import UBI curl-7.61.1-30.el8_8.3

2023-08-08 12:32:11 +00:00 · 2023-08-08 12:32:11 +00:00 · ad7840c8f2
commit ad7840c8f2
parent bf79456532
4 changed files with 3142 additions and 1 deletions
--- a/SOURCES/0051-curl-7.61.1-CVE-2023-27536.patch
+++ b/SOURCES/0051-curl-7.61.1-CVE-2023-27536.patch
@ -0,0 +1,51 @@
+From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 09:22:43 +0100
+Subject: [PATCH] url: only reuse connections with same GSS delegation
+
+Reported-by: Harry Sintonen
+Closes #10731
+---
+ lib/url.c     | 6 ++++++
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index df6ef1213..cc2f427dc 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -1305,6 +1305,11 @@ ConnectionExists(struct Curl_easy *data,
+         }
+       }
+ 
+      /* GSS delegation differences do not actually affect every connection
+         and auth method, but this check takes precaution before efficiency */
+      if(needle->gssapi_delegation != check->gssapi_delegation)
+        continue;
+
+       if(needle->handler->protocol & (CURLPROTO_SCP|CURLPROTO_SFTP)) {
+         if(!ssh_config_matches(needle, check))
+           continue;
+@@ -1950,5 +1950,6 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+   conn->fclosesocket = data->set.fclosesocket;
+   conn->closesocket_client = data->set.closesocket_client;
+  conn->gssapi_delegation = data->set.gssapi_delegation;
+ 
+   return conn;
+   error:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index bf5daaf50..da5de5ba9 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -1061,6 +1061,8 @@ struct connectdata {
+   char *unix_domain_socket;
+   bool abstract_unix_socket;
+ #endif
+
+  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
+ };
+ 
+ /* The end of connectdata. */
+-- 
+2.40.1
+
--- a/SOURCES/0052-curl-7.61.1-rebuilt-certs.patch
+++ b/SOURCES/0052-curl-7.61.1-rebuilt-certs.patch
--- a/SOURCES/0053-curl-7.61.1-CVE-2023-28321.patch
+++ b/SOURCES/0053-curl-7.61.1-CVE-2023-28321.patch
@ -0,0 +1,305 @@
+From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 24 Apr 2023 21:07:02 +0200
+Subject: [PATCH] hostcheck: fix host name wildcard checking
+
+The leftmost "label" of the host name can now only match against single
+'*'. Like the browsers have worked for a long time.
+
+- extended unit test 1397 for this
+- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc
+
+Reported-by: Hiroki Kurosawa
+Closes #11018
+---
+ lib/hostcheck.c         |  50 +++++++--------
+ tests/data/test1397     |  10 ++-
+ tests/unit/Makefile.am  |  94 ----------------------------
+ tests/unit/Makefile.inc |  94 ++++++++++++++++++++++++++++
+ tests/unit/unit1397.c   | 134 ++++++++++++++++++++++++----------------
+ 5 files changed, 202 insertions(+), 180 deletions(-)
+
+diff --git a/lib/hostcheck.c b/lib/hostcheck.c
+index e827dc58f378c..d061c6356f97f 100644
+--- a/lib/hostcheck.c
+++ b/lib/hostcheck.c
+@@ -43,6 +43,17 @@
+ /* The last #include file should be: */
+ #include "memdebug.h"
+ 
+/* check the two input strings with given length, but do not
+   assume they end in nul-bytes */
+static int pmatch(const char *hostname, size_t hostlen,
+                  const char *pattern, size_t patternlen)
+{
+  if(hostlen != patternlen)
+    return CURL_HOST_NOMATCH;
+  return strncasecompare(hostname, pattern, hostlen) ?
+    CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+}
+
+ /*
+  * Match a hostname against a wildcard pattern.
+  * E.g.
