new upstream release - 7.87.0
Resolves: CVE-2022-43552 - HTTP Proxy deny use-after-free Resolves: CVE-2022-43551 - Another HSTS bypass via IDN
This commit is contained in:
parent
aa9b0f2a8f
commit
60cc0c5574
@ -1,297 +0,0 @@
|
||||
From b0ff1fd270924c5eaec09687e3d279130123671a Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 27 Oct 2022 13:54:27 +0200
|
||||
Subject: [PATCH 1/3] noproxy: also match with adjacent comma
|
||||
|
||||
If the host name is an IP address and the noproxy string contained that
|
||||
IP address with a following comma, it would erroneously not match.
|
||||
|
||||
Extended test 1614 to verify this combo as well.
|
||||
|
||||
Reported-by: Henning Schild
|
||||
|
||||
Fixes #9813
|
||||
Closes #9814
|
||||
|
||||
Upstream-commit: efc286b7a62af0568fdcbf3c68791c9955182128
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/noproxy.c | 20 ++++++++++++--------
|
||||
tests/data/test1614 | 2 +-
|
||||
tests/unit/unit1614.c | 14 ++++++++++++++
|
||||
3 files changed, 27 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/lib/noproxy.c b/lib/noproxy.c
|
||||
index 81f1e09..d08a16b 100644
|
||||
--- a/lib/noproxy.c
|
||||
+++ b/lib/noproxy.c
|
||||
@@ -188,18 +188,22 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy)
|
||||
/* FALLTHROUGH */
|
||||
case TYPE_IPV6: {
|
||||
const char *check = token;
|
||||
- char *slash = strchr(check, '/');
|
||||
+ char *slash;
|
||||
unsigned int bits = 0;
|
||||
char checkip[128];
|
||||
+ if(tokenlen >= sizeof(checkip))
|
||||
+ /* this cannot match */
|
||||
+ break;
|
||||
+ /* copy the check name to a temp buffer */
|
||||
+ memcpy(checkip, check, tokenlen);
|
||||
+ checkip[tokenlen] = 0;
|
||||
+ check = checkip;
|
||||
+
|
||||
+ slash = strchr(check, '/');
|
||||
/* if the slash is part of this token, use it */
|
||||
- if(slash && (slash < &check[tokenlen])) {
|
||||
+ if(slash) {
|
||||
bits = atoi(slash + 1);
|
||||
- /* copy the check name to a temp buffer */
|
||||
- if(tokenlen >= sizeof(checkip))
|
||||
- break;
|
||||
- memcpy(checkip, check, tokenlen);
|
||||
- checkip[ slash - check ] = 0;
|
||||
- check = checkip;
|
||||
+ *slash = 0; /* null terminate there */
|
||||
}
|
||||
if(type == TYPE_IPV6)
|
||||
match = Curl_cidr6_match(name, check, bits);
|
||||
diff --git a/tests/data/test1614 b/tests/data/test1614
|
||||
index 4a9d54e..73bdbb4 100644
|
||||
--- a/tests/data/test1614
|
||||
+++ b/tests/data/test1614
|
||||
@@ -16,7 +16,7 @@ unittest
|
||||
proxy
|
||||
</features>
|
||||
<name>
|
||||
-cidr comparisons
|
||||
+noproxy and cidr comparisons
|
||||
</name>
|
||||
</client>
|
||||
<errorcode>
|
||||
diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c
|
||||
index 6028545..c2f563a 100644
|
||||
--- a/tests/unit/unit1614.c
|
||||
+++ b/tests/unit/unit1614.c
|
||||
@@ -77,6 +77,20 @@ UNITTEST_START
|
||||
{ NULL, NULL, 0, FALSE} /* end marker */
|
||||
};
|
||||
struct noproxy list[]= {
|
||||
+ { "127.0.0.1", "127.0.0.1,localhost", TRUE},
|
||||
+ { "127.0.0.1", "127.0.0.1,localhost,", TRUE},
|
||||
+ { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE},
|
||||
+ { "127.0.0.1", "127.0.0.1/28,localhost,", TRUE},
|
||||
+ { "127.0.0.1", "127.0.0.1/31,localhost,", TRUE},
|
||||
+ { "127.0.0.1", "localhost,127.0.0.1", TRUE},
|
||||
+ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1."
|
||||
+ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127."
|
||||
+ "0.0.1.127.0.0.1.127.0.0." /* 128 bytes "address" */, FALSE},
|
||||
+ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1."
|
||||
+ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127."
