From f58185cd40f76fa6f90a82f51fe56aec9e57528e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 17 Sep 2021 09:10:21 +0200 Subject: [PATCH] Resolves: CVE-2021-22945 - fix use-after-free and double-free in MQTT sending --- 0007-curl-7.76.1-CVE-2021-22945.patch | 33 +++++++++++++++++++++++++++ curl.spec | 9 +++++++- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 0007-curl-7.76.1-CVE-2021-22945.patch diff --git a/0007-curl-7.76.1-CVE-2021-22945.patch b/0007-curl-7.76.1-CVE-2021-22945.patch new file mode 100644 index 0000000..4d301fc --- /dev/null +++ b/0007-curl-7.76.1-CVE-2021-22945.patch @@ -0,0 +1,33 @@ +From bb7619897e53ed424e0712ca5a4c93d5fae99715 Mon Sep 17 00:00:00 2001 +From: z2_ on hackerone <> +Date: Tue, 24 Aug 2021 09:50:33 +0200 +Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds + +CVE-2021-22945 + +Bug: https://curl.se/docs/CVE-2021-22945.html + +Upstream-commit: 43157490a5054bd24256fe12876931e8abc9df49 +Signed-off-by: Kamil Dudka +--- + lib/mqtt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/mqtt.c b/lib/mqtt.c +index d88fa73..f3fc045 100644 +--- a/lib/mqtt.c ++++ b/lib/mqtt.c +@@ -128,6 +128,10 @@ static CURLcode mqtt_send(struct Curl_easy *data, + mq->sendleftovers = sendleftovers; + mq->nsend = nsend; + } ++ else { ++ mq->sendleftovers = NULL; ++ mq->nsend = 0; ++ } + return result; + } + +-- +2.31.1 + diff --git a/curl.spec b/curl.spec index 14d8917..f8d32db 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.76.1 -Release: 11%{?dist} +Release: 12%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -23,6 +23,9 @@ Patch5: 0005-curl-7.76.1-CVE-2021-22924.patch # fix TELNET stack contents disclosure again (CVE-2021-22925) Patch6: 0006-curl-7.76.1-CVE-2021-22925.patch +# fix use-after-free and double-free in MQTT sending (CVE-2021-22945) +Patch7: 0007-curl-7.76.1-CVE-2021-22945.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -204,6 +207,7 @@ be installed. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 # Fedora patches %patch101 -p1 @@ -383,6 +387,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Sep 17 2021 Kamil Dudka - 7.76.1-12 +- fix use-after-free and double-free in MQTT sending (CVE-2021-22945) + * Mon Aug 09 2021 Mohan Boddu - 7.76.1-11 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688