[kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

* [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse
@ 2023-04-17  8:05 Hitendra Prajapati
  2023-04-17 16:41 ` [OE-core] " Steve Sakoman
  0 siblings, 1 reply; 3+ messages in thread
From: Hitendra Prajapati @ 2023-04-17  8:05 UTC (permalink / raw)
  To: openembedded-core; +Cc: Hitendra Prajapati

Upstream-Status: Backport from https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../curl/curl/CVE-2023-27538.patch            | 31 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27538.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
new file mode 100644
index 0000000000..8ef81fb306
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
@@ -0,0 +1,31 @@
+From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 08:22:51 +0100
+Subject: [PATCH] url: fix the SSH connection reuse check
+
+Reported-by: Harry Sintonen
+Closes #10735
+
+CVE: CVE-2023-27538
+Upstream-Status: Backport [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index f5e54c7..7dd342a 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1353,7 +1353,7 @@ ConnectionExists(struct Curl_easy *data,
+          (data->state.httpwant < CURL_HTTP_VERSION_2_0))
+         continue;
+ 
+-      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
++      if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
+         if(!ssh_config_matches(needle, check))
+           continue;
+       }
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 4c18afe293..b0a456016d 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -42,6 +42,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2023-23916.patch \
            file://CVE-2023-27533.patch \
            file://CVE-2023-27534.patch \
+           file://CVE-2023-27538.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
 
-- 
2.25.1



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [OE-core] [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse
  2023-04-17  8:05 [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse Hitendra Prajapati
@ 2023-04-17 16:41 ` Steve Sakoman
  2023-04-18  4:22   ` Hitendra Prajapati
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Sakoman @ 2023-04-17 16:41 UTC (permalink / raw)
  To: Hitendra Prajapati; +Cc: openembedded-core

There is also a patch submitted today that fixes this CVE as well as
two others: https://lists.openembedded.org/g/openembedded-core/message/180143

Could you review the above patch and ack if you approve.  It would be
nice to fix all three patches in a single commit if possible.

Thanks!

Steve

On Sun, Apr 16, 2023 at 10:05 PM Hitendra Prajapati
<hprajapati@mvista.com> wrote:
>
> Upstream-Status: Backport from https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
>  .../curl/curl/CVE-2023-27538.patch            | 31 +++++++++++++++++++
>  meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
>  2 files changed, 32 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27538.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
> new file mode 100644
> index 0000000000..8ef81fb306
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
> @@ -0,0 +1,31 @@
> +From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Fri, 10 Mar 2023 08:22:51 +0100
> +Subject: [PATCH] url: fix the SSH connection reuse check
> +
> +Reported-by: Harry Sintonen
> +Closes #10735
> +
> +CVE: CVE-2023-27538
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + lib/url.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/lib/url.c b/lib/url.c
> +index f5e54c7..7dd342a 100644
> +--- a/lib/url.c
> ++++ b/lib/url.c
> +@@ -1353,7 +1353,7 @@ ConnectionExists(struct Curl_easy *data,
> +          (data->state.httpwant < CURL_HTTP_VERSION_2_0))
> +         continue;
> +
> +-      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
> ++      if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
> +         if(!ssh_config_matches(needle, check))
> +           continue;
> +       }
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
> index 4c18afe293..b0a456016d 100644
> --- a/meta/recipes-support/curl/curl_7.82.0.bb
> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> @@ -42,6 +42,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
>             file://CVE-2023-23916.patch \
>             file://CVE-2023-27533.patch \
>             file://CVE-2023-27534.patch \
> +           file://CVE-2023-27538.patch \
>             "
>  SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
>
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#180151): https://lists.openembedded.org/g/openembedded-core/message/180151
> Mute This Topic: https://lists.openembedded.org/mt/98314707/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [OE-core] [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse
  2023-04-17 16:41 ` [OE-core] " Steve Sakoman
@ 2023-04-18  4:22   ` Hitendra Prajapati
  0 siblings, 0 replies; 3+ messages in thread
From: Hitendra Prajapati @ 2023-04-18  4:22 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: openembedded-core

[-- Attachment #1: Type: text/plain, Size: 3403 bytes --]

Hi Steve,

It is fine with combined patch as it contains fix for CVE-2023-27538.

Thank you & Regards,

Hitendra

On 17/04/23 22:11, Steve Sakoman wrote:
> There is also a patch submitted today that fixes this CVE as well as
> two others:https://lists.openembedded.org/g/openembedded-core/message/180143
>
> Could you review the above patch and ack if you approve.  It would be
> nice to fix all three patches in a single commit if possible.
>
> Thanks!
>
> Steve
>
> On Sun, Apr 16, 2023 at 10:05 PM Hitendra Prajapati
> <hprajapati@mvista.com>  wrote:
>> Upstream-Status: Backport fromhttps://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb
>>
>> Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>
>> ---
>>   .../curl/curl/CVE-2023-27538.patch            | 31 +++++++++++++++++++
>>   meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
>>   2 files changed, 32 insertions(+)
>>   create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27538.patch
>>
>> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
>> new file mode 100644
>> index 0000000000..8ef81fb306
>> --- /dev/null
>> +++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
>> @@ -0,0 +1,31 @@
>> +From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001
>> +From: Daniel Stenberg<daniel@haxx.se>
>> +Date: Fri, 10 Mar 2023 08:22:51 +0100
>> +Subject: [PATCH] url: fix the SSH connection reuse check
>> +
>> +Reported-by: Harry Sintonen
>> +Closes #10735
>> +
>> +CVE: CVE-2023-27538
>> +Upstream-Status: Backport [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
>> +Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>
>> +---
>> + lib/url.c | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +diff --git a/lib/url.c b/lib/url.c
>> +index f5e54c7..7dd342a 100644
>> +--- a/lib/url.c
>> ++++ b/lib/url.c
>> +@@ -1353,7 +1353,7 @@ ConnectionExists(struct Curl_easy *data,
>> +          (data->state.httpwant < CURL_HTTP_VERSION_2_0))
>> +         continue;
>> +
>> +-      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
>> ++      if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
>> +         if(!ssh_config_matches(needle, check))
>> +           continue;
>> +       }
>> +--
>> +2.25.1
>> +
>> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
>> index 4c18afe293..b0a456016d 100644
>> --- a/meta/recipes-support/curl/curl_7.82.0.bb
>> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
>> @@ -42,6 +42,7 @@ SRC_URI ="https://curl.se/download/${BP}.tar.xz \ file://CVE-2023-23916.patch 
>> \ file://CVE-2023-27533.patch \ file://CVE-2023-27534.patch \ + 
>> file://CVE-2023-27538.patch \ "
>>   SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
>>
>> --
>> 2.25.1
>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#180151):https://lists.openembedded.org/g/openembedded-core/message/180151
>> Mute This Topic:https://lists.openembedded.org/mt/98314707/3620601
>> Group Owner:openembedded-core+owner@lists.openembedded.org
>> Unsubscribe:https://lists.openembedded.org/g/openembedded-core/unsub  [steve@sakoman.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>
-- 
Regards,
Hitendra Prajapati
MontaVista Software LLC

[-- Attachment #2: Type: text/html, Size: 5228 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2023-04-18  4:22 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-04-17  8:05 [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse Hitendra Prajapati
2023-04-17 16:41 ` [OE-core] " Steve Sakoman
2023-04-18  4:22   ` Hitendra Prajapati

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox