Re: [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

From: "Valek, Andrej" <andrej.valek@siemens.com>
To: "openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>
Cc: "steve@sakoman.com" <steve@sakoman.com>
Subject: Re: [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897
Date: Fri, 10 Mar 2023 13:09:27 +0000	[thread overview]
Message-ID: <042af09c08da4dad435693220f221a70548a2a91.camel@siemens.com> (raw)
In-Reply-To: <20230310124549.119027-1-andrej.valek@siemens.com>

Hello again,

Looks like that this patch showed some isses/open points:
- CVE-2021-22897 is white-listed already, but in hardknott is fixed
already
https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch
 - So do we have to ignore the patch, or apply and remove the
whitelist, or remove patch from hardknott?
- Https certificate at yocto.io has been expired ;)

Regards,
Andrej

On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote:
> https://curl.se/docs/CVE-2021-22897.html
> 
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
>  .../curl/curl/CVE-2021-22897.patch            | 73
> +++++++++++++++++++
>  meta/recipes-support/curl/curl_7.69.1.bb      |  1 +
>  2 files changed, 74 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2021-
> 22897.patch
> 
> diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> new file mode 100644
> index 0000000000..cbd6c067ce
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> @@ -0,0 +1,73 @@
> +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00
> 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Fri, 23 Apr 2021 10:54:10 +0200
> +Subject: [PATCH] schannel: don't use static to store selected
> ciphers
> +
> +CVE-2021-22897
> +
> +Bug: https://curl.se/docs/CVE-2021-22897.html
> +
> +Upstream-Status: Backport
> +[
> https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3
> 2834511]
> +
> +CVE: CVE-2021-22897
> +
> +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> +Signed-off-by: Khairul Rohaizzat Jamaluddin
> <khairul.rohaizzat.jamaluddin@intel.com>
> +Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> +---
> + lib/vtls/schannel.c | 9 +++++----
> + lib/vtls/schannel.h | 3 +++
> + 2 files changed, 8 insertions(+), 4 deletions(-)
> +
> +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
> +index 8c25ac5dd5a5..dba7072273a9 100644
> +--- a/lib/vtls/schannel.c
> ++++ b/lib/vtls/schannel.c
> +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name)
> + }
> + 
> + static CURLcode
> +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
> ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
> ++                int *algIds)
> + {
> +   char *startCur = ciphers;
> +   int algCount = 0;
> +-  static ALG_ID algIds[45]; /*There are 45 listed in the MS
> headers*/
> +-  while(startCur && (0 != *startCur) && (algCount < 45)) {
> ++  while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS))
> {
> +     long alg = strtol(startCur, 0, 0);
> +     if(!alg)
> +       alg = get_alg_id_by_name(startCur);
> +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat
> +     }
> + 
> +     if(SSL_CONN_CONFIG(cipher_list)) {
> +-      result = set_ssl_ciphers(&schannel_cred,
> SSL_CONN_CONFIG(cipher_list));
> ++      result = set_ssl_ciphers(&schannel_cred,
> SSL_CONN_CONFIG(cipher_list),
> ++                               BACKEND->algIds);
> +       if(CURLE_OK != result) {
> +         failf(data, "Unable to set ciphers to passed via
> SSL_CONN_CONFIG");
> +         return result;
> +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
> +index 2952caa1a5a1..77853aa30f96 100644
> +--- a/lib/vtls/schannel.h
> ++++ b/lib/vtls/schannel.h
> +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct
> + #endif
> + #endif
> + 
> ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers
> */
> ++
> + struct curl_schannel_cred {
> +   CredHandle cred_handle;
> +   TimeStamp time_stamp;
> +@@ -101,6 +103,7 @@ struct ssl_backend_data {
> + #ifdef HAS_MANUAL_VERIFY_API
> +   bool use_manual_cred_validation; /* true if manual cred
> validation is used */
> + #endif
> ++  ALG_ID algIds[NUMOF_CIPHERS];
> + };
> + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
> + 
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-
> support/curl/curl_7.69.1.bb
> index ea36c0bd3d..384719dd15 100644
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> @@ -19,6 +19,7 @@ SRC_URI =
> "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
>             file://CVE-2020-8286.patch \
>             file://CVE-2021-22876.patch \
>             file://CVE-2021-22890.patch \
> +           file://CVE-2021-22897.patch \
>             file://CVE-2021-22898.patch \
>             file://CVE-2021-22924.patch \
>             file://CVE-2021-22925.patch \

next prev parent reply	other threads:[~2023-03-10 13:09 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-09 15:15 curl Valek, Andrej
2023-03-09 15:24 ` curl Steve Sakoman
2023-03-10  9:54   ` [OE-core][dunfell][PATCH 1/2] curl: Fix CVE CVE-2022-43552 Andrej Valek
2023-03-10  9:54     ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
2023-03-14 14:26       ` Steve Sakoman
     [not found]       ` <174C4F5C0F6A96A7.18998@lists.openembedded.org>
2023-03-14 14:39         ` Steve Sakoman
2023-03-14 15:07           ` Valek, Andrej
2023-03-14 15:09             ` Steve Sakoman
2023-03-10 12:45   ` [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897 Andrej Valek
2023-03-10 13:09     ` Valek, Andrej [this message]
2023-03-10 14:40       ` Steve Sakoman
2023-03-10 14:49         ` Valek, Andrej
2023-03-10 14:56           ` Steve Sakoman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=042af09c08da4dad435693220f221a70548a2a91.camel@siemens.com \
    --to=andrej.valek@siemens.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=steve@sakoman.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox