From: rak3033@gmail.com
To: openembedded-core@lists.openembedded.org, rak3033@gmail.com
Cc: riyaza1@kpit.com, Ranjitsinh.Rathod@kpit.com
Subject: [meta-oe][dunfell][PATCH] curl: Add fix for CVE-2022-27781 CVE-2022-27782
Date: Mon, 23 May 2022 13:40:41 +0530
Message-ID: <20220523081041.5680-1-rak3033@gmail.com>
Add patches for CVE issues: CVE-2022-27781 CVE-2022-27782
CVE-2022-27781
Link: [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917]
CVE-2022-27782
Link: [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5]
Signed-off-by: Riyaz Ahmed Khan <rak3033@gmail.com>
---
.../curl/curl/CVE-2022-27781.patch | 50 +++++++++++++
.../curl/curl/CVE-2022-27782.patch | 75 +++++++++++++++++++
meta/recipes-support/curl/curl_7.69.1.bb | 2 +
3 files changed, 127 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27781.patch b/meta/recipes-support/curl/curl/CVE-2022-27781.patch
new file mode 100644
index 0000000000..70e75ead4f
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27781.patch
@@ -0,0 +1,50 @@
+From 5c7da89d404bf59c8dd82a001119a16d18365917 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 10:07:15 +0200
+Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2022-27781
+
+Reported-by: Florian Kohnhäuser
+Bug: https://curl.se/docs/CVE-2022-27781.html
+Closes #8822
+
+CVE: CVE-2022-27781
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917]
+
+Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
+
+---
+ lib/vtls/nss.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 5b7de9f81895..569c0628feb5 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -950,6 +950,9 @@
+ PR_Free(common_name);
+ }
+
++/* A number of certs that will never occur in a real server handshake */
++#define TOO_MANY_CERTS 300
++
+ static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock)
+ {
+ CURLcode result = CURLE_OK;
+@@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
+ cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
+ while(cert2) {
+ i++;
++ if(i >= TOO_MANY_CERTS) {
++ CERT_DestroyCertificate(cert2);
++ failf(data, "certificate loop");
++ return CURLE_SSL_CERTPROBLEM;
++ }
+ if(cert2->isRoot) {
+ CERT_DestroyCertificate(cert2);
+ break;
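Review bot: in the second lib/vtls/nss.c hunk the new early return calls `failf(data, "certificate loop")`, but the only signature visible as context is `display_conn_info(struct connectdata *conn, PRFileDesc *sock)` in the first hunk, while the second hunk's `@@` line still shows the upstream `struct Curl_easy *data` parameter. Please confirm that `data` is declared in the 7.69.1 version of this function, and regenerate the backport against the dunfell source so the hunk header reflects the tree it applies to. If the context was adapted, say so in the patch header, since Upstream-Status reads Backport without noting any change.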
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782.patch b/meta/recipes-support/curl/curl/CVE-2022-27782.patch
new file mode 100644
index 0000000000..f171f978d7
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27782.patch
@@ -0,0 +1,75 @@
+From 1645e9b44505abd5cbaf65da5282c3f33b5924a5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 23:13:53 +0200
+Subject: [PATCH] url: check SSH config match on connection reuse
+
+CVE-2022-27782
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+Closes #8825
+
+CVE: CVE-2022-27782
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5]
+
+Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
+
+---
+ lib/url.c | 11 +++++++++++
+ lib/vssh/ssh.h | 6 +++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index cf14a333ac69..6b31d4b1315d 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1100,6 +1100,12 @@ static void prune_dead_connections(struct Curl_easy *data)
+ }
+ }
+
++static bool ssh_config_matches(struct connectdata *one,
++ struct connectdata *two)
++{
++ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
++ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
++}
+ /*
+ * Given one filled in connection struct (named needle), this function should
+ * detect if there already is one that has all the significant details
+@@ -1260,6 +1260,11 @@
+ }
+ }
+
++ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
++ if(!ssh_config_matches(needle, check))
++ continue;
++ }
++
+ if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) ||
+ needle->bits.tunnel_proxy) {
+ /* The requested connection does not use a HTTP proxy or it uses SSL or
+diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
+index 7972081ec610..30d82e57648e 100644
+--- a/lib/vssh/ssh.h
++++ b/lib/vssh/ssh.h
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -131,8 +131,8 @@ struct ssh_conn {
+
+ /* common */
+ const char *passphrase; /* pass-phrase to use */
+- char *rsa_pub; /* path name */
+- char *rsa; /* path name */
++ char *rsa_pub; /* strdup'ed public key file */
++ char *rsa; /* strdup'ed private key file */
+ bool authed; /* the connection has been authenticated fine */
+ bool acceptfail; /* used by the SFTP_QUOTE (continue if
+ quote command fails) */
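Review bot: the reuse check added in the second lib/url.c hunk depends on `get_protocol_family(needle->handler)` and `PROTO_FAMILY_SSH`, neither of which this patch defines, so the commit message should state that both exist in 7.69.1 with this argument type and that the result was compile-tested with SSH enabled. That hunk's header reads `@@ -1260,6 +1260,11 @@` with identical old and new start lines even though the previous hunk in the same file adds six lines, which suggests the headers were edited by hand; regenerating the patch from a tree with the change applied would avoid offsets when it is applied. The lib/vssh/ssh.h hunks change only the copyright year and two comments, so they can stay for parity with upstream but carry no part of the fix.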
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index e850376ff8..602caf97ab 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -28,6 +28,8 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2022-27776.patch \
file://CVE-2022-27775.patch \
file://CVE-2022-22576.patch \
+ file://CVE-2022-27781.patch \
+ file://CVE-2022-27782.patch \
"
SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
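Review bot: the recipe edited here is meta/recipes-support/curl/curl_7.69.1.bb and the mail is addressed to openembedded-core, so the `[meta-oe]` prefix in the subject names the wrong layer; please resend with an OE-core prefix alongside `[dunfell]` so the patch is picked up for the right repository.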
--
2.17.1