CC: curl: fix some security vulnerabilities
authorHauke Mehrtens <hauke@hauke-m.de>
Sun, 12 Jul 2015 16:03:51 +0000 (16:03 +0000)
committerHauke Mehrtens <hauke@hauke-m.de>
Sun, 12 Jul 2015 16:03:51 +0000 (16:03 +0000)
This fixes the following security vulnerabilities in curl:
* CVE-2015-3143
* CVE-2015-3144
* CVE-2015-3145
* CVE-2015-3148
* CVE-2015-3153
* CVE-2015-3236
* CVE-2015-3237

This was fixed in trunk with update to version 7.43.0 in r46169.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 46312

package/network/utils/curl/patches/010-CVE-2015-3143.patch [new file with mode: 0644]
package/network/utils/curl/patches/011-CVE-2015-3144.patch [new file with mode: 0644]
package/network/utils/curl/patches/012-CVE-2015-3145.patch [new file with mode: 0644]
package/network/utils/curl/patches/013-CVE-2015-3148.patch [new file with mode: 0644]
package/network/utils/curl/patches/014-CVE-2015-3153.patch [new file with mode: 0644]
package/network/utils/curl/patches/015-CVE-2015-3236.patch [new file with mode: 0644]
package/network/utils/curl/patches/016-CVE-2015-3237.patch [new file with mode: 0644]
package/network/utils/curl/patches/200-no_docs_tests.patch

