From 0d71fe9a408b001e84b69513ea7712206e2da488 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 29 Jun 2022 10:56:13 +0200
Subject: [PATCH] Resolves: CVE-2022-32208 - fix FTP-KRB bad message verification
---
 0016-curl-7.76.1-CVE-2022-32208.patch | 70 +++++++++++++++++++++++++++
 curl.spec | 9 +++-
 2 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 0016-curl-7.76.1-CVE-2022-32208.patch
diff --git a/0016-curl-7.76.1-CVE-2022-32208.patch b/0016-curl-7.76.1-CVE-2022-32208.patch
new file mode 100644
index 0000000..9c2c836
--- /dev/null
+++ b/0016-curl-7.76.1-CVE-2022-32208.patch
@@ -0,0 +1,70 @@
+From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+
+Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
+Signed-off-by: Kamil Dudka
+---
+ lib/krb5.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index 787137c..6f9e1f7 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -146,11 +146,8 @@ krb5_decode(void *app_data, void *buf, int len,
+ enc.value = buf;
+ enc.length = len;
+ maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+- if(maj != GSS_S_COMPLETE) {
+- if(len >= 4)
+- strcpy(buf, "599 ");
++ if(maj != GSS_S_COMPLETE)
+ return -1;
+- }
+
+ memcpy(buf, dec.value, dec.length);
+ len = curlx_uztosi(dec.length);
+@@ -523,6 +520,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+ int len;
+ CURLcode result;
++ int nread;
+
+ result = socket_read(fd, &len, sizeof(len));
+ if(result)
+@@ -531,7 +529,10 @@ static CURLcode read_data(struct connectdata *conn,
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- buf->data = Curl_saferealloc(buf->data, len);
++ if(len > CURL_MAX_INPUT_LENGTH)
++ len = 0;
++ else
++ buf->data = Curl_saferealloc(buf->data, len);
+ }
+ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+@@ -539,8 +540,11 @@ static CURLcode read_data(struct connectdata *conn,
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
+- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+- conn->data_prot, conn);
++ nread = conn->mech->decode(conn->app_data, buf->data, len,
++ conn->data_prot, conn);
++ if(nread < 0)
++ return CURLE_RECV_ERROR;
++ buf->size = (size_t)nread;
+ buf->index = 0;
+ return CURLE_OK;
+ }
+--
+2.35.3
+
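Review bot: In the embedded lib/krb5.c patch, the new bound in read_data, `if(len > CURL_MAX_INPUT_LENGTH)`, tests a signed `int len` that was just assigned from `ntohl(len)`, so a peer-supplied length with the top bit set would typically become negative, pass the check and still reach `Curl_saferealloc(buf->data, len)`. The conversion to a very large size_t presumably makes that allocation fail and the function return early, but the guard should reject the value explicitly rather than rely on that: `if(len < 0 || len > CURL_MAX_INPUT_LENGTH)`. An out-of-range length is also reported as `CURLE_OUT_OF_MEMORY` through the `!len` path, which hides a malformed-peer condition behind a resource error; a comment there such as `/* len was forced to 0 above: peer sent an out-of-range length */` would make the intent clear. Only parts of read_data are visible between the embedded hunks, so the buffer and parameter types are inferred from the context lines.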
diff --git a/curl.spec b/curl.spec
index 22ac531..5cf5dea 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz
@@ -50,6 +50,9 @@ Patch14: 0014-curl-7.76.1-CVE-2022-27782.patch
 # make upstream tests work with openssh-8.7p1
 Patch15: 0015-curl-7.76.1-tests-openssh.patch
+# fix FTP-KRB bad message verification (CVE-2022-32208)
+Patch16: 0016-curl-7.76.1-CVE-2022-32208.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -240,6 +243,7 @@ be installed.
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
 # Fedora patches
 %patch101 -p1
@@ -460,6 +464,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Wed Jun 29 2022 Kamil Dudka - 7.76.1-19
+- fix FTP-KRB bad message verification (CVE-2022-32208)
+
 * Wed May 11 2022 Kamil Dudka - 7.76.1-18
 - fix too eager reuse of TLS and SSH connections (CVE-2022-27782)