From 4a9d75cd2141a9eb81b52aaefea319d82680da25 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:25:23 +0100 Subject: [PATCH] Resolves: CVE-2023-27536 - fix GSS delegation too eager connection re-use --- 0049-curl-7.61.1-CVE-2023-27536.patch | 55 +++++++++++++++++++++++++++ curl.spec | 5 +++ 2 files changed, 60 insertions(+) create mode 100644 0049-curl-7.61.1-CVE-2023-27536.patch diff --git a/0049-curl-7.61.1-CVE-2023-27536.patch b/0049-curl-7.61.1-CVE-2023-27536.patch new file mode 100644 index 0000000..1b266d3 --- /dev/null +++ b/0049-curl-7.61.1-CVE-2023-27536.patch @@ -0,0 +1,55 @@ +From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 09:22:43 +0100 +Subject: [PATCH] url: only reuse connections with same GSS delegation + +Reported-by: Harry Sintonen +Closes #10731 + +Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 6 ++++++ + lib/urldata.h | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/lib/url.c b/lib/url.c +index 3b11b7e..cbbc7f3 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1305,6 +1305,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ /* GSS delegation differences do not actually affect every connection ++ and auth method, but this check takes precaution before efficiency */ ++ if(needle->gssapi_delegation != check->gssapi_delegation) ++ continue; ++ + if(needle->handler->protocol & (CURLPROTO_SCP|CURLPROTO_SFTP)) { + if(!ssh_config_matches(needle, check)) + continue; +@@ -1949,6 +1954,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + it may live on without (this specific) Curl_easy */ + conn->fclosesocket = data->set.fclosesocket; + conn->closesocket_client = data->set.closesocket_client; ++ conn->gssapi_delegation = data->set.gssapi_delegation; + + return conn; + error: +diff --git a/lib/urldata.h b/lib/urldata.h +index ce90304..9e16f26 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -856,6 +856,8 @@ struct connectdata { + int httpversion; /* the HTTP version*10 reported by the server */ + int rtspversion; /* the RTSP version*10 reported by the server */ + ++ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */ ++ + struct curltime now; /* "current" time */ + struct curltime created; /* creation time */ + curl_socket_t sock[2]; /* two sockets, the second is used for the data +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index a316e78..99a6903 100644 --- a/curl.spec +++ b/curl.spec @@ -139,6 +139,9 @@ Patch47: 0047-curl-7.61.1-CVE-2023-23916.patch # fix FTP too eager connection reuse (CVE-2023-27535) Patch48: 0048-curl-7.61.1-CVE-2023-27535.patch +# fix GSS delegation too eager connection re-use (CVE-2023-27536) +Patch49: 0049-curl-7.61.1-CVE-2023-27536.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -360,6 +363,7 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6} %patch46 -p1 %patch47 -p1 %patch48 -p1 +%patch49 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -523,6 +527,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.61.1-31 +- fix GSS delegation too eager connection re-use (CVE-2023-27536) - fix FTP too eager connection reuse (CVE-2023-27535) * Wed Feb 15 2023 Kamil Dudka - 7.61.1-30