > +@@ -1730,8 +1730,6 @@ struct UserDefined { > + void *ssh_keyfunc_userp; /* custom pointer to callback */ > + enum CURL_NETRC_OPTION > + use_netrc; /* defined in include/curl.h */ > +- curl_usessl use_ssl; /* 
if AUTH TLS is to be attempted etc, for FTP or > +- IMAP or POP3 or others! */ > + long new_file_perms; /* Permissions to use when creating remote files */ > + long new_directory_perms; /* Permissions to use when creating remote dirs */ > + long ssh_auth_types; /* allowed SSH auth types */ > +@@ -1851,6 +1849,8 @@ struct UserDefined { > + BIT(http09_allowed); /* allow HTTP/0.9 responses */ > + BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some > + recipients */ > ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or > ++ IMAP or POP3 or others! (type: curl_usessl)*/ > + }; > + > + struct Names { > +-- > +2.25.1 > + > diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch > new file mode 100644 > index 0000000000..b04a77de25 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch 
> @@ -0,0 +1,55 @@ > +From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001 > +From: Daniel Stenberg <daniel@haxx.se> > +Date: Fri, 10 Mar 2023 09:22:43 +0100 > +Subject: [PATCH] url: only reuse connections with same GSS delegation > + > +Reported-by: Harry Sintonen > +Closes #10731 > + > +Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5] > +CVE: CVE-2023-27536 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + lib/url.c | 6 ++++++ > + lib/urldata.h | 1 + > + 2 files changed, 7 insertions(+) > + > +diff --git a/lib/url.c b/lib/url.c > +index f84375c..87f4eb0 100644 > +--- a/lib/url.c > ++++ b/lib/url.c > +@@ -1257,6 +1257,11 @@ ConnectionExists(struct Curl_easy *data, > + } > + } > + > ++ /* GSS delegation differences do not actually affect every connection > ++ and auth method, but this check takes precaution before efficiency */ > ++ if(needle->gssapi_delegation != check->gssapi_delegation) > ++ continue; > ++ > + #ifdef USE_SSH > + else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { > + if(!ssh_config_matches(needle, check)) > +@@ -1708,6 +1713,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) > + conn->fclosesocket = data->set.fclosesocket; > + conn->closesocket_client = data->set.closesocket_client; > + conn->lastused = Curl_now(); /* used now */ > ++ conn->gssapi_delegation = data->set.gssapi_delegation; > + > + return conn; > + error: > +diff --git a/lib/urldata.h b/lib/urldata.h > +index 51b793b..b8a611b 100644 > +--- a/lib/urldata.h > ++++ b/lib/urldata.h > +@@ -1118,6 +1118,7 @@ struct connectdata { > + handle */ > + BIT(sock_accepted); /* TRUE if the SECONDARYSOCKET was created with > + accept() */ > ++ long gssapi_delegation; /* inherited from set.gssapi_delegation */ > + }; > + > + /* The end of connectdata. */ > +-- > +2.25.1 > + 
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27538.patch > new file mode 100644 > index 0000000000..5cd11ef88b > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch > @@ -0,0 +1,29 @@ > +Backport of: > + > +From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001 > +From: Daniel Stenberg <daniel@haxx.se> > +Date: Fri, 10 Mar 2023 08:22:51 +0100 > +Subject: [PATCH] url: fix the SSH connection reuse check > + > +Reported-by: Harry Sintonen > +Closes #10735 > + > +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27538.patch?h=ubuntu/focal-security > +Upstream commit https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb] > +CVE: CVE-2023-27538 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + lib/url.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +--- a/lib/url.c > ++++ b/lib/url.c > +@@ -1233,7 +1233,7 @@ ConnectionExists(struct Curl_easy *data, > + } > + } > + > +- if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) { > ++ if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { > + if(!ssh_config_matches(needle, check)) > + continue; > + } > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb > index a7f4f5748f..2e3bcb2c6e 100644 > --- a/meta/recipes-support/curl/curl_7.69.1.bb > +++ b/meta/recipes-support/curl/curl_7.69.1.bb 
> @@ -44,6 +44,11 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > file://CVE-2022-43552.patch \ > file://CVE-2023-23916.patch \ > file://CVE-2023-27534.patch \ > + file://CVE-2023-27533.patch \ > + file://CVE-2023-27538.patch \ > + file://CVE-2023-27535-pre1.patch \ > + file://CVE-2023-27535.patch \ > + file://CVE-2023-27536.patch \ > " > > SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" > -- > 2.25.1
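Review bot: In the second lib/telnet.c hunk of CVE-2023-27533.patch (`@@ -829,6 +840,8 @@`), the new check reads `data->conn->user` although the function receives `struct connectdata *conn` and the very next line formats `conn->user`. Using `str_is_nonascii(conn->user)` would keep the check and the use on the same pointer and avoid relying on a `data` variable that is not visible in the hunk context. The patch header could also state the differing outcomes: a non-ASCII user name fails with `CURLE_BAD_FUNCTION_ARGUMENT`, while a non-ASCII option argument in the third hunk is silently skipped with `continue`.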
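Review bot: The lib/netrc.c hunk of CVE-2023-27535-pre1.patch changes the `specific_login` match from `strcasecompare(login, tok)` to `!Curl_timestrcmp(login, tok)`, which turns a case-insensitive comparison into an exact byte comparison. That is a behaviour change for existing .netrc entries on top of the timing hardening, and the patch header should mention it so it is not read as a pure "add and use Curl_timestrcmp" change.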
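Review bot: The lib/vtls/vtls.c hunks of CVE-2023-27535-pre1.patch compare, clone and free `username`, `password`, `authtype` and `CRLfile` on `struct ssl_primary_config`, but the diffstat lists no header that declares those members. Please confirm they already exist in the 7.69.1 struct (`CRLfile` is used outside the `USE_TLS_SRP` guard, so a missing member breaks every build), and say in the `Comment:` line which of the two referenced commits these hunks come from, since they go beyond adding `Curl_timestrcmp`. The `-`/`+` pair on the `Curl_safecmp(data->egdsocket, needle->egdsocket) &&` line looks identical apart from whitespace and could be dropped.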
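Review bot: In the lib/url.c hunk of CVE-2023-27535.patch, the SSH test changes from a standalone `if` to `else if` and the new FTP test is chained as a second `else if`, while the context directly above is only the two closing braces of the preceding block. Going by the matching hunk in the pre1 patch, that block appears to be `if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))`, so with this patch alone the ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC comparison would only be reached when that condition is false. Please confirm the intended binding for this backport and note in the header that the final behaviour depends on CVE-2023-27536.patch, which inserts another `if` at the same spot.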
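Review bot: In the lib/url.c hunk of CVE-2023-27536.patch, the new `if(needle->gssapi_delegation != check->gssapi_delegation) continue;` is placed directly in front of `#ifdef USE_SSH` / `else if(...)`, so the `else` now binds to the GSS delegation check rather than to the block above it. The result compiles, but the SSH and FTP reuse checks silently change which condition they hang off. A sentence in the patch header stating that this chaining is intended (or that it mirrors upstream as-is) would help the next person who rebases these patches.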
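Review bot: The order of the new SRC_URI entries in curl_7.69.1.bb is load-bearing and the commit message does not say so: the lib/url.c hunk of CVE-2023-27535.patch removes the `& PROTO_FAMILY_SSH` line that CVE-2023-27538.patch introduces, and the context of CVE-2023-27536.patch contains the `#ifdef USE_SSH` / `else if` lines added by CVE-2023-27535.patch. If the `file://CVE-2023-27538.patch` entry is dropped in v2 because that fix is already in dunfell, the remaining entries need to stay after the existing one in SRC_URI and in the pre1, 27535, 27536 order shown here. The commit message also carries only `Upstream-Status` and `Signed-off-by`; a short description of what each patch fixes would be useful.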
Thanks Steve for letting me know. I will submit the v2 patch.

Thanks & Regards,
Vijay

On Wed, Apr 26, 2023 at 9:29 PM Steve Sakoman <steve@sakoman.com> wrote:
> Hi Vijay,
>
> We already have a patch for CVE-2023-27538:
>
>
> https://git.openembedded.org/openembedded-core/commit/?h=dunfell&id=b2740d1ff74b2c55011b5d4230c7b06b5109376d
>
> Could you submit a v2 taking this into consideration?
>
> Thanks for helping with CVEs!
>
> Steve
>
> On Tue, Apr 25, 2023 at 10:18 PM Vijay Anusuri <vanusuri@mvista.com>
> wrote:
> >
> > From: Vijay Anusuri <vanusuri@mvista.com>
> >
> > Upstream-Status: Backport [
> https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches?h=ubuntu/focal-security
> &
> https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684
> &
> https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878
> &
> https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c
> &
> https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1
> &
> https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
> &
> https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb
> ]
> > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > --- > > .../curl/curl/CVE-2023-27533.patch | 59 +++++ > > .../curl/curl/CVE-2023-27535-pre1.patch | 236 ++++++++++++++++++ > > .../curl/curl/CVE-2023-27535.patch | 170 +++++++++++++ > > .../curl/curl/CVE-2023-27536.patch | 55 ++++ > > .../curl/curl/CVE-2023-27538.patch | 29 +++ > > meta/recipes-support/curl/curl_7.69.1.bb | 5 + > > 6 files changed, 554 insertions(+) > > create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27533.patch > > create mode 100644 > meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch > > create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535.patch > > create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch > > create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27538.patch > > > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-27533.patch > b/meta/recipes-support/curl/curl/CVE-2023-27533.patch > > new file mode 100644 > > index 0000000000..64ba135056 > > --- /dev/null > > +++ b/meta/recipes-support/curl/curl/CVE-2023-27533.patch 
> > @@ -0,0 +1,59 @@ > > +Backport of: > > + > > +From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001 > > +From: Daniel Stenberg <daniel@haxx.se> > > +Date: Mon, 6 Mar 2023 12:07:33 +0100 > > +Subject: [PATCH] telnet: only accept option arguments in ascii > > + > > +To avoid embedded telnet negotiation commands etc. > > + > > +Reported-by: Harry Sintonen > > +Closes #10728 > > + > > +Upstream-Status: Backport [import from ubuntu > https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27533.patch?h=ubuntu/focal-security > > +Upstream commit > https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684 > ] > > +CVE: CVE-2023-27533 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + lib/telnet.c | 15 +++++++++++++++ > > + 1 file changed, 15 insertions(+) > > + > > +--- a/lib/telnet.c > > ++++ b/lib/telnet.c > > +@@ -815,6 +815,17 @@ static void printsub(struct Curl_easy *d > > + } > > + } > > + > > ++static bool str_is_nonascii(const char *str) > > ++{ > > ++ size_t len = strlen(str); > > ++ while(len--) { > > ++ if(*str & 0x80) > > ++ return TRUE; > > ++ str++; > > ++ } > > ++ return FALSE; > > ++} > > ++ > > + static CURLcode check_telnet_options(struct connectdata *conn) > > + { > > + struct curl_slist *head; > > +@@ -829,6 +840,8 @@ static CURLcode check_telnet_options(str > > + /* Add the user name as an environment variable if it > > + was given on the command line */ > > + if(conn->bits.user_passwd) { > > ++ if(str_is_nonascii(data->conn->user)) > > ++ return CURLE_BAD_FUNCTION_ARGUMENT; > > + msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); > > + beg = curl_slist_append(tn->telnet_vars, option_arg); > > + if(!beg) { > > +@@ -844,6 +857,9 @@ static CURLcode check_telnet_options(str > > + if(sscanf(head->data, "%127[^= ]%*[ =]%255s", > > + option_keyword, option_arg) == 2) { > > + > > ++ if(str_is_nonascii(option_arg)) > > ++ continue; > > ++ > > + /* Terminal type */ > 
> + if(strcasecompare(option_keyword, "TTYPE")) { > > + strncpy(tn->subopt_ttype, option_arg, 31); > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch > b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch > > new file mode 100644 > > index 0000000000..034b72f7e6 > > --- /dev/null > > +++ b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch 
> > @@ -0,0 +1,236 @@ > > +From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001 > > +From: Daniel Stenberg <daniel@haxx.se> > > +Date: Thu, 6 Oct 2022 00:49:10 +0200 > > +Subject: [PATCH] strcase: add and use Curl_timestrcmp > > + > > +This is a strcmp() alternative function for comparing "secrets", > > +designed to take the same time no matter the content to not leak > > +match/non-match info to observers based on how fast it is. > > + > > +The time this function takes is only a function of the shortest input > > +string. > > + > > +Reported-by: Trail of Bits > > + > > +Closes #9658 > > + > > +Upstream-Status: Backport from [ > https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878 > & > https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c > ] > > +Comment: to backport fix for CVE-2023-27535, add function > Curl_timestrcmp. > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + lib/netrc.c | 6 +++--- > > + lib/strcase.c | 22 ++++++++++++++++++++++ > > + lib/strcase.h | 1 + > > + lib/url.c | 33 +++++++++++++-------------------- > > + lib/vauth/digest_sspi.c | 4 ++-- > > + lib/vtls/vtls.c | 21 ++++++++++++++++++++- > > + 6 files changed, 61 insertions(+), 26 deletions(-) > > + > > +diff --git a/lib/netrc.c b/lib/netrc.c > > +index 9323913..fe3fd1e 100644 > > +--- a/lib/netrc.c > > ++++ b/lib/netrc.c > > +@@ -124,9 +124,9 @@ static int parsenetrc(const char *host, > > + /* we are now parsing sub-keywords concerning "our" host */ > > + if(state_login) { > > + if(specific_login) { > > +- state_our_login = strcasecompare(login, tok); > > ++ state_our_login = !Curl_timestrcmp(login, tok); > > + } > > +- else if(!login || strcmp(login, tok)) { > > ++ else if(!login || Curl_timestrcmp(login, tok)) { > > + if(login_alloc) { > > + free(login); > > + login_alloc = FALSE; > > +@@ -142,7 +142,7 @@ static int parsenetrc(const char *host, > > + } > > + else if(state_password) { > > + 
if((state_our_login || !specific_login) > > +- && (!password || strcmp(password, tok))) { > > ++ && (!password || Curl_timestrcmp(password, tok))) { > > + if(password_alloc) { > > + free(password); > > + password_alloc = FALSE; > > +diff --git a/lib/strcase.c b/lib/strcase.c > > +index 70bf21c..ec776b3 100644 > > +--- a/lib/strcase.c > > ++++ b/lib/strcase.c > > +@@ -261,6 +261,28 @@ bool Curl_safecmp(char *a, char *b) > > + return !a && !b; > > + } > > + > > ++/* > > ++ * Curl_timestrcmp() returns 0 if the two strings are identical. The > time this > > ++ * function spends is a function of the shortest string, not of the > contents. > > ++ */ > > ++int Curl_timestrcmp(const char *a, const char *b) > > ++{ > > ++ int match = 0; > > ++ int i = 0; > > ++ > > ++ if(a && b) { > > ++ while(1) { > > ++ match |= a[i]^b[i]; > > ++ if(!a[i] || !b[i]) > > ++ break; > > ++ i++; > > ++ } > > ++ } > > ++ else > > ++ return a || b; > > ++ return match; > > ++} > > ++ > > + /* --- public functions --- */ > > + > > + int curl_strequal(const char *first, const char *second) > > +diff --git a/lib/strcase.h b/lib/strcase.h > > +index 8929a53..8077108 100644 > > +--- a/lib/strcase.h > > ++++ b/lib/strcase.h > > +@@ -49,5 +49,6 @@ void Curl_strntoupper(char *dest, const char *src, > size_t n); > > + void Curl_strntolower(char *dest, const char *src, size_t n); > > + > > + bool Curl_safecmp(char *a, char *b); > > ++int Curl_timestrcmp(const char *first, const char *second); > > + > > + #endif /* HEADER_CURL_STRCASE_H */ > > +diff --git a/lib/url.c b/lib/url.c > > +index 9f14a7b..dfbde3b 100644 > > +--- a/lib/url.c > > ++++ b/lib/url.c > > +@@ -886,19 +886,10 @@ socks_proxy_info_matches(const struct proxy_info* > data, > > + /* the user information is case-sensitive > > + or at least it is not defined as case-insensitive > > + see https://tools.ietf.org/html/rfc3986#section-3.2.1 */ > > +- if((data->user == NULL) != (needle->user == NULL)) > > +- return FALSE; > > +- /* curl_strequal 
does a case insentive comparison, so do not use it > here! */ > > +- if(data->user && > > +- needle->user && > > +- strcmp(data->user, needle->user) != 0) > > +- return FALSE; > > +- if((data->passwd == NULL) != (needle->passwd == NULL)) > > +- return FALSE; > > ++ > > + /* curl_strequal does a case insentive comparison, so do not use it > here! */ > > +- if(data->passwd && > > +- needle->passwd && > > +- strcmp(data->passwd, needle->passwd) != 0) > > ++ if(Curl_timestrcmp(data->user, needle->user) || > > ++ Curl_timestrcmp(data->passwd, needle->passwd)) > > + return FALSE; > > + return TRUE; > > + } > > +@@ -1257,10 +1248,10 @@ ConnectionExists(struct Curl_easy *data, > > + if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { > > + /* This protocol requires credentials per connection, > > + so verify that we're using the same name and password as > well */ > > +- if(strcmp(needle->user, check->user) || > > +- strcmp(needle->passwd, check->passwd) || > > +- !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || > > +- !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { > > ++ if(Curl_timestrcmp(needle->user, check->user) || > > ++ Curl_timestrcmp(needle->passwd, check->passwd) || > > ++ Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) > || > > ++ Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) > { > > + /* one of them was different */ > > + continue; > > + } > > +@@ -1326,8 +1317,8 @@ ConnectionExists(struct Curl_easy *data, > > + possible. (Especially we must not reuse the same connection > if > > + partway through a handshake!) 
*/ > > + if(wantNTLMhttp) { > > +- if(strcmp(needle->user, check->user) || > > +- strcmp(needle->passwd, check->passwd)) { > > ++ if(Curl_timestrcmp(needle->user, check->user) || > > ++ Curl_timestrcmp(needle->passwd, check->passwd)) { > > + > > + /* we prefer a credential match, but this is at least a > connection > > + that can be reused and "upgraded" to NTLM */ > > +@@ -1348,8 +1339,10 @@ ConnectionExists(struct Curl_easy *data, > > + if(!check->http_proxy.user || !check->http_proxy.passwd) > > + continue; > > + > > +- if(strcmp(needle->http_proxy.user, check->http_proxy.user) || > > +- strcmp(needle->http_proxy.passwd, > check->http_proxy.passwd)) > > ++ if(Curl_timestrcmp(needle->http_proxy.user, > > ++ check->http_proxy.user) || > > ++ Curl_timestrcmp(needle->http_proxy.passwd, > > ++ check->http_proxy.passwd)) > > + continue; > > + } > > + else if(check->proxy_ntlm_state != NTLMSTATE_NONE) { > > +diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c > > +index a109056..3986386 100644 > > +--- a/lib/vauth/digest_sspi.c > > ++++ b/lib/vauth/digest_sspi.c > > +@@ -450,8 +450,8 @@ CURLcode > Curl_auth_create_digest_http_message(struct Curl_easy *data, > > + has changed then delete that context. 
*/ > > + if((userp && !digest->user) || (!userp && digest->user) || > > + (passwdp && !digest->passwd) || (!passwdp && digest->passwd) || > > +- (userp && digest->user && strcmp(userp, digest->user)) || > > +- (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) { > > ++ (userp && digest->user && Curl_timestrcmp(userp, digest->user)) || > > ++ (passwdp && digest->passwd && Curl_timestrcmp(passwdp, > digest->passwd))) { > > + if(digest->http_context) { > > + s_pSecFn->DeleteSecurityContext(digest->http_context); > > + Curl_safefree(digest->http_context); > > +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c > > +index e8cb70f..70a9391 100644 > > +--- a/lib/vtls/vtls.c > > ++++ b/lib/vtls/vtls.c > > +@@ -98,9 +98,15 @@ Curl_ssl_config_matches(struct ssl_primary_config* > data, > > + Curl_safecmp(data->issuercert, needle->issuercert) && > > + Curl_safecmp(data->clientcert, needle->clientcert) && > > + Curl_safecmp(data->random_file, needle->random_file) && > > +- Curl_safecmp(data->egdsocket, needle->egdsocket) && > > ++ Curl_safecmp(data->egdsocket, needle->egdsocket) && > > ++#ifdef USE_TLS_SRP > > ++ !Curl_timestrcmp(data->username, needle->username) && > > ++ !Curl_timestrcmp(data->password, needle->password) && > > ++ (data->authtype == needle->authtype) && > > ++#endif > > + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) > && > > + Curl_safe_strcasecompare(data->cipher_list13, > needle->cipher_list13) && > > ++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && > > + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) > > + return TRUE; > > + > > +@@ -117,6 +123,9 @@ Curl_clone_primary_ssl_config(struct > ssl_primary_config *source, > > + dest->verifyhost = source->verifyhost; > > + dest->verifystatus = source->verifystatus; > > + dest->sessionid = source->sessionid; > > ++#ifdef USE_TLS_SRP > > ++ dest->authtype = source->authtype; > > ++#endif > > + > > + CLONE_STRING(CApath); > > + CLONE_STRING(CAfile); > > +@@ 
-127,6 +136,11 @@ Curl_clone_primary_ssl_config(struct > ssl_primary_config *source, > > + CLONE_STRING(cipher_list); > > + CLONE_STRING(cipher_list13); > > + CLONE_STRING(pinned_key); > > ++ CLONE_STRING(CRLfile); > > ++#ifdef USE_TLS_SRP > > ++ CLONE_STRING(username); > > ++ CLONE_STRING(password); > > ++#endif > > + > > + return TRUE; > > + } > > +@@ -142,6 +156,11 @@ void Curl_free_primary_ssl_config(struct > ssl_primary_config* sslc) > > + Curl_safefree(sslc->cipher_list); > > + Curl_safefree(sslc->cipher_list13); > > + Curl_safefree(sslc->pinned_key); > > ++ Curl_safefree(sslc->CRLfile); > > ++#ifdef USE_TLS_SRP > > ++ Curl_safefree(sslc->username); > > ++ Curl_safefree(sslc->password); > > ++#endif > > + } > > + > > + #ifdef USE_SSL > > +-- > > +2.25.1 > > + > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535.patch > b/meta/recipes-support/curl/curl/CVE-2023-27535.patch > > new file mode 100644 > > index 0000000000..e38390a57c > > --- /dev/null > > +++ b/meta/recipes-support/curl/curl/CVE-2023-27535.patch 
> > @@ -0,0 +1,170 @@ > > +From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001 > > +From: Daniel Stenberg <daniel@haxx.se> > > +Date: Thu, 9 Mar 2023 17:47:06 +0100 > > +Subject: [PATCH] ftp: add more conditions for connection reuse > > + > > +Reported-by: Harry Sintonen > > +Closes #10730 > > + > > +Upstream-Status: Backport [import from ubuntu > https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27535.patch?h=ubuntu/focal-security > > +Upstream commit > https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1 > ] > > +CVE: CVE-2023-27535 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + lib/ftp.c | 30 ++++++++++++++++++++++++++++-- > > + lib/ftp.h | 5 +++++ > > + lib/setopt.c | 2 +- > > + lib/url.c | 16 +++++++++++++++- > > + lib/urldata.h | 4 ++-- > > + 5 files changed, 51 insertions(+), 6 deletions(-) > > + > > +diff --git a/lib/ftp.c b/lib/ftp.c > > +index 31a34e8..7a82a74 100644 > > +--- a/lib/ftp.c > > ++++ b/lib/ftp.c > > +@@ -4059,6 +4059,10 @@ static CURLcode ftp_disconnect(struct > connectdata *conn, bool dead_connection) > > + } > > + > > + freedirs(ftpc); > > ++ free(ftpc->account); > > ++ ftpc->account = NULL; > > ++ free(ftpc->alternative_to_user); > > ++ ftpc->alternative_to_user = NULL; > > + free(ftpc->prevpath); > > + ftpc->prevpath = NULL; > > + free(ftpc->server_os); > > +@@ -4326,11 +4330,31 @@ static CURLcode ftp_setup_connection(struct > connectdata *conn) > > + struct Curl_easy *data = conn->data; > > + char *type; > > + struct FTP *ftp; > > ++ struct ftp_conn *ftpc = &conn->proto.ftpc; > > + > > +- conn->data->req.protop = ftp = calloc(sizeof(struct FTP), 1); > > ++ ftp = calloc(sizeof(struct FTP), 1); > > + if(NULL == ftp) > > + return CURLE_OUT_OF_MEMORY; > > + > > ++ /* clone connection related data that is FTP specific */ > > ++ if(data->set.str[STRING_FTP_ACCOUNT]) { > > ++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); > > ++ 
if(!ftpc->account) { > > ++ free(ftp); > > ++ return CURLE_OUT_OF_MEMORY; > > ++ } > > ++ } > > ++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { > > ++ ftpc->alternative_to_user = > > ++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); > > ++ if(!ftpc->alternative_to_user) { > > ++ Curl_safefree(ftpc->account); > > ++ free(ftp); > > ++ return CURLE_OUT_OF_MEMORY; > > ++ } > > ++ } > > ++ conn->data->req.protop = ftp; > > ++ > > + ftp->path = &data->state.up.path[1]; /* don't include the initial > slash */ > > + > > + /* FTP URLs support an extension like ";type=<typecode>" that > > +@@ -4366,7 +4390,9 @@ static CURLcode ftp_setup_connection(struct > connectdata *conn) > > + /* get some initial data into the ftp struct */ > > + ftp->transfer = FTPTRANSFER_BODY; > > + ftp->downloadsize = 0; > > +- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ > > ++ ftpc->known_filesize = -1; /* unknown size for now */ > > ++ ftpc->use_ssl = data->set.use_ssl; > > ++ ftpc->ccc = data->set.ftp_ccc; > > + > > + return CURLE_OK; > > + } > > +diff --git a/lib/ftp.h b/lib/ftp.h > > +index 984347f..163dcb3 100644 > > +--- a/lib/ftp.h > > ++++ b/lib/ftp.h > > +@@ -116,6 +116,8 @@ struct FTP { > > + struct */ > > + struct ftp_conn { > > + struct pingpong pp; > > ++ char *account; > > ++ char *alternative_to_user; > > + char *entrypath; /* the PWD reply when we logged on */ > > + char **dirs; /* realloc()ed array for path components */ > > + int dirdepth; /* number of entries used in the 'dirs' array */ > > +@@ -141,6 +143,9 @@ struct ftp_conn { > > + ftpstate state; /* always use ftp.c:state() to change state! */ > > + ftpstate state_saved; /* transfer type saved to be reloaded after > > + data connection is established */ > > ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for > FTP or > > ++ IMAP or POP3 or others! 
(type: > curl_usessl)*/ > > ++ unsigned char ccc; /* ccc level for this connection */ > > + curl_off_t retr_size_saved; /* Size of retrieved file saved */ > > + char *server_os; /* The target server operating system. */ > > + curl_off_t known_filesize; /* file size is different from -1, if > wildcard > > +diff --git a/lib/setopt.c b/lib/setopt.c > > +index 4d96f6b..a91bb70 100644 > > +--- a/lib/setopt.c > > ++++ b/lib/setopt.c > > +@@ -2126,7 +2126,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, > CURLoption option, va_list param) > > + arg = va_arg(param, long); > > + if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) > > + return CURLE_BAD_FUNCTION_ARGUMENT; > > +- data->set.use_ssl = (curl_usessl)arg; > > ++ data->set.use_ssl = (unsigned char)arg; > > + break; > > + > > + case CURLOPT_SSL_OPTIONS: > > +diff --git a/lib/url.c b/lib/url.c > > +index dfbde3b..f84375c 100644 > > +--- a/lib/url.c > > ++++ b/lib/url.c > > +@@ -1257,10 +1257,24 @@ ConnectionExists(struct Curl_easy *data, > > + } > > + } > > + > > +- if(get_protocol_family(needle->handler->protocol) & > PROTO_FAMILY_SSH) { > > ++#ifdef USE_SSH > > ++ else if(get_protocol_family(needle->handler->protocol) & > PROTO_FAMILY_SSH) { > > + if(!ssh_config_matches(needle, check)) > > + continue; > > + } > > ++#endif > > ++#ifndef CURL_DISABLE_FTP > > ++ else if(get_protocol_family(needle->handler->protocol) & > PROTO_FAMILY_FTP) { > > ++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC > options */ > > ++ if(Curl_timestrcmp(needle->proto.ftpc.account, > > ++ check->proto.ftpc.account) || > > ++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, > > ++ check->proto.ftpc.alternative_to_user) || > > ++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || > > ++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) > > ++ continue; > > ++ } > > ++#endif > > + > > + if(!needle->bits.httpproxy || > (needle->handler->flags&PROTOPT_SSL) || > > + needle->bits.tunnel_proxy) { > > +diff --git 
a/lib/urldata.h b/lib/urldata.h > > +index 168f874..51b793b 100644 > > +--- a/lib/urldata.h > > ++++ b/lib/urldata.h > > +@@ -1730,8 +1730,6 @@ struct UserDefined { > > + void *ssh_keyfunc_userp; /* custom pointer to callback */ > > + enum CURL_NETRC_OPTION > > + use_netrc; /* defined in include/curl.h */ > > +- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for > FTP or > > +- IMAP or POP3 or others! */ > > + long new_file_perms; /* Permissions to use when creating remote > files */ > > + long new_directory_perms; /* Permissions to use when creating remote > dirs */ > > + long ssh_auth_types; /* allowed SSH auth types */ > > +@@ -1851,6 +1849,8 @@ struct UserDefined { > > + BIT(http09_allowed); /* allow HTTP/0.9 responses */ > > + BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some > > + recipients */ > > ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for > FTP or > > ++ IMAP or POP3 or others! (type: > curl_usessl)*/ > > + }; > > + > > + struct Names { > > +-- > > +2.25.1 > > + > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch > b/meta/recipes-support/curl/curl/CVE-2023-27536.patch > > new file mode 100644 > > index 0000000000..b04a77de25 > > --- /dev/null > > +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch 
> > @@ -0,0 +1,55 @@ > > +From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001 > > +From: Daniel Stenberg <daniel@haxx.se> > > +Date: Fri, 10 Mar 2023 09:22:43 +0100 > > +Subject: [PATCH] url: only reuse connections with same GSS delegation > > + > > +Reported-by: Harry Sintonen > > +Closes #10731 > > + > > +Upstream-Status: Backport [ > https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 > ] > > +CVE: CVE-2023-27536 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + lib/url.c | 6 ++++++ > > + lib/urldata.h | 1 + > > + 2 files changed, 7 insertions(+) > > + > > +diff --git a/lib/url.c b/lib/url.c > > +index f84375c..87f4eb0 100644 > > +--- a/lib/url.c > > ++++ b/lib/url.c > > +@@ -1257,6 +1257,11 @@ ConnectionExists(struct Curl_easy *data, > > + } > > + } > > + > > ++ /* GSS delegation differences do not actually affect every > connection > > ++ and auth method, but this check takes precaution before > efficiency */ > > ++ if(needle->gssapi_delegation != check->gssapi_delegation) > > ++ continue; > > ++ > > + #ifdef USE_SSH > > + else if(get_protocol_family(needle->handler->protocol) & > PROTO_FAMILY_SSH) { > > + if(!ssh_config_matches(needle, check)) > > +@@ -1708,6 +1713,7 @@ static struct connectdata *allocate_conn(struct > Curl_easy *data) > > + conn->fclosesocket = data->set.fclosesocket; > > + conn->closesocket_client = data->set.closesocket_client; > > + conn->lastused = Curl_now(); /* used now */ > > ++ conn->gssapi_delegation = data->set.gssapi_delegation; > > + > > + return conn; > > + error: > > +diff --git a/lib/urldata.h b/lib/urldata.h > > +index 51b793b..b8a611b 100644 > > +--- a/lib/urldata.h > > ++++ b/lib/urldata.h > > +@@ -1118,6 +1118,7 @@ struct connectdata { > > + handle */ > > + BIT(sock_accepted); /* TRUE if the SECONDARYSOCKET was created with > > + accept() */ > > ++ long gssapi_delegation; /* inherited from set.gssapi_delegation */ > > + }; > > + > > + /* The end of 
connectdata. */ > > +-- > > +2.25.1 > > + > > diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch > b/meta/recipes-support/curl/curl/CVE-2023-27538.patch > > new file mode 100644 > > index 0000000000..5cd11ef88b > > --- /dev/null > > +++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch > > @@ -0,0 +1,29 @@ > > +Backport of: > > + > > +From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001 > > +From: Daniel Stenberg <daniel@haxx.se> > > +Date: Fri, 10 Mar 2023 08:22:51 +0100 > > +Subject: [PATCH] url: fix the SSH connection reuse check > > + > > +Reported-by: Harry Sintonen > > +Closes #10735 > > + > > +Upstream-Status: Backport [import from ubuntu > https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27538.patch?h=ubuntu/focal-security > > +Upstream commit > https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb > ] > > +CVE: CVE-2023-27538 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + lib/url.c | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +--- a/lib/url.c > > ++++ b/lib/url.c > > +@@ -1233,7 +1233,7 @@ ConnectionExists(struct Curl_easy *data, > > + } > > + } > > + > > +- if(get_protocol_family(needle->handler->protocol) == > PROTO_FAMILY_SSH) { > > ++ if(get_protocol_family(needle->handler->protocol) & > PROTO_FAMILY_SSH) { > > + if(!ssh_config_matches(needle, check)) > > + continue; > > + } > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb > b/meta/recipes-support/curl/curl_7.69.1.bb > > index a7f4f5748f..2e3bcb2c6e 100644 > > --- a/meta/recipes-support/curl/curl_7.69.1.bb > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb 
> > @@ -44,6 +44,11 @@ SRC_URI = " > https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > > file://CVE-2022-43552.patch \ > > file://CVE-2023-23916.patch \ > > file://CVE-2023-27534.patch \ > > + file://CVE-2023-27533.patch \ > > + file://CVE-2023-27538.patch \ > > + file://CVE-2023-27535-pre1.patch \ > > + file://CVE-2023-27535.patch \ > > + file://CVE-2023-27536.patch \ > > " > > > > SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" > > -- > > 2.25.1
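Review bot: In the first check_telnet_options hunk of CVE-2023-27533.patch the new test reads `data->conn->user` while the very next line formats `conn->user`; call `str_is_nonascii(conn->user)` so the value checked is visibly the value sent. The two new checks also fail differently: a non-ASCII user name returns CURLE_BAD_FUNCTION_ARGUMENT, while a non-ASCII option argument in the following hunk is dropped with a bare `continue`, so an option such as TTYPE disappears without any error. If the silent skip is intended, a one-line comment at the `continue` saying so would help.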
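Review bot: In the first parsenetrc hunk of CVE-2023-27535-pre1.patch, replacing `strcasecompare(login, tok)` with `!Curl_timestrcmp(login, tok)` changes the specific-login match from case-insensitive to exact, a behaviour change that the commit message (which only talks about timing) does not mention. The other two replacements in lib/netrc.c were already `strcmp()`, so this is the only line where the set of matching inputs changes. Please state the change in the patch header so that a .netrc login that differs only in case is not a surprise after the update.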
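Review bot: The comment above `Curl_timestrcmp()` in the lib/strcase.c hunk documents only the identical-strings case, but the lib/url.c hunks of the same patch now depend on its NULL handling: the explicit `== NULL` tests in socks_proxy_info_matches are deleted and two `Curl_safecmp()` calls are replaced. Extend the comment to say that two NULL pointers compare equal, that exactly one NULL compares as different, and that the non-zero result is not an ordering the way strcmp() returns one. The loop index is a plain `int i`; `size_t` would avoid a signed index on long inputs.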
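Review bot: The lib/vtls/vtls.c hunks of CVE-2023-27535-pre1.patch go beyond "add and use Curl_timestrcmp": they add matching, cloning and freeing of `CRLfile`, `username`, `password` and `authtype` on `struct ssl_primary_config`, yet the diffstat lists no header that declares those members. Please confirm the members already exist in the 7.69.1 tree with the patches currently in SRC_URI, and say in the patch header which of the two upstream commits named in Upstream-Status these hunks come from. The removal and re-addition of `Curl_safecmp(data->egdsocket, needle->egdsocket) &&` looks like a whitespace-only change and could be dropped from the backport.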
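Review bot: In the lib/url.c hunk of CVE-2023-27535.patch the SSH test changes from `if(` to `else if(` and the new FTP test is also an `else if`, so both now hang off whichever `if` is closed by the brace in the context line just above them. The earlier ConnectionExists hunk at this position shows that block as `if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))`, commented as the case for protocols that require credentials per connection; if that is still the preceding statement, the ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC comparison is skipped whenever that branch is taken. Please check the control flow of ConnectionExists with this patch applied on its own as well as with the full series, and consider plain `if` statements for the protocol-family checks.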
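Review bot: In the ConnectionExists hunk of CVE-2023-27536.patch the new `if(needle->gssapi_delegation != check->gssapi_delegation) continue;` is inserted directly above `#ifdef USE_SSH` and its `else if(...)`, so the `else if` in the context lines now binds to the GSS test rather than to the block that precedes it. That silently changes when the SSH check runs and makes the result depend on this patch being applied last. Please add a comment at the insertion point stating that the `else` chain is meant to follow the GSS test, or restructure so the GSS check does not sit between an `if` block and its `else if`.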
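Review bot: In the curl_7.69.1.bb hunk the order of the new SRC_URI entries is load-bearing but undocumented: CVE-2023-27538.patch is listed ahead of CVE-2023-27535-pre1.patch, and the CVE-2023-27535 lib/url.c hunk removes the `& PROTO_FAMILY_SSH` form of the SSH test, which exists only after CVE-2023-27538 has changed `==` to `&`. CVE-2023-27535-pre1, CVE-2023-27535 and CVE-2023-27536 also modify the same ConnectionExists lines one after another. Please add a short comment in the recipe or in the patch headers naming the required order, so that reordering or dropping one entry later does not leave the series failing to apply.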
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27533.patch b/meta/recipes-support/curl/curl/CVE-2023-27533.patch new file mode 100644 index 0000000000..64ba135056 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27533.patch 
@@ -0,0 +1,59 @@ +Backport of: + +From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 6 Mar 2023 12:07:33 +0100 +Subject: [PATCH] telnet: only accept option arguments in ascii + +To avoid embedded telnet negotiation commands etc. + +Reported-by: Harry Sintonen +Closes #10728 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27533.patch?h=ubuntu/focal-security +Upstream commit https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684] +CVE: CVE-2023-27533 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/telnet.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -815,6 +815,17 @@ static void printsub(struct Curl_easy *d + } + } + ++static bool str_is_nonascii(const char *str) ++{ ++ size_t len = strlen(str); ++ while(len--) { ++ if(*str & 0x80) ++ return TRUE; ++ str++; ++ } ++ return FALSE; ++} ++ + static CURLcode check_telnet_options(struct connectdata *conn) + { + struct curl_slist *head; +@@ -829,6 +840,8 @@ static CURLcode check_telnet_options(str + /* Add the user name as an environment variable if it + was given on the command line */ + if(conn->bits.user_passwd) { ++ if(str_is_nonascii(data->conn->user)) ++ return CURLE_BAD_FUNCTION_ARGUMENT; + msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); + beg = curl_slist_append(tn->telnet_vars, option_arg); + if(!beg) { +@@ -844,6 +857,9 @@ static CURLcode check_telnet_options(str + if(sscanf(head->data, "%127[^= ]%*[ =]%255s", + option_keyword, option_arg) == 2) { + ++ if(str_is_nonascii(option_arg)) ++ continue; ++ + /* Terminal type */ + if(strcasecompare(option_keyword, "TTYPE")) { + strncpy(tn->subopt_ttype, option_arg, 31); 
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch new file mode 100644 index 0000000000..034b72f7e6 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch 
@@ -0,0 +1,236 @@ +From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 6 Oct 2022 00:49:10 +0200 +Subject: [PATCH] strcase: add and use Curl_timestrcmp + +This is a strcmp() alternative function for comparing "secrets", +designed to take the same time no matter the content to not leak +match/non-match info to observers based on how fast it is. + +The time this function takes is only a function of the shortest input +string. + +Reported-by: Trail of Bits + +Closes #9658 + +Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878 & https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] +Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp. +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/netrc.c | 6 +++--- + lib/strcase.c | 22 ++++++++++++++++++++++ + lib/strcase.h | 1 + + lib/url.c | 33 +++++++++++++-------------------- + lib/vauth/digest_sspi.c | 4 ++-- + lib/vtls/vtls.c | 21 ++++++++++++++++++++- + 6 files changed, 61 insertions(+), 26 deletions(-) + +diff --git a/lib/netrc.c b/lib/netrc.c +index 9323913..fe3fd1e 100644 +--- a/lib/netrc.c ++++ b/lib/netrc.c +@@ -124,9 +124,9 @@ static int parsenetrc(const char *host, + /* we are now parsing sub-keywords concerning "our" host */ + if(state_login) { + if(specific_login) { +- state_our_login = strcasecompare(login, tok); ++ state_our_login = !Curl_timestrcmp(login, tok); + } +- else if(!login || strcmp(login, tok)) { ++ else if(!login || Curl_timestrcmp(login, tok)) { + if(login_alloc) { + free(login); + login_alloc = FALSE; +@@ -142,7 +142,7 @@ static int parsenetrc(const char *host, + } + else if(state_password) { + if((state_our_login || !specific_login) +- && (!password || strcmp(password, tok))) { ++ && (!password || Curl_timestrcmp(password, tok))) { + if(password_alloc) { + free(password); + password_alloc = FALSE; +diff --git 
a/lib/strcase.c b/lib/strcase.c +index 70bf21c..ec776b3 100644 +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -261,6 +261,28 @@ bool Curl_safecmp(char *a, char *b) + return !a && !b; + } + ++/* ++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this ++ * function spends is a function of the shortest string, not of the contents. ++ */ ++int Curl_timestrcmp(const char *a, const char *b) ++{ ++ int match = 0; ++ int i = 0; ++ ++ if(a && b) { ++ while(1) { ++ match |= a[i]^b[i]; ++ if(!a[i] || !b[i]) ++ break; ++ i++; ++ } ++ } ++ else ++ return a || b; ++ return match; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index 8929a53..8077108 100644 +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -49,5 +49,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + + bool Curl_safecmp(char *a, char *b); ++int Curl_timestrcmp(const char *first, const char *second); + + #endif /* HEADER_CURL_STRCASE_H */ +diff --git a/lib/url.c b/lib/url.c +index 9f14a7b..dfbde3b 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -886,19 +886,10 @@ socks_proxy_info_matches(const struct proxy_info* data, + /* the user information is case-sensitive + or at least it is not defined as case-insensitive + see https://tools.ietf.org/html/rfc3986#section-3.2.1 */ +- if((data->user == NULL) != (needle->user == NULL)) +- return FALSE; +- /* curl_strequal does a case insentive comparison, so do not use it here! */ +- if(data->user && +- needle->user && +- strcmp(data->user, needle->user) != 0) +- return FALSE; +- if((data->passwd == NULL) != (needle->passwd == NULL)) +- return FALSE; ++ + /* curl_strequal does a case insentive comparison, so do not use it here! 
*/ +- if(data->passwd && +- needle->passwd && +- strcmp(data->passwd, needle->passwd) != 0) ++ if(Curl_timestrcmp(data->user, needle->user) || ++ Curl_timestrcmp(data->passwd, needle->passwd)) + return FALSE; + return TRUE; + } +@@ -1257,10 +1248,10 @@ ConnectionExists(struct Curl_easy *data, + if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ +- if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd) || +- !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || +- !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd) || ++ Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) || ++ Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) { + /* one of them was different */ + continue; + } +@@ -1326,8 +1317,8 @@ ConnectionExists(struct Curl_easy *data, + possible. (Especially we must not reuse the same connection if + partway through a handshake!) 
*/ + if(wantNTLMhttp) { +- if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd)) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd)) { + + /* we prefer a credential match, but this is at least a connection + that can be reused and "upgraded" to NTLM */ +@@ -1348,8 +1339,10 @@ ConnectionExists(struct Curl_easy *data, + if(!check->http_proxy.user || !check->http_proxy.passwd) + continue; + +- if(strcmp(needle->http_proxy.user, check->http_proxy.user) || +- strcmp(needle->http_proxy.passwd, check->http_proxy.passwd)) ++ if(Curl_timestrcmp(needle->http_proxy.user, ++ check->http_proxy.user) || ++ Curl_timestrcmp(needle->http_proxy.passwd, ++ check->http_proxy.passwd)) + continue; + } + else if(check->proxy_ntlm_state != NTLMSTATE_NONE) { +diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c +index a109056..3986386 100644 +--- a/lib/vauth/digest_sspi.c ++++ b/lib/vauth/digest_sspi.c +@@ -450,8 +450,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, + has changed then delete that context. 
*/ + if((userp && !digest->user) || (!userp && digest->user) || + (passwdp && !digest->passwd) || (!passwdp && digest->passwd) || +- (userp && digest->user && strcmp(userp, digest->user)) || +- (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) { ++ (userp && digest->user && Curl_timestrcmp(userp, digest->user)) || ++ (passwdp && digest->passwd && Curl_timestrcmp(passwdp, digest->passwd))) { + if(digest->http_context) { + s_pSecFn->DeleteSecurityContext(digest->http_context); + Curl_safefree(digest->http_context); +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index e8cb70f..70a9391 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -98,9 +98,15 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, + Curl_safecmp(data->issuercert, needle->issuercert) && + Curl_safecmp(data->clientcert, needle->clientcert) && + Curl_safecmp(data->random_file, needle->random_file) && +- Curl_safecmp(data->egdsocket, needle->egdsocket) && ++ Curl_safecmp(data->egdsocket, needle->egdsocket) && ++#ifdef USE_TLS_SRP ++ !Curl_timestrcmp(data->username, needle->username) && ++ !Curl_timestrcmp(data->password, needle->password) && ++ (data->authtype == needle->authtype) && ++#endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && ++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) + return TRUE; + +@@ -117,6 +123,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + dest->verifyhost = source->verifyhost; + dest->verifystatus = source->verifystatus; + dest->sessionid = source->sessionid; ++#ifdef USE_TLS_SRP ++ dest->authtype = source->authtype; ++#endif + + CLONE_STRING(CApath); + CLONE_STRING(CAfile); +@@ -127,6 +136,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + CLONE_STRING(cipher_list); + CLONE_STRING(cipher_list13); + CLONE_STRING(pinned_key); ++ 
CLONE_STRING(CRLfile); ++#ifdef USE_TLS_SRP ++ CLONE_STRING(username); ++ CLONE_STRING(password); ++#endif + + return TRUE; + } +@@ -142,6 +156,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc) + Curl_safefree(sslc->cipher_list); + Curl_safefree(sslc->cipher_list13); + Curl_safefree(sslc->pinned_key); ++ Curl_safefree(sslc->CRLfile); ++#ifdef USE_TLS_SRP ++ Curl_safefree(sslc->username); ++ Curl_safefree(sslc->password); ++#endif + } + + #ifdef USE_SSL +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535.patch b/meta/recipes-support/curl/curl/CVE-2023-27535.patch new file mode 100644 index 0000000000..e38390a57c --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27535.patch 
@@ -0,0 +1,170 @@ +From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 9 Mar 2023 17:47:06 +0100 +Subject: [PATCH] ftp: add more conditions for connection reuse + +Reported-by: Harry Sintonen +Closes #10730 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27535.patch?h=ubuntu/focal-security +Upstream commit https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1] +CVE: CVE-2023-27535 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/ftp.c | 30 ++++++++++++++++++++++++++++-- + lib/ftp.h | 5 +++++ + lib/setopt.c | 2 +- + lib/url.c | 16 +++++++++++++++- + lib/urldata.h | 4 ++-- + 5 files changed, 51 insertions(+), 6 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index 31a34e8..7a82a74 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -4059,6 +4059,10 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection) + } + + freedirs(ftpc); ++ free(ftpc->account); ++ ftpc->account = NULL; ++ free(ftpc->alternative_to_user); ++ ftpc->alternative_to_user = NULL; + free(ftpc->prevpath); + ftpc->prevpath = NULL; + free(ftpc->server_os); +@@ -4326,11 +4330,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn) + struct Curl_easy *data = conn->data; + char *type; + struct FTP *ftp; ++ struct ftp_conn *ftpc = &conn->proto.ftpc; + +- conn->data->req.protop = ftp = calloc(sizeof(struct FTP), 1); ++ ftp = calloc(sizeof(struct FTP), 1); + if(NULL == ftp) + return CURLE_OUT_OF_MEMORY; + ++ /* clone connection related data that is FTP specific */ ++ if(data->set.str[STRING_FTP_ACCOUNT]) { ++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); ++ if(!ftpc->account) { ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { ++ ftpc->alternative_to_user = ++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); ++ 
if(!ftpc->alternative_to_user) { ++ Curl_safefree(ftpc->account); ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ conn->data->req.protop = ftp; ++ + ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ + + /* FTP URLs support an extension like ";type=<typecode>" that +@@ -4366,7 +4390,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn) + /* get some initial data into the ftp struct */ + ftp->transfer = FTPTRANSFER_BODY; + ftp->downloadsize = 0; +- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ ++ ftpc->known_filesize = -1; /* unknown size for now */ ++ ftpc->use_ssl = data->set.use_ssl; ++ ftpc->ccc = data->set.ftp_ccc; + + return CURLE_OK; + } +diff --git a/lib/ftp.h b/lib/ftp.h +index 984347f..163dcb3 100644 +--- a/lib/ftp.h ++++ b/lib/ftp.h +@@ -116,6 +116,8 @@ struct FTP { + struct */ + struct ftp_conn { + struct pingpong pp; ++ char *account; ++ char *alternative_to_user; + char *entrypath; /* the PWD reply when we logged on */ + char **dirs; /* realloc()ed array for path components */ + int dirdepth; /* number of entries used in the 'dirs' array */ +@@ -141,6 +143,9 @@ struct ftp_conn { + ftpstate state; /* always use ftp.c:state() to change state! */ + ftpstate state_saved; /* transfer type saved to be reloaded after + data connection is established */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ ++ unsigned char ccc; /* ccc level for this connection */ + curl_off_t retr_size_saved; /* Size of retrieved file saved */ + char *server_os; /* The target server operating system. 
*/ + curl_off_t known_filesize; /* file size is different from -1, if wildcard +diff --git a/lib/setopt.c b/lib/setopt.c +index 4d96f6b..a91bb70 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2126,7 +2126,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + arg = va_arg(param, long); + if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) + return CURLE_BAD_FUNCTION_ARGUMENT; +- data->set.use_ssl = (curl_usessl)arg; ++ data->set.use_ssl = (unsigned char)arg; + break; + + case CURLOPT_SSL_OPTIONS: +diff --git a/lib/url.c b/lib/url.c +index dfbde3b..f84375c 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1257,10 +1257,24 @@ ConnectionExists(struct Curl_easy *data, + } + } + +- if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { ++#ifdef USE_SSH ++ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } ++#endif ++#ifndef CURL_DISABLE_FTP ++ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_FTP) { ++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ ++ if(Curl_timestrcmp(needle->proto.ftpc.account, ++ check->proto.ftpc.account) || ++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, ++ check->proto.ftpc.alternative_to_user) || ++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || ++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) ++ continue; ++ } ++#endif + + if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) || + needle->bits.tunnel_proxy) { +diff --git a/lib/urldata.h b/lib/urldata.h +index 168f874..51b793b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1730,8 +1730,6 @@ struct UserDefined { + void *ssh_keyfunc_userp; /* custom pointer to callback */ + enum CURL_NETRC_OPTION + use_netrc; /* defined in include/curl.h */ +- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or +- IMAP or POP3 or others! 
*/ + long new_file_perms; /* Permissions to use when creating remote files */ + long new_directory_perms; /* Permissions to use when creating remote dirs */ + long ssh_auth_types; /* allowed SSH auth types */ +@@ -1851,6 +1849,8 @@ struct UserDefined { + BIT(http09_allowed); /* allow HTTP/0.9 responses */ + BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some + recipients */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ + }; + + struct Names { +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch new file mode 100644 index 0000000000..b04a77de25 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch 
@@ -0,0 +1,55 @@ +From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 10 Mar 2023 09:22:43 +0100 +Subject: [PATCH] url: only reuse connections with same GSS delegation + +Reported-by: Harry Sintonen +Closes #10731 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5] +CVE: CVE-2023-27536 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/url.c | 6 ++++++ + lib/urldata.h | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/lib/url.c b/lib/url.c +index f84375c..87f4eb0 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1257,6 +1257,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ /* GSS delegation differences do not actually affect every connection ++ and auth method, but this check takes precaution before efficiency */ ++ if(needle->gssapi_delegation != check->gssapi_delegation) ++ continue; ++ + #ifdef USE_SSH + else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) +@@ -1708,6 +1713,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->fclosesocket = data->set.fclosesocket; + conn->closesocket_client = data->set.closesocket_client; + conn->lastused = Curl_now(); /* used now */ ++ conn->gssapi_delegation = data->set.gssapi_delegation; + + return conn; + error: +diff --git a/lib/urldata.h b/lib/urldata.h +index 51b793b..b8a611b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1118,6 +1118,7 @@ struct connectdata { + handle */ + BIT(sock_accepted); /* TRUE if the SECONDARYSOCKET was created with + accept() */ ++ long gssapi_delegation; /* inherited from set.gssapi_delegation */ + }; + + /* The end of connectdata. */ +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27538.patch new file mode 100644 index 0000000000..5cd11ef88b --- /dev/null 
+++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch @@ -0,0 +1,29 @@ +Backport of: + +From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 10 Mar 2023 08:22:51 +0100 +Subject: [PATCH] url: fix the SSH connection reuse check + +Reported-by: Harry Sintonen +Closes #10735 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27538.patch?h=ubuntu/focal-security +Upstream commit https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb] +CVE: CVE-2023-27538 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/url.c ++++ b/lib/url.c +@@ -1233,7 +1233,7 @@ ConnectionExists(struct Curl_easy *data, + } + } + +- if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) { ++ if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index a7f4f5748f..2e3bcb2c6e 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb @@ -44,6 +44,11 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2022-43552.patch \ file://CVE-2023-23916.patch \ file://CVE-2023-27534.patch \ + file://CVE-2023-27533.patch \ + file://CVE-2023-27538.patch \ + file://CVE-2023-27535-pre1.patch \ + file://CVE-2023-27535.patch \ + file://CVE-2023-27536.patch \ " SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
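Review bot: In CVE-2023-27535.patch, the lib/url.c hunk in ConnectionExists() passes needle->proto.ftpc.account and needle->proto.ftpc.alternative_to_user to Curl_timestrcmp(), but both pointers are only set in ftp_setup_connection() when the corresponding STRING_FTP_ACCOUNT / STRING_FTP_ALTERNATIVE_TO_USER option is present, so the common case compares two NULL pointers. Curl_timestrcmp() is not defined anywhere in this patch, so please state in the patch header that it depends on CVE-2023-27535-pre1.patch and confirm that the helper backported there treats NULL/NULL as a match and NULL/non-NULL as a mismatch. The same hunk also turns the SSH test into an else-if that is only compiled under USE_SSH, which changes what the following FTP else-if chains to in a build without SSH; a short comment at that spot would make the intended pairing clear.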
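Review bot: In CVE-2023-27535.patch, the ftp_setup_connection() hunk in lib/ftp.c ends with ftpc->ccc = data->set.ftp_ccc, an implicit narrowing into the new unsigned char ccc member, while the matching use_ssl assignment is backed by an explicit (unsigned char) cast in lib/setopt.c and a type change in struct UserDefined. No hunk in this patch touches the declaration of data->set.ftp_ccc, so please check its type in 7.69.1 and either narrow it the same way or add a cast with a comment, so that the comparison needle->proto.ftpc.ccc != check->proto.ftpc.ccc in ConnectionExists() is made on values that are known to fit. The two strdup() assignments in the same hunk also overwrite ftpc->account and ftpc->alternative_to_user without freeing a previous value; the only release visible here is in ftp_disconnect(), so it is worth confirming that ftp_setup_connection() cannot run twice on one connectdata.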
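Review bot: In CVE-2023-27536.patch, the gssapi_delegation check added to ConnectionExists() in lib/url.c is inserted directly in front of the #ifdef USE_SSH / else if(...) line, so that else now pairs with if(needle->gssapi_delegation != check->gssapi_delegation) instead of with the block closed by the brace above it. Because the new if body is continue, the SSH and FTP checks still run when delegation matches, but they are no longer skipped on the path the previous else excluded, and that is a behaviour change the commit message does not mention. Suggest placing the delegation check after the #endif that closes the FTP block, or making the SSH branch a plain if, and saying in the patch header which of the two the backport intends.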
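Review bot: In the curl_7.69.1.bb hunk, the new SRC_URI entries carry an ordering dependency that is not documented: the lib/url.c hunk of CVE-2023-27535.patch removes a line that already reads & PROTO_FAMILY_SSH, which only exists once CVE-2023-27538.patch has replaced the == form, and the lib/url.c hunk of CVE-2023-27536.patch uses index f84375c, the result of CVE-2023-27535.patch. The order as submitted (27538, 27535-pre1, 27535, 27536) satisfies this, but the entries are not in numeric order and nothing says why, so a later reshuffle or a change to the CVE-2023-27538 entry would make the 27535 hunk fail to apply. Please add a comment above these lines, or a note in each patch header, naming the patches each one must follow.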