diff --git a/package/network/utils/curl/patches/010-CVE-2015-3143.patch b/package/network/utils/curl/patches/010-CVE-2015-3143.patch
new file mode 100644 (file)
index 0000000..697c9c9
--- /dev/null
@@ -0,0 +1,28 @@
+From d7d1bc8f08eea1a85ab0d794bc1561659462d937 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 13:26:46 +0200
+Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to
+ match
+
+CVE-2015-3143
+
+Bug: http://curl.haxx.se/docs/adv_20150422A.html
+Reported-by: Paras Sethia
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3184,7 +3184,11 @@ ConnectionExists(struct SessionHandle *d
+       }
+       if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
++#if defined(USE_NTLM)
++         (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
++#else
+          wantNTLMhttp) {
++#endif
+         /* This protocol requires credentials per connection or is HTTP+NTLM,
+            so verify that we're using the same name and password as well */
+         if(!strequal(needle->user, check->user) ||
diff --git a/package/network/utils/curl/patches/011-CVE-2015-3144.patch b/package/network/utils/curl/patches/011-CVE-2015-3144.patch
new file mode 100644 (file)
index 0000000..7da9489
--- /dev/null
@@ -0,0 +1,32 @@
+From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 23:52:04 +0200
+Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a URL is given with a zero-length host name, like in "http://:80" or
+just ":80", `fix_hostname()` will index the host name pointer with a -1
+offset (as it blindly assumes a non-zero length) and both read and
+assign that address.
+
+CVE-2015-3144
+
+Bug: http://curl.haxx.se/docs/adv_20150422D.html
+Reported-by: Hanno Böck
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3606,7 +3606,7 @@ static void fix_hostname(struct SessionH
+   host->dispname = host->name;
+   len = strlen(host->name);
+-  if(host->name[len-1] == '.')
++  if(len && (host->name[len-1] == '.'))
+     /* strip off a single trailing dot if present, primarily for SNI but
+        there's no use for it */
+     host->name[len-1]=0;
diff --git a/package/network/utils/curl/patches/012-CVE-2015-3145.patch b/package/network/utils/curl/patches/012-CVE-2015-3145.patch
new file mode 100644 (file)
index 0000000..c7ecbe9
--- /dev/null
@@ -0,0 +1,53 @@
+From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 16:37:40 +0200
+Subject: [PATCH] cookie: cookie parser out of boundary memory access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The internal libcurl function called sanitize_cookie_path() that cleans
+up the path element as given to it from a remote site or when read from
+a file, did not properly validate the input. If given a path that
+consisted of a single double-quote, libcurl would index a newly
+allocated memory area with index -1 and assign a zero to it, thus
+destroying heap memory it wasn't supposed to.
+
+CVE-2015-3145
+
+Bug: http://curl.haxx.se/docs/adv_20150422C.html
+Reported-by: Hanno Böck
+---
+ lib/cookie.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -236,11 +236,14 @@ static char *sanitize_cookie_path(const
+     return NULL;
+   /* some stupid site sends path attribute with '"'. */
++  len = strlen(new_path);
+   if(new_path[0] == '\"') {
+-    memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
++    memmove((void *)new_path, (const void *)(new_path + 1), len);
++    len--;
+   }
+-  if(new_path[strlen(new_path) - 1] == '\"') {
+-    new_path[strlen(new_path) - 1] = 0x0;
++  if(len && (new_path[len - 1] == '\"')) {
++    new_path[len - 1] = 0x0;
++    len--;
+   }
+   /* RFC6265 5.2.4 The Path Attribute */
+@@ -252,8 +255,7 @@ static char *sanitize_cookie_path(const
+   }
+   /* convert /hoge/ to /hoge */
+-  len = strlen(new_path);
+-  if(1 < len && new_path[len - 1] == '/') {
++  if(len && new_path[len - 1] == '/') {
+     new_path[len - 1] = 0x0;
+   }
diff --git a/package/network/utils/curl/patches/013-CVE-2015-3148.patch b/package/network/utils/curl/patches/013-CVE-2015-3148.patch
new file mode 100644 (file)
index 0000000..ed52160
--- /dev/null
@@ -0,0 +1,37 @@
+From 6abfb512ed22c2de891a4398616d81a2a0690b5a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 18 Apr 2015 23:50:16 +0200
+Subject: [PATCH] http_done: close Negotiate connections when done
+
+When doing HTTP requests Negotiate authenticated, the entire connnection
+may become authenticated and not just the specific HTTP request which is
+otherwise how HTTP works, as Negotiate can basically use NTLM under the
+hood. curl was not adhering to this fact but would assume that such
+requests would also be authenticated per request.
+
+CVE-2015-3148
+
+Bug: http://curl.haxx.se/docs/adv_20150422B.html
+Reported-by: Isaac Boukris
+---
+ lib/http.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -1493,8 +1493,14 @@ CURLcode Curl_http_done(struct connectda
+ #ifdef USE_SPNEGO
+   if(data->state.proxyneg.state == GSS_AUTHSENT ||
+-      data->state.negotiate.state == GSS_AUTHSENT)
++      data->state.negotiate.state == GSS_AUTHSENT) {
++    /* add forbid re-use if http-code != 401 as a WA
++     * only needed for 401 that failed handling
++     * otherwie state will be RECV with current code */
++    if((data->req.httpcode != 401) && (data->req.httpcode != 407))
++      connclose(conn, "Negotiate transfer completed");
+     Curl_cleanup_negotiate(data);
++  }
+ #endif
+   /* set the proper values (possibly modified on POST) */
diff --git a/package/network/utils/curl/patches/014-CVE-2015-3153.patch b/package/network/utils/curl/patches/014-CVE-2015-3153.patch
new file mode 100644 (file)
index 0000000..f6d37d4
--- /dev/null
@@ -0,0 +1,95 @@
+From 69a2e8d7ec581695a62527cb2252e7350f314ffa Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 23 Apr 2015 15:58:21 +0200
+Subject: [PATCH] CURLOPT_HEADEROPT: default to separate
+
+Make the HTTP headers separated by default for improved security and
+reduced risk for information leakage.
+
+Bug: http://curl.haxx.se/docs/adv_20150429.html
+Reported-by: Yehezkel Horowitz, Oren Souroujon
+---
+ docs/libcurl/opts/CURLOPT_HEADEROPT.3 | 12 ++++++------
+ lib/url.c                             |  1 +
+ tests/data/test1527                   |  2 +-
+ tests/data/test287                    |  2 +-
+ tests/libtest/lib1527.c               |  1 +
+ 5 files changed, 10 insertions(+), 8 deletions(-)
+
+--- a/docs/libcurl/opts/CURLOPT_HEADEROPT.3
