[kirkstone][PATCH] curl: Fix CVE-2023-27536

[kirkstone][PATCH] curl: Fix CVE-2023-27536

[mingli.yu]

From: Mingli Yu <mingli.yu@windriver.com>

Backport patch [1] to fix CVE-2023-27536.

[1] https://github.com/curl/curl/commit/cb49e67303dba

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
 .../curl/curl/CVE-2023-27536.patch            | 57 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
new file mode 100644
index 0000000000..842c70785a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
@@ -0,0 +1,57 @@
+From 6b1ef6d5ebbfd5e68dea1eea2dc0c6cc4dc2e394 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 17 Apr 2023 05:36:18 +0000
+Subject: [PATCH] url: only reuse connections with same GSS delegation
+
+Reported-by: Harry Sintonen
+Closes #10731
+
+CVE: CVE-2023-27536
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dba]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ lib/url.c     | 6 ++++++
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index df4377d..8c43c3b 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1350,6 +1350,11 @@ ConnectionExists(struct Curl_easy *data,
+         }
+       }
+ 
++      /* GSS delegation differences do not actually affect every connection
++         and auth method, but this check takes precaution before efficiency */
++      if(needle->gssapi_delegation != check->gssapi_delegation)
++        continue;
++
+       /* If multiplexing isn't enabled on the h2 connection and h1 is
+          explicitly requested, handle it: */
+       if((needle->handler->protocol & PROTO_FAMILY_HTTP) &&
+@@ -1807,6 +1812,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+   conn->fclosesocket = data->set.fclosesocket;
+   conn->closesocket_client = data->set.closesocket_client;
+   conn->lastused = Curl_now(); /* used now */
++  conn->gssapi_delegation = data->set.gssapi_delegation;
+ 
+   return conn;
+   error:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 69eb2ee..c2a7e6c 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1131,6 +1131,7 @@ struct connectdata {
+   int socks5_gssapi_enctype;
+ #endif
+   unsigned short localport;
++  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
+ };
+ 
+ /* The end of connectdata. */
+-- 
+2.23.0
+
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 945745cdde..888527857a 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -40,6 +40,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2023-23914_5-4.patch \
            file://CVE-2023-23914_5-5.patch \
            file://CVE-2023-23916.patch \
+           file://CVE-2023-27536.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
 
-- 
2.25.1

Re: [OE-core] [kirkstone][PATCH] curl: Fix CVE-2023-27536

[Steve Sakoman]

There is also a patch submitted today that fixes this CVE as well as
two others: https://lists.openembedded.org/g/openembedded-core/message/180143

Could you review the above patch and ack if you approve.  It would be
nice to fix all three patches in a single commit if possible.

Thanks!

Steve

On Sun, Apr 16, 2023 at 8:22 PM Yu, Mingli <mingli.yu@eng.windriver.com> wrote:
>
> From: Mingli Yu <mingli.yu@windriver.com>
>
> Backport patch [1] to fix CVE-2023-27536.
>
> [1] https://github.com/curl/curl/commit/cb49e67303dba
>
> Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
> ---
>  .../curl/curl/CVE-2023-27536.patch            | 57 +++++++++++++++++++
>  meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
>  2 files changed, 58 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
> new file mode 100644
> index 0000000000..842c70785a
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
> @@ -0,0 +1,57 @@
> +From 6b1ef6d5ebbfd5e68dea1eea2dc0c6cc4dc2e394 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Mon, 17 Apr 2023 05:36:18 +0000
> +Subject: [PATCH] url: only reuse connections with same GSS delegation
> +
> +Reported-by: Harry Sintonen
> +Closes #10731
> +
> +CVE: CVE-2023-27536
> +
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dba]
> +
> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
> +---
> + lib/url.c     | 6 ++++++
> + lib/urldata.h | 1 +
> + 2 files changed, 7 insertions(+)
> +
> +diff --git a/lib/url.c b/lib/url.c
> +index df4377d..8c43c3b 100644
> +--- a/lib/url.c
> ++++ b/lib/url.c
> +@@ -1350,6 +1350,11 @@ ConnectionExists(struct Curl_easy *data,
> +         }
> +       }
> +
> ++      /* GSS delegation differences do not actually affect every connection
> ++         and auth method, but this check takes precaution before efficiency */
> ++      if(needle->gssapi_delegation != check->gssapi_delegation)
> ++        continue;
> ++
> +       /* If multiplexing isn't enabled on the h2 connection and h1 is
> +          explicitly requested, handle it: */
> +       if((needle->handler->protocol & PROTO_FAMILY_HTTP) &&
> +@@ -1807,6 +1812,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
> +   conn->fclosesocket = data->set.fclosesocket;
> +   conn->closesocket_client = data->set.closesocket_client;
> +   conn->lastused = Curl_now(); /* used now */
> ++  conn->gssapi_delegation = data->set.gssapi_delegation;
> +
> +   return conn;
> +   error:
> +diff --git a/lib/urldata.h b/lib/urldata.h
> +index 69eb2ee..c2a7e6c 100644
> +--- a/lib/urldata.h
> ++++ b/lib/urldata.h
> +@@ -1131,6 +1131,7 @@ struct connectdata {
> +   int socks5_gssapi_enctype;
> + #endif
> +   unsigned short localport;
> ++  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
> + };
> +
> + /* The end of connectdata. */
> +--
> +2.23.0
> +
> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
> index 945745cdde..888527857a 100644
> --- a/meta/recipes-support/curl/curl_7.82.0.bb
> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> @@ -40,6 +40,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
>             file://CVE-2023-23914_5-4.patch \
>             file://CVE-2023-23914_5-5.patch \
>             file://CVE-2023-23916.patch \
> +           file://CVE-2023-27536.patch \
>             "
>  SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
>
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#180120): https://lists.openembedded.org/g/openembedded-core/message/180120
> Mute This Topic: https://lists.openembedded.org/mt/98313621/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [OE-core] [kirkstone][PATCH] curl: Fix CVE-2023-27536

