CC: curl: fix some security vulnerabilities
This fixes the following security vulnerabilities in curl: * CVE-2015-3143 * CVE-2015-3144 * CVE-2015-3145 * CVE-2015-3148 * CVE-2015-3153 * CVE-2015-3236 * CVE-2015-3237 This was fixed in trunk with update to version 7.43.0 in r46169. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> git-svn-id: svn://svn.openwrt.org/openwrt/branches/chaos_calmer@46312 3c298f89-4303-0410-b956-a3cf2f4a3e73zsun
parent
8b1ed5de3f
commit
7400cfec55
|
@ -0,0 +1,28 @@
|
|||
From d7d1bc8f08eea1a85ab0d794bc1561659462d937 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 16 Apr 2015 13:26:46 +0200
|
||||
Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to
|
||||
match
|
||||
|
||||
CVE-2015-3143
|
||||
|
||||
Bug: http://curl.haxx.se/docs/adv_20150422A.html
|
||||
Reported-by: Paras Sethia
|
||||
---
|
||||
lib/url.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -3184,7 +3184,11 @@ ConnectionExists(struct SessionHandle *d
|
||||
}
|
||||
|
||||
if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
|
||||
+#if defined(USE_NTLM)
|
||||
+ (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
|
||||
+#else
|
||||
wantNTLMhttp) {
|
||||
+#endif
|
||||
/* This protocol requires credentials per connection or is HTTP+NTLM,
|
||||
so verify that we're using the same name and password as well */
|
||||
if(!strequal(needle->user, check->user) ||
|
|
@ -0,0 +1,32 @@
|
|||
From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 16 Apr 2015 23:52:04 +0200
|
||||
Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If a URL is given with a zero-length host name, like in "http://:80" or
|
||||
just ":80", `fix_hostname()` will index the host name pointer with a -1
|
||||
offset (as it blindly assumes a non-zero length) and both read and
|
||||
assign that address.
|
||||
|
||||
CVE-2015-3144
|
||||
|
||||
Bug: http://curl.haxx.se/docs/adv_20150422D.html
|
||||
Reported-by: Hanno Böck
|
||||
---
|
||||
lib/url.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -3606,7 +3606,7 @@ static void fix_hostname(struct SessionH
|
||||
host->dispname = host->name;
|
||||
|
||||
len = strlen(host->name);
|
||||
- if(host->name[len-1] == '.')
|
||||
+ if(len && (host->name[len-1] == '.'))
|
||||
/* strip off a single trailing dot if present, primarily for SNI but
|
||||
there's no use for it */
|
||||
host->name[len-1]=0;
|
|
@ -0,0 +1,53 @@
|
|||
From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 16 Apr 2015 16:37:40 +0200
|
||||
Subject: [PATCH] cookie: cookie parser out of boundary memory access
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The internal libcurl function called sanitize_cookie_path() that cleans
|
||||
up the path element as given to it from a remote site or when read from
|
||||
a file, did not properly validate the input. If given a path that
|
||||
consisted of a single double-quote, libcurl would index a newly
|
||||
allocated memory area with index -1 and assign a zero to it, thus
|
||||
destroying heap memory it wasn't supposed to.
|
||||
|
||||
CVE-2015-3145
|
||||
|
||||
Bug: http://curl.haxx.se/docs/adv_20150422C.html
|
||||
Reported-by: Hanno Böck
|
||||
---
|
||||
lib/cookie.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
--- a/lib/cookie.c
|
||||
+++ b/lib/cookie.c
|
||||
@@ -236,11 +236,14 @@ static char *sanitize_cookie_path(const
|
||||
return NULL;
|
||||
|
||||
/* some stupid site sends path attribute with '"'. */
|
||||
+ len = strlen(new_path);
|
||||
if(new_path[0] == '\"') {
|
||||
- memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
|
||||
+ memmove((void *)new_path, (const void *)(new_path + 1), len);
|
||||
+ len--;
|
||||
}
|
||||
- if(new_path[strlen(new_path) - 1] == '\"') {
|
||||
- new_path[strlen(new_path) - 1] = 0x0;
|
||||
+ if(len && (new_path[len - 1] == '\"')) {
|
||||
+ new_path[len - 1] = 0x0;
|
||||
+ len--;
|
||||
}
|
||||
|
||||
/* RFC6265 5.2.4 The Path Attribute */
|
||||
@@ -252,8 +255,7 @@ static char *sanitize_cookie_path(const
|
||||
}
|
||||
|
||||
/* convert /hoge/ to /hoge */
|
||||
- len = strlen(new_path);
|
||||
- if(1 < len && new_path[len - 1] == '/') {
|
||||
+ if(len && new_path[len - 1] == '/') {
|
||||
new_path[len - 1] = 0x0;
|
||||
}
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
From 6abfb512ed22c2de891a4398616d81a2a0690b5a Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Sat, 18 Apr 2015 23:50:16 +0200
|
||||
Subject: [PATCH] http_done: close Negotiate connections when done
|
||||
|
||||
When doing HTTP requests Negotiate authenticated, the entire connnection
|
||||
may become authenticated and not just the specific HTTP request which is
|
||||
otherwise how HTTP works, as Negotiate can basically use NTLM under the
|
||||
hood. curl was not adhering to this fact but would assume that such
|
||||
requests would also be authenticated per request.
|
||||
|
||||
CVE-2015-3148
|
||||
|
||||
Bug: http://curl.haxx.se/docs/adv_20150422B.html
|
||||
Reported-by: Isaac Boukris
|
||||
---
|
||||
lib/http.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/lib/http.c
|
||||
+++ b/lib/http.c
|
||||
@@ -1493,8 +1493,14 @@ CURLcode Curl_http_done(struct connectda
|
||||
|
||||
#ifdef USE_SPNEGO
|
||||
if(data->state.proxyneg.state == GSS_AUTHSENT ||
|
||||
- data->state.negotiate.state == GSS_AUTHSENT)
|
||||
+ data->state.negotiate.state == GSS_AUTHSENT) {
|
||||
+ /* add forbid re-use if http-code != 401 as a WA
|
||||
+ * only needed for 401 that failed handling
|
||||
+ * otherwie state will be RECV with current code */
|
||||
+ if((data->req.httpcode != 401) && (data->req.httpcode != 407))
|
||||
+ connclose(conn, "Negotiate transfer completed");
|
||||
Curl_cleanup_negotiate(data);
|
||||
+ }
|
||||
#endif
|
||||
|
||||
/* set the proper values (possibly modified on POST) */
|
|
@ -0,0 +1,95 @@
|
|||
From 69a2e8d7ec581695a62527cb2252e7350f314ffa Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 23 Apr 2015 15:58:21 +0200
|
||||
Subject: [PATCH] CURLOPT_HEADEROPT: default to separate
|
||||
|
||||
Make the HTTP headers separated by default for improved security and
|
||||
reduced risk for information leakage.
|
||||
|
||||
Bug: http://curl.haxx.se/docs/adv_20150429.html
|
||||
Reported-by: Yehezkel Horowitz, Oren Souroujon
|
||||
---
|
||||
docs/libcurl/opts/CURLOPT_HEADEROPT.3 | 12 ++++++------
|
||||
lib/url.c | 1 +
|
||||
tests/data/test1527 | 2 +-
|
||||
tests/data/test287 | 2 +-
|
||||
tests/libtest/lib1527.c | 1 +
|
||||
5 files changed, 10 insertions(+), 8 deletions(-)
|
||||
|
||||
--- a/docs/libcurl/opts/CURLOPT_HEADEROPT.3
|
||||
+++ b/docs/libcurl/opts/CURLOPT_HEADEROPT.3
|
||||
@@ -5,7 +5,7 @@
|
||||
.\" * | (__| |_| | _ <| |___
|
||||
.\" * \___|\___/|_| \_\_____|
|
||||
.\" *
|
||||
-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
.\" *
|
||||
.\" * This software is licensed as described in the file COPYING, which
|
||||
.\" * you should have received as part of this distribution. The terms
|
||||
@@ -31,10 +31,10 @@ CURLcode curl_easy_setopt(CURL *handle,
|
||||
Pass a long that is a bitmask of options of how to deal with headers. The two
|
||||
mutually exclusive options are:
|
||||
|
||||
-\fBCURLHEADER_UNIFIED\fP - keep working as before. This means
|
||||
-\fICURLOPT_HTTPHEADER(3)\fP headers will be used in requests both to servers
|
||||
-and proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not
|
||||
-have any effect.