|
||||
+ "0.0.1.127.0.0.1.127.0.0" /* 127 bytes "address" */, FALSE},
|
||||
+ { "localhost", "localhost,127.0.0.1", TRUE},
|
||||
+ { "localhost", "127.0.0.1,localhost", TRUE},
|
||||
{ "foobar", "barfoo", FALSE},
|
||||
{ "foobar", "foobar", TRUE},
|
||||
{ "192.168.0.1", "foobar", FALSE},
|
||||
--
|
||||
2.37.3
|
||||
|
||||
|
||||
From d539fd9f11e2a244dbab6b9171f5a9e5c86cc417 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Fri, 28 Oct 2022 10:51:49 +0200
|
||||
Subject: [PATCH 2/3] noproxy: fix tail-matching
|
||||
|
||||
Also ignore trailing dots in both host name and comparison pattern.
|
||||
|
||||
Regression in 7.86.0 (from 1e9a538e05c0)
|
||||
|
||||
Extended test 1614 to verify better.
|
||||
|
||||
Reported-by: Henning Schild
|
||||
Fixes #9821
|
||||
Closes #9822
|
||||
|
||||
Upstream-commit: b830f9ba9e94acf672cd191993ff679fa888838b
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/noproxy.c | 30 +++++++++++++++++++++++-------
|
||||
tests/unit/unit1614.c | 9 +++++++++
|
||||
2 files changed, 32 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/lib/noproxy.c b/lib/noproxy.c
|
||||
index d08a16b..01f8f47 100644
|
||||
--- a/lib/noproxy.c
|
||||
+++ b/lib/noproxy.c
|
||||
@@ -149,9 +149,14 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy)
|
||||
}
|
||||
else {
|
||||
unsigned int address;
|
||||
+ namelen = strlen(name);
|
||||
if(1 == Curl_inet_pton(AF_INET, name, &address))
|
||||
type = TYPE_IPV4;
|
||||
- namelen = strlen(name);
|
||||
+ else {
|
||||
+ /* ignore trailing dots in the host name */
|
||||
+ if(name[namelen - 1] == '.')
|
||||
+ namelen--;
|
||||
+ }
|
||||
}
|
||||
|
||||
while(*p) {
|
||||
@@ -173,12 +178,23 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy)
|
||||
if(tokenlen) {
|
||||
switch(type) {
|
||||
case TYPE_HOST:
|
||||
- if(*token == '.') {
|
||||
- ++token;
|
||||
- --tokenlen;
|
||||
- /* tailmatch */
|
||||
- match = (tokenlen <= namelen) &&
|
||||
- strncasecompare(token, name + (namelen - tokenlen), namelen);
|
||||
+ /* ignore trailing dots in the token to check */
|
||||
+ if(token[tokenlen - 1] == '.')
|
||||
+ tokenlen--;
|
||||
+
|
||||
+ if(tokenlen && (*token == '.')) {
|
||||
+ /* A: example.com matches '.example.com'
|
||||
+ B: www.example.com matches '.example.com'
|
||||
+ C: nonexample.com DOES NOT match '.example.com'
|
||||
+ */
|
||||
+ if((tokenlen - 1) == namelen)
|
||||
+ /* case A, exact match without leading dot */
|
||||
+ match = strncasecompare(token + 1, name, namelen);
|
||||
+ else if(tokenlen < namelen)
|
||||
+ /* case B, tailmatch with leading dot */
|
||||
+ match = strncasecompare(token, name + (namelen - tokenlen),
|
||||
+ tokenlen);
|
||||
+ /* case C passes through, not a match */
|
||||
}
|
||||
else
|
||||
match = (tokenlen == namelen) &&
|
||||
diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c
|
||||
index c2f563a..8f62b70 100644
|
||||
--- a/tests/unit/unit1614.c
|
||||
+++ b/tests/unit/unit1614.c
|
||||
@@ -77,6 +77,15 @@ UNITTEST_START
|
||||
{ NULL, NULL, 0, FALSE} /* end marker */
|
||||
};
|
||||
struct noproxy list[]= {
|
||||
+ { "www.example.com", "localhost,.example.com,.example.de", TRUE},
|
||||
+ { "www.example.com.", "localhost,.example.com,.example.de", TRUE},
|
||||
+ { "example.com", "localhost,.example.com,.example.de", TRUE},
|
||||
+ { "example.com.", "localhost,.example.com,.example.de", TRUE},
|
||||
+ { "www.example.com", "localhost,.example.com.,.example.de", TRUE},
|
||||
+ { "www.example.com", "localhost,www.example.com.,.example.de", TRUE},
|
||||
+ { "example.com", "localhost,example.com,.example.de", TRUE},
|
||||
+ { "example.com.", "localhost,example.com,.example.de", TRUE},
|
||||
+ { "www.example.com", "localhost,example.com,.example.de", FALSE},
|
||||
{ "127.0.0.1", "127.0.0.1,localhost", TRUE},
|
||||
{ "127.0.0.1", "127.0.0.1,localhost,", TRUE},
|
||||
{ "127.0.0.1", "127.0.0.1/8,localhost,", TRUE},
|
||||
--
|
||||
2.37.3
|
||||
|
||||
|
||||
From 560b593cb9ba261169df5ea18ac8d0c188e239cd Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Sun, 6 Nov 2022 23:19:51 +0100
|
||||
Subject: [PATCH 3/3] noproxy: tailmatch like in 7.85.0 and earlier
|
||||
|
||||
A regfression in 7.86.0 (via 1e9a538e05c010) made the tailmatch work
|
||||
differently than before. This restores the logic to how it used to work:
|
||||
|
||||
All names listed in NO_PROXY are tailmatched against the used domain
|
||||
name, if the lengths are identical it needs a full match.