+@@ -65,26 +76,27 @@
+ 
+ static int hostmatch(char *hostname, char *pattern)
+ {
+-  const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
+-  int wildcard_enabled;
+-  size_t prefixlen, suffixlen;
+  size_t hostlen, patternlen;
+  const char *pattern_label_end;
+   struct in_addr ignored;
+ #ifdef ENABLE_IPV6
+   struct sockaddr_in6 si6;
+ #endif
+ 
+  DEBUGASSERT(pattern);
+  DEBUGASSERT(hostname);
+
+  hostlen = strlen(hostname);
+  patternlen = strlen(pattern);
+
+   /* normalize pattern and hostname by stripping off trailing dots */
+-  size_t len = strlen(hostname);
+-  if(hostname[len-1]=='.')
+-    hostname[len-1] = 0;
+-  len = strlen(pattern);
+-  if(pattern[len-1]=='.')
+-    pattern[len-1] = 0;
+-
+-  pattern_wildcard = strchr(pattern, '*');
+-  if(pattern_wildcard == NULL)
+-    return strcasecompare(pattern, hostname) ?
+-      CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+  if(hostname[hostlen-1]=='.')
+    hostname[hostlen-1] = 0;
+  if(pattern[patternlen-1]=='.')
+    pattern[patternlen-1] = 0;
+
+  if(strncmp(pattern, "*.", 2))
+    return pmatch(hostname, hostlen, pattern, patternlen);
+ 
+   /* detect IP address as hostname and fail the match if so */
+   if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
+@@ -96,34 +108,20 @@ static int hostmatch(char *hostname, char *pattern)
+ 
+   /* We require at least 2 dots in pattern to avoid too wide wildcard
+      match. */
+-  wildcard_enabled = 1;
+   pattern_label_end = strchr(pattern, '.');
+-  if(pattern_label_end == NULL || strchr(pattern_label_end + 1, '.') == NULL ||
+-     pattern_wildcard > pattern_label_end ||
+-     strncasecompare(pattern, "xn--", 4)) {
+-    wildcard_enabled = 0;
+  if(pattern_label_end == NULL ||
+    (strrchr(pattern, '.') == pattern_label_end))
+      return pmatch(pattern, patternlen, hostname, hostlen);
+
+  const char *hostname_label_end = strchr(hostname, '.');
+  if(hostname_label_end != NULL) {
+    size_t skiphost = hostname_label_end - hostname;
+    size_t skiplen = pattern_label_end - pattern;
+    return pmatch(hostname_label_end, hostlen - skiphost,
+                  pattern_label_end, patternlen - skiplen);
+   }
+-  if(!wildcard_enabled)
+-    return strcasecompare(pattern, hostname) ?
+-      CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+-
+-  hostname_label_end = strchr(hostname, '.');
+-  if(hostname_label_end == NULL ||
+-     !strcasecompare(pattern_label_end, hostname_label_end))
+-    return CURL_HOST_NOMATCH;
+ 
+-  /* The wildcard must match at least one character, so the left-most
+-     label of the hostname is at least as large as the left-most label
+-     of the pattern. */
+-  if(hostname_label_end - hostname < pattern_label_end - pattern)
+-    return CURL_HOST_NOMATCH;
+-
+-  prefixlen = pattern_wildcard - pattern;
+-  suffixlen = pattern_label_end - (pattern_wildcard + 1);
+-  return strncasecompare(pattern, hostname, prefixlen) &&
+-    strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen,
+-                    suffixlen) ?
