import CS curl-7.76.1-28.el9

2024-03-28 09:59:30 +00:00 · 2024-03-28 09:59:30 +00:00 · e74b4d7f86
commit e74b4d7f86
parent 5696f59fb1
3 changed files with 320 additions and 1 deletions
--- a/SOURCES/0032-curl-7.76.1-password-when-keyboard-interactive-fails.patch
+++ b/SOURCES/0032-curl-7.76.1-password-when-keyboard-interactive-fails.patch
@ -0,0 +1,169 @@
 From be17dc9d31e805c03372b690dde67838b3bfc12d Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Wed, 24 May 2023 16:34:11 +0200
 Subject: [PATCH] libssh: when keyboard-interactive auth fails, try password
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The state machine had a mistake in that it would not carry on to that
 next step.
 This also adds a verbose output what methods that are available from the
 server and renames the macros that change to the next auth methods to
 try.
 Reported-by: 左潇峰
 Fixes #11196
 Closes #11197
 ---
 lib/vssh/libssh.c | 43 +++++++++++++++++++++++++++----------------
 1 file changed, 27 insertions(+), 16 deletions(-)
 diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
 index 7ebe61321419f..1cecb649cb623 100644
 --- a/lib/vssh/libssh.c
 +++ b/lib/vssh/libssh.c
@@ -565,7 +565,7 @@ static int myssh_is_known(struct Curl_easy *data)
   break; \
 }
 -#define MOVE_TO_LAST_AUTH \
 +#define MOVE_TO_PASSWD_AUTH \
   if(sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD) { \
     rc = SSH_OK; \
     state(data, SSH_AUTH_PASS_INIT); \
@@ -575,25 +575,25 @@ static int myssh_is_known(struct Curl_easy *data)
     MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED); \
   }
 -#define MOVE_TO_TERTIARY_AUTH \
 +#define MOVE_TO_KEY_AUTH \
   if(sshc->auth_methods & SSH_AUTH_METHOD_INTERACTIVE) { \
     rc = SSH_OK; \
     state(data, SSH_AUTH_KEY_INIT); \
     break; \
   } \
   else { \
 -    MOVE_TO_LAST_AUTH; \
 +    MOVE_TO_PASSWD_AUTH; \
   }
 -#define MOVE_TO_SECONDARY_AUTH \
 +#define MOVE_TO_GSSAPI_AUTH \
   if(sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC) { \
     rc = SSH_OK; \
     state(data, SSH_AUTH_GSSAPI); \
     break; \
   } \
   else { \
 -    MOVE_TO_TERTIARY_AUTH; \
 +    MOVE_TO_KEY_AUTH; \
   }
 static
 int myssh_auth_interactive(struct connectdata *conn)
@@ -740,6 +740,16 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
         }
         sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL);
 +        if(sshc->auth_methods)
 +          infof(data, "SSH authentication methods available: %s%s%s%s",
 +                sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY ?
 +                "public key, ": "",
 +                sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC ?
 +                "GSSAPI, " : "",
 +                sshc->auth_methods & SSH_AUTH_METHOD_INTERACTIVE ?
 +                "keyboard-interactive, " : "",
 +                sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ?
 +                "password": "");
         if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
           state(data, SSH_AUTH_PKEY_INIT);
           infof(data, "Authentication using SSH public key file\n");
@@ -761,8 +761,8 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
       }
     case SSH_AUTH_PKEY_INIT:
       if(!(data->set.ssh_auth_types & CURLSSH_AUTH_PUBLICKEY)) {
 -        MOVE_TO_SECONDARY_AUTH;
 +        MOVE_TO_GSSAPI_AUTH;
       }
       /* Two choices, (1) private key was given on CMD,
        * (2) use the "default" keys. */
@@ -776,7 +776,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
           }
           if(rc != SSH_OK) {
 -            MOVE_TO_SECONDARY_AUTH;
 +            MOVE_TO_GSSAPI_AUTH;
           }
         }
@@ -826,7 +836,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
           break;
         }
 -        MOVE_TO_SECONDARY_AUTH;
 +        MOVE_TO_GSSAPI_AUTH;
       }
       break;
     case SSH_AUTH_PKEY:
@@ -828,13 +828,13 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
       }
       else {
         infof(data, "Failed public key authentication (rc: %d)\n", rc);
 -        MOVE_TO_SECONDARY_AUTH;
 +        MOVE_TO_GSSAPI_AUTH;
       }
       break;
     case SSH_AUTH_GSSAPI:
       if(!(data->set.ssh_auth_types & CURLSSH_AUTH_GSSAPI)) {
 -        MOVE_TO_TERTIARY_AUTH;
 +        MOVE_TO_KEY_AUTH;
       }
       rc = ssh_userauth_gssapi(sshc->ssh_session);
@@ -851,7 +851,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
         break;
       }
 -      MOVE_TO_TERTIARY_AUTH;
 +      MOVE_TO_KEY_AUTH;
       break;
     case SSH_AUTH_KEY_INIT:
@@ -859,13 +859,12 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
         state(data, SSH_AUTH_KEY);
       }
       else {
 -        MOVE_TO_LAST_AUTH;
 +        MOVE_TO_PASSWD_AUTH;
       }
       break;
     case SSH_AUTH_KEY:
 -
 -      /* Authentication failed. Continue with keyboard-interactive now. */
 +      /* keyboard-interactive authentication */
       rc = myssh_auth_interactive(conn);
       if(rc == SSH_AGAIN) {
         break;
@@ -873,13 +873,15 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
       if(rc == SSH_OK) {
         sshc->authed = TRUE;
         infof(data, "completed keyboard interactive authentication\n");
 +        state(data, SSH_AUTH_DONE);
 +      }
 +      else {
 +        MOVE_TO_PASSWD_AUTH;
       }
 -      state(data, SSH_AUTH_DONE);
       break;
     case SSH_AUTH_PASS_INIT:
       if(!(data->set.ssh_auth_types & CURLSSH_AUTH_PASSWORD)) {
 -        /* Host key authentication is intentionally not implemented */
         MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED);
       }
       state(data, SSH_AUTH_PASS);
--- a/SOURCES/0033-curl-7.76.1-CVE-2023-38545.patch
+++ b/SOURCES/0033-curl-7.76.1-CVE-2023-38545.patch
@ -0,0 +1,136 @@
 From 1d66562c67fc0099d0fd882c693e51dd0b10c45c Mon Sep 17 00:00:00 2001
 From: Jay Satiro <raysatiro@yahoo.com>
 Date: Sat, 30 Sep 2023 03:40:02 -0400
 Subject: [PATCH] socks: return error if hostname too long for remote resolve
 Prior to this change the state machine attempted to change the remote
 resolve to a local resolve if the hostname was longer than 255
 characters. Unfortunately that did not work as intended and caused a
 security issue.
 Name resolvers cannot resolve hostnames longer than 255 characters.
 Bug: https://curl.se/docs/CVE-2023-38545.html
 ---
 lib/socks.c             |  8 +++---
 tests/data/Makefile.inc |  2 +-
 tests/data/test728      | 64 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 5 deletions(-)
 create mode 100644 tests/data/test728
 diff --git a/lib/socks.c b/lib/socks.c
 index c492d663c..a7b5ab07e 100644
 --- a/lib/socks.c
 +++ b/lib/socks.c
@@ -531,13 +531,13 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
       infof(data, "SOCKS5: connecting to HTTP proxy %s port %d\n",
             hostname, remote_port);
     /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
     if(!socks5_resolve_local && hostname_len > 255) {
 -      infof(data, "SOCKS5: server resolving disabled for hostnames of "
 -            "length > 255 [actual len=%zu]\n", hostname_len);
 -      socks5_resolve_local = TRUE;
 +      failf(data, "SOCKS5: the destination hostname is too long to be "
 +            "resolved remotely by the proxy.");
 +      return CURLPX_LONG_HOSTNAME;
     }
     if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
       infof(data,
             "warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu\n",
@@ -855,7 +855,7 @@ CONNECT_RESOLVE_REMOTE:
     if(!socks5_resolve_local) {
       socksreq[len++] = 3; /* ATYP: domain name = 3 */
 -      socksreq[len++] = (char) hostname_len; /* one byte address length */
 +      socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
       memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
       len += hostname_len;
       infof(data, "SOCKS5 connect to %s:%d (remotely resolved)\n",
 diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
 index 081e344d4..62ee53578 100644
 --- a/tests/data/Makefile.inc
 +++ b/tests/data/Makefile.inc
@@ -99,7 +99,7 @@ test672 test673 test674 test675 test676 test677 test678 test679 test680 \
 \
 test700 test701 test702 test703 test704 test705 test706 test707 test708 \
 test709 test710 test711 test712 test713 test714 test715 test716 test717 \
 -test718 \
 +test718 test728 \
 \
 test800 test801 test802 test803 test804 test805 test806 test807 test808 \
 test809 test810 test811 test812 test813 test814 test815 test816 test817 \
 diff --git a/tests/data/test728 b/tests/data/test728
 new file mode 100644
 index 000000000..05bcf2883
 --- /dev/null
 +++ b/tests/data/test728
@@ -0,0 +1,64 @@
 +<testcase>
 +<info>
 +<keywords>
 +HTTP
 +HTTP GET
 +SOCKS5
 +SOCKS5h
 +followlocation
 +</keywords>
 +</info>
 +
 +#
 +# Server-side
 +<reply>
 +# The hostname in this redirect is 256 characters and too long (> 255) for
 +# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
 +<data>
 +HTTP/1.1 301 Moved Permanently
 +Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
 +Content-Length: 0
 +Connection: close
 +
 +</data>
 +</reply>
 +
 +#
 +# Client-side
 +<client>
 +<features>
 +proxy
 +</features>
 +<server>
 +http
 +socks5
 +</server>
 + <name>
 +SOCKS5h with HTTP redirect to hostname too long
 + </name>
 + <command>
 +--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
 +</command>
 +</client>
 +
 +#
 +# Verify data after the test has been "shot"
 +<verify>
 +<protocol crlf="yes">
 +GET /%TESTNUMBER HTTP/1.1
 +Host: %HOSTIP:%HTTPPORT
 +User-Agent: curl/%VERSION
 +Accept: */*
 +
 +</protocol>
 +<errorcode>
 +97
 +</errorcode>
 +# the error message is verified because error code CURLE_PROXY (97) may be
 +# returned for any number of reasons and we need to make sure it is
 +# specifically for the reason below so that we know the check is working.
 +<stderr mode="text">
 +curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
 +</stderr>
 +</verify>
 +</testcase>
 -- 
 2.42.0
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 26%{?dist}
+Release: 28%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz
@ -95,6 +95,12 @@ Patch30:  0030-curl-7.76.1-CVE-2023-28322.patch
 # fix host name wildcard checking
 Patch31:  0031-curl-7.76.1-CVE-2023-28321.patch
 # when keyboard-interactive auth fails, try password
 Patch32:  0032-curl-7.76.1-password-when-keyboard-interactive-fails.patch
 # return error if hostname too long for remote resolve
 Patch33:  0033-curl-7.76.1-CVE-2023-38545.patch
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -300,6 +306,8 @@ be installed.
 %patch29 -p1
 %patch30 -p1
 %patch31 -p1
 %patch32 -p1
 %patch33 -p1
 # Fedora patches
 %patch101 -p1
@ -525,6 +533,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
 * Tue Oct 10 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-28
 - return error if hostname too long for remote resolve (CVE-2023-38545)
 * Tue Sep 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-27
 - when keyboard-interactive auth fails, try password (#2229800)
 * Mon Jun 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-26
 - unify the upload/method handling (CVE-2023-28322)
 - fix host name wildcard checking (CVE-2023-28321)