|
||||
|
||||
Update the docs, update test 1614.
|
||||
|
||||
Reported-by: Stuart Henderson
|
||||
Fixes #9842
|
||||
Closes #9858
|
||||
|
||||
Upstream-commit: b1953c1933b369b1217ef0f16053e26da63488c3
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
docs/libcurl/opts/CURLOPT_NOPROXY.3 | 4 ----
|
||||
lib/noproxy.c | 32 +++++++++++++++--------------
|
||||
tests/unit/unit1614.c | 3 ++-
|
||||
3 files changed, 19 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/docs/libcurl/opts/CURLOPT_NOPROXY.3 b/docs/libcurl/opts/CURLOPT_NOPROXY.3
|
||||
index 149eaac..98c7920 100644
|
||||
--- a/docs/libcurl/opts/CURLOPT_NOPROXY.3
|
||||
+++ b/docs/libcurl/opts/CURLOPT_NOPROXY.3
|
||||
@@ -41,10 +41,6 @@ list is matched as either a domain which contains the hostname, or the
|
||||
hostname itself. For example, "ample.com" would match ample.com, ample.com:80,
|
||||
and www.ample.com, but not www.example.com or ample.com.org.
|
||||
|
||||
-If the name in the \fInoproxy\fP list has a leading period, it is a domain
|
||||
-match against the provided host name. This way ".example.com" will switch off
|
||||
-proxy use for both "www.example.com" as well as for "foo.example.com".
|
||||
-
|
||||
Setting the \fInoproxy\fP string to "" (an empty string) will explicitly
|
||||
enable the proxy for all host names, even if there is an environment variable
|
||||
set for it.
|
||||
diff --git a/lib/noproxy.c b/lib/noproxy.c
|
||||
index 01f8f47..31d1ca7 100644
|
||||
--- a/lib/noproxy.c
|
||||
+++ b/lib/noproxy.c
|
||||
@@ -183,22 +183,24 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy)
|
||||
tokenlen--;
|
||||
|
||||
if(tokenlen && (*token == '.')) {
|
||||
- /* A: example.com matches '.example.com'
|
||||
- B: www.example.com matches '.example.com'
|
||||
- C: nonexample.com DOES NOT match '.example.com'
|
||||
- */
|
||||
- if((tokenlen - 1) == namelen)
|
||||
- /* case A, exact match without leading dot */
|
||||
- match = strncasecompare(token + 1, name, namelen);
|
||||
- else if(tokenlen < namelen)
|
||||
- /* case B, tailmatch with leading dot */
|
||||
- match = strncasecompare(token, name + (namelen - tokenlen),
|
||||
- tokenlen);
|
||||
- /* case C passes through, not a match */
|
||||
+ /* ignore leading token dot as well */
|
||||
+ token++;
|
||||
+ tokenlen--;
|
||||
}
|
||||
- else
|
||||
- match = (tokenlen == namelen) &&
|
||||
- strncasecompare(token, name, namelen);
|
||||
+ /* A: example.com matches 'example.com'
|
||||
+ B: www.example.com matches 'example.com'
|
||||
+ C: nonexample.com DOES NOT match 'example.com'
|
||||
+ */
|
||||
+ if(tokenlen == namelen)
|
||||
+ /* case A, exact match */
|
||||
+ match = strncasecompare(token, name, namelen);
|
||||
+ else if(tokenlen < namelen) {
|
||||
+ /* case B, tailmatch domain */
|
||||
+ match = (name[namelen - tokenlen - 1] == '.') &&
|
||||
+ strncasecompare(token, name + (namelen - tokenlen),
|
||||
+ tokenlen);
|
||||
+ }
|
||||
+ /* case C passes through, not a match */
|
||||
break;
|
||||
case TYPE_IPV4:
|
||||
/* FALLTHROUGH */
|
||||
diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c
|
||||
index 8f62b70..523d102 100644
