From 06c4d34bb190984a0e9e59ea51aa5a0c357a7dbb Mon Sep 17 00:00:00 2001 From: Jacek Migacz Date: Fri, 24 Nov 2023 10:28:40 +0100 Subject: [PATCH] Fix cookie injection with none file Resolves: RHEL-12692 --- 0034-curl-7.76.1-CVE-2023-38546.patch | 123 ++++++++++++++++++++++++++ curl.spec | 5 ++ 2 files changed, 128 insertions(+) create mode 100644 0034-curl-7.76.1-CVE-2023-38546.patch diff --git a/0034-curl-7.76.1-CVE-2023-38546.patch b/0034-curl-7.76.1-CVE-2023-38546.patch new file mode 100644 index 0000000..36b9afc --- /dev/null +++ b/0034-curl-7.76.1-CVE-2023-38546.patch @@ -0,0 +1,123 @@ +From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 14 Sep 2023 23:28:32 +0200 +Subject: [PATCH] cookie: remove unnecessary struct fields + +Plus: reduce the hash table size from 256 to 63. It seems unlikely to +make much of a speed difference for most use cases but saves 1.5KB of +data per instance. + +Closes #11862 +--- + lib/cookie.c | 13 +------------ + lib/cookie.h | 13 ++++--------- + lib/easy.c | 4 +--- + 3 files changed, 6 insertions(+), 24 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 4345a84c6fd9d..e39c89a94a960 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co) + free(co->name); + free(co->value); + free(co->maxage); +- free(co->version); + free(co); + } + +@@ -717,11 +716,7 @@ Curl_cookie_add(struct Curl_easy *data, + } + } + else if(strcasecompare("version", name)) { +- strstore(&co->version, whatptr); +- if(!co->version) { +- badcookie = TRUE; +- break; +- } ++ /* just ignore */ + } + else if(strcasecompare("max-age", name)) { + /* Defined in RFC2109: +@@ -1159,7 +1154,6 @@ Curl_cookie_add(struct Curl_easy *data, + free(clist->path); + free(clist->spath); + free(clist->expirestr); +- free(clist->version); + free(clist->maxage); + + *clist = *co; /* then store all the new data */ +@@ -1223,9 +1217,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, + c = calloc(1, sizeof(struct CookieInfo)); + if(!c) + return NULL; /* failed to get memory */ +- c->filename = strdup(file?file:"none"); /* copy the name just in case */ +- if(!c->filename) +- goto fail; /* failed to get memory */ + } + else { + /* we got an already existing one, use that */ +@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) + CLONE(name); + CLONE(value); + CLONE(maxage); +- CLONE(version); + d->expires = src->expires; + d->tailmatch = src->tailmatch; + d->secure = src->secure; +@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) + { + if(c) { + unsigned int i; +- free(c->filename); + for(i = 0; i < COOKIE_HASH_SIZE; i++) + Curl_cookie_freelist(c->cookies[i]); + free(c); /* free the base struct as well */ +diff --git a/lib/cookie.h b/lib/cookie.h +index b3c0063b2cfb2..41e9e7a6914e0 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -36,11 +36,7 @@ struct Cookie { + char *domain; /* domain = */ + curl_off_t expires; /* expires = */ + char *expirestr; /* the plain text version */ +- +- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ +- char *version; /* Version = */ + char *maxage; /* Max-Age = */ +- + bool tailmatch; /* whether we do tail-matching of the domain name */ + bool secure; /* whether the 'secure' keyword was used */ + bool livecookie; /* updated from a server, not a stored file */ +@@ -56,14 +52,13 @@ struct Cookie { + #define COOKIE_PREFIX__SECURE (1<<0) + #define COOKIE_PREFIX__HOST (1<<1) + +-#define COOKIE_HASH_SIZE 256 ++#define COOKIE_HASH_SIZE 63 + + struct CookieInfo { + /* linked list of cookies we know of */ + struct Cookie *cookies[COOKIE_HASH_SIZE]; + +- char *filename; /* file we read from/write to */ +- long numcookies; /* number of cookies in the "jar" */ ++ int numcookies; /* number of cookies in the "jar" */ + bool running; /* state info, for cookie adding information */ + bool newsession; /* new session, discard session cookies on load */ + int lastct; /* last creation-time used in the jar */ +diff --git a/lib/easy.c b/lib/easy.c +index 16bbd35251d40..03195481f9780 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + if(data->cookies) { + /* If cookies are enabled in the parent handle, we enable them + in the clone as well! */ +- outcurl->cookies = Curl_cookie_init(data, +- data->cookies->filename, +- outcurl->cookies, ++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, + data->set.cookiesession); + if(!outcurl->cookies) + goto fail; diff --git a/curl.spec b/curl.spec index 7f4a68d..b12d56d 100644 --- a/curl.spec +++ b/curl.spec @@ -101,6 +101,9 @@ Patch32: 0032-curl-7.76.1-password-when-keyboard-interactive-fails.patch # return error if hostname too long for remote resolve Patch33: 0033-curl-7.76.1-CVE-2023-38545.patch +# fix cookie injection with none file (CVE-2023-38546) +Patch34: 0034-curl-7.76.1-CVE-2023-38546.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -308,6 +311,7 @@ be installed. %patch31 -p1 %patch32 -p1 %patch33 -p1 +%patch34 -p1 # Fedora patches %patch101 -p1 @@ -535,6 +539,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Tue Oct 10 2023 Jacek Migacz - 7.76.1-28 - return error if hostname too long for remote resolve (CVE-2023-38545) +- fix cookie injection with none file (CVE-2023-38546) * Tue Sep 12 2023 Jacek Migacz - 7.76.1-27 - when keyboard-interactive auth fails, try password (#2229800)