new upstream release - 7.62.0

Resolves: CVE-2018-16839 - SASL password overflow via integer overflow
Resolves: CVE-2018-16840 - use-after-free in handle close
Resolves: CVE-2018-16842 - warning message out-of-buffer read
Kamil Dudka 2018-10-31 10:49:24 +01:00
parent 9be316eea1
commit 34a4d8f848
10 changed files with 27 additions and 253 deletions

@ -1,63 +0,0 @@
From 3cd5b375e31fb98e4782dc3a77e7316ad9eb26cf Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 4 Oct 2018 15:34:13 +0200
Subject: [PATCH] test320: strip out more HTML when comparing
To make the test case work with different gnutls-serv versions better.
Reported-by: Kamil Dudka
Fixes #3093
Closes #3094
Upstream-commit: 94ad57b0246b5658c2a9139dbe6a80efa4c4e2f3
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
tests/data/test320 | 24 ++++--------------------
1 file changed, 4 insertions(+), 20 deletions(-)
diff --git a/tests/data/test320 b/tests/data/test320
index 457a11eb2..87311d4f2 100644
--- a/tests/data/test320
+++ b/tests/data/test320
@@ -62,34 +62,18 @@ simple TLS-SRP HTTPS GET, check user in response
HTTP/1.0 200 OK
Content-type: text/html
-
-<HTML><BODY>
-<CENTER><H1>This is <a href="http://www.gnu.org/software/gnutls">GnuTLS</a></H1></CENTER>
-
-
-
-<h5>If your browser supports session resuming, then you should see the same session ID, when you press the <b>reload</b> button.</h5>
-<p>Connected as user 'jsmith'.</p>
-<P>
-<TABLE border=1><TR><TD></TD></TR>
-<TR><TD>Key Exchange:</TD><TD>SRP</TD></TR>
-<TR><TD>Compression</TD><TD>NULL</TD></TR>
-<TR><TD>Cipher</TD><TD>AES-NNN-CBC</TD></TR>
-<TR><TD>MAC</TD><TD>SHA1</TD></TR>
-<TR><TD>Ciphersuite</TD><TD>SRP_SHA_AES_NNN_CBC_SHA1</TD></TR></p></TABLE>
-<hr><P>Your HTTP header was:<PRE>Host: %HOSTIP:%HTTPTLSPORT
+FINE
User-Agent: curl-test-suite
Accept: */*
-</PRE></P>
-</BODY></HTML>
-
</file>
<stripfile>
-s/^<p>Session ID:.*//
+s/^<p>Connected as user 'jsmith'.*/FINE/
s/Protocol version:.*[0-9]//
s/GNUTLS/GnuTLS/
s/(AES[-_])\d\d\d([-_]CBC)/$1NNN$2/
+s/^<.*\n//
+s/^\n//
</stripfile>
</verify>
--
2.17.1

@ -1,28 +0,0 @@
From c574e05b0035f0d78e6bf6040d3f80430112ab4f Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 7 Sep 2018 16:50:45 +0200
Subject: [PATCH] docs/cmdline-opts: update the documentation of --tlsv1.0
... to reflect the changes in 6015cefb1b2cfde4b4850121c42405275e5e77d9
Closes #2955
Upstream-commit: 9ba22ce6b52751ed1e2abdd177b0a1d241819b4e
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/cmdline-opts/tlsv1.0.d | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/cmdline-opts/tlsv1.0.d b/docs/cmdline-opts/tlsv1.0.d
index 8789025e0..54e259682 100644
--- a/docs/cmdline-opts/tlsv1.0.d
+++ b/docs/cmdline-opts/tlsv1.0.d
@@ -3,4 +3,4 @@ Help: Use TLSv1.0
Protocols: TLS
Added: 7.34.0
---
-Forces curl to use TLS version 1.0 when connecting to a remote TLS server.
+Forces curl to use TLS version 1.0 or later when connecting to a remote TLS server.
--
2.17.1

@ -1,46 +0,0 @@
From bb8ad3da3fb4ab3f6556daa1f67b259c12a3c7de Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Fri, 21 Sep 2018 10:37:43 +0200
Subject: [PATCH] OpenSSL: enable TLS 1.3 post-handshake auth
OpenSSL 1.1.1 requires clients to opt-in for post-handshake
authentication.
Fixes: https://github.com/curl/curl/issues/3026
Signed-off-by: Christian Heimes <christian@python.org>
Closes https://github.com/curl/curl/pull/3027
Upstream-commit: b939bc47b27cd57c6ebb852ad653933e4124b452
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/vtls/openssl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index a487f55..78970d1 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -178,6 +178,7 @@ static unsigned long OpenSSL_version_num(void)
!defined(LIBRESSL_VERSION_NUMBER) && \
!defined(OPENSSL_IS_BORINGSSL))
#define HAVE_SSL_CTX_SET_CIPHERSUITES
+#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
#endif
#if defined(LIBRESSL_VERSION_NUMBER)
@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
}
#endif
+#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
+ /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
+ SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);
+#endif
+
#ifdef USE_TLS_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP) {
char * const ssl_username = SSL_SET_OPTION(username);
--
2.17.1
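
Review bot: Dropping this backport is only safe if the 7.62.0 tarball already contains the change named in its `Upstream-commit: b939bc47b27cd57c6ebb852ad653933e4124b452` trailer, so confirm that `SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1)` is present in `lib/vtls/openssl.c` of the new source. The patch's own message says OpenSSL 1.1.1 clients must opt in to post-handshake authentication, and the call sits behind an `#ifdef`, so losing it would regress TLS 1.3 client authentication without any build failure. A changelog line stating that Patch1 to Patch3 were dropped because they are included upstream would record that this was checked.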

@ -22,7 +22,7 @@ index 150004d..95d0759 100644
;;
--prefix)
@@ -143,32 +143,17 @@ while test $# -gt 0; do
@@ -155,32 +155,17 @@ while test $# -gt 0; do
;;
--libs)

@ -12,7 +12,7 @@ diff --git a/configure b/configure
index 8f079a3..53b4774 100755
--- a/configure
+++ b/configure
@@ -16414,18 +16414,11 @@ $as_echo "yes" >&6; }
@@ -16421,18 +16421,11 @@ $as_echo "yes" >&6; }
gccvhi=`echo $gccver | cut -d . -f1`
gccvlo=`echo $gccver | cut -d . -f2`
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`

@ -1,88 +1,23 @@
From bdba7b54224814055185513de1e7ff6619031553 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 15 Mar 2018 13:21:40 +0100
Subject: [PATCH 1/2] tests/http_pipe.py: migrate to Python 3
---
tests/http_pipe.py | 4 ++--
tests/runtests.pl | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/http_pipe.py b/tests/http_pipe.py
index bc32173..75ac165 100755
--- a/tests/http_pipe.py
+++ b/tests/http_pipe.py
@@ -383,13 +383,13 @@ class PipelineRequestHandler(socketserver.BaseRequestHandler):
self.request.setblocking(True)
if not new_data:
return
- new_requests = self._request_parser.ParseAdditionalData(new_data)
+ new_requests = self._request_parser.ParseAdditionalData(new_data.decode('utf8'))
self._response_builder.QueueRequests(
new_requests, self._request_parser.were_all_requests_http_1_1)
self._num_queued += len(new_requests)
self._last_queued_time = time.time()
elif fileno in wlist:
- num_bytes_sent = self.request.send(self._send_buffer[0:4096])
+ num_bytes_sent = self.request.send(self._send_buffer[0:4096].encode('utf8'))
self._send_buffer = self._send_buffer[num_bytes_sent:]
time.sleep(0.05)
diff --git a/tests/runtests.pl b/tests/runtests.pl
index d6aa5ca..4d395ef 100755
--- a/tests/runtests.pl
+++ b/tests/runtests.pl
@@ -1439,7 +1439,7 @@ sub runhttpserver {
elsif($alt eq "pipe") {
# basically the same, but another ID
$idnum = 3;
- $exe = "python $srcdir/http_pipe.py";
+ $exe = "python3 $srcdir/http_pipe.py";
$verbose_flag .= "1 ";
}
elsif($alt eq "unix") {
--
2.14.3
From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 15 Mar 2018 14:49:56 +0100
Subject: [PATCH 2/2] tests/{negtelnet,smb}server.py: migrate to Python 3
Subject: [PATCH] tests/{negtelnet,smb}server.py: migrate to Python 3
Unfortunately, smbserver.py does not work with Python 3 because
there is no 'impacket' module available for Python 3:
https://github.com/CoreSecurity/impacket/issues/61
---
tests/negtelnetserver.py | 12 ++++++------
tests/smbserver.py | 4 ++--
2 files changed, 8 insertions(+), 8 deletions(-)
tests/negtelnetserver.py | 4 ++--
tests/smbserver.py | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py
index 8cfd409..72ee771 100755
--- a/tests/negtelnetserver.py
+++ b/tests/negtelnetserver.py
@@ -23,7 +23,7 @@ IDENT = "NTEL"
# The strings that indicate the test framework is checking our aliveness
VERIFIED_REQ = b"verifiedserver"
-VERIFIED_RSP = b"WE ROOLZ: {pid}"
+VERIFIED_RSP = "WE ROOLZ: {pid}"
def telnetserver(options):
@@ -34,7 +34,7 @@ def telnetserver(options):
if options.pidfile:
pid = os.getpid()
with open(options.pidfile, "w") as f:
- f.write(b"{0}".format(pid))
+ f.write("{0}".format(pid))
local_bind = (HOST, options.port)
log.info("Listening on %s", local_bind)
@@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler):
response_data = VERIFIED_RSP.format(pid=os.getpid())
response_data = response.encode('ascii')
else:
log.debug("Received normal request - echoing back")
- response_data = data.strip()
@ -95,24 +30,6 @@ index 8cfd409..72ee771 100755
except IOError:
log.exception("IOError hit during request")
@@ -132,7 +132,7 @@ class Negotiator(object):
return buffer
def byte_to_int(self, byte):
- return struct.unpack(b'B', byte)[0]
+ return int(byte)
def no_neg(self, byte, byte_int, buffer):
# Not negotiating anything thus far. Check to see if we
@@ -197,7 +197,7 @@ class Negotiator(object):
self.tcp.sendall(packed_message)
def pack(self, arr):
- return struct.pack(b'{0}B'.format(len(arr)), *arr)
+ return struct.pack('{0}B'.format(len(arr)), *arr)
def send_iac(self, arr):
message = [NegTokens.IAC]
diff --git a/tests/smbserver.py b/tests/smbserver.py
index 195ae39..b09cd44 100755
--- a/tests/smbserver.py
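
Review bot: The retained commit message says smbserver.py does not work with Python 3 because no 'impacket' module is available, yet the rebased diffstat still lists `tests/smbserver.py | 4 ++--`, so the patch keeps modifying a script it declares unusable. Either drop the smbserver.py part or state in the message (and next to the patch in the spec) that the SMB tests are skipped, so a test server that never starts is not mistaken for test coverage.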

@ -1,11 +0,0 @@

curl-7.62.0.tar.xz.asc Normal file
@ -0,0 +1,11 @@

@ -1,19 +1,10 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.61.1
Release: 3%{?dist}
Version: 7.62.0
Release: 1%{?dist}
License: MIT
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
# test320: update expected output for gnutls-3.6.4
Patch1: 0001-curl-7.61.1-test320-gnutls.patch
# update the documentation of --tlsv1.0 in curl(1) man page
Patch2: 0002-curl-7.61.1-tlsv1.0-man.patch
# enable TLS 1.3 post-handshake auth in OpenSSL
Patch3: 0003-curl-7.61.1-TLS-1.3-PHA.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
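
Review bot: `Source:` still lists only the tarball, while this same commit replaces the detached signature with curl-7.62.0.tar.xz.asc; unless it happens outside the visible hunks, nothing here ties that signature to the build. Suggest listing the .asc (and the upstream signing key) as additional sources and verifying the tarball in %prep before `%setup -q`, so the SHA512 entry in `sources` is not the only integrity check on a release that is being pulled in for three CVE fixes.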
@ -172,9 +163,6 @@ be installed.
%setup -q
# upstream patches
%patch1 -p1
%patch2 -p1
%patch3 -p1
# Fedora patches
%patch101 -p1
@ -341,6 +329,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
* Wed Oct 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.62.0-1
- new upstream release, which fixes the following vulnerabilities
CVE-2018-16839 - SASL password overflow via integer overflow
CVE-2018-16840 - use-after-free in handle close
CVE-2018-16842 - warning message out-of-buffer read
* Thu Oct 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-3
- enable TLS 1.3 post-handshake auth in OpenSSL
- update the documentation of --tlsv1.0 in curl(1) man page

@ -1 +1 @@
SHA512 (curl-7.61.1.tar.xz) = e6f82a7292c70841162480c8880d25046bcfa64058f4ff76f7d398c85da569af1c244442c9c58a3478d59264365ff8e39eed2fb564cb137118588f7862e64e9a
SHA512 (curl-7.62.0.tar.xz) = 3aace2fc85e1d5ac06a3208980f887b5f1de5e2a1460e130b15cff3f7e5700b958cbb8f296483290961ef41f550245590067f86558dbba25e3d3ac10cec1adcd