|
||||
--- a/tests/unit/unit1614.c
|
||||
+++ b/tests/unit/unit1614.c
|
||||
@@ -85,7 +85,8 @@ UNITTEST_START
|
||||
{ "www.example.com", "localhost,www.example.com.,.example.de", TRUE},
|
||||
{ "example.com", "localhost,example.com,.example.de", TRUE},
|
||||
{ "example.com.", "localhost,example.com,.example.de", TRUE},
|
||||
- { "www.example.com", "localhost,example.com,.example.de", FALSE},
|
||||
+ { "nexample.com", "localhost,example.com,.example.de", FALSE},
|
||||
+ { "www.example.com", "localhost,example.com,.example.de", TRUE},
|
||||
{ "127.0.0.1", "127.0.0.1,localhost", TRUE},
|
||||
{ "127.0.0.1", "127.0.0.1,localhost,", TRUE},
|
||||
{ "127.0.0.1", "127.0.0.1/8,localhost,", TRUE},
|
||||
--
|
||||
2.37.3
|
||||
|
@ -55,7 +55,7 @@ diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c
|
||||
index 43fe335..70cd7a4 100644
|
||||
--- a/tests/libtest/lib3026.c
|
||||
+++ b/tests/libtest/lib3026.c
|
||||
@@ -139,8 +139,8 @@ int test(char *URL)
|
||||
@@ -147,8 +147,8 @@ int test(char *URL)
|
||||
results[i] = CURL_LAST; /* initialize with invalid value */
|
||||
res = pthread_create(&tids[i], NULL, run_thread, &results[i]);
|
||||
if(res) {
|
||||
|
13
curl.spec
13
curl.spec
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.86.0
|
||||
Release: 4%{?dist}
|
||||
Version: 7.87.0
|
||||
Release: 1%{?dist}
|
||||
License: MIT
|
||||
Source0: https://curl.se/download/%{name}-%{version}.tar.xz
|
||||
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
||||
@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
||||
# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
|
||||
Source2: mykey.asc
|
||||
|
||||
# fix regression in noproxy matching
|
||||
Patch1: 0001-curl-7.86.0-noproxy.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -197,7 +194,6 @@ be installed.
|
||||
%setup -q
|
||||
|
||||
# upstream patches
|
||||
%patch1 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
@ -431,6 +427,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Wed Dec 21 2022 Kamil Dudka <kdudka@redhat.com> - 7.87.0-1
|
||||
- new upstream release, which fixes the following vulnerabilities
|
||||
CVE-2022-43552 - HTTP Proxy deny use-after-free
|
||||
CVE-2022-43551 - Another HSTS bypass via IDN
|
||||
|
||||
* Tue Nov 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.86.0-4
|
||||
- noproxy: tailmatch like in 7.85.0 and earlier (#2149224)
|
||||
|
||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (curl-7.86.0.tar.xz) = 18e03a3c00f22125e07bddb18becbf5acdca22baeb7b29f45ef189a5c56f95b2d51247813f7a9a90f04eb051739e9aa7d3a1c5be397bae75d763a2b918d1b656
|
||||
SHA512 (curl-7.86.0.tar.xz.asc) = 9e97d5f44b3c856f401fe30ba713e1ca1f74edfc693dc42f1ce8e43f9f6dd4bf6998c579bc9c5d0f749f475a7d67d232e92ab6f89b95141acdb53e149f2312f0
|
||||
SHA512 (curl-7.87.0.tar.xz) = aa125991592667280dce3788aabe81487cf8c55b0afc59d675cc30b76055bb7114f5380b4a0e3b6461a8f81bf9812fa26d493a85f7e01d84263d484a0d699ee7
|
||||
SHA512 (curl-7.87.0.tar.xz.asc) = 0bcc12bafc4ae50d80128af2cf4bf1a1ec6018ebb8d5b9c49f52b51c0c25acc77e820858965656549ef43c1f923f4e5fe75b0a3523623154b4cfb9dc8a1d76e4
|
||||
|
Loading…
Reference in New Issue
Block a user