Resolves: CVE-2022-32206 - fix HTTP compression denial of service

2022-06-29 11:04:02 +02:00 · 2022-06-29 11:04:02 +02:00 · 2e18ec1da4
commit 2e18ec1da4
parent 0d71fe9a40
2 changed files with 148 additions and 0 deletions
--- a/0017-curl-7.76.1-CVE-2022-32206.patch
+++ b/0017-curl-7.76.1-CVE-2022-32206.patch
@ -0,0 +1,143 @@
 From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Mon, 16 May 2022 16:28:13 +0200
 Subject: [PATCH 1/2] content_encoding: return error on too many compression
 steps
 The max allowed steps is arbitrarily set to 5.
 Bug: https://curl.se/docs/CVE-2022-32206.html
 CVE-2022-32206
 Reported-by: Harry Sintonen
 Closes #9049
 Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 lib/content_encoding.c | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/lib/content_encoding.c b/lib/content_encoding.c
 index c03637a..6f994b3 100644
 --- a/lib/content_encoding.c
 +++ b/lib/content_encoding.c
@@ -1024,12 +1024,16 @@ static const struct content_encoding *find_encoding(const char *name,
   return NULL;
 }
 +/* allow no more than 5 "chained" compression steps */
 +#define MAX_ENCODE_STACK 5
 +
 /* Set-up the unencoding stack from the Content-Encoding header value.
  * See RFC 7231 section 3.1.2.2. */
 CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
                                      const char *enclist, int maybechunked)
 {
   struct SingleRequest *k = &data->req;
 +  int counter = 0;
   do {
     const char *name;
@@ -1064,6 +1068,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
       if(!encoding)
         encoding = &error_encoding;  /* Defer error at stack use. */
 +      if(++counter >= MAX_ENCODE_STACK) {
 +        failf(data, "Reject response due to %u content encodings",
 +              counter);
 +        return CURLE_BAD_CONTENT_ENCODING;
 +      }
       /* Stack the unencoding stage. */
       writer = new_unencoding_writer(data, encoding, k->writer_stack);
       if(!writer)
 -- 
 2.35.3
 From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Mon, 16 May 2022 16:29:07 +0200
 Subject: [PATCH 2/2] test387: verify rejection of compression chain attack
 Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 tests/data/Makefile.inc |  1 +
 tests/data/test387      | 53 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 tests/data/test387
 diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
 index 98d5516..9b5f4fb 100644
 --- a/tests/data/Makefile.inc
 +++ b/tests/data/Makefile.inc
@@ -62,6 +62,7 @@ test343 test344 test345 test346 test347 test348 test349 test350 test351 \
 test352 test353 test354 test355 test356 test357 test358 test359 test360 \
 test361 test362 \
 \
 +test387 \
 test393 test394 test395 test396 test397 \
 \
 test400 test401 test402 test403 test404 test405 test406 test407 test408 \
 diff --git a/tests/data/test387 b/tests/data/test387
 new file mode 100644
 index 0000000..015ec25
 --- /dev/null
 +++ b/tests/data/test387
@@ -0,0 +1,53 @@
 +<testcase>
 +<info>
 +<keywords>
 +HTTP
 +gzip
 +</keywords>
 +</info>
 +
 +#
 +# Server-side
 +<reply>
 +<data nocheck="yes">
 +HTTP/1.1 200 OK
 +Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip
 +
 +-foo-
 +</data>
 +</reply>
 +
 +#
 +# Client-side
 +<client>
 +<server>
 +http
 +</server>
 + <name>
 +Response with overly long compression chain
 + </name>
 + <command>
 +http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
 +</command>
 +</client>
 +
 +#
 +# Verify data after the test has been "shot"
 +<verify>
 +<protocol>
 +GET /%TESTNUMBER HTTP/1.1
 +Host: %HOSTIP:%HTTPPORT
 +User-Agent: curl/%VERSION
 +Accept: */*
 +
 +</protocol>
 +
 +# CURLE_BAD_CONTENT_ENCODING is 61
 +<errorcode>
 +61
 +</errorcode>
 +<stderr mode="text">
 +curl: (61) Reject response due to 5 content encodings
 +</stderr>
 +</verify>
 +</testcase>
 -- 
 2.35.3
--- a/curl.spec
+++ b/curl.spec
@ -53,6 +53,9 @@ Patch15:  0015-curl-7.76.1-tests-openssh.patch
 # fix FTP-KRB bad message verification (CVE-2022-32208)
 Patch16:  0016-curl-7.76.1-CVE-2022-32208.patch
 # fix HTTP compression denial of service (CVE-2022-32206)
 Patch17:  0017-curl-7.76.1-CVE-2022-32206.patch
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -244,6 +247,7 @@ be installed.
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
 # Fedora patches
 %patch101 -p1
@ -465,6 +469,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %changelog
 * Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-19
 - fix HTTP compression denial of service (CVE-2022-32206)
 - fix FTP-KRB bad message verification (CVE-2022-32208)
 * Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-18