import curl-7.61.1-26.el8

2022-10-15 04:13:04 +00:00 · 2022-10-15 04:13:04 +00:00 · 22005eca62
parent 63bcbe3529
commit 22005eca62
2 changed files with 179 additions and 1 deletions
--- a/SOURCES/0043-curl-7.61.1-CVE-2022-35252.patch
+++ b/SOURCES/0043-curl-7.61.1-CVE-2022-35252.patch
@ -0,0 +1,171 @@
+From 005d3f387bc5c3b2ee94d0597b5e202644c825f5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 31 Oct 2018 11:08:49 +0100
+Subject: [PATCH 1/3] runtests: use the local curl for verifying
+
+... revert the mistaken change brought in commit 8440616f53.
+
+Reported-by: Alessandro Ghedini
+Bug: https://curl.haxx.se/mail/lib-2018-10/0118.html
+
+Closes #3198
+
+Upstream-commit: 8effa8c2b09906a2f00a3f08322dc5da35245b0a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/runtests.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 8d8ed81..d62fa40 100755
+--- a/tests/runtests.pl
+++ b/tests/runtests.pl
+@@ -152,7 +152,7 @@ my $NEGTELNETPORT;       # TELNET server port with negotiation
+ 
+ my $srcdir = $ENV{'srcdir'} || '.';
+ my $CURL="../src/curl".exe_ext(); # what curl executable to run on the tests
+-my $VCURL="curl";   # what curl binary to use to verify the servers with
+my $VCURL=$CURL;   # what curl binary to use to verify the servers with
+                    # VCURL is handy to set to the system one when the one you
+                    # just built hangs or crashes and thus prevent verification
+ my $DBGCURL=$CURL; #"../src/.libs/curl";  # alternative for debugging
+-- 
+2.37.3
+
+
+From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH 2/3] cookie: reject cookies with "control bytes"
+
+Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+Reported-by: Axel Chong
+
+Bug: https://curl.se/docs/CVE-2022-35252.html
+
+CVE-2022-35252
+
+Closes #9381
+
+Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/cookie.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index cb0c03b..e0470a1 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -371,6 +371,30 @@ static void strstore(char **str, const char *newstr)
+   *str = strdup(newstr);
+ }
+ 
+/*
+  RFC 6265 section 4.1.1 says a server should accept this range:
+
+  cookie-octet    = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
+
+  But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
+  fine. The prime reason for filtering out control bytes is that some HTTP
+  servers return 400 for requests that contain such.
+*/
+static int invalid_octets(const char *p)
+{
+  /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
+  static const char badoctets[] = {
+    "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
+    "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+    "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
+  };
+  size_t vlen, len;
+  /* scan for all the octets that are *not* in cookie-octet */
+  len = strcspn(p, badoctets);
+  vlen = strlen(p);
+  return (len != vlen);
+}
+
+ /*
+  * remove_expired() removes expired cookies.
+  */
+@@ -541,6 +565,11 @@ Curl_cookie_add(struct Curl_easy *data,
+             badcookie = TRUE;
+             break;
+           }
+          if(invalid_octets(whatptr) || invalid_octets(name)) {
+            infof(data, "invalid octets in name/value, cookie dropped");
+            badcookie = TRUE;
+            break;
+          }
+         }
+         else if(!len) {
+           /* this was a "<name>=" with no content, and we must allow
+-- 
+2.37.1
+
+
+From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH 3/3] test8: verify that "ctrl-byte cookies" are ignored
+
+Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/test8 | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/tests/data/test8 b/tests/data/test8
+index a8548e6..8587611 100644
+--- a/tests/data/test8
+++ b/tests/data/test8
+@@ -46,6 +46,36 @@ Set-Cookie: trailingspace    = removed; path=/we/want;
+ Set-Cookie: nocookie=yes; path=/WE;
+ Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
+ Set-Cookie: partialip=nono; domain=.0.0.1;
+Set-Cookie: cookie1=-junk
+Set-Cookie: cookie2=-junk
+Set-Cookie: cookie3=-junk
+Set-Cookie: cookie4=-junk
+Set-Cookie: cookie5=-junk
+Set-Cookie: cookie6=-junk
+Set-Cookie: cookie7=-junk
+Set-Cookie: cookie8=-junk
+Set-Cookie: cookie9=junk-	-
+Set-Cookie: cookie11=-junk
+Set-Cookie: cookie12=-junk
+Set-Cookie: cookie14=-junk
+Set-Cookie: cookie15=-junk
+Set-Cookie: cookie16=-junk
+Set-Cookie: cookie17=-junk
+Set-Cookie: cookie18=-junk
+Set-Cookie: cookie19=-junk
+Set-Cookie: cookie20=-junk
+Set-Cookie: cookie21=-junk
+Set-Cookie: cookie22=-junk
+Set-Cookie: cookie23=-junk
+Set-Cookie: cookie24=-junk
+Set-Cookie: cookie25=-junk
+Set-Cookie: cookie26=-junk
+Set-Cookie: cookie27=-junk
+Set-Cookie: cookie28=-junk
+Set-Cookie: cookie29=-junk
+Set-Cookie: cookie30=-junk
+Set-Cookie: cookie31=-junk
+Set-Cookie: cookie31=-junk
+ 
+ </file>
+ <precheck>
+@@ -62,7 +92,7 @@ perl -e 'if ("%HOSTIP" !~ /\.0\.0\.1$/) {print "Test only works for HOSTIPs endi
+ GET /we/want/8 HTTP/1.1
+ Host: %HOSTIP:%HTTPPORT
+ Accept: */*
+-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
+Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk-	-
+ 
+ </protocol>
+ </verify>
+-- 
+2.37.1
+
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 25%{?dist}
+Release: 26%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz

@ -121,6 +121,9 @@ Patch41:  0041-curl-7.61.1-CVE-2022-32206.patch
 # setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703)
 Patch42:  0042-curl-7.61.1-ssh-known-hosts.patch

+# control code in cookie denial of service (CVE-2022-35252)
+Patch43:  0043-curl-7.61.1-CVE-2022-35252.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -336,6 +339,7 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
 %patch40 -p1
 %patch41 -p1
 %patch42 -p1
+%patch43 -p1

 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@ -498,6 +502,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Fri Sep 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-26
+- control code in cookie denial of service (CVE-2022-35252)
+
 * Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-25
 - setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703)
 - fix HTTP compression denial of service (CVE-2022-32206)