rpms/curl
8
0
Fork 1
Code Issues Pull Requests Releases Activity

Resolves: CVE-2022-27774 - fix leak of SRP credentials in redirects

Browse Source
This commit is contained in:
Kamil Dudka 2022-05-02 10:00:34 +02:00
parent 858e381746
commit 36d4ce9e14
2 changed files with 95 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
0013-curl-7.76.1-CVE-2022-27774.patch
View File

@ -1,7 +1,7 @@
From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001 From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se> From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Apr 2022 16:24:33 +0200 Date: Mon, 25 Apr 2022 16:24:33 +0200
Subject: [PATCH 1/3] connect: store "conn_remote_port" in the info struct Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct
To make it available after the connection ended. To make it available after the connection ended.
@ -48,7 +48,7 @@ index f92052a..5218f76 100644
From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001 From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se> From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Apr 2022 16:24:33 +0200 Date: Mon, 25 Apr 2022 16:24:33 +0200
Subject: [PATCH 2/3] transfer: redirects to other protocols or ports clear Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear
auth auth
... unless explicitly permitted. ... unless explicitly permitted.
@ -133,7 +133,7 @@ index 1f8019b..752fe14 100644
From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001 From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se> From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Apr 2022 16:24:33 +0200 Date: Mon, 25 Apr 2022 16:24:33 +0200
Subject: [PATCH 3/3] tests: verify the fix for CVE-2022-27774 Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774
- Test 973 redirects from HTTP to FTP, clear auth - Test 973 redirects from HTTP to FTP, clear auth
- Test 974 redirects from HTTP to HTTP different port, clear auth - Test 974 redirects from HTTP to HTTP different port, clear auth
@ -545,3 +545,91 @@ index 0000000..c4dd61e
-- --
2.34.1 2.34.1
From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Apr 2022 17:59:15 +0200
Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects
either
Follow-up to 620ea21410030
Reported-by: Harry Sintonen
Closes #8751
Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/http.c | 10 +++++-----
lib/http.h | 6 ++++++
lib/vtls/openssl.c | 3 ++-
3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/lib/http.c b/lib/http.c
index 0791dcf..4433824 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
}
/*
- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
- * data" can (still) be sent to this host.
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
*/
-static bool allow_auth_to_host(struct Curl_easy *data)
+bool Curl_allow_auth_to_host(struct Curl_easy *data)
{
struct connectdata *conn = data->conn;
return (!data->state.this_is_a_follow ||
@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
/* To prevent the user+password to get sent to other than the original host
due to a location-follow */
- if(allow_auth_to_host(data)
+ if(Curl_allow_auth_to_host(data)
|| conn->bits.netrc)
result = output_auth_headers(data, conn, authhost, request, path, FALSE);
else
@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
checkprefix("Cookie:", compare)) &&
/* be careful of sending this potentially sensitive header to
other hosts */
- !allow_auth_to_host(data))
+ !Curl_allow_auth_to_host(data))
;
else {
#ifdef USE_HYPER
diff --git a/lib/http.h b/lib/http.h
index 07e963d..9000bae 100644
--- a/lib/http.h
+++ b/lib/http.h
@@ -317,4 +317,10 @@ Curl_http_output_auth(struct Curl_easy *data,
bool proxytunnel); /* TRUE if this is the request setting
up the proxy tunnel */
+/*
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
+ */
+bool Curl_allow_auth_to_host(struct Curl_easy *data);
+
#endif /* HEADER_CURL_HTTP_H */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 1bafe96..97c5666 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2857,7 +2857,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
#endif
#ifdef USE_OPENSSL_SRP
- if(ssl_authtype == CURL_TLSAUTH_SRP) {
+ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
+ Curl_allow_auth_to_host(data)) {
char * const ssl_username = SSL_SET_OPTION(username);
infof(data, "Using TLS-SRP username: %s\n", ssl_username);
--
2.34.1

5
curl.spec
View File

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 7.76.1 Version: 7.76.1
Release: 16%{?dist} Release: 17%{?dist}
License: MIT License: MIT
Source: https://curl.se/download/%{name}-%{version}.tar.xz Source: https://curl.se/download/%{name}-%{version}.tar.xz
@ -452,6 +452,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog %changelog
* Mon May 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-17
- fix leak of SRP credentials in redirects (CVE-2022-27774)
* Fri Apr 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-16 * Fri Apr 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-16
- add missing tests to Makefile - add missing tests to Makefile