* [OE-core][kirkstone][PATCH 2/3] curl: Fix CVE-2022-42916
2022-11-29 3:57 [OE-core][kirkstone][PATCH 1/3] curl: Fix CVE-2022-32221 Bhabu Bindu
@ 2022-11-29 3:57 ` Bhabu Bindu
2022-11-29 3:57 ` [OE-core][kirkstone][PATCH 3/3] curl: Fix CVE-2022-42915 Bhabu Bindu
1 sibling, 0 replies; 3+ messages in thread
From: Bhabu Bindu @ 2022-11-29 3:57 UTC (permalink / raw)
To: openembedded-core, bhabu.bindu; +Cc: ranjitsinh.rathod
From: Bhabu Bindu <bhabu.bindu@kpit.com>
HSTS bypass via IDN
Link: https://security-tracker.debian.org/tracker/CVE-2022-42916
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
---
.../curl/curl/CVE-2022-42916.patch | 136 ++++++++++++++++++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
2 files changed, 137 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-42916.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2022-42916.patch b/meta/recipes-support/curl/curl/CVE-2022-42916.patch
new file mode 100644
index 0000000000..fbc592280a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-42916.patch
@@ -0,0 +1,136 @@
+From 53bcf55b4538067e6dc36242168866becb987bb7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 12 Oct 2022 10:47:59 +0200
+Subject: [PATCH] url: use IDN decoded names for HSTS checks
+
+Reported-by: Hiroki Kurosawa
+
+Closes #9791
+
+CVE: CVE-2022-42916
+Upstream-Status: Backport [https://github.com/curl/curl/commit/53bcf55b4538067e6dc36242168866becb987bb7]
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+Comments: Refreshed hunk
+---
+ lib/url.c | 91 ++++++++++++++++++++++++++++---------------------------
+ 1 file changed, 47 insertions(+), 44 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index a3be56bced9de..690c53c81a3c1 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -2012,10 +2012,56 @@
+ if(!strcasecompare("file", data->state.up.scheme))
+ return CURLE_OUT_OF_MEMORY;
+ }
++ hostname = data->state.up.hostname;
++
++ if(hostname && hostname[0] == '[') {
++ /* This looks like an IPv6 address literal. See if there is an address
++ scope. */
++ size_t hlen;
++ conn->bits.ipv6_ip = TRUE;
++ /* cut off the brackets! */
++ hostname++;
++ hlen = strlen(hostname);
++ hostname[hlen - 1] = 0;
++
++ zonefrom_url(uh, data, conn);
++ }
++
++ /* make sure the connect struct gets its own copy of the host name */
++ conn->host.rawalloc = strdup(hostname ? hostname : "");
++ if(!conn->host.rawalloc)
++ return CURLE_OUT_OF_MEMORY;
++ conn->host.name = conn->host.rawalloc;
++
++ /*************************************************************
++ * IDN-convert the hostnames
++ *************************************************************/
++ result = Curl_idnconvert_hostname(data, &conn->host);
++ if(result)
++ return result;
++ if(conn->bits.conn_to_host) {
++ result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
++ if(result)
++ return result;
++ }
++#ifndef CURL_DISABLE_PROXY
++ if(conn->bits.httpproxy) {
++ result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
++ if(result)
++ return result;
++ }
++ if(conn->bits.socksproxy) {
++ result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
++ if(result)
++ return result;
++ }
++#endif
+
+ #ifndef CURL_DISABLE_HSTS
++ /* HSTS upgrade */
+ if(data->hsts && strcasecompare("http", data->state.up.scheme)) {
+- if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) {
++ /* This MUST use the IDN decoded name */
++ if(Curl_hsts(data->hsts, conn->host.name, TRUE)) {
+ char *url;
+ Curl_safefree(data->state.up.scheme);
+ uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0);
+@@ -2145,26 +2191,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+
+ (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0);
+
+- hostname = data->state.up.hostname;
+- if(hostname && hostname[0] == '[') {
+- /* This looks like an IPv6 address literal. See if there is an address
+- scope. */
+- size_t hlen;
+- conn->bits.ipv6_ip = TRUE;
+- /* cut off the brackets! */
+- hostname++;
+- hlen = strlen(hostname);
+- hostname[hlen - 1] = 0;
+-
+- zonefrom_url(uh, data, conn);
+- }
+-
+- /* make sure the connect struct gets its own copy of the host name */
+- conn->host.rawalloc = strdup(hostname ? hostname : "");
+- if(!conn->host.rawalloc)
+- return CURLE_OUT_OF_MEMORY;
+- conn->host.name = conn->host.rawalloc;
+-
+ #ifdef ENABLE_IPV6
+ if(data->set.scope_id)
+ /* Override any scope that was set above. */
+@@ -3713,29 +3739,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+ if(result)
+ goto out;
+
+- /*************************************************************
+- * IDN-convert the hostnames
+- *************************************************************/
+- result = Curl_idnconvert_hostname(data, &conn->host);
+- if(result)
+- goto out;
+- if(conn->bits.conn_to_host) {
+- result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
+- if(result)
+- goto out;
+- }
+-#ifndef CURL_DISABLE_PROXY
+- if(conn->bits.httpproxy) {
+- result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
+- if(result)
+- goto out;
+- }
+- if(conn->bits.socksproxy) {
+- result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
+- if(result)
+- goto out;
+- }
+-#endif
+
+ /*************************************************************
+ * Check whether the host and the "connect to host" are equal.
