Resolves: CVE-2023-27535 - fix FTP too eager connection reuse
parent
24e3e7fe0e
commit
39cf42ac8f
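--- /dev/null
+++ b/0048-curl-7.61.1-CVE-2023-27535.patch
@@ -0,0 +1,231 @@
+From e8705acd69383c13191c9dd4867d5118e58c54ba Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 00:49:10 +0200
+Subject: [PATCH 1/2] strcase: add Curl_timestrcmp
+
+This is a strcmp() alternative function for comparing "secrets",
+designed to take the same time no matter the content to not leak
+match/non-match info to observers based on how fast it is.
+
+The time this function takes is only a function of the shortest input
+string.
+
+Reported-by: Trail of Bits
+
+Closes #9658
+
+Upstream-commit: ed5095ed94281989e103c72e032200b83be37878
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/strcase.c | 22 ++++++++++++++++++++++
+lib/strcase.h | 1 +
+2 files changed, 23 insertions(+)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index f932485..c73907d 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -175,6 +175,28 @@ bool Curl_safecmp(char *a, char *b)
+return !a && !b;
+}
+
++/*
++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
++ * function spends is a function of the shortest string, not of the contents.
++ */
++int Curl_timestrcmp(const char *a, const char *b)
++{
++ int match = 0;
++ int i = 0;
++
++ if(a && b) {
++ while(1) {
++ match |= a[i]^b[i];
++ if(!a[i] || !b[i])
++ break;
++ i++;
++ }
++ }
++ else
++ return a || b;
++ return match;
++}
++
+/* --- public functions --- */
+
+int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index d245929..11a67a1 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -48,5 +48,6 @@ char Curl_raw_toupper(char in);
+void Curl_strntoupper(char *dest, const char *src, size_t n);
+
+bool Curl_safecmp(char *a, char *b);
++int Curl_timestrcmp(const char *first, const char *second);
+
+#endif /* HEADER_CURL_STRCASE_H */
+--
+2.39.2
+
+
+From 9cfaea212ff347937a38f6b5d6b885ed8ba1b931 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Mar 2023 17:47:06 +0100
+Subject: [PATCH 2/2] ftp: add more conditions for connection reuse
+
+Reported-by: Harry Sintonen
+Closes #10730
+
+Upstream-commit: 8f4608468b890dce2dad9f91d5607ee7e9c1aba1
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/ftp.c | 28 ++++++++++++++++++++++++++--
+lib/ftp.h | 5 +++++
+lib/setopt.c | 2 +-
+lib/url.c | 13 ++++++++++++-
+lib/urldata.h | 4 ++--
+5 files changed, 46 insertions(+), 6 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 9442832..df15bc0 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -4080,6 +4080,8 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
+}
+
+freedirs(ftpc);
++ Curl_safefree(ftpc->account);
++ Curl_safefree(ftpc->alternative_to_user);
+free(ftpc->prevpath);
+ftpc->prevpath = NULL;
+free(ftpc->server_os);
+@@ -4391,11 +4393,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+struct Curl_easy *data = conn->data;
+char *type;
+struct FTP *ftp;
++ struct ftp_conn *ftpc = &conn->proto.ftpc;
+
+- conn->data->req.protop = ftp = malloc(sizeof(struct FTP));
++ ftp = calloc(sizeof(struct FTP), 1);
+if(NULL == ftp)
+return CURLE_OUT_OF_MEMORY;
+
++ /* clone connection related data that is FTP specific */
++ if(data->set.str[STRING_FTP_ACCOUNT]) {
++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
++ if(!ftpc->account) {
++ free(ftp);
++ return CURLE_OUT_OF_MEMORY;
++ }
++ }
++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
++ ftpc->alternative_to_user =
++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
++ if(!ftpc->alternative_to_user) {
++ Curl_safefree(ftpc->account);
++ free(ftp);
++ return CURLE_OUT_OF_MEMORY;
++ }
++ }
++ data->req.protop = ftp;
++
+data->state.path++; /* don't include the initial slash */
+data->state.slash_removed = TRUE; /* we've skipped the slash */
+
+@@ -4445,7 +4467,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+if(isBadFtpString(ftp->passwd))
+return CURLE_URL_MALFORMAT;
+
+- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
++ ftpc->known_filesize = -1; /* unknown size for now */
++ ftpc->use_ssl = data->set.use_ssl;
++ ftpc->ccc = data->set.ftp_ccc;
+
+return CURLE_OK;
+}
+diff --git a/lib/ftp.h b/lib/ftp.h
+index 7f6f432..3f33e27 100644
+--- a/lib/ftp.h
++++ b/lib/ftp.h
+@@ -117,6 +117,8 @@ struct FTP {
+struct */
+struct ftp_conn {
+struct pingpong pp;
++ char *account;
++ char *alternative_to_user;
+char *entrypath; /* the PWD reply when we logged on */
+char **dirs; /* realloc()ed array for path components */
+int dirdepth; /* number of entries used in the 'dirs' array */
+@@ -144,6 +146,9 @@ struct ftp_conn {
+ftpstate state; /* always use ftp.c:state() to change state! */
+ftpstate state_saved; /* transfer type saved to be reloaded after
+data connection is established */
++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
++ IMAP or POP3 or others! (type: curl_usessl)*/
++ unsigned char ccc; /* ccc level for this connection */
+curl_off_t retr_size_saved; /* Size of retrieved file saved */
+char *server_os; /* The target server operating system. */
+curl_off_t known_filesize; /* file size is different from -1, if wildcard
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 3339a67..6fc111d 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2039,7 +2039,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+arg = va_arg(param, long);
+if((arg < CURLUSESSL_NONE) || (arg > CURLUSESSL_ALL))
+return CURLE_BAD_FUNCTION_ARGUMENT;
+- data->set.use_ssl = (curl_usessl)arg;
++ data->set.use_ssl = (unsigned char)arg;
+break;
+
+case CURLOPT_SSL_OPTIONS:
+diff --git a/lib/url.c b/lib/url.c
+index 61ba832..4e21838 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1309,7 +1309,18 @@ ConnectionExists(struct Curl_easy *data,
+if(!ssh_config_matches(needle, check))
+continue;
+}
+-
++#ifndef CURL_DISABLE_FTP
++ if(needle->handler->protocol & (CURLPROTO_FTP|CURLPROTO_FTPS)) {
++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
++ if(Curl_timestrcmp(needle->proto.ftpc.account,
++ check->proto.ftpc.account) ||
++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user,
++ check->proto.ftpc.alternative_to_user) ||
++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) ||
++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc))
++ continue;
++ }
++#endif
+if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) ||
+needle->bits.tunnel_proxy) {
+/* The requested connection does not use a HTTP proxy or it uses SSL or
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 9d9ca92..4e2f5b9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1498,6 +1498,8 @@ struct UserDefined {
+curl_write_callback fwrite_header; /* function that stores headers */
+curl_write_callback fwrite_rtp; /* function that stores interleaved RTP */
+curl_read_callback fread_func_set; /* function that reads the input */
++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
++ IMAP or POP3 or others! (type: curl_usessl)*/
+int is_fread_set; /* boolean, has read callback been set to non-NULL? */
+int is_fwrite_set; /* boolean, has write callback been set to non-NULL? */
+curl_progress_callback fprogress; /* OLD and deprecated progress callback */
+@@ -1622,8 +1624,6 @@ struct UserDefined {
+bool ftp_use_eprt; /* if EPRT is to be attempted or not */
+bool ftp_use_pret; /* if PRET is to be used before PASV or not */
+
+- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
+- IMAP or POP3 or others! */
+curl_ftpauth ftpsslauth; /* what AUTH XXX to be attempted */
+curl_ftpccc ftp_ccc; /* FTP CCC options */
+bool no_signal; /* do not use any signal/alarm handler */
+--
+2.39.2
+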
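Review bot: In the lib/url.c hunk of PATCH 2/2, the new FTP block in ConnectionExists() is gated only on `needle->handler->protocol`, yet it dereferences `check->proto.ftpc.account` and `check->proto.ftpc.alternative_to_user` from the candidate connection. Nothing visible in the hunk establishes that `check` is itself an FTP/FTPS connection at that point, and the enclosing loop body starts and ends outside the hunk; if `proto` is a per-protocol union, as the `proto.ftpc` naming suggests, a non-FTP candidate would hand Curl_timestrcmp() bytes that are not these string pointers. Unless an earlier test already guarantees matching handlers, I would skip such candidates first with `if(!(check->handler->protocol & (CURLPROTO_FTP|CURLPROTO_FTPS))) continue;` inside the block. If that guarantee does exist in this 7.61.1 tree, a one-line comment naming the earlier check would make the backport easier to audit.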
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.61.1
|
||||
Release: 30%{?dist}
|
||||
Release: 31%{?dist}
|
||||
License: MIT
|
||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||
|
||||
@ -136,6 +136,9 @@ Patch46: 0046-curl-7.61.1-h2-window-size.patch
|
||||
# fix HTTP multi-header compression denial of service (CVE-2023-23916)
|
||||
Patch47: 0047-curl-7.61.1-CVE-2023-23916.patch
|
||||
|
||||
# fix FTP too eager connection reuse (CVE-2023-27535)
|
||||
Patch48: 0048-curl-7.61.1-CVE-2023-27535.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -356,6 +359,7 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
|
||||
%patch45 -p1
|
||||
%patch46 -p1
|
||||
%patch47 -p1
|
||||
%patch48 -p1
|
||||
|
||||
# make tests/*.py use Python 3
|
||||
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
|
||||
@ -518,6 +522,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-31
|
||||
- fix FTP too eager connection reuse (CVE-2023-27535)
|
||||
|
||||
* Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-30
|
||||
- fix HTTP multi-header compression denial of service (CVE-2023-23916)
|
||||
|
||||
|