[Yu, Mingli]

On 4/18/23 00:42, Steve Sakoman wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
> 
> There is also a patch submitted today that fixes this CVE as well as
> two others: https://lists.openembedded.org/g/openembedded-core/message/180143

I'm fine with the patch as 
https://lists.openembedded.org/g/openembedded-core/message/180143.

Thanks,

> 
> Could you review the above patch and ack if you approve.  It would be
> nice to fix all three patches in a single commit if possible.
> 
> Thanks!
> 
> Steve
> 
> On Sun, Apr 16, 2023 at 8:22 PM Yu, Mingli <mingli.yu@eng.windriver.com> wrote:
>>
>> From: Mingli Yu <mingli.yu@windriver.com>
>>
>> Backport patch [1] to fix CVE-2023-27536.
>>
>> [1] https://github.com/curl/curl/commit/cb49e67303dba
>>
>> Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
>> ---
>>   .../curl/curl/CVE-2023-27536.patch            | 57 +++++++++++++++++++
>>   meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
>>   2 files changed, 58 insertions(+)
>>   create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch
>>
>> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
>> new file mode 100644
>> index 0000000000..842c70785a
>> --- /dev/null
>> +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
>> @@ -0,0 +1,57 @@
>> +From 6b1ef6d5ebbfd5e68dea1eea2dc0c6cc4dc2e394 Mon Sep 17 00:00:00 2001
>> +From: Daniel Stenberg <daniel@haxx.se>
>> +Date: Mon, 17 Apr 2023 05:36:18 +0000
>> +Subject: [PATCH] url: only reuse connections with same GSS delegation
>> +
>> +Reported-by: Harry Sintonen
>> +Closes #10731
>> +
>> +CVE: CVE-2023-27536
>> +
>> +Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dba]
>> +
>> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
>> +---
>> + lib/url.c     | 6 ++++++
>> + lib/urldata.h | 1 +
>> + 2 files changed, 7 insertions(+)
>> +
>> +diff --git a/lib/url.c b/lib/url.c
>> +index df4377d..8c43c3b 100644
>> +--- a/lib/url.c
>> ++++ b/lib/url.c
>> +@@ -1350,6 +1350,11 @@ ConnectionExists(struct Curl_easy *data,
>> +         }
>> +       }
>> +
>> ++      /* GSS delegation differences do not actually affect every connection
>> ++         and auth method, but this check takes precaution before efficiency */
>> ++      if(needle->gssapi_delegation != check->gssapi_delegation)
>> ++        continue;
>> ++
>> +       /* If multiplexing isn't enabled on the h2 connection and h1 is
>> +          explicitly requested, handle it: */
>> +       if((needle->handler->protocol & PROTO_FAMILY_HTTP) &&
>> +@@ -1807,6 +1812,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
>> +   conn->fclosesocket = data->set.fclosesocket;
>> +   conn->closesocket_client = data->set.closesocket_client;
>> +   conn->lastused = Curl_now(); /* used now */
>> ++  conn->gssapi_delegation = data->set.gssapi_delegation;
>> +
>> +   return conn;
>> +   error:
>> +diff --git a/lib/urldata.h b/lib/urldata.h
>> +index 69eb2ee..c2a7e6c 100644
>> +--- a/lib/urldata.h
>> ++++ b/lib/urldata.h
>> +@@ -1131,6 +1131,7 @@ struct connectdata {
>> +   int socks5_gssapi_enctype;
>> + #endif
>> +   unsigned short localport;
>> ++  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
>> + };
>> +
>> + /* The end of connectdata. */
>> +--
>> +2.23.0
>> +
>> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
>> index 945745cdde..888527857a 100644
>> --- a/meta/recipes-support/curl/curl_7.82.0.bb
>> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
>> @@ -40,6 +40,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
>>              file://CVE-2023-23914_5-4.patch \
>>              file://CVE-2023-23914_5-5.patch \
>>              file://CVE-2023-23916.patch \
>> +           file://CVE-2023-27536.patch \
>>              "
>>   SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
>>
>> --
>> 2.25.1
>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#180120): https://lists.openembedded.org/g/openembedded-core/message/180120
>> Mute This Topic: https://lists.openembedded.org/mt/98313621/3620601
>> Group Owner: openembedded-core+owner@lists.openembedded.org
>> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>