++++ b/docs/libcurl/opts/CURLOPT_HEADEROPT.3
+@@ -5,7 +5,7 @@
+ .\" *                            | (__| |_| |  _ <| |___
+ .\" *                             \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -31,10 +31,10 @@ CURLcode curl_easy_setopt(CURL *handle,
+ Pass a long that is a bitmask of options of how to deal with headers. The two
+ mutually exclusive options are:
+-\fBCURLHEADER_UNIFIED\fP - keep working as before. This means
+-\fICURLOPT_HTTPHEADER(3)\fP headers will be used in requests both to servers
+-and proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not
+-have any effect.
++\fBCURLHEADER_UNIFIED\fP - the headers specified in
++\fICURLOPT_HTTPHEADER(3)\fP will be used in requests both to servers and
++proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not have
++any effect.
+ \fBCURLHEADER_SEPARATE\fP - makes \fICURLOPT_HTTPHEADER(3)\fP headers only get
+ sent to a server and not to a proxy. Proxy headers must be set with
+@@ -44,7 +44,7 @@ headers. When doing CONNECT, libcurl wil
+ headers only to the proxy and then \fICURLOPT_HTTPHEADER(3)\fP headers only to
+ the server.
+ .SH DEFAULT
+-CURLHEADER_UNIFIED
++CURLHEADER_SEPARATE (changed in 7.42.1, ased CURLHEADER_UNIFIED before then)
+ .SH PROTOCOLS
+ HTTP
+ .SH EXAMPLE
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -605,6 +605,7 @@ CURLcode Curl_init_userdefined(struct Us
+   set->ssl_enable_alpn = TRUE;
+   set->expect_100_timeout = 1000L; /* Wait for a second by default. */
++  set->sep_headers = TRUE; /* separated header lists by default */
+   return result;
+ }
+--- a/tests/data/test1527
++++ b/tests/data/test1527
+@@ -45,7 +45,7 @@ http-proxy
+ lib1527
+ </tool>
+  <name>
+-Check same headers are generated without CURLOPT_PROXYHEADER
++Check same headers are generated with CURLOPT_HEADEROPT == CURLHEADER_UNIFIED
+  </name>
+  <command>
+  http://the.old.moo.1527:%HTTPPORT/1527 %HOSTIP:%PROXYPORT
+--- a/tests/data/test287
++++ b/tests/data/test287
+@@ -28,7 +28,7 @@ http
+ HTTP proxy CONNECT with custom User-Agent header
+  </name>
+  <command>
+-http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2007" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel
++http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2015" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel --proxy-header "User-Agent: looser/2007"
+ </command>
+ </client>
+--- a/tests/libtest/lib1527.c
++++ b/tests/libtest/lib1527.c
+@@ -83,6 +83,7 @@ int test(char *URL)
+   test_setopt(curl, CURLOPT_READFUNCTION, read_callback);
+   test_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L);
+   test_setopt(curl, CURLOPT_INFILESIZE, strlen(data));
++  test_setopt(curl, CURLOPT_HEADEROPT, CURLHEADER_UNIFIED);
+   res = curl_easy_perform(curl);
diff --git a/package/network/utils/curl/patches/015-CVE-2015-3236.patch b/package/network/utils/curl/patches/015-CVE-2015-3236.patch
new file mode 100644 (file)
index 0000000..720fb94
--- /dev/null
@@ -0,0 +1,42 @@
+From e6d7c30734487246e83b95520e81bc1ccf0a2376 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 28 May 2015 20:04:35 +0200
+Subject: [PATCH] http: do not leak basic auth credentials on re-used
+ connections
+
+CVE-2015-3236
+
+This partially reverts commit curl-7_39_0-237-g87c4abb
+
+Bug: http://curl.haxx.se/docs/adv_20150617A.html
+---
+ lib/http.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2333,20 +2333,12 @@ CURLcode Curl_http(struct connectdata *c
+                      te
+       );
+-  /*
+-   * Free userpwd for Negotiate/NTLM. Cannot reuse as it is associated with
+-   * the connection and shouldn't be repeated over it either.
+-   */
+-  switch (data->state.authhost.picked) {
+-  case CURLAUTH_NEGOTIATE:
+-  case CURLAUTH_NTLM:
+-  case CURLAUTH_NTLM_WB:
+-    Curl_safefree(conn->allocptr.userpwd);
+-    break;
+-  }
++  /* clear userpwd to avoid re-using credentials from re-used connections */
++  Curl_safefree(conn->allocptr.userpwd);
+   /*
+-   * Same for proxyuserpwd
++   * Free proxyuserpwd for Negotiate/NTLM. Cannot reuse as it is associated
++   * with the connection and shouldn't be repeated over it either.
+    */
+   switch (data->state.authproxy.picked) {
+   case CURLAUTH_NEGOTIATE:
diff --git a/package/network/utils/curl/patches/016-CVE-2015-3237.patch b/package/network/utils/curl/patches/016-CVE-2015-3237.patch
new file mode 100644 (file)
index 0000000..6942a04
--- /dev/null
@@ -0,0 +1,35 @@
+From d2f1a8bdce9d77a277d05adae025d369c1bdd9e6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 22 May 2015 10:28:21 +0200
+Subject: [PATCH] SMB: rangecheck values read off incoming packet
+
+CVE-2015-3237
+
+Detected by Coverity. CID 1299430.
+
+Bug: http://curl.haxx.se/docs/adv_20150617B.html
+---
+ lib/smb.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -783,9 +783,15 @@ static CURLcode smb_request_state(struct
+     off = Curl_read16_le(((unsigned char *) msg) +
+                          sizeof(struct smb_header) + 13);
+     if(len > 0) {
+-      result = Curl_client_write(conn, CLIENTWRITE_BODY,
+-                                 (char *)msg + off + sizeof(unsigned int),
+-                                 len);
++      struct smb_conn *smbc = &conn->proto.smbc;
++      if(off + sizeof(unsigned int) + len > smbc->got) {
++        failf(conn->data, "Invalid input packet");
++        result = CURLE_RECV_ERROR;
++      }
++      else
++        result = Curl_client_write(conn, CLIENTWRITE_BODY,
++                                   (char *)msg + off + sizeof(unsigned int),
++                                   len);
+       if(result) {
+         req->result = result;
+         next_state = SMB_CLOSE;
index 6a1fdf5b6b29da620dc6e0b302840a68dbfbd025..2845577f1cbc7f29add2a9c295f31d065ac58980 100644 (file)
@@ -1,6 +1,6 @@
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -129,7 +129,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) $(VC7_LIBVCPROJ) $(VC7_SRCVCPROJ) \
+@@ -129,7 +129,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP)
  bin_SCRIPTS = curl-config
  
  SUBDIRS = lib src include
@@ -11,7 +11,7 @@
  pkgconfig_DATA = libcurl.pc
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -577,7 +577,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) $(VC7_LIBVCPROJ) $(VC7_SRCVCPROJ) \
+@@ -577,7 +577,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP)
  
  bin_SCRIPTS = curl-config
  SUBDIRS = lib src include