Resolves: CVE-2022-22576 - fix OAUTH2 bearer bypass in connection re-use
This commit is contained in:
Kamil Dudka
parent
a3da9b9ac3
commit
7c695ff325
148
0010-curl-7.76.1-CVE-2022-22576.patch
Normal file
148
0010-curl-7.76.1-CVE-2022-22576.patch
Normal file
@ -0,0 +1,148 @@
|
||||
From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001
|
||||
From: Patrick Monnerat <patrick@monnerat.net>
|
||||
Date: Mon, 25 Apr 2022 11:44:05 +0200
|
||||
Subject: [PATCH] url: check sasl additional parameters for connection reuse.
|
||||
|
||||
Also move static function safecmp() as non-static Curl_safecmp() since
|
||||
its purpose is needed at several places.
|
||||
|
||||
Bug: https://curl.se/docs/CVE-2022-22576.html
|
||||
|
||||
CVE-2022-22576
|
||||
|
||||
Closes #8746
|
||||
|
||||
Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/strcase.c | 10 ++++++++++
|
||||
lib/strcase.h | 2 ++
|
||||
lib/url.c | 13 ++++++++++++-
|
||||
lib/urldata.h | 1 +
|
||||
lib/vtls/vtls.c | 21 ++++++---------------
|
||||
5 files changed, 31 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/lib/strcase.c b/lib/strcase.c
|
||||
index dd46ca1..692a3f1 100644
|
||||
--- a/lib/strcase.c
|
||||
+++ b/lib/strcase.c
|
||||
@@ -251,6 +251,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
|
||||
} while(*src++ && --n);
|
||||
}
|
||||
|
||||
+/* Compare case-sensitive NUL-terminated strings, taking care of possible
|
||||
+ * null pointers. Return true if arguments match.
|
||||
+ */
|
||||
+bool Curl_safecmp(char *a, char *b)
|
||||
+{
|
||||
+ if(a && b)
|
||||
+ return !strcmp(a, b);
|
||||
+ return !a && !b;
|
||||
+}
|
||||
+
|
||||
/* --- public functions --- */
|
||||
|
||||
int curl_strequal(const char *first, const char *second)
|
||||
diff --git a/lib/strcase.h b/lib/strcase.h
|
||||
index b628656..382b80a 100644
|
||||
--- a/lib/strcase.h
|
||||
+++ b/lib/strcase.h
|
||||
@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in);
|
||||
void Curl_strntoupper(char *dest, const char *src, size_t n);
|
||||
void Curl_strntolower(char *dest, const char *src, size_t n);
|
||||
|
||||
+bool Curl_safecmp(char *a, char *b);
|
||||
+
|
||||
#endif /* HEADER_CURL_STRCASE_H */
|
||||
diff --git a/lib/url.c b/lib/url.c
|
||||
index adef2cd..94e3406 100644
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -768,6 +768,7 @@ static void conn_free(struct connectdata *conn)
|
||||
Curl_safefree(conn->passwd);
|
||||
Curl_safefree(conn->sasl_authzid);
|
||||
Curl_safefree(conn->options);
|
||||
+ Curl_safefree(conn->oauth_bearer);
|
||||
Curl_dyn_free(&conn->trailer);
|
||||
Curl_safefree(conn->host.rawalloc); /* host name buffer */
|
||||
Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
|
||||
@@ -1310,7 +1311,9 @@ ConnectionExists(struct Curl_easy *data,
|
||||
/* This protocol requires credentials per connection,
|
||||
so verify that we're using the same name and password as well */
|
||||
if(strcmp(needle->user, check->user) ||
|
||||
- strcmp(needle->passwd, check->passwd)) {
|
||||
+ strcmp(needle->passwd, check->passwd) ||
|
||||
+ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
|
||||
+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
|
||||
/* one of them was different */
|
||||
continue;
|
||||
}
|
||||
@@ -3554,6 +3557,14 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||
}
|
||||
}
|
||||
|
||||
+ if(data->set.str[STRING_BEARER]) {
|
||||
+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
|
||||
+ if(!conn->oauth_bearer) {
|
||||
+ result = CURLE_OUT_OF_MEMORY;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
#ifdef USE_UNIX_SOCKETS
|
||||
if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
|
||||
conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
|
||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||
index cc8a600..03da59a 100644
|
||||
--- a/lib/urldata.h
|
||||
+++ b/lib/urldata.h
|
||||
@@ -991,6 +991,7 @@ struct connectdata {
|
||||
char *passwd; /* password string, allocated */
|
||||
char *options; /* options string, allocated */
|
||||
char *sasl_authzid; /* authorisation identity string, allocated */
|
||||
+ char *oauth_bearer; /* OAUTH2 bearer, allocated */
|
||||
unsigned char httpversion; /* the HTTP version*10 reported by the server */
|
||||
struct curltime now; /* "current" time */
|
||||
struct curltime created; /* creation time */
|
||||
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
||||
index 03b85ba..a40ac06 100644
|
||||
--- a/lib/vtls/vtls.c
|
||||
+++ b/lib/vtls/vtls.c
|
||||
@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
|
||||
return !memcmp(first->data, second->data, first->len); /* same data */
|
||||
}
|
||||
|
||||
-static bool safecmp(char *a, char *b)
|
||||
-{
|
||||
- if(a && b)
|
||||
- return !strcmp(a, b);
|
||||
- else if(!a && !b)
|
||||
- return TRUE; /* match */
|
||||
- return FALSE; /* no match */
|
||||
-}
|
||||
-
|
||||
|
||||
bool
|
||||
Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||
@@ -146,12 +137,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||
(data->verifystatus == needle->verifystatus) &&
|
||||
blobcmp(data->cert_blob, needle->cert_blob) &&
|
||||
blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
|
||||
- safecmp(data->CApath, needle->CApath) &&
|
||||
- safecmp(data->CAfile, needle->CAfile) &&
|
||||
- safecmp(data->issuercert, needle->issuercert) &&
|
||||
- safecmp(data->clientcert, needle->clientcert) &&
|
||||
- safecmp(data->random_file, needle->random_file) &&
|
||||
- safecmp(data->egdsocket, needle->egdsocket) &&
|
||||
+ Curl_safecmp(data->CApath, needle->CApath) &&
|
||||
+ Curl_safecmp(data->CAfile, needle->CAfile) &&
|
||||
+ Curl_safecmp(data->issuercert, needle->issuercert) &&
|
||||
+ Curl_safecmp(data->clientcert, needle->clientcert) &&
|
||||
+ Curl_safecmp(data->random_file, needle->random_file) &&
|
||||
+ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
|
||||
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
||||
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
|
||||
Curl_safe_strcasecompare(data->curves, needle->curves) &&
|
||||
--
|
||||
2.34.1
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.76.1
|
||||
Release: 14%{?dist}
|
||||
Release: 15%{?dist}
|
||||
License: MIT
|
||||
Source: https://curl.se/download/%{name}-%{version}.tar.xz
|
||||
|
||||
@ -32,6 +32,9 @@ Patch8: 0008-curl-7.76.1-CVE-2021-22946.patch
|
||||
# fix STARTTLS protocol injection via MITM (CVE-2021-22947)
|
||||
Patch9: 0009-curl-7.76.1-CVE-2021-22947.patch
|
||||
|
||||
# fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
|
||||
Patch10: 0010-curl-7.76.1-CVE-2022-22576.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -216,6 +219,7 @@ be installed.
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
@ -436,6 +440,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-15
|
||||
- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
|
||||
|
||||
* Tue Oct 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14
|
||||
- re-disable HSTS in libcurl as an experimental feature (#2005874)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user