+-    CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+  return CURL_HOST_NOMATCH;
+ }
+ 
+ int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
+diff --git a/tests/data/test1397 b/tests/data/test1397
+index 84f962abebee3..f31b2c2a3f330 100644
+--- a/tests/data/test1397
+++ b/tests/data/test1397
+@@ -2,8 +2,7 @@
+ <info>
+ <keywords>
+ unittest
+-ssl
+-wildcard
+Curl_cert_hostcheck
+ </keywords>
+ </info>
+ 
+@@ -15,10 +14,10 @@ none
+ <features>
+ unittest
+ </features>
+- <name>
+-Check wildcard certificate matching function Curl_cert_hostcheck
+- </name>
+<name>
+Curl_cert_hostcheck unit tests
+</name>
+ <tool>
+ unit1397
+ </tool>
+ </client>
+diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c
+index 2f3d3aa4d09e1..3ae75618d5d10 100644
+--- a/tests/unit/unit1397.c
+++ b/tests/unit/unit1397.c
+@@ -21,8 +21,6 @@
+  ***************************************************************************/
+ #include "curlcheck.h"
+ 
+-#include "hostcheck.h" /* from the lib dir */
+-
+ static CURLcode unit_setup(void)
+ {
+   return CURLE_OK;
+@@ -30,50 +28,93 @@ static CURLcode unit_setup(void)
+ 
+ static void unit_stop(void)
+ {
+-  /* done before shutting down and exiting */
+ }
+ 
+-UNITTEST_START
+-
+ /* only these backends define the tested functions */
+-#if defined(USE_OPENSSL) || defined(USE_AXTLS) || defined(USE_GSKIT)
+-
+-  /* here you start doing things and checking that the results are good */
+#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL)
+#include "hostcheck.h"
+struct testcase {
+  const char *host;
+  const char *pattern;
+  bool match;
+};
+ 
+-fail_unless(Curl_cert_hostcheck("www.example.com", "www.example.com"),
+-            "good 1");
+-fail_unless(Curl_cert_hostcheck("*.example.com", "www.example.com"),
+-            "good 2");
+-fail_unless(Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"),
+-            "good 3");
+-fail_unless(Curl_cert_hostcheck("f*.example.com", "foo.example.com"),
+-            "good 4");
+-fail_unless(Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"),
+-            "good 5");
+-
+-fail_if(Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1");
+-fail_if(Curl_cert_hostcheck("*", "www.example.com"), "bad 2");
+-fail_if(Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3");
+-fail_if(Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4");
+-fail_if(Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5");
+-fail_if(Curl_cert_hostcheck("*.com", "example.com"), "bad 6");
+-fail_if(Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7");
+-fail_if(Curl_cert_hostcheck("*.example.", "www.example."), "bad 8");
+-fail_if(Curl_cert_hostcheck("*.example.", "www.example"), "bad 9");
+-fail_if(Curl_cert_hostcheck("", "www"), "bad 10");
+-fail_if(Curl_cert_hostcheck("*", "www"), "bad 11");
+-fail_if(Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12");
+-fail_if(Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13");
+-
+-#ifdef ENABLE_IPV6
+-fail_if(Curl_cert_hostcheck("*::3285:a9ff:fe46:b619",
+-                            "fe80::3285:a9ff:fe46:b619"), "bad 14");
+-fail_unless(Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619",
+-                                "fe80::3285:a9ff:fe46:b619"), "good 6");
+-#endif
+static struct testcase tests[] = {
+  {"", "", FALSE},
+  {"a", "", FALSE},
+  {"", "b", FALSE},
+  {"a", "b", FALSE},
+  {"aa", "bb", FALSE},
+  {"\xff", "\xff", TRUE},
+  {"aa.aa.aa", "aa.aa.bb", FALSE},
+  {"aa.aa.aa", "aa.aa.aa", TRUE},
+  {"aa.aa.aa", "*.aa.bb", FALSE},
+  {"aa.aa.aa", "*.aa.aa", TRUE},
+  {"192.168.0.1", "192.168.0.1", TRUE},
+  {"192.168.0.1", "*.168.0.1", FALSE},
+  {"192.168.0.1", "*.0.1", FALSE},
+  {"h.ello", "*.ello", FALSE},
+  {"h.ello.", "*.ello", FALSE},
+  {"h.ello", "*.ello.", FALSE},
+  {"h.e.llo", "*.e.llo", TRUE},
+  {"h.e.llo", " *.e.llo", FALSE},
+  {" h.e.llo", "*.e.llo", TRUE},
+  {"h.e.llo.", "*.e.llo", TRUE},
+  {"*.e.llo.", "*.e.llo", TRUE},
+  {"************.e.llo.", "*.e.llo", TRUE},
+  {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+   "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
+   "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
+   "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
+   "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+   ".e.llo.", "*.e.llo", TRUE},
+  {"\xfe\xfe.e.llo.", "*.e.llo", TRUE},
+  {"h.e.llo.", "*.e.llo.", TRUE},
+  {"h.e.llo", "*.e.llo.", TRUE},
+  {".h.e.llo", "*.e.llo.", FALSE},
+  {"h.e.llo", "*.*.llo.", FALSE},
+  {"h.e.llo", "h.*.llo", FALSE},
+  {"h.e.llo", "h.e.*", FALSE},
+  {"hello", "*.ello", FALSE},
+  {"hello", "**llo", FALSE},
+  {"bar.foo.example.com", "*.example.com", FALSE},
+  {"foo.example.com", "*.example.com", TRUE},
+  {"baz.example.net", "b*z.example.net", FALSE},
+  {"foobaz.example.net", "*baz.example.net", FALSE},
+  {"xn--l8j.example.local", "x*.example.local", FALSE},
+  {"xn--l8j.example.net", "*.example.net", TRUE},
+  {"xn--l8j.example.net", "*j.example.net", FALSE},
+  {"xn--l8j.example.net", "xn--l8j.example.net", TRUE},
+  {"xn--l8j.example.net", "xn--l8j.*.net", FALSE},
+  {"xl8j.example.net", "*.example.net", TRUE},
+  {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE},
+  {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE},
+  {NULL, NULL, FALSE}
+};
+ 
+-#endif
+UNITTEST_START
+{
+  int i;
+  for(i = 0; tests[i].host; i++) {
+    if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern,
+                                             strlen(tests[i].pattern),
+                                             tests[i].host,
+                                             strlen(tests[i].host))) {
+      fprintf(stderr,
+              "HOST: %s\n"
+              "PTRN: %s\n"
+              "did %sMATCH\n",
+              tests[i].host,
+              tests[i].pattern,
+              tests[i].match ? "NOT ": "");
+      unitfail++;
+    }
+  }
+}
+UNITTEST_STOP
+#else
+ 
+-  /* you end the test code like this: */
+UNITTEST_START
+ 
+ UNITTEST_STOP
+#endif
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 30%{?dist}.2
+Release: 30%{?dist}.3
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz

@ -142,6 +142,15 @@ Patch48:  0048-curl-7.61.1-CVE-2023-27535.patch
 # sftp: do not specify O_APPEND when not in append mode (#2187717)
 Patch50:  0050-curl-7.61.1-sftp-upload-flags.patch

+# fix GSS delegation too eager connection re-use
+Patch51:  0051-curl-7.61.1-CVE-2023-27536.patch
+
+# rebuild certs with 2048-bit RSA keys
+Patch52:  0052-curl-7.61.1-rebuilt-certs.patch
+
+# fix host name wildcard checking
+Patch53:  0053-curl-7.61.1-CVE-2023-28321.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -364,6 +373,9 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
 %patch47 -p1
 %patch48 -p1
 %patch50 -p1
+%patch51 -p1
+git apply %{PATCH52}
+%patch53 -p1

 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@ -526,6 +538,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Tue Jun 13 2023 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-30.el8_8.3
+- fix GSS delegation too eager connection re-use (CVE-2023-27536)
+- rebuild certs with 2048-bit RSA keys
+- fix host name wildcard checking (CVE-2023-28321)
+
 * Thu Apr 20 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-30.el8_8.2
 - sftp: do not specify O_APPEND when not in append mode (#2187717)