From ebff9aa2ccb92d31bf9e5d42b672128d6bb579eb Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 28 Apr 2022 09:54:37 +0200 Subject: [PATCH] Resolves: CVE-2022-27775 - fix bad local IPv6 connection reuse --- 0011-curl-7.76.1-CVE-2022-27775.patch | 40 +++++++++++++++++++++++++++ curl.spec | 5 ++++ 2 files changed, 45 insertions(+) create mode 100644 0011-curl-7.76.1-CVE-2022-27775.patch diff --git a/0011-curl-7.76.1-CVE-2022-27775.patch b/0011-curl-7.76.1-CVE-2022-27775.patch new file mode 100644 index 0000000..769a0fd --- /dev/null +++ b/0011-curl-7.76.1-CVE-2022-27775.patch @@ -0,0 +1,40 @@ +From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 11:48:00 +0200 +Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey + +Make connections to two separate IPv6 zone ids create separate +connections. + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27775.html +Closes #8747 + +Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705 +Signed-off-by: Kamil Dudka +--- + lib/conncache.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/conncache.c b/lib/conncache.c +index cd5756a..9b9f683 100644 +--- a/lib/conncache.c ++++ b/lib/conncache.c +@@ -159,8 +159,12 @@ static void hashkey(struct connectdata *conn, char *buf, + /* report back which name we used */ + *hostp = hostname; + +- /* put the number first so that the hostname gets cut off if too long */ +- msnprintf(buf, len, "%ld%s", port, hostname); ++ /* put the numbers first so that the hostname gets cut off if too long */ ++#ifdef ENABLE_IPV6 ++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname); ++#else ++ msnprintf(buf, len, "%ld/%s", port, hostname); ++#endif + } + + /* Returns number of connections currently held in the connection cache. +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index 92fa01d..d1e19cd 100644 --- a/curl.spec +++ b/curl.spec @@ -35,6 +35,9 @@ Patch9: 0009-curl-7.76.1-CVE-2021-22947.patch # fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) Patch10: 0010-curl-7.76.1-CVE-2022-22576.patch +# fix bad local IPv6 connection reuse (CVE-2022-27775) +Patch11: 0011-curl-7.76.1-CVE-2022-27775.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -220,6 +223,7 @@ be installed. %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 # Fedora patches %patch101 -p1 @@ -441,6 +445,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Apr 28 2022 Kamil Dudka - 7.76.1-15 +- fix bad local IPv6 connection reuse (CVE-2022-27775) - fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) * Tue Oct 26 2021 Kamil Dudka - 7.76.1-14