From: "Yu, Mingli" <mingli.yu@windriver.com>
To: Steve Sakoman <steve@sakoman.com>,
"Yu, Mingli" <mingli.yu@eng.windriver.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [kirkstone][PATCH] curl: Fix CVE-2023-27536
Date: Wed, 19 Apr 2023 13:33:55 +0800 [thread overview]
Message-ID: <6428c683-615d-f73a-de15-86783a96cb7e@windriver.com> (raw)
In-Reply-To: <CAOSpxdbuzJiBAiSw4P3+YJc6rUqg1zvU_vsVds9zWq3L5V=EzQ@mail.gmail.com>
On 4/18/23 00:42, Steve Sakoman wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> There is also a patch submitted today that fixes this CVE as well as
> two others: https://lists.openembedded.org/g/openembedded-core/message/180143
I'm fine with the patch as
https://lists.openembedded.org/g/openembedded-core/message/180143.
Thanks,
>
> Could you review the above patch and ack if you approve. It would be
> nice to fix all three patches in a single commit if possible.
>
> Thanks!
>
> Steve
>
> On Sun, Apr 16, 2023 at 8:22 PM Yu, Mingli <mingli.yu@eng.windriver.com> wrote:
>>
>> From: Mingli Yu <mingli.yu@windriver.com>
>>
>> Backport patch [1] to fix CVE-2023-27536.
>>
>> [1] https://github.com/curl/curl/commit/cb49e67303dba
>>
>> Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
>> ---
>> .../curl/curl/CVE-2023-27536.patch | 57 +++++++++++++++++++
>> meta/recipes-support/curl/curl_7.82.0.bb | 1 +
>> 2 files changed, 58 insertions(+)
>> create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch
>>
>> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
>> new file mode 100644
>> index 0000000000..842c70785a
>> --- /dev/null
>> +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
>> @@ -0,0 +1,57 @@
>> +From 6b1ef6d5ebbfd5e68dea1eea2dc0c6cc4dc2e394 Mon Sep 17 00:00:00 2001
>> +From: Daniel Stenberg <daniel@haxx.se>
>> +Date: Mon, 17 Apr 2023 05:36:18 +0000
>> +Subject: [PATCH] url: only reuse connections with same GSS delegation
>> +
>> +Reported-by: Harry Sintonen
>> +Closes #10731
>> +
>> +CVE: CVE-2023-27536
>> +
>> +Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dba]
>> +
>> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
>> +---
>> + lib/url.c | 6 ++++++
>> + lib/urldata.h | 1 +
>> + 2 files changed, 7 insertions(+)
>> +
>> +diff --git a/lib/url.c b/lib/url.c
>> +index df4377d..8c43c3b 100644
>> +--- a/lib/url.c
>> ++++ b/lib/url.c
>> +@@ -1350,6 +1350,11 @@ ConnectionExists(struct Curl_easy *data,
>> + }
>> + }
>> +
>> ++ /* GSS delegation differences do not actually affect every connection
>> ++ and auth method, but this check takes precaution before efficiency */
>> ++ if(needle->gssapi_delegation != check->gssapi_delegation)
>> ++ continue;
>> ++
>> + /* If multiplexing isn't enabled on the h2 connection and h1 is
>> + explicitly requested, handle it: */
>> + if((needle->handler->protocol & PROTO_FAMILY_HTTP) &&
>> +@@ -1807,6 +1812,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
>> + conn->fclosesocket = data->set.fclosesocket;
>> + conn->closesocket_client = data->set.closesocket_client;
>> + conn->lastused = Curl_now(); /* used now */
>> ++ conn->gssapi_delegation = data->set.gssapi_delegation;
>> +
>> + return conn;
>> + error:
>> +diff --git a/lib/urldata.h b/lib/urldata.h
>> +index 69eb2ee..c2a7e6c 100644
>> +--- a/lib/urldata.h
>> ++++ b/lib/urldata.h
>> +@@ -1131,6 +1131,7 @@ struct connectdata {
>> + int socks5_gssapi_enctype;
>> + #endif
>> + unsigned short localport;
>> ++ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
>> + };
>> +
>> + /* The end of connectdata. */
>> +--
>> +2.23.0
>> +
>> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
>> index 945745cdde..888527857a 100644
>> --- a/meta/recipes-support/curl/curl_7.82.0.bb
>> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
>> @@ -40,6 +40,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
>> file://CVE-2023-23914_5-4.patch \
>> file://CVE-2023-23914_5-5.patch \
>> file://CVE-2023-23916.patch \
>> + file://CVE-2023-27536.patch \
>> "
>> SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
>>
>> --
>> 2.25.1
>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#180120): https://lists.openembedded.org/g/openembedded-core/message/180120
>> Mute This Topic: https://lists.openembedded.org/mt/98313621/3620601
>> Group Owner: openembedded-core+owner@lists.openembedded.org
>> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>
prev parent reply other threads:[~2023-04-19 5:34 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-17 6:22 [kirkstone][PATCH] curl: Fix CVE-2023-27536 mingli.yu
2023-04-17 16:42 ` [OE-core] " Steve Sakoman
2023-04-19 5:33 ` Yu, Mingli [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6428c683-615d-f73a-de15-86783a96cb7e@windriver.com \
--to=mingli.yu@windriver.com \
--cc=mingli.yu@eng.windriver.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=steve@sakoman.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox