From 514561e323a8f63d42af9baa226ac53955c40cff Mon Sep 17 00:00:00 2001 From: Robert Joslyn Date: Sun, 8 Jan 2023 09:55:21 -0800 Subject: [PATCH] curl: Fix CVE-2022-43551 and CVE-2022-43552 Backport patches to address these CVEs. * https://curl.se/docs/CVE-2022-43551.html * https://curl.se/docs/CVE-2022-43552.html Signed-off-by: Robert Joslyn Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2022-43551.patch | 32 ++++++++ .../curl/curl/CVE-2022-43552.patch | 78 +++++++++++++++++++ meta/recipes-support/curl/curl_7.85.0.bb | 2 + 3 files changed, 112 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2022-43551.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-43552.patch diff --git a/meta/recipes-support/curl/curl/CVE-2022-43551.patch b/meta/recipes-support/curl/curl/CVE-2022-43551.patch new file mode 100644 index 00000000000..7c617ef1db9 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-43551.patch @@ -0,0 +1,32 @@ +From 08aa76b7b24454a89866aaef661ea90ae3d57900 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 19 Dec 2022 08:36:55 +0100 +Subject: [PATCH] http: use the IDN decoded name in HSTS checks + +Otherwise it stores the info HSTS into the persistent cache for the IDN +name which will not match when the HSTS status is later checked for +using the decoded name. + +Reported-by: Hiroki Kurosawa + +Closes #10111 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/9e71901634e276dd] +Signed-off-by: Robert Joslyn +--- + lib/http.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/http.c b/lib/http.c +index b0ad28e..8b18e8d 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -3654,7 +3654,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, + else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) && + (conn->handler->flags & PROTOPT_SSL)) { + CURLcode check = +- Curl_hsts_parse(data->hsts, data->state.up.hostname, ++ Curl_hsts_parse(data->hsts, conn->host.name, + headp + strlen("Strict-Transport-Security:")); + if(check) + infof(data, "Illegal STS header skipped"); diff --git a/meta/recipes-support/curl/curl/CVE-2022-43552.patch b/meta/recipes-support/curl/curl/CVE-2022-43552.patch new file mode 100644 index 00000000000..059dad17d81 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-43552.patch @@ -0,0 +1,78 @@ +From 6ae56c9c47b02106373c9482f09c510fd5c50a84 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 19 Dec 2022 08:38:37 +0100 +Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done() + +It is managed by the generic layer. + +Reported-by: Trail of Bits + +Closes #10112 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe1] +Signed-off-by: Robert Joslyn +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 039d680..f682c1f 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -62,8 +62,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done); + static CURLcode smb_connection_state(struct Curl_easy *data, bool *done); + static CURLcode smb_do(struct Curl_easy *data, bool *done); + static CURLcode smb_request_state(struct Curl_easy *data, bool *done); +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead); + static int smb_getsock(struct Curl_easy *data, struct connectdata *conn, +@@ -78,7 +76,7 @@ const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -105,7 +103,7 @@ const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -941,14 +939,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + return CURLE_OK; + } + +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature) +-{ +- (void) premature; +- Curl_safefree(data->req.p.smb); +- return status; +-} +- + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead) + { +diff --git a/lib/telnet.c b/lib/telnet.c +index 923c7f8..48cd0d7 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data, + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(data->req.p.telnet); +- + return CURLE_OK; + } + diff --git a/meta/recipes-support/curl/curl_7.85.0.bb b/meta/recipes-support/curl/curl_7.85.0.bb index a4561494d17..1e47e9fac50 100644 --- a/meta/recipes-support/curl/curl_7.85.0.bb +++ b/meta/recipes-support/curl/curl_7.85.0.bb @@ -17,6 +17,8 @@ SRC_URI = " \ file://CVE-2022-35260.patch \ file://CVE-2022-42915.patch \ file://CVE-2022-42916.patch \ + file://CVE-2022-43551.patch \ + file://CVE-2022-43552.patch \ " SRC_URI[sha256sum] = "88b54a6d4b9a48cb4d873c7056dcba997ddd5b7be5a2d537a4acb55c20b04be6" -- 2.47.3