From eab48830b35c0195cd9d01597abe0830fd4a79ca Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Dec 2022 15:31:04 +0100 Subject: [PATCH] Resolves: CVE-2022-43552 - smb/telnet: fix use-after-free when HTTP proxy denies tunnel --- 0023-curl-7.76.1-CVE-2022-43552.patch | 81 +++++++++++++++++++++++++++ curl.spec | 9 ++- 2 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 0023-curl-7.76.1-CVE-2022-43552.patch diff --git a/0023-curl-7.76.1-CVE-2022-43552.patch b/0023-curl-7.76.1-CVE-2022-43552.patch new file mode 100644 index 0000000..bbc1b1b --- /dev/null +++ b/0023-curl-7.76.1-CVE-2022-43552.patch @@ -0,0 +1,81 @@ +From 5cdcf1dbd39c64e18a81fc912a36942a3ec87565 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 19 Dec 2022 08:38:37 +0100 +Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done() + +It is managed by the generic layer. + +Reported-by: Trail of Bits + +Closes #10112 + +Upstream-commit: 4f20188ac644afe174be6005ef4f6ffba232b8b2 +Signed-off-by: Kamil Dudka +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 039d680..f682c1f 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -60,8 +60,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done); + static CURLcode smb_connection_state(struct Curl_easy *data, bool *done); + static CURLcode smb_do(struct Curl_easy *data, bool *done); + static CURLcode smb_request_state(struct Curl_easy *data, bool *done); +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead); + static int smb_getsock(struct Curl_easy *data, struct connectdata *conn, +@@ -76,7 +74,7 @@ const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -103,7 +101,7 @@ const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -941,14 +939,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + return CURLE_OK; + } + +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature) +-{ +- (void) premature; +- Curl_safefree(data->req.p.smb); +- return status; +-} +- + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead) + { +diff --git a/lib/telnet.c b/lib/telnet.c +index 923c7f8..48cd0d7 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data, + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(data->req.p.telnet); +- + return CURLE_OK; + } + +-- +2.38.1 + diff --git a/curl.spec b/curl.spec index 711261a..3afcd91 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.76.1 -Release: 21%{?dist} +Release: 22%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -68,6 +68,9 @@ Patch21: 0021-curl-7.76.1-CVE-2022-35252.patch # fix POST following PUT confusion (CVE-2022-32221) Patch22: 0022-curl-7.76.1-CVE-2022-32221.patch +# smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) +Patch23: 0023-curl-7.76.1-CVE-2022-43552.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -264,6 +267,7 @@ be installed. %patch20 -p1 %patch21 -p1 %patch22 -p1 +%patch23 -p1 # Fedora patches %patch101 -p1 @@ -489,6 +493,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 21 2022 Kamil Dudka - 7.76.1-22 +- smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) + * Wed Oct 26 2022 Kamil Dudka - 7.76.1-21 - fix POST following PUT confusion (CVE-2022-32221)