curl

curl

[Valek, Andrej]

Hello Steve,

I have a question about curl. Would it be possible to backport some
fixes for CVEs from kirkstone to dunfell? 

CVE-2022-32221
CVE-2022-42915
CVE-2022-42916
CVE-2022-43552 
CVE-2022-43551

Thank you,
Andrej

Re: curl

[Steve Sakoman]

On Thu, Mar 9, 2023 at 5:15 AM Valek, Andrej <andrej.valek@siemens.com> wrote:

> I have a question about curl. Would it be possible to backport some
> fixes for CVEs from kirkstone to dunfell?

The curl versions in kirkstone and dunfell are different, so a direct
cherry-pick of those patches may or may not work.

If you could test cherry-picking them and then submit the patches to
the list (with your Signed-off-by added) I would be happy to take them
:-)

Steve

[OE-core][dunfell][PATCH 1/2] curl: Fix CVE CVE-2022-43552

[Andrej Valek]

https://curl.se/docs/CVE-2022-43552.html

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 .../curl/curl/CVE-2022-43552.patch            | 79 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |  1 +
 2 files changed, 80 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-43552.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2022-43552.patch b/meta/recipes-support/curl/curl/CVE-2022-43552.patch
new file mode 100644
index 0000000000..7dc7dfa5ae
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-43552.patch
@@ -0,0 +1,79 @@
+From 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+
+CVE: CVE-2022-43552
+Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+---
+ lib/smb.c    | 14 ++------------
+ lib/telnet.c |  3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 2cfe041dff072..48d5a2fe006d5 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -61,8 +61,6 @@ static CURLcode smb_connect(struct conne
+ static CURLcode smb_connection_state(struct connectdata *conn, bool *done);
+ static CURLcode smb_do(struct connectdata *conn, bool *done);
+ static CURLcode smb_request_state(struct connectdata *conn, bool *done);
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+-                         bool premature);
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead);
+ static int smb_getsock(struct connectdata *conn, curl_socket_t *socks);
+ static CURLcode smb_parse_url_path(struct connectdata *conn);
+@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_s
+   "SMB",                                /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
++  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -99,7 +97,7 @@ const struct Curl_handler Curl_handler_s
+   "SMBS",                               /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
++  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -919,14 +917,6 @@ static CURLcode smb_request_state(struct
+   return CURLE_OK;
+ }
+ 
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+-                         bool premature)
+-{
+-  (void) premature;
+-  Curl_safefree(conn->data->req.protop);
+-  return status;
+-}
+-
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead)
+ {
+   struct smb_conn *smbc = &conn->proto.smbc;
+diff -Naurp curl-7.69.1.orig/lib/telnet.c curl-7.69.1/lib/telnet.c
+--- curl-7.69.1.orig/lib/telnet.c	2020-03-09 16:31:01.000000000 +0100
++++ curl-7.69.1/lib/telnet.c	2023-03-10 10:35:27.978378949 +0100
+@@ -1290,8 +1290,6 @@ static CURLcode telnet_done(struct conne
+   curl_slist_free_all(tn->telnet_vars);
+   tn->telnet_vars = NULL;
+ 
+-  Curl_safefree(conn->data->req.protop);
+-
+   return CURLE_OK;
+ }
+ 
\ No newline at end of file
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 63faae6296..899daf8eac 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -41,6 +41,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2022-35252.patch \
            file://CVE-2022-32221.patch \
            file://CVE-2022-35260.patch \
+           file://CVE-2022-43552.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
-- 
2.39.2

[OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

[Andrej Valek]

All mentioned CVEs are related to HSTS check feature, which is not
implemented in version 7.69.1 .

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 899daf8eac..ea36c0bd3d 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-229
 # This CVE issue affects Windows only Hence whitelisting this CVE
 CVE_CHECK_WHITELIST += "CVE-2021-22897"
 
+# HSTS check feature is not implemented
+CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
+
 inherit autotools pkgconfig binconfig multilib_header
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib"
-- 
2.39.2

Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

[Steve Sakoman]

On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek <andrej.valek@siemens.com> wrote:
>
> All mentioned CVEs are related to HSTS check feature, which is not
> implemented in version 7.69.1 .

Is this due to an error in the CPE database?  If so, perhaps the
better approach would be to send a version correction request to
cpe_dictionary@nist.gov

Steve

> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
>  meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
> index 899daf8eac..ea36c0bd3d 100644
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-229
>  # This CVE issue affects Windows only Hence whitelisting this CVE
>  CVE_CHECK_WHITELIST += "CVE-2021-22897"
>
> +# HSTS check feature is not implemented
> +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
> +
>  inherit autotools pkgconfig binconfig multilib_header
>
>  PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib"
> --
> 2.39.2
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#178321): https://lists.openembedded.org/g/openembedded-core/message/178321
> Mute This Topic: https://lists.openembedded.org/mt/97516349/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

[Steve Sakoman]

On Tue, Mar 14, 2023 at 4:26 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek <andrej.valek@siemens.com> wrote:
> >
> > All mentioned CVEs are related to HSTS check feature, which is not
> > implemented in version 7.69.1 .
>
> Is this due to an error in the CPE database?  If so, perhaps the
> better approach would be to send a version correction request to
> cpe_dictionary@nist.gov

Hmmm . . . looking at the most recent dunfell CVE report I see that
only CVE-2022-42916 is listed.

The CPE database indicates the issue is present for versions 7.57.0
onwards up to but not including 7.88.0

Steve


> > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > ---
> >  meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
> > index 899daf8eac..ea36c0bd3d 100644
> > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-229
> >  # This CVE issue affects Windows only Hence whitelisting this CVE
> >  CVE_CHECK_WHITELIST += "CVE-2021-22897"
> >
> > +# HSTS check feature is not implemented
> > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
> > +
> >  inherit autotools pkgconfig binconfig multilib_header
> >
> >  PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib"
> > --
> > 2.39.2
> >
> >
> >
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#178493): https://lists.openembedded.org/g/openembedded-core/message/178493
> Mute This Topic: https://lists.openembedded.org/mt/97516349/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

[Valek, Andrej]

Hello Steve,

Ok, looks like I received a wrong notification, sorry. So you can keep
there only the 42916.
Basically all the HSTS check features are not implemented in the 7.69.1
version.

Regards,
Andrej

On Tue, 2023-03-14 at 04:39 -1000, Steve Sakoman wrote:
> On Tue, Mar 14, 2023 at 4:26 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> > 
> > On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek
> > <andrej.valek@siemens.com> wrote:
> > > 
> > > All mentioned CVEs are related to HSTS check feature, which is
> > > not
> > > implemented in version 7.69.1 .
> > 
> > Is this due to an error in the CPE database?  If so, perhaps the
> > better approach would be to send a version correction request to
> > cpe_dictionary@nist.gov
> 
> Hmmm . . . looking at the most recent dunfell CVE report I see that
> only CVE-2022-42916 is listed.
> 
> The CPE database indicates the issue is present for versions 7.57.0
> onwards up to but not including 7.88.0
> 
> Steve
> 
> 
> > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > ---
> > >  meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
> > >  1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb
> > > b/meta/recipes-support/curl/curl_7.69.1.bb
> > > index 899daf8eac..ea36c0bd3d 100644
> > > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-
> > > 22923 CVE-2021-22926 CVE-2021-229
> > >  # This CVE issue affects Windows only Hence whitelisting this
> > > CVE
> > >  CVE_CHECK_WHITELIST += "CVE-2021-22897"
> > > 
> > > +# HSTS check feature is not implemented
> > > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-
> > > 43551"
> > > +
> > >  inherit autotools pkgconfig binconfig multilib_header
> > > 
> > >  PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6',
> > > d)} gnutls libidn proxy threaded-resolver verbose zlib"
> > > --
> > > 2.39.2
> > > 
> > > 
> > > 
> > > 
> > 
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#178493):
> > https://lists.openembedded.org/g/openembedded-core/message/178493
> > Mute This Topic: https://lists.openembedded.org/mt/97516349/3620601
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe:
> > https://lists.openembedded.org/g/openembedded-core/unsub [
> > steve@sakoman.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> > 

Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

[Steve Sakoman]

On Tue, Mar 14, 2023 at 5:07 AM Valek, Andrej <andrej.valek@siemens.com> wrote:
>
> Hello Steve,
>
> Ok, looks like I received a wrong notification, sorry. So you can keep
> there only the 42916.
> Basically all the HSTS check features are not implemented in the 7.69.1
> version.

I still have the same comment on how we should handle this issue:

> > > Is this due to an error in the CPE database?  If so, perhaps the
> > > better approach would be to send a version correction request to
> > > cpe_dictionary@nist.gov

Steve

> > > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > > ---
> > > >  meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
> > > >  1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb
> > > > b/meta/recipes-support/curl/curl_7.69.1.bb
> > > > index 899daf8eac..ea36c0bd3d 100644
> > > > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > > > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-
> > > > 22923 CVE-2021-22926 CVE-2021-229
> > > >  # This CVE issue affects Windows only Hence whitelisting this
> > > > CVE
> > > >  CVE_CHECK_WHITELIST += "CVE-2021-22897"
> > > >
> > > > +# HSTS check feature is not implemented
> > > > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-
> > > > 43551"
> > > > +
> > > >  inherit autotools pkgconfig binconfig multilib_header
> > > >
> > > >  PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6',
> > > > d)} gnutls libidn proxy threaded-resolver verbose zlib"
> > > > --
> > > > 2.39.2
> > > >
> > > >
> > > >
> > > >
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > > Links: You receive all messages sent to this group.
> > > View/Reply Online (#178493):
> > > https://lists.openembedded.org/g/openembedded-core/message/178493
> > > Mute This Topic: https://lists.openembedded.org/mt/97516349/3620601
> > > Group Owner: openembedded-core+owner@lists.openembedded.org
> > > Unsubscribe:
> > > https://lists.openembedded.org/g/openembedded-core/unsub [
> > > steve@sakoman.com]
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > >
>

[OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897

[Andrej Valek]

https://curl.se/docs/CVE-2021-22897.html

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 .../curl/curl/CVE-2021-22897.patch            | 73 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |  1 +
 2 files changed, 74 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22897.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
new file mode 100644
index 0000000000..cbd6c067ce
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
@@ -0,0 +1,73 @@
+From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 23 Apr 2021 10:54:10 +0200
+Subject: [PATCH] schannel: don't use static to store selected ciphers
+
+CVE-2021-22897
+
+Bug: https://curl.se/docs/CVE-2021-22897.html
+
+Upstream-Status: Backport
+[https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511]
+
+CVE: CVE-2021-22897
+
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+---
+ lib/vtls/schannel.c | 9 +++++----
+ lib/vtls/schannel.h | 3 +++
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index 8c25ac5dd5a5..dba7072273a9 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name)
+ }
+ 
+ static CURLcode
+-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
++                int *algIds)
+ {
+   char *startCur = ciphers;
+   int algCount = 0;
+-  static ALG_ID algIds[45]; /*There are 45 listed in the MS headers*/
+-  while(startCur && (0 != *startCur) && (algCount < 45)) {
++  while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS)) {
+     long alg = strtol(startCur, 0, 0);
+     if(!alg)
+       alg = get_alg_id_by_name(startCur);
+@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat
+     }
+ 
+     if(SSL_CONN_CONFIG(cipher_list)) {
+-      result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list));
++      result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list),
++                               BACKEND->algIds);
+       if(CURLE_OK != result) {
+         failf(data, "Unable to set ciphers to passed via SSL_CONN_CONFIG");
+         return result;
+diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
+index 2952caa1a5a1..77853aa30f96 100644
+--- a/lib/vtls/schannel.h
++++ b/lib/vtls/schannel.h
+@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct
+ #endif
+ #endif
+ 
++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers */
++
+ struct curl_schannel_cred {
+   CredHandle cred_handle;
+   TimeStamp time_stamp;
+@@ -101,6 +103,7 @@ struct ssl_backend_data {
+ #ifdef HAS_MANUAL_VERIFY_API
+   bool use_manual_cred_validation; /* true if manual cred validation is used */
+ #endif
++  ALG_ID algIds[NUMOF_CIPHERS];
+ };
+ #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
+ 
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index ea36c0bd3d..384719dd15 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2020-8286.patch \
            file://CVE-2021-22876.patch \
            file://CVE-2021-22890.patch \
+           file://CVE-2021-22897.patch \
            file://CVE-2021-22898.patch \
            file://CVE-2021-22924.patch \
            file://CVE-2021-22925.patch \
-- 
2.39.2

Re: [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897

[Valek, Andrej]

Hello again,

Looks like that this patch showed some isses/open points:
- CVE-2021-22897 is white-listed already, but in hardknott is fixed
already
https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch
 - So do we have to ignore the patch, or apply and remove the
whitelist, or remove patch from hardknott?
- Https certificate at yocto.io has been expired ;)

Regards,
Andrej

On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote:
> https://curl.se/docs/CVE-2021-22897.html
> 
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
>  .../curl/curl/CVE-2021-22897.patch            | 73
> +++++++++++++++++++
>  meta/recipes-support/curl/curl_7.69.1.bb      |  1 +
>  2 files changed, 74 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2021-
> 22897.patch
> 
> diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> new file mode 100644
> index 0000000000..cbd6c067ce
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> @@ -0,0 +1,73 @@
> +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00
> 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Fri, 23 Apr 2021 10:54:10 +0200
> +Subject: [PATCH] schannel: don't use static to store selected
> ciphers
> +
> +CVE-2021-22897
> +
> +Bug: https://curl.se/docs/CVE-2021-22897.html
> +
> +Upstream-Status: Backport
> +[
> https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3
> 2834511]
> +
> +CVE: CVE-2021-22897
> +
> +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> +Signed-off-by: Khairul Rohaizzat Jamaluddin
> <khairul.rohaizzat.jamaluddin@intel.com>
> +Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> +---
> + lib/vtls/schannel.c | 9 +++++----
> + lib/vtls/schannel.h | 3 +++
> + 2 files changed, 8 insertions(+), 4 deletions(-)
> +
> +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
> +index 8c25ac5dd5a5..dba7072273a9 100644
> +--- a/lib/vtls/schannel.c
> ++++ b/lib/vtls/schannel.c
> +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name)
> + }
> + 
> + static CURLcode
> +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
> ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
> ++                int *algIds)
> + {
> +   char *startCur = ciphers;
> +   int algCount = 0;
> +-  static ALG_ID algIds[45]; /*There are 45 listed in the MS
> headers*/
> +-  while(startCur && (0 != *startCur) && (algCount < 45)) {
> ++  while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS))
> {
> +     long alg = strtol(startCur, 0, 0);
> +     if(!alg)
> +       alg = get_alg_id_by_name(startCur);
> +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat
> +     }
> + 
> +     if(SSL_CONN_CONFIG(cipher_list)) {
> +-      result = set_ssl_ciphers(&schannel_cred,
> SSL_CONN_CONFIG(cipher_list));
> ++      result = set_ssl_ciphers(&schannel_cred,
> SSL_CONN_CONFIG(cipher_list),
> ++                               BACKEND->algIds);
> +       if(CURLE_OK != result) {
> +         failf(data, "Unable to set ciphers to passed via
> SSL_CONN_CONFIG");
> +         return result;
> +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
> +index 2952caa1a5a1..77853aa30f96 100644
> +--- a/lib/vtls/schannel.h
> ++++ b/lib/vtls/schannel.h
> +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct
> + #endif
> + #endif
> + 
> ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers
> */
> ++
> + struct curl_schannel_cred {
> +   CredHandle cred_handle;
> +   TimeStamp time_stamp;
> +@@ -101,6 +103,7 @@ struct ssl_backend_data {
> + #ifdef HAS_MANUAL_VERIFY_API
> +   bool use_manual_cred_validation; /* true if manual cred
> validation is used */
> + #endif
> ++  ALG_ID algIds[NUMOF_CIPHERS];
> + };
> + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
> + 
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-
> support/curl/curl_7.69.1.bb
> index ea36c0bd3d..384719dd15 100644
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> @@ -19,6 +19,7 @@ SRC_URI =
> "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
>             file://CVE-2020-8286.patch \
>             file://CVE-2021-22876.patch \
>             file://CVE-2021-22890.patch \
> +           file://CVE-2021-22897.patch \
>             file://CVE-2021-22898.patch \
>             file://CVE-2021-22924.patch \
>             file://CVE-2021-22925.patch \

Re: [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897

[Steve Sakoman]

On Fri, Mar 10, 2023 at 3:09 AM Valek, Andrej <andrej.valek@siemens.com> wrote:
>
> Hello again,
>
> Looks like that this patch showed some isses/open points:
> - CVE-2021-22897 is white-listed already, but in hardknott is fixed
> already
> https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch
>  - So do we have to ignore the patch, or apply and remove the
> whitelist, or remove patch from hardknott?

Hardknott is no longer being maintained, so nothing needs to be done there.

Since this is a Windows only bug ("It can only trigger when Schannel
is used, which is the native TLS library in Microsoft Windows") I
think the existing whitelist is fine and we don't need this additional
patch.

> - Https certificate at yocto.io has been expired ;)

Can you give me the url which is giving the expired certificate error?

Thanks!

