Resolves: CVE-2022-32208 - fix FTP-KRB bad message verification

2022-06-29 10:56:13 +02:00 · 2022-06-29 10:56:13 +02:00 · 0d71fe9a40
commit 0d71fe9a40
parent d613827bea
2 changed files with 78 additions and 1 deletions
--- a/0016-curl-7.76.1-CVE-2022-32208.patch
+++ b/0016-curl-7.76.1-CVE-2022-32208.patch
@ -0,0 +1,70 @@
+From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+
+Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/krb5.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index 787137c..6f9e1f7 100644
+--- a/lib/krb5.c
+++ b/lib/krb5.c
+@@ -146,11 +146,8 @@ krb5_decode(void *app_data, void *buf, int len,
+   enc.value = buf;
+   enc.length = len;
+   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+-  if(maj != GSS_S_COMPLETE) {
+-    if(len >= 4)
+-      strcpy(buf, "599 ");
+  if(maj != GSS_S_COMPLETE)
+     return -1;
+-  }
+ 
+   memcpy(buf, dec.value, dec.length);
+   len = curlx_uztosi(dec.length);
+@@ -523,6 +520,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+   int len;
+   CURLcode result;
+  int nread;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+   if(result)
+@@ -531,7 +529,10 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    buf->data = Curl_saferealloc(buf->data, len);
+    if(len > CURL_MAX_INPUT_LENGTH)
+      len = 0;
+    else
+      buf->data = Curl_saferealloc(buf->data, len);
+   }
+   if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
+@@ -539,8 +540,11 @@ static CURLcode read_data(struct connectdata *conn,
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;
+-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+-                                 conn->data_prot, conn);
+  nread = conn->mech->decode(conn->app_data, buf->data, len,
+                             conn->data_prot, conn);
+  if(nread < 0)
+    return CURLE_RECV_ERROR;
+  buf->size = (size_t)nread;
+   buf->index = 0;
+   return CURLE_OK;
+ }
+-- 
+2.35.3
+
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz

@ -50,6 +50,9 @@ Patch14:  0014-curl-7.76.1-CVE-2022-27782.patch
 # make upstream tests work with openssh-8.7p1
 Patch15:  0015-curl-7.76.1-tests-openssh.patch

+# fix FTP-KRB bad message verification (CVE-2022-32208)
+Patch16:  0016-curl-7.76.1-CVE-2022-32208.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -240,6 +243,7 @@ be installed.
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1

 # Fedora patches
 %patch101 -p1
@ -460,6 +464,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-19
+- fix FTP-KRB bad message verification (CVE-2022-32208)
+
 * Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-18
 - fix too eager reuse of TLS and SSH connections (CVE-2022-27782)