hemu312/curl
1
0
Fork 0
forked from rpms/curl
Code Pull Requests Activity

Resolves: CVE-2023-27533 - fix TELNET option IAC injection

Browse Source
This commit is contained in:
Kamil Dudka 2023-03-24 13:14:43 +01:00
parent 27cd064020
commit 798eff6a99
2 changed files with 67 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
0025-curl-7.76.1-CVE-2023-27533.patch Normal file
View File

@ -0,0 +1,59 @@
From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 6 Mar 2023 12:07:33 +0100
Subject: [PATCH] telnet: only accept option arguments in ascii
To avoid embedded telnet negotiation commands etc.
Reported-by: Harry Sintonen
Closes #10728
Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/telnet.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/lib/telnet.c b/lib/telnet.c
index 22bc81e..baea885 100644
--- a/lib/telnet.c
+++ b/lib/telnet.c
@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data,
}
}
+static bool str_is_nonascii(const char *str)
+{
+ size_t len = strlen(str);
+ while(len--) {
+ if(*str & 0x80)
+ return TRUE;
+ str++;
+ }
+ return FALSE;
+}
+
static CURLcode check_telnet_options(struct Curl_easy *data)
{
struct curl_slist *head;
@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
/* Add the user name as an environment variable if it
was given on the command line */
if(conn->bits.user_passwd) {
+ if(str_is_nonascii(data->conn->user))
+ return CURLE_BAD_FUNCTION_ARGUMENT;
msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
beg = curl_slist_append(tn->telnet_vars, option_arg);
if(!beg) {
@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
for(head = data->set.telnet_options; head; head = head->next) {
if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
option_keyword, option_arg) == 2) {
+ if(str_is_nonascii(option_arg))
+ continue;
/* Terminal type */
if(strcasecompare(option_keyword, "TTYPE")) {
--
2.39.2

9
curl.spec
View File

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 7.76.1 Version: 7.76.1
Release: 23%{?dist} Release: 24%{?dist}
License: MIT License: MIT
Source: https://curl.se/download/%{name}-%{version}.tar.xz Source: https://curl.se/download/%{name}-%{version}.tar.xz
@ -74,6 +74,9 @@ Patch23: 0023-curl-7.76.1-CVE-2022-43552.patch
# fix HTTP multi-header compression denial of service (CVE-2023-23916) # fix HTTP multi-header compression denial of service (CVE-2023-23916)
Patch24: 0024-curl-7.76.1-CVE-2023-23916.patch Patch24: 0024-curl-7.76.1-CVE-2023-23916.patch
# fix TELNET option IAC injection (CVE-2023-27533)
Patch25: 0025-curl-7.76.1-CVE-2023-27533.patch
# patch making libcurl multilib ready # patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch Patch101: 0101-curl-7.32.0-multilib.patch
@ -272,6 +275,7 @@ be installed.
%patch22 -p1 %patch22 -p1
%patch23 -p1 %patch23 -p1
%patch24 -p1 %patch24 -p1
%patch25 -p1
# Fedora patches # Fedora patches
%patch101 -p1 %patch101 -p1
@ -497,6 +501,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog %changelog
* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-24
- fix TELNET option IAC injection (CVE-2023-27533)
* Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-23 * Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-23
- fix HTTP multi-header compression denial of service (CVE-2023-23916) - fix HTTP multi-header compression denial of service (CVE-2023-23916)