Resolves: CVE-2022-32221 - fix POST following PUT confusion
This commit is contained in:
parent
641c248102
commit
f618f2c219
251
0022-curl-7.76.1-CVE-2022-32221.patch
Normal file
251
0022-curl-7.76.1-CVE-2022-32221.patch
Normal file
@ -0,0 +1,251 @@
|
||||
From 08a53016db649bdf4f65c42a9704d35e052be7eb Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 15 Sep 2022 09:22:45 +0200
|
||||
Subject: [PATCH 1/2] setopt: when POST is set, reset the 'upload' field
|
||||
|
||||
Reported-by: RobBotic1 on github
|
||||
Fixes #9507
|
||||
Closes #9511
|
||||
|
||||
Upstream-commit: a64e3e59938abd7d667e4470a18072a24d7e9de9
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/setopt.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||
index d5e3b50..b8793b4 100644
|
||||
--- a/lib/setopt.c
|
||||
+++ b/lib/setopt.c
|
||||
@@ -628,6 +628,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
}
|
||||
else
|
||||
data->set.method = HTTPREQ_GET;
|
||||
+ data->set.upload = FALSE;
|
||||
break;
|
||||
|
||||
case CURLOPT_HTTPPOST:
|
||||
--
|
||||
2.37.3
|
||||
|
||||
|
||||
From a5e36349807b98d31a16bd220f6434289465e16a Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 15 Sep 2022 09:23:33 +0200
|
||||
Subject: [PATCH 2/2] test1948: verify PUT + POST reusing the same handle
|
||||
|
||||
Reproduced #9507, verifies the fix
|
||||
|
||||
Upstream-commit: 1edb15925e350be3b891f8a8de86600b22c0bb20
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
tests/data/Makefile.inc | 1 +
|
||||
tests/data/test1948 | 73 +++++++++++++++++++++++++++++++++++
|
||||
tests/libtest/Makefile.inc | 5 +++
|
||||
tests/libtest/lib1948.c | 79 ++++++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 158 insertions(+)
|
||||
create mode 100644 tests/data/test1948
|
||||
create mode 100644 tests/libtest/lib1948.c
|
||||
|
||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||
index 818ee08..0cfab9b 100644
|
||||
--- a/tests/data/Makefile.inc
|
||||
+++ b/tests/data/Makefile.inc
|
||||
@@ -217,6 +217,7 @@ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \
|
||||
test1916 test1917 test1918 \
|
||||
\
|
||||
test1933 test1934 test1935 test1936 \
|
||||
+test1948 \
|
||||
\
|
||||
test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \
|
||||
test2008 test2009 test2010 test2011 test2012 test2013 test2014 test2015 \
|
||||
diff --git a/tests/data/test1948 b/tests/data/test1948
|
||||
new file mode 100644
|
||||
index 0000000..639523d
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test1948
|
||||
@@ -0,0 +1,73 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+HTTP
|
||||
+HTTP POST
|
||||
+HTTP PUT
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<data>
|
||||
+HTTP/1.1 200 OK
|
||||
+Date: Thu, 01 Nov 2001 14:49:00 GMT
|
||||
+Content-Type: text/html
|
||||
+Content-Length: 6
|
||||
+
|
||||
+hello
|
||||
+</data>
|
||||
+<datacheck>
|
||||
+HTTP/1.1 200 OK
|
||||
+Date: Thu, 01 Nov 2001 14:49:00 GMT
|
||||
+Content-Type: text/html
|
||||
+Content-Length: 6
|
||||
+
|
||||
+hello
|
||||
+HTTP/1.1 200 OK
|
||||
+Date: Thu, 01 Nov 2001 14:49:00 GMT
|
||||
+Content-Type: text/html
|
||||
+Content-Length: 6
|
||||
+
|
||||
+hello
|
||||
+</datacheck>
|
||||
+</reply>
|
||||
+
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<server>
|
||||
+http
|
||||
+</server>
|
||||
+
|
||||
+<name>
|
||||
+CURLOPT_POST after CURLOPT_UPLOAD reusing handle
|
||||
+</name>
|
||||
+<tool>
|
||||
+lib%TESTNUMBER
|
||||
+</tool>
|
||||
+
|
||||
+<command>
|
||||
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER
|
||||
+</command>
|
||||
+</client>
|
||||
+
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+<protocol>
|
||||
+PUT /%TESTNUMBER HTTP/1.1
|
||||
+Host: %HOSTIP:%HTTPPORT
|
||||
+Accept: */*
|
||||
+Content-Length: 22
|
||||
+Expect: 100-continue
|
||||
+
|
||||
+This is test PUT data
|
||||
+POST /1948 HTTP/1.1
|
||||
+Host: %HOSTIP:%HTTPPORT
|
||||
+Accept: */*
|
||||
+Content-Length: 22
|
||||
+Content-Type: application/x-www-form-urlencoded
|
||||
+
|
||||
+This is test PUT data
|
||||
+</protocol>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
|
||||
index 83a8af4..3192eca 100644
|
||||
--- a/tests/libtest/Makefile.inc
|
||||
+++ b/tests/libtest/Makefile.inc
|
||||
@@ -61,6 +61,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \
|
||||
lib1591 lib1592 lib1593 lib1594 lib1596 \
|
||||
lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \
|
||||
lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \
|
||||
+ lib1948 \
|
||||
lib3010
|
||||
|
||||
chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \
|
||||
@@ -690,6 +691,10 @@ lib1936_SOURCES = lib1936.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
lib1936_LDADD = $(TESTUTIL_LIBS)
|
||||
lib1936_CPPFLAGS = $(AM_CPPFLAGS)
|
||||
|
||||
+lib1948_SOURCES = lib1948.c $(SUPPORTFILES)
|
||||
+lib1948_LDADD = $(TESTUTIL_LIBS)
|
||||
+lib1948_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1948
|
||||
+
|
||||
lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
lib3010_LDADD = $(TESTUTIL_LIBS)
|
||||
lib3010_CPPFLAGS = $(AM_CPPFLAGS)
|
||||
diff --git a/tests/libtest/lib1948.c b/tests/libtest/lib1948.c
|
||||
new file mode 100644
|
||||
index 0000000..7c891a2
|
||||
--- /dev/null
|
||||
+++ b/tests/libtest/lib1948.c
|
||||
@@ -0,0 +1,79 @@
|
||||
+/***************************************************************************
|
||||
+ * _ _ ____ _
|
||||
+ * Project ___| | | | _ \| |
|
||||
+ * / __| | | | |_) | |
|
||||
+ * | (__| |_| | _ <| |___
|
||||
+ * \___|\___/|_| \_\_____|
|
||||
+ *
|
||||
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
+ *
|
||||
+ * This software is licensed as described in the file COPYING, which
|
||||
+ * you should have received as part of this distribution. The terms
|
||||
+ * are also available at https://curl.haxx.se/docs/copyright.html.
|
||||
+ *
|
||||
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
||||
+ * copies of the Software, and permit persons to whom the Software is
|
||||
+ * furnished to do so, under the terms of the COPYING file.
|
||||
+ *
|
||||
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
||||
+ * KIND, either express or implied.
|
||||
+ *
|
||||
+ * SPDX-License-Identifier: curl
|
||||
+ *
|
||||
+ ***************************************************************************/
|
||||
+
|
||||
+#include "test.h"
|
||||
+
|
||||
+typedef struct
|
||||
+{
|
||||
+ char *buf;
|
||||
+ size_t len;
|
||||
+} put_buffer;
|
||||
+
|
||||
+static size_t put_callback(char *ptr, size_t size, size_t nmemb, void *stream)
|
||||
+{
|
||||
+ put_buffer *putdata = (put_buffer *)stream;
|
||||
+ size_t totalsize = size * nmemb;
|
||||
+ size_t tocopy = (putdata->len < totalsize) ? putdata->len : totalsize;
|
||||
+ memcpy(ptr, putdata->buf, tocopy);
|
||||
+ putdata->len -= tocopy;
|
||||
+ putdata->buf += tocopy;
|
||||
+ return tocopy;
|
||||
+}
|
||||
+
|
||||
+int test(char *URL)
|
||||
+{
|
||||
+ CURL *curl;
|
||||
+ CURLcode res = CURLE_OUT_OF_MEMORY;
|
||||
+
|
||||
+ curl_global_init(CURL_GLOBAL_DEFAULT);
|
||||
+
|
||||
+ curl = curl_easy_init();
|
||||
+ if(curl) {
|
||||
+ const char *testput = "This is test PUT data\n";
|
||||
+ put_buffer pbuf;
|
||||
+
|
||||
+ /* PUT */
|
||||
+ curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L);
|
||||
+ curl_easy_setopt(curl, CURLOPT_HEADER, 1L);
|
||||
+ curl_easy_setopt(curl, CURLOPT_READFUNCTION, put_callback);
|
||||
+ pbuf.buf = (char *)testput;
|
||||
+ pbuf.len = strlen(testput);
|
||||
+ curl_easy_setopt(curl, CURLOPT_READDATA, &pbuf);
|
||||
+ curl_easy_setopt(curl, CURLOPT_INFILESIZE, (long)strlen(testput));
|
||||
+ res = curl_easy_setopt(curl, CURLOPT_URL, URL);
|
||||
+ if(!res)
|
||||
+ res = curl_easy_perform(curl);
|
||||
+ if(!res) {
|
||||
+ /* POST */
|
||||
+ curl_easy_setopt(curl, CURLOPT_POST, 1L);
|
||||
+ curl_easy_setopt(curl, CURLOPT_POSTFIELDS, testput);
|
||||
+ curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(testput));
|
||||
+ res = curl_easy_perform(curl);
|
||||
+ }
|
||||
+ curl_easy_cleanup(curl);
|
||||
+ }
|
||||
+
|
||||
+ curl_global_cleanup();
|
||||
+ return (int)res;
|
||||
+}
|
||||
--
|
||||
2.37.3
|
||||
|
@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
|
||||
index 080421b..ea3b806 100644
|
||||
--- a/tests/libtest/Makefile.inc
|
||||
+++ b/tests/libtest/Makefile.inc
|
||||
@@ -592,6 +592,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
@@ -593,6 +593,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
lib1559_LDADD = $(TESTUTIL_LIBS)
|
||||
|
||||
lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
|
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.76.1
|
||||
Release: 20%{?dist}
|
||||
Release: 21%{?dist}
|
||||
License: MIT
|
||||
Source: https://curl.se/download/%{name}-%{version}.tar.xz
|
||||
|
||||
@ -65,6 +65,9 @@ Patch20: 0020-curl-7.76.1-openldap-rebase.patch
|
||||
# control code in cookie denial of service (CVE-2022-35252)
|
||||
Patch21: 0021-curl-7.76.1-CVE-2022-35252.patch
|
||||
|
||||
# fix POST following PUT confusion (CVE-2022-32221)
|
||||
Patch22: 0022-curl-7.76.1-CVE-2022-32221.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -260,6 +263,7 @@ be installed.
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
@ -480,6 +484,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Wed Oct 26 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-21
|
||||
- fix POST following PUT confusion (CVE-2022-32221)
|
||||
|
||||
* Fri Sep 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-20
|
||||
- control code in cookie denial of service (CVE-2022-35252)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user