|
||||
+\fBCURLHEADER_UNIFIED\fP - the headers specified in
|
||||
+\fICURLOPT_HTTPHEADER(3)\fP will be used in requests both to servers and
|
||||
+proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not have
|
||||
+any effect.
|
||||
|
||||
\fBCURLHEADER_SEPARATE\fP - makes \fICURLOPT_HTTPHEADER(3)\fP headers only get
|
||||
sent to a server and not to a proxy. Proxy headers must be set with
|
||||
@@ -44,7 +44,7 @@ headers. When doing CONNECT, libcurl wil
|
||||
headers only to the proxy and then \fICURLOPT_HTTPHEADER(3)\fP headers only to
|
||||
the server.
|
||||
.SH DEFAULT
|
||||
-CURLHEADER_UNIFIED
|
||||
+CURLHEADER_SEPARATE (changed in 7.42.1, ased CURLHEADER_UNIFIED before then)
|
||||
.SH PROTOCOLS
|
||||
HTTP
|
||||
.SH EXAMPLE
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -605,6 +605,7 @@ CURLcode Curl_init_userdefined(struct Us
|
||||
set->ssl_enable_alpn = TRUE;
|
||||
|
||||
set->expect_100_timeout = 1000L; /* Wait for a second by default. */
|
||||
+ set->sep_headers = TRUE; /* separated header lists by default */
|
||||
return result;
|
||||
}
|
||||
|
||||
--- a/tests/data/test1527
|
||||
+++ b/tests/data/test1527
|
||||
@@ -45,7 +45,7 @@ http-proxy
|
||||
lib1527
|
||||
</tool>
|
||||
<name>
|
||||
-Check same headers are generated without CURLOPT_PROXYHEADER
|
||||
+Check same headers are generated with CURLOPT_HEADEROPT == CURLHEADER_UNIFIED
|
||||
</name>
|
||||
<command>
|
||||
http://the.old.moo.1527:%HTTPPORT/1527 %HOSTIP:%PROXYPORT
|
||||
--- a/tests/data/test287
|
||||
+++ b/tests/data/test287
|
||||
@@ -28,7 +28,7 @@ http
|
||||
HTTP proxy CONNECT with custom User-Agent header
|
||||
</name>
|
||||
<command>
|
||||
-http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2007" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel
|
||||
+http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2015" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel --proxy-header "User-Agent: looser/2007"
|
||||
</command>
|
||||
</client>
|
||||
|
||||
--- a/tests/libtest/lib1527.c
|
||||
+++ b/tests/libtest/lib1527.c
|
||||
@@ -83,6 +83,7 @@ int test(char *URL)
|
||||
test_setopt(curl, CURLOPT_READFUNCTION, read_callback);
|
||||
test_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L);
|
||||
test_setopt(curl, CURLOPT_INFILESIZE, strlen(data));
|
||||
+ test_setopt(curl, CURLOPT_HEADEROPT, CURLHEADER_UNIFIED);
|
||||
|
||||
res = curl_easy_perform(curl);
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
From e6d7c30734487246e83b95520e81bc1ccf0a2376 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Thu, 28 May 2015 20:04:35 +0200
|
||||
Subject: [PATCH] http: do not leak basic auth credentials on re-used
|
||||
connections
|
||||
|
||||
CVE-2015-3236
|
||||
|
||||
This partially reverts commit curl-7_39_0-237-g87c4abb
|
||||
|
||||
Bug: http://curl.haxx.se/docs/adv_20150617A.html
|
||||
---
|
||||
lib/http.c | 16 ++++------------
|
||||
1 file changed, 4 insertions(+), 12 deletions(-)
|
||||
|
||||
--- a/lib/http.c
|
||||
+++ b/lib/http.c
|
||||
@@ -2333,20 +2333,12 @@ CURLcode Curl_http(struct connectdata *c
|
||||
te
|
||||
);
|
||||
|
||||
- /*
|
||||
- * Free userpwd for Negotiate/NTLM. Cannot reuse as it is associated with
|
||||
- * the connection and shouldn't be repeated over it either.