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 641614fb0d..4d49ac33eb 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2022-32208.patch \
file://CVE-2022-35252.patch \
file://CVE-2022-32221.patch \
+ file://CVE-2022-42916.patch \
"
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* [OE-core][kirkstone][PATCH 3/3] curl: Fix CVE-2022-42915
2022-11-29 3:57 [OE-core][kirkstone][PATCH 1/3] curl: Fix CVE-2022-32221 Bhabu Bindu
2022-11-29 3:57 ` [OE-core][kirkstone][PATCH 2/3] curl: Fix CVE-2022-42916 Bhabu Bindu
@ 2022-11-29 3:57 ` Bhabu Bindu
1 sibling, 0 replies; 3+ messages in thread
From: Bhabu Bindu @ 2022-11-29 3:57 UTC (permalink / raw)
To: openembedded-core, bhabu.bindu; +Cc: ranjitsinh.rathod
From: Bhabu Bindu <bhabu.bindu@kpit.com>
HTTP proxy double-free
Link: https://security-tracker.debian.org/tracker/CVE-2022-42915
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
---
.../curl/curl/CVE-2022-42915.patch | 53 +++++++++++++++++++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
2 files changed, 54 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-42915.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2022-42915.patch b/meta/recipes-support/curl/curl/CVE-2022-42915.patch
new file mode 100644
index 0000000000..0f37a80e09
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-42915.patch
@@ -0,0 +1,53 @@
+From 55e1875729f9d9fc7315cec611bffbd2c817ad89 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 14:13:36 +0200
+Subject: [PATCH] http_proxy: restore the protocol pointer on error
+
+Reported-by: Trail of Bits
+
+Closes #9790
+
+CVE: CVE-2022-42915
+Upstream-Status: Backport [https://github.com/curl/curl/commit/55e1875729f9d9fc7315cec611bffbd2c817ad89]
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ lib/http_proxy.c | 6 ++----
+ lib/url.c | 9 ---------
+ 2 files changed, 2 insertions(+), 13 deletions(-)
+
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index 1f87f6c62aa40..cc20b3a801941 100644
+--- a/lib/http_proxy.c
++++ b/lib/http_proxy.c
+@@ -212,10 +212,8 @@ void Curl_connect_done(struct Curl_easy *data)
+ Curl_dyn_free(&s->rcvbuf);
+ Curl_dyn_free(&s->req);
+
+- /* restore the protocol pointer, if not already done */
+- if(s->prot_save)
+- data->req.p.http = s->prot_save;
+- s->prot_save = NULL;
++ /* restore the protocol pointer */
++ data->req.p.http = s->prot_save;
+ data->info.httpcode = 0; /* clear it as it might've been used for the
+ proxy */
+ data->req.ignorebody = FALSE;
+diff --git a/lib/url.c b/lib/url.c
+index 690c53c81a3c1..be5ffca2d8b20 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -751,15 +751,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn)
+ DEBUGASSERT(data);
+ infof(data, "Closing connection %ld", conn->connection_id);
+
+-#ifndef USE_HYPER
+- if(conn->connect_state && conn->connect_state->prot_save) {
+- /* If this was closed with a CONNECT in progress, cleanup this temporary
+- struct arrangement */
+- data->req.p.http = NULL;
+- Curl_safefree(conn->connect_state->prot_save);
+- }
+-#endif
+-
+ /* possible left-overs from the async name resolvers */
+ Curl_resolver_cancel(data);
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 4d49ac33eb..b0192143fb 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -31,6 +31,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2022-35252.patch \
file://CVE-2022-32221.patch \
file://CVE-2022-42916.patch \
+ file://CVE-2022-42915.patch \
"
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread