Resolves: CVE-2022-27774 - fix leak of SRP credentials in redirects

2022-05-02 10:00:34 +02:00 · 2022-05-02 10:00:34 +02:00 · 36d4ce9e14
commit 36d4ce9e14
parent 858e381746
2 changed files with 95 additions and 4 deletions
--- a/0013-curl-7.76.1-CVE-2022-27774.patch
+++ b/0013-curl-7.76.1-CVE-2022-27774.patch
@ -1,7 +1,7 @@
 From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Mon, 25 Apr 2022 16:24:33 +0200
-Subject: [PATCH 1/3] connect: store "conn_remote_port" in the info struct
+Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct

 To make it available after the connection ended.

@ -48,7 +48,7 @@ index f92052a..5218f76 100644
 From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Mon, 25 Apr 2022 16:24:33 +0200
-Subject: [PATCH 2/3] transfer: redirects to other protocols or ports clear
+Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear
 auth

 ... unless explicitly permitted.
@ -133,7 +133,7 @@ index 1f8019b..752fe14 100644
 From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Mon, 25 Apr 2022 16:24:33 +0200
-Subject: [PATCH 3/3] tests: verify the fix for CVE-2022-27774
+Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774

 - Test 973 redirects from HTTP to FTP, clear auth
 - Test 974 redirects from HTTP to HTTP different port, clear auth
@ -545,3 +545,91 @@ index 0000000..c4dd61e
 -- 
 2.34.1

+
+From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 17:59:15 +0200
+Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects
+ either
+
+Follow-up to 620ea21410030
+
+Reported-by: Harry Sintonen
+Closes #8751
+
+Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http.c         | 10 +++++-----
+ lib/http.h         |  6 ++++++
+ lib/vtls/openssl.c |  3 ++-
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 0791dcf..4433824 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
+ }
+ 
+ /*
+- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
+- * data" can (still) be sent to this host.
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
+  */
+-static bool allow_auth_to_host(struct Curl_easy *data)
+bool Curl_allow_auth_to_host(struct Curl_easy *data)
+ {
+   struct connectdata *conn = data->conn;
+   return (!data->state.this_is_a_follow ||
+@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
+ 
+   /* To prevent the user+password to get sent to other than the original host
+      due to a location-follow */
+-  if(allow_auth_to_host(data)
+  if(Curl_allow_auth_to_host(data)
+      || conn->bits.netrc)
+     result = output_auth_headers(data, conn, authhost, request, path, FALSE);
+   else
+@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+                    checkprefix("Cookie:", compare)) &&
+                   /* be careful of sending this potentially sensitive header to
+                      other hosts */
+-                  !allow_auth_to_host(data))
+                  !Curl_allow_auth_to_host(data))
+             ;
+           else {
+ #ifdef USE_HYPER
+diff --git a/lib/http.h b/lib/http.h
+index 07e963d..9000bae 100644
+--- a/lib/http.h
+++ b/lib/http.h
+@@ -317,4 +317,10 @@ Curl_http_output_auth(struct Curl_easy *data,
+                       bool proxytunnel); /* TRUE if this is the request setting
+                                             up the proxy tunnel */
+ 
+/*
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
+ */
+bool Curl_allow_auth_to_host(struct Curl_easy *data);
+
+ #endif /* HEADER_CURL_HTTP_H */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1bafe96..97c5666 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -2857,7 +2857,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #endif
+ 
+ #ifdef USE_OPENSSL_SRP
+-  if(ssl_authtype == CURL_TLSAUTH_SRP) {
+  if((ssl_authtype == CURL_TLSAUTH_SRP) &&
+     Curl_allow_auth_to_host(data)) {
+     char * const ssl_username = SSL_SET_OPTION(username);
+ 
+     infof(data, "Using TLS-SRP username: %s\n", ssl_username);
+-- 
+2.34.1
+
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz

@ -452,6 +452,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Mon May 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-17
+- fix leak of SRP credentials in redirects (CVE-2022-27774)
+
 * Fri Apr 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-16
 - add missing tests to Makefile