Resolves: CVE-2023-27533 - fix TELNET option IAC injection

2023-03-24 13:14:43 +01:00 · 2023-03-24 13:14:43 +01:00 · 798eff6a99
commit 798eff6a99
parent 27cd064020
2 changed files with 67 additions and 1 deletions
--- a/0025-curl-7.76.1-CVE-2023-27533.patch
+++ b/0025-curl-7.76.1-CVE-2023-27533.patch
@ -0,0 +1,59 @@
+From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Mar 2023 12:07:33 +0100
+Subject: [PATCH] telnet: only accept option arguments in ascii
+
+To avoid embedded telnet negotiation commands etc.
+
+Reported-by: Harry Sintonen
+Closes #10728
+
+Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/telnet.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 22bc81e..baea885 100644
+--- a/lib/telnet.c
+++ b/lib/telnet.c
+@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data,
+   }
+ }
+ 
+static bool str_is_nonascii(const char *str)
+{
+  size_t len = strlen(str);
+  while(len--) {
+    if(*str & 0x80)
+      return TRUE;
+    str++;
+  }
+  return FALSE;
+}
+
+ static CURLcode check_telnet_options(struct Curl_easy *data)
+ {
+   struct curl_slist *head;
+@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+   /* Add the user name as an environment variable if it
+      was given on the command line */
+   if(conn->bits.user_passwd) {
+    if(str_is_nonascii(data->conn->user))
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+     msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
+     beg = curl_slist_append(tn->telnet_vars, option_arg);
+     if(!beg) {
+@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+   for(head = data->set.telnet_options; head; head = head->next) {
+     if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
+               option_keyword, option_arg) == 2) {
+      if(str_is_nonascii(option_arg))
+        continue;
+ 
+       /* Terminal type */
+       if(strcasecompare(option_keyword, "TTYPE")) {
+-- 
+2.39.2
+
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz

@ -74,6 +74,9 @@ Patch23:  0023-curl-7.76.1-CVE-2022-43552.patch
 # fix HTTP multi-header compression denial of service (CVE-2023-23916)
 Patch24:  0024-curl-7.76.1-CVE-2023-23916.patch

+# fix TELNET option IAC injection (CVE-2023-27533)
+Patch25:  0025-curl-7.76.1-CVE-2023-27533.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -272,6 +275,7 @@ be installed.
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
+%patch25 -p1

 # Fedora patches
 %patch101 -p1
@ -497,6 +501,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-24
+- fix TELNET option IAC injection (CVE-2023-27533)
+
 * Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-23
 - fix HTTP multi-header compression denial of service (CVE-2023-23916)