diff --git a/SOURCES/0040-curl-7.61.1-CVE-2022-32208.patch b/SOURCES/0040-curl-7.61.1-CVE-2022-32208.patch
new file mode 100644
index 0000000..be34732
--- /dev/null
+++ b/SOURCES/0040-curl-7.61.1-CVE-2022-32208.patch
@@ -0,0 +1,86 @@ +From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Jun 2022 09:27:24 +0200 +Subject: [PATCH] krb5: return error properly on decode errors + +Bug: https://curl.se/docs/CVE-2022-32208.html +CVE-2022-32208 +Reported-by: Harry Sintonen +Closes #9051 + +Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09 +Signed-off-by: Kamil Dudka +--- + lib/krb5.c | 5 +---- + lib/security.c | 19 +++++++++++++++---- + 2 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/lib/krb5.c b/lib/krb5.c +index 787137c..6f9e1f7 100644 +--- a/lib/krb5.c ++++ b/lib/krb5.c +@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len, + enc.value = buf; + enc.length = len; + maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); +- if(maj != GSS_S_COMPLETE) { +- if(len >= 4) +- strcpy(buf, "599 "); ++ if(maj != GSS_S_COMPLETE) + return -1; +- } + + memcpy(buf, dec.value, dec.length); + len = curlx_uztosi(dec.length); +diff --git a/lib/security.c b/lib/security.c +index 52cce97..c95f290 100644 +--- a/lib/security.c ++++ b/lib/security.c +@@ -64,6 +64,10 @@ + /* The last #include file should be: */ + #include "memdebug.h" + ++/* Max string input length is a precaution against abuse and to detect junk ++ input easier and better. 
*/ ++#define CURL_MAX_INPUT_LENGTH 8000000 ++ + static const struct { + enum protection_level level; + const char *name; +@@ -192,6 +196,7 @@ static CURLcode read_data(struct connectdata *conn, + { + int len; + CURLcode result; ++ int nread; + + result = socket_read(fd, &len, sizeof(len)); + if(result) +@@ -200,7 +205,10 @@ static CURLcode read_data(struct connectdata *conn, + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); +- buf->data = Curl_saferealloc(buf->data, len); ++ if(len > CURL_MAX_INPUT_LENGTH) ++ len = 0; ++ else ++ buf->data = Curl_saferealloc(buf->data, len); + } + if(!len || !buf->data) + return CURLE_OUT_OF_MEMORY; +@@ -208,8 +216,11 @@ static CURLcode read_data(struct connectdata *conn, + result = socket_read(fd, buf->data, len); + if(result) + return result; +- buf->size = conn->mech->decode(conn->app_data, buf->data, len, +- conn->data_prot, conn); ++ nread = conn->mech->decode(conn->app_data, buf->data, len, ++ conn->data_prot, conn); ++ if(nread < 0) ++ return CURLE_RECV_ERROR; ++ buf->size = (size_t)nread; + buf->index = 0; + return CURLE_OK; + } +-- +2.35.3 + diff --git a/SOURCES/0041-curl-7.61.1-CVE-2022-32206.patch b/SOURCES/0041-curl-7.61.1-CVE-2022-32206.patch new file mode 100644 index 0000000..636a7f5 --- /dev/null +++ b/SOURCES/0041-curl-7.61.1-CVE-2022-32206.patch 
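Review bot: The new `len > CURL_MAX_INPUT_LENGTH` test in read_data does not catch a peer-supplied length with the top bit set: `len` is declared `int`, `ntohl()` turns such a value negative, it compares below the cap and is non-zero, so it still reaches `Curl_saferealloc(buf->data, len)` converted to a huge size, and the rejection then rests on the allocator failing rather than on the check. Making the guard `if(len < 0 || len > CURL_MAX_INPUT_LENGTH)` keeps the protection independent of allocator behaviour. A length rejected by this path is also surfaced as CURLE_OUT_OF_MEMORY, which hides a malformed or hostile message behind an allocation error; a comment on the `len = 0;` line such as `/* oversized length from the peer: treat as junk, not as an allocation */` would at least record the intent, and CURLE_RECV_ERROR as used for the decode failure below would be the more honest result. read_data is spread over three sub-hunks of the embedded patch and part of its body is outside the view.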
@@ -0,0 +1,144 @@ +From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 16 May 2022 16:28:13 +0200 +Subject: [PATCH 1/2] content_encoding: return error on too many compression + steps + +The max allowed steps is arbitrarily set to 5. + +Bug: https://curl.se/docs/CVE-2022-32206.html +CVE-2022-32206 +Reported-by: Harry Sintonen +Closes #9049 + +Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2 +Signed-off-by: Kamil Dudka +--- + lib/content_encoding.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index c03637a..6f994b3 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -934,6 +934,9 @@ static const content_encoding *find_encoding(const char *name, size_t len) + return NULL; + } + ++/* allow no more than 5 "chained" compression steps */ ++#define MAX_ENCODE_STACK 5 ++ + /* Set-up the unencoding stack from the Content-Encoding header value. + * See RFC 7231 section 3.1.2.2. */ + CURLcode Curl_build_unencoding_stack(struct connectdata *conn, +@@ -941,6 +944,7 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn, + { + struct Curl_easy *data = conn->data; + struct SingleRequest *k = &data->req; ++ int counter = 0; + + do { + const char *name; +@@ -975,6 +979,11 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + ++ if(++counter >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to %u content encodings", ++ counter); ++ return CURLE_BAD_CONTENT_ENCODING; ++ } + /* Stack the unencoding stage. 
*/ + writer = new_unencoding_writer(conn, encoding, k->writer_stack); + if(!writer) +-- +2.35.3 + + +From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 16 May 2022 16:29:07 +0200 +Subject: [PATCH 2/2] test387: verify rejection of compression chain attack + +Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 1 + + tests/data/test387 | 53 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 54 insertions(+) + create mode 100644 tests/data/test387 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 98d5516..9b5f4fb 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -61,6 +61,7 @@ test325 test326 test330 \ + test340 \ + \ + test350 test351 test352 test353 test354 \ ++test387 \ + test393 test394 test395 \ + \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ +diff --git a/tests/data/test387 b/tests/data/test387 +new file mode 100644 +index 0000000..015ec25 +--- /dev/null ++++ b/tests/data/test387 +@@ -0,0 +1,53 @@ ++ ++ ++ ++HTTP ++gzip ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Response with overly long compression chain ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT 
++User-Agent: curl/7.61.1 ++Accept: */* ++ ++ ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++ ++61 ++ ++ ++curl: (61) Reject response due to 5 content encodings ++ ++ ++ +-- +2.35.3 + diff --git a/SOURCES/0042-curl-7.61.1-ssh-known-hosts.patch b/SOURCES/0042-curl-7.61.1-ssh-known-hosts.patch new file mode 100644 index 0000000..02ad592 --- /dev/null +++ b/SOURCES/0042-curl-7.61.1-ssh-known-hosts.patch @@ -0,0 +1,43 @@ +From 9ea407a0476d22cde575826c18b5aa56b57ac9b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Felix=20H=C3=A4dicke?= +Date: Wed, 23 Jan 2019 23:10:39 +0100 +Subject: [PATCH] setopt: enable CURLOPT_SSH_KNOWNHOSTS and + CURLOPT_SSH_KEYFUNCTION for libssh + +CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for +libssh as well. So accepting these options only when compiling with +libssh2 is wrong here. + +Fixes #3493 +Closes #3494 + +Upstream-commit: 3cbf731d9ec7146f9f1a6ac0fbd9af7fe358f5bb +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index b07ccfe..88a05ff 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2208,7 +2208,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + result = Curl_setstropt(&data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5], + va_arg(param, char *)); + break; +-#ifdef HAVE_LIBSSH2_KNOWNHOST_API ++ + case CURLOPT_SSH_KNOWNHOSTS: + /* + * Store the file name to read known hosts from. +@@ -2229,7 +2229,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + */ + data->set.ssh_keyfunc_userp = va_arg(param, void *); + break; +-#endif /* HAVE_LIBSSH2_KNOWNHOST_API */ + #endif /* USE_LIBSSH2 */ + + case CURLOPT_HTTP_TRANSFER_DECODING: +-- +2.34.1 + diff --git a/SPECS/curl.spec b/SPECS/curl.spec index 5c43cf7..29634bd 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec 
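Review bot: The guard `if(++counter >= MAX_ENCODE_STACK)` in Curl_build_unencoding_stack rejects the fifth encoding, so at most four chained steps are accepted, while the comment above the macro says `allow no more than 5 "chained" compression steps` and the commit message calls 5 the maximum. test387 pins the rejection message at `5 content encodings`, so the check is the intended behaviour and the comment should follow it: `/* reject a chain of MAX_ENCODE_STACK or more compression steps */`. The `failf` call also prints the `int` counter with `%u`; `%d` matches the declared type. Curl_build_unencoding_stack continues past the end of the hunk.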
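Review bot: Removing the `HAVE_LIBSSH2_KNOWNHOST_API` guard makes CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION return CURLE_OK and store the path on every build that reaches these `case` labels, which presumably includes a libssh2 without the knownhost API, where nothing would consume the stored file and a caller would believe host-key verification is active while it is not. The enclosing `#if` is outside the hunk and only its closing `#endif /* USE_LIBSSH2 */` is visible, so it should be confirmed that it admits only backends that actually enforce the known_hosts file; if it does not, a guard that returns `CURLE_NOT_BUILT_IN` is safer than silently accepting the option. Since the commit says these options are supported for libssh too, the `#endif` comment should also name that backend, e.g. `#endif /* USE_LIBSSH2 || USE_LIBSSH */`, if that is what the opening `#if` tests. Curl_vsetopt starts and ends outside the hunk.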
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 22%{?dist}.3
+Release: 25%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
@@ -112,6 +112,15 @@ Patch38: 0038-curl-7.61.1-CVE-2022-27774.patch
 
 # fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
 Patch39: 0039-curl-7.61.1-CVE-2022-27782.patch
 
+# fix FTP-KRB bad message verification (CVE-2022-32208)
+Patch40: 0040-curl-7.61.1-CVE-2022-32208.patch
+
+# fix HTTP compression denial of service (CVE-2022-32206)
+Patch41: 0041-curl-7.61.1-CVE-2022-32206.patch
+
+# setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703)
+Patch42: 0042-curl-7.61.1-ssh-known-hosts.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -324,6 +333,9 @@ sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448
 sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
 
 %patch39 -p1
+%patch40 -p1
+%patch41 -p1
+%patch42 -p1
 
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -486,13 +498,16 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
-* Wed May 11 2022 Kamil Dudka - 7.61.1-22.el8_6.3
-- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
+* Wed Jun 29 2022 Kamil Dudka - 7.61.1-25
+- setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703)
+- fix HTTP compression denial of service (CVE-2022-32206)
+- fix FTP-KRB bad message verification (CVE-2022-32208)
 
-* Tue May 04 2022 Kamil Dudka - 7.61.1-22.el8_6.2
+* Wed May 11 2022 Kamil Dudka - 7.61.1-24
+- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
 - fix invalid type in printf() argument detected by Coverity
 
-* Thu Apr 28 2022 Kamil Dudka - 7.61.1-22.el8_6.1
+* Thu Apr 28 2022 Kamil Dudka - 7.61.1-23
 - fix credential leak on redirect (CVE-2022-27774)
 - fix auth/cookie leak on redirect (CVE-2022-27776)
 - fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)