Steve

> Regards,
> Andrej
>
> On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote:
> > https://curl.se/docs/CVE-2021-22897.html
> >
> > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > ---
> >  .../curl/curl/CVE-2021-22897.patch            | 73
> > +++++++++++++++++++
> >  meta/recipes-support/curl/curl_7.69.1.bb      |  1 +
> >  2 files changed, 74 insertions(+)
> >  create mode 100644 meta/recipes-support/curl/curl/CVE-2021-
> > 22897.patch
> >
> > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > new file mode 100644
> > index 0000000000..cbd6c067ce
> > --- /dev/null
> > +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > @@ -0,0 +1,73 @@
> > +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00
> > 2001
> > +From: Daniel Stenberg <daniel@haxx.se>
> > +Date: Fri, 23 Apr 2021 10:54:10 +0200
> > +Subject: [PATCH] schannel: don't use static to store selected
> > ciphers
> > +
> > +CVE-2021-22897
> > +
> > +Bug: https://curl.se/docs/CVE-2021-22897.html
> > +
> > +Upstream-Status: Backport
> > +[
> > https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3
> > 2834511]
> > +
> > +CVE: CVE-2021-22897
> > +
> > +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> > +Signed-off-by: Khairul Rohaizzat Jamaluddin
> > <khairul.rohaizzat.jamaluddin@intel.com>
> > +Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > +---
> > + lib/vtls/schannel.c | 9 +++++----
> > + lib/vtls/schannel.h | 3 +++
> > + 2 files changed, 8 insertions(+), 4 deletions(-)
> > +
> > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
> > +index 8c25ac5dd5a5..dba7072273a9 100644
> > +--- a/lib/vtls/schannel.c
> > ++++ b/lib/vtls/schannel.c
> > +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name)
> > + }
> > +
> > + static CURLcode
> > +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
> > ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
> > ++                int *algIds)
> > + {
> > +   char *startCur = ciphers;
> > +   int algCount = 0;
> > +-  static ALG_ID algIds[45]; /*There are 45 listed in the MS
> > headers*/
> > +-  while(startCur && (0 != *startCur) && (algCount < 45)) {
> > ++  while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS))
> > {
> > +     long alg = strtol(startCur, 0, 0);
> > +     if(!alg)
> > +       alg = get_alg_id_by_name(startCur);
> > +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat
> > +     }
> > +
> > +     if(SSL_CONN_CONFIG(cipher_list)) {
> > +-      result = set_ssl_ciphers(&schannel_cred,
> > SSL_CONN_CONFIG(cipher_list));
> > ++      result = set_ssl_ciphers(&schannel_cred,
> > SSL_CONN_CONFIG(cipher_list),
> > ++                               BACKEND->algIds);
> > +       if(CURLE_OK != result) {
> > +         failf(data, "Unable to set ciphers to passed via
> > SSL_CONN_CONFIG");
> > +         return result;
> > +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
> > +index 2952caa1a5a1..77853aa30f96 100644
> > +--- a/lib/vtls/schannel.h
> > ++++ b/lib/vtls/schannel.h
> > +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct
> > + #endif
> > + #endif
> > +
> > ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers
> > */
> > ++
> > + struct curl_schannel_cred {
> > +   CredHandle cred_handle;
> > +   TimeStamp time_stamp;
> > +@@ -101,6 +103,7 @@ struct ssl_backend_data {
> > + #ifdef HAS_MANUAL_VERIFY_API
> > +   bool use_manual_cred_validation; /* true if manual cred
> > validation is used */
> > + #endif
> > ++  ALG_ID algIds[NUMOF_CIPHERS];
> > + };
> > + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
> > +
> > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-
> > support/curl/curl_7.69.1.bb
> > index ea36c0bd3d..384719dd15 100644
> > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > @@ -19,6 +19,7 @@ SRC_URI =
> > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
> >             file://CVE-2020-8286.patch \
> >             file://CVE-2021-22876.patch \
> >             file://CVE-2021-22890.patch \
> > +           file://CVE-2021-22897.patch \
> >             file://CVE-2021-22898.patch \
> >             file://CVE-2021-22924.patch \
> >             file://CVE-2021-22925.patch \
>

Re: [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897

[Valek, Andrej]

Hello Steve,

- patch
 - I'm fine with explanation
- Cert error
 - for example here:
https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-dunfell.txt

Regards,
Andrej

On Fri, 2023-03-10 at 04:40 -1000, Steve Sakoman wrote:
> On Fri, Mar 10, 2023 at 3:09 AM Valek, Andrej
> <andrej.valek@siemens.com> wrote:
> > 
> > Hello again,
> > 
> > Looks like that this patch showed some isses/open points:
> > - CVE-2021-22897 is white-listed already, but in hardknott is fixed
> > already
> > https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> >  - So do we have to ignore the patch, or apply and remove the
> > whitelist, or remove patch from hardknott?
> 
> Hardknott is no longer being maintained, so nothing needs to be done
> there.
> 
> Since this is a Windows only bug ("It can only trigger when Schannel
> is used, which is the native TLS library in Microsoft Windows") I
> think the existing whitelist is fine and we don't need this
> additional
> patch.
> 
> > - Https certificate at yocto.io has been expired ;)
> 
> Can you give me the url which is giving the expired certificate
> error?
> 
> Thanks!
> 
> Steve
> 
> > Regards,
> > Andrej
> > 
> > On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote:
> > > https://curl.se/docs/CVE-2021-22897.html
> > > 
> > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > ---
> > >  .../curl/curl/CVE-2021-22897.patch            | 73
> > > +++++++++++++++++++
> > >  meta/recipes-support/curl/curl_7.69.1.bb      |  1 +
> > >  2 files changed, 74 insertions(+)
> > >  create mode 100644 meta/recipes-support/curl/curl/CVE-2021-
> > > 22897.patch
> > > 
> > > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > > b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > > new file mode 100644
> > > index 0000000000..cbd6c067ce
> > > --- /dev/null
> > > +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > > @@ -0,0 +1,73 @@
> > > +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17
> > > 00:00:00
> > > 2001
> > > +From: Daniel Stenberg <daniel@haxx.se>
> > > +Date: Fri, 23 Apr 2021 10:54:10 +0200
> > > +Subject: [PATCH] schannel: don't use static to store selected
> > > ciphers
> > > +
> > > +CVE-2021-22897
> > > +
> > > +Bug: https://curl.se/docs/CVE-2021-22897.html
> > > +
> > > +Upstream-Status: Backport
> > > +[
> > > https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3
> > > 2834511]
> > > +
> > > +CVE: CVE-2021-22897
> > > +
> > > +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> > > +Signed-off-by: Khairul Rohaizzat Jamaluddin
> > > <khairul.rohaizzat.jamaluddin@intel.com>
> > > +Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > +---
> > > + lib/vtls/schannel.c | 9 +++++----
> > > + lib/vtls/schannel.h | 3 +++
> > > + 2 files changed, 8 insertions(+), 4 deletions(-)
> > > +
> > > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
> > > +index 8c25ac5dd5a5..dba7072273a9 100644
> > > +--- a/lib/vtls/schannel.c
> > > ++++ b/lib/vtls/schannel.c
> > > +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name)
> > > + }
> > > +
> > > + static CURLcode
> > > +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
> > > ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
> > > ++                int *algIds)
> > > + {
> > > +   char *startCur = ciphers;
> > > +   int algCount = 0;
> > > +-  static ALG_ID algIds[45]; /*There are 45 listed in the MS
> > > headers*/
> > > +-  while(startCur && (0 != *startCur) && (algCount < 45)) {
> > > ++  while(startCur && (0 != *startCur) && (algCount <
> > > NUMOF_CIPHERS))
> > > {
> > > +     long alg = strtol(startCur, 0, 0);
> > > +     if(!alg)
> > > +       alg = get_alg_id_by_name(startCur);
> > > +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat
> > > +     }
> > > +
> > > +     if(SSL_CONN_CONFIG(cipher_list)) {
> > > +-      result = set_ssl_ciphers(&schannel_cred,
> > > SSL_CONN_CONFIG(cipher_list));
> > > ++      result = set_ssl_ciphers(&schannel_cred,
> > > SSL_CONN_CONFIG(cipher_list),
> > > ++                               BACKEND->algIds);
> > > +       if(CURLE_OK != result) {
> > > +         failf(data, "Unable to set ciphers to passed via
> > > SSL_CONN_CONFIG");
> > > +         return result;
> > > +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
> > > +index 2952caa1a5a1..77853aa30f96 100644
> > > +--- a/lib/vtls/schannel.h
> > > ++++ b/lib/vtls/schannel.h
> > > +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct
> > > + #endif
> > > + #endif
> > > +
> > > ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS
> > > headers
> > > */
> > > ++
> > > + struct curl_schannel_cred {
> > > +   CredHandle cred_handle;
> > > +   TimeStamp time_stamp;
> > > +@@ -101,6 +103,7 @@ struct ssl_backend_data {
> > > + #ifdef HAS_MANUAL_VERIFY_API
> > > +   bool use_manual_cred_validation; /* true if manual cred
> > > validation is used */
> > > + #endif
> > > ++  ALG_ID algIds[NUMOF_CIPHERS];
> > > + };
> > > + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
> > > +
> > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb
> > > b/meta/recipes-
> > > support/curl/curl_7.69.1.bb
> > > index ea36c0bd3d..384719dd15 100644
> > > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > > @@ -19,6 +19,7 @@ SRC_URI =
> > > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
> > >             file://CVE-2020-8286.patch \
> > >             file://CVE-2021-22876.patch \
> > >             file://CVE-2021-22890.patch \
> > > +           file://CVE-2021-22897.patch \
> > >             file://CVE-2021-22898.patch \
> > >             file://CVE-2021-22924.patch \
> > >             file://CVE-2021-22925.patch \
> > 

Re: [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897

[Steve Sakoman]

On Fri, Mar 10, 2023 at 4:49 AM Valek, Andrej <andrej.valek@siemens.com> wrote:
>
> Hello Steve,
>
> - patch
>  - I'm fine with explanation
> - Cert error
>  - for example here:
> https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-dunfell.txt

Thanks, I opened a ticket with the infrastructure support team.

Steve

> On Fri, 2023-03-10 at 04:40 -1000, Steve Sakoman wrote:
> > On Fri, Mar 10, 2023 at 3:09 AM Valek, Andrej
> > <andrej.valek@siemens.com> wrote:
> > >
> > > Hello again,
> > >
> > > Looks like that this patch showed some isses/open points:
> > > - CVE-2021-22897 is white-listed already, but in hardknott is fixed
> > > already
> > > https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > >  - So do we have to ignore the patch, or apply and remove the
> > > whitelist, or remove patch from hardknott?
> >
> > Hardknott is no longer being maintained, so nothing needs to be done
> > there.
> >
> > Since this is a Windows only bug ("It can only trigger when Schannel
> > is used, which is the native TLS library in Microsoft Windows") I
> > think the existing whitelist is fine and we don't need this
> > additional
> > patch.
> >
> > > - Https certificate at yocto.io has been expired ;)
> >
> > Can you give me the url which is giving the expired certificate
> > error?
> >
> > Thanks!
> >
> > Steve
> >
> > > Regards,
> > > Andrej
> > >
> > > On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote:
> > > > https://curl.se/docs/CVE-2021-22897.html
> > > >
> > > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > > ---
> > > >  .../curl/curl/CVE-2021-22897.patch            | 73
> > > > +++++++++++++++++++
> > > >  meta/recipes-support/curl/curl_7.69.1.bb      |  1 +
> > > >  2 files changed, 74 insertions(+)
> > > >  create mode 100644 meta/recipes-support/curl/curl/CVE-2021-
> > > > 22897.patch
> > > >
> > > > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > > > b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > > > new file mode 100644
> > > > index 0000000000..cbd6c067ce
> > > > --- /dev/null
> > > > +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > > > @@ -0,0 +1,73 @@
> > > > +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17
> > > > 00:00:00
> > > > 2001
> > > > +From: Daniel Stenberg <daniel@haxx.se>
> > > > +Date: Fri, 23 Apr 2021 10:54:10 +0200
> > > > +Subject: [PATCH] schannel: don't use static to store selected
> > > > ciphers
> > > > +
> > > > +CVE-2021-22897
> > > > +
> > > > +Bug: https://curl.se/docs/CVE-2021-22897.html
> > > > +
> > > > +Upstream-Status: Backport
> > > > +[
> > > > https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3
> > > > 2834511]
> > > > +
> > > > +CVE: CVE-2021-22897
> > > > +
> > > > +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> > > > +Signed-off-by: Khairul Rohaizzat Jamaluddin
> > > > <khairul.rohaizzat.jamaluddin@intel.com>
> > > > +Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > > +---
> > > > + lib/vtls/schannel.c | 9 +++++----
> > > > + lib/vtls/schannel.h | 3 +++
> > > > + 2 files changed, 8 insertions(+), 4 deletions(-)
> > > > +
> > > > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
> > > > +index 8c25ac5dd5a5..dba7072273a9 100644
> > > > +--- a/lib/vtls/schannel.c
> > > > ++++ b/lib/vtls/schannel.c
> > > > +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name)
> > > > + }
> > > > +
> > > > + static CURLcode
> > > > +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
> > > > ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
> > > > ++                int *algIds)
> > > > + {
> > > > +   char *startCur = ciphers;
> > > > +   int algCount = 0;
> > > > +-  static ALG_ID algIds[45]; /*There are 45 listed in the MS
> > > > headers*/
> > > > +-  while(startCur && (0 != *startCur) && (algCount < 45)) {
> > > > ++  while(startCur && (0 != *startCur) && (algCount <
> > > > NUMOF_CIPHERS))
> > > > {
> > > > +     long alg = strtol(startCur, 0, 0);
> > > > +     if(!alg)
> > > > +       alg = get_alg_id_by_name(startCur);
> > > > +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat
> > > > +     }
> > > > +
> > > > +     if(SSL_CONN_CONFIG(cipher_list)) {
> > > > +-      result = set_ssl_ciphers(&schannel_cred,
> > > > SSL_CONN_CONFIG(cipher_list));
> > > > ++      result = set_ssl_ciphers(&schannel_cred,
> > > > SSL_CONN_CONFIG(cipher_list),
> > > > ++                               BACKEND->algIds);
> > > > +       if(CURLE_OK != result) {
> > > > +         failf(data, "Unable to set ciphers to passed via
> > > > SSL_CONN_CONFIG");
> > > > +         return result;
> > > > +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
> > > > +index 2952caa1a5a1..77853aa30f96 100644
> > > > +--- a/lib/vtls/schannel.h
> > > > ++++ b/lib/vtls/schannel.h
> > > > +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct
> > > > + #endif
> > > > + #endif
> > > > +
> > > > ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS
> > > > headers
> > > > */
> > > > ++
> > > > + struct curl_schannel_cred {
> > > > +   CredHandle cred_handle;
> > > > +   TimeStamp time_stamp;
> > > > +@@ -101,6 +103,7 @@ struct ssl_backend_data {
> > > > + #ifdef HAS_MANUAL_VERIFY_API
> > > > +   bool use_manual_cred_validation; /* true if manual cred
> > > > validation is used */
> > > > + #endif
> > > > ++  ALG_ID algIds[NUMOF_CIPHERS];
> > > > + };
> > > > + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
> > > > +
> > > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb
> > > > b/meta/recipes-
> > > > support/curl/curl_7.69.1.bb
> > > > index ea36c0bd3d..384719dd15 100644
> > > > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > > > @@ -19,6 +19,7 @@ SRC_URI =
> > > > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
> > > >             file://CVE-2020-8286.patch \
> > > >             file://CVE-2021-22876.patch \
> > > >             file://CVE-2021-22890.patch \
> > > > +           file://CVE-2021-22897.patch \
> > > >             file://CVE-2021-22898.patch \
> > > >             file://CVE-2021-22924.patch \
> > > >             file://CVE-2021-22925.patch \
> > >
>

[OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs

[Andrej Valek]

- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
more flexible. CVE_STATUS should contain flag for each CVE with accepted
values "Ignored", "Not applicable" or "Patched". It allows to add
a status for each CVEs.
- Optional CVE_STATUS_REASONING flag variable may contain a reason
why the CVE status was used. It will be added in csv/json report like
a new "reason" entry.
- Settings the same status and reason for multiple CVEs is possible
via CVE_STATUS_GROUPS variable.
- All listed CVEs in CVE_CHECK_IGNORE are copied to CVE_STATUS with
value "Ignored" like a fallback.

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
CVE_STATUS[CVE-1234-0002] = "Not applicable"
CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"

CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
CVE_STATUS_WIN[status] = "Not applicable"
CVE_STATUS_WIN[reason] = "Issue only applies on Windows"

CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
CVE_STATUS_PATCHED[status] = "Patched"
CVE_STATUS_PATCHED[reason] = "Fixed externally"

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 44 ++++++++++++++++++++++++++++++----
 meta/lib/oe/cve_check.py       |  6 +++++
 2 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445c..44462de7445 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,12 +70,15 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional reason for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
+# CVE_STATUS[CVE-1234-0002] = "Not applicable"
+# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"
 #
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
 # Layers to be excluded
@@ -88,6 +91,25 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+    cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+    if cve_check_ignore:
+        bb.warn("CVE_CHECK_IGNORE has been deprecated, use CVE_STATUS instead")
+        set_cves_statuses(d, d.getVar("CVE_CHECK_IGNORE"), "Ignored")
+
+    # Process CVE_STATUS_GROUPS to set multiple statuses and optional reasons at once
+    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+        set_cves_statuses(d, d.getVar(cve_status_group) or "",
+                          d.getVarFlag(cve_status_group, "status"),
+                          d.getVarFlag(cve_status_group, "reason"))
+}
+
+def set_cves_statuses(d, cves, status, reason=""):
+    for cve in cves.split():
+        d.setVarFlag("CVE_STATUS", cve, status)
+        d.setVarFlag("CVE_STATUS_REASONING", cve, reason)
+
 def generate_json_report(d, out_path, link_path):
     if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
         import json
@@ -282,7 +304,13 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been skipped by cve-check")
         return ([], [], [], [])
 
-    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+    # Convert CVE_STATUS into ignored CVEs and check validity
+    cve_ignore = []
+    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+        if status in ["Not applicable", "Ignored"]:
+            cve_ignore.append(cve)
+        elif status not in ["Patched"]:
+            bb.error("Unsupported status %s in CVE_STATUS[%s]" % (status, cve))
 
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
@@ -455,6 +483,9 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
         else:
             unpatched_cves.append(cve)
             write_string += "CVE STATUS: Unpatched\n"
+        reasoning = d.getVarFlag("CVE_STATUS_REASONING", cve)
+        if reasoning:
+            write_string += "CVE REASON: %s\n" % reasoning
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
         write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
@@ -576,6 +607,9 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
             "status" : status,
             "link": issue_link
         }
+        reasoning = d.getVarFlag("CVE_STATUS_REASONING", cve)
+        if reasoning:
+            cve_item["reason"] = reasoning
         cve_list.append(cve_item)
 
     package_data["issue"] = cve_list
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a3..f47dd9920ef 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,12 @@ def get_patched_cves(d):
         if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
+    # Search for additional patched CVEs
+    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+        if status == "Patched":
+            bb.debug(2, "CVE %s is additionally patched" % cve)
+            patched_cves.add(cve)
+
     return patched_cves
 
 
-- 
2.40.1

[OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

[Andrej Valek]

All mentioned CVEs are related to HSTS check feature, which is not
implemented in version 7.69.1 .

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 899daf8eac..ea36c0bd3d 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-229
 # This CVE issue affects Windows only Hence whitelisting this CVE
 CVE_CHECK_WHITELIST += "CVE-2021-22897"
 
+# HSTS check feature is not implemented
+CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
+
 inherit autotools pkgconfig binconfig multilib_header
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib"
-- 
2.39.2

Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

[Valek, Andrej]

This was sent by misstate, ignore it please.

Andrej

On Mon, 2023-06-12 at 13:57 +0200, Andrej Valek wrote:
> All mentioned CVEs are related to HSTS check feature, which is not
> implemented in version 7.69.1 .
> 
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
>  meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-
> support/curl/curl_7.69.1.bb
> index 899daf8eac..ea36c0bd3d 100644
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-
> 2021-22926 CVE-2021-229
>  # This CVE issue affects Windows only Hence whitelisting this CVE
>  CVE_CHECK_WHITELIST += "CVE-2021-22897"
>  
> +# HSTS check feature is not implemented
> +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
> +
>  inherit autotools pkgconfig binconfig multilib_header
>  
>  PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls
> libidn proxy threaded-resolver verbose zlib"