|
||||
- */
|
||||
- switch (data->state.authhost.picked) {
|
||||
- case CURLAUTH_NEGOTIATE:
|
||||
- case CURLAUTH_NTLM:
|
||||
- case CURLAUTH_NTLM_WB:
|
||||
- Curl_safefree(conn->allocptr.userpwd);
|
||||
- break;
|
||||
- }
|
||||
+ /* clear userpwd to avoid re-using credentials from re-used connections */
|
||||
+ Curl_safefree(conn->allocptr.userpwd);
|
||||
|
||||
/*
|
||||
- * Same for proxyuserpwd
|
||||
+ * Free proxyuserpwd for Negotiate/NTLM. Cannot reuse as it is associated
|
||||
+ * with the connection and shouldn't be repeated over it either.
|
||||
*/
|
||||
switch (data->state.authproxy.picked) {
|
||||
case CURLAUTH_NEGOTIATE:
|
|
@ -0,0 +1,35 @@
|
|||
From d2f1a8bdce9d77a277d05adae025d369c1bdd9e6 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Fri, 22 May 2015 10:28:21 +0200
|
||||
Subject: [PATCH] SMB: rangecheck values read off incoming packet
|
||||
|
||||
CVE-2015-3237
|
||||
|
||||
Detected by Coverity. CID 1299430.
|
||||
|
||||
Bug: http://curl.haxx.se/docs/adv_20150617B.html
|
||||
---
|
||||
lib/smb.c | 12 +++++++++---
|
||||
1 file changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/lib/smb.c
|
||||
+++ b/lib/smb.c
|
||||
@@ -783,9 +783,15 @@ static CURLcode smb_request_state(struct
|
||||
off = Curl_read16_le(((unsigned char *) msg) +
|
||||
sizeof(struct smb_header) + 13);
|
||||
if(len > 0) {
|
||||
- result = Curl_client_write(conn, CLIENTWRITE_BODY,
|
||||
- (char *)msg + off + sizeof(unsigned int),
|
||||
- len);
|
||||
+ struct smb_conn *smbc = &conn->proto.smbc;
|
||||
+ if(off + sizeof(unsigned int) + len > smbc->got) {
|
||||
+ failf(conn->data, "Invalid input packet");
|
||||
+ result = CURLE_RECV_ERROR;
|
||||
+ }
|
||||
+ else
|
||||
+ result = Curl_client_write(conn, CLIENTWRITE_BODY,
|
||||
+ (char *)msg + off + sizeof(unsigned int),
|
||||
+ len);
|
||||
if(result) {
|
||||
req->result = result;
|
||||
next_state = SMB_CLOSE;
|
|
@ -1,6 +1,6 @@
|
|||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -129,7 +129,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) $(VC7_LIBVCPROJ) $(VC7_SRCVCPROJ) \
|
||||
@@ -129,7 +129,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP)
|
||||
bin_SCRIPTS = curl-config
|
||||
|
||||
SUBDIRS = lib src include
|
||||
|
@ -11,7 +11,7 @@
|
|||
pkgconfig_DATA = libcurl.pc
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -577,7 +577,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) $(VC7_LIBVCPROJ) $(VC7_SRCVCPROJ) \
|
||||
@@ -577,7 +577,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP)
|
||||
|
||||
bin_SCRIPTS = curl-config
|
||||
SUBDIRS = lib src include
|
||||
|
|
Loading…
Reference in New Issue