curl: fix CVE-2017-7407 and CVE-2017-7468
authorHauke Mehrtens <hauke@hauke-m.de>
Sun, 23 Jul 2017 14:08:47 +0000 (16:08 +0200)
committerHauke Mehrtens <hauke@hauke-m.de>
Fri, 28 Jul 2017 21:49:39 +0000 (23:49 +0200)
This fixes the following security problems:
* CVE-2017-7407: https://curl.haxx.se/docs/adv_20170403.html
* CVE-2017-7468: https://curl.haxx.se/docs/adv_20170419.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
package/network/utils/curl/Makefile
package/network/utils/curl/patches/101-CVE-2017-7407.patch [new file with mode: 0644]
package/network/utils/curl/patches/102-CVE-2017-7468.patch [new file with mode: 0644]

index 68558a9edaeff83e59ccdc28f558883f4d7637d8..9b357a0aa56ac86bf669d7964f35043b10d9398f 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=curl
 PKG_VERSION:=7.52.1
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://curl.haxx.se/download/ \
diff --git a/package/network/utils/curl/patches/101-CVE-2017-7407.patch b/package/network/utils/curl/patches/101-CVE-2017-7407.patch
new file mode 100644 (file)
index 0000000..ba8097b
--- /dev/null
@@ -0,0 +1,165 @@
+From 6019f1795b4e3b72507b84b0e02dc8c32024f562 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 11 Mar 2017 10:59:34 +0100
+Subject: [PATCH] CVE-2017-7407: fixed
+
+Bug: https://curl.haxx.se/docs/adv_20170403.html
+
+Reported-by: Brian Carpenter
+---
+ src/tool_writeout.c     |  6 +++---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1440     | 31 +++++++++++++++++++++++++++++++
+ tests/data/test1441     | 31 +++++++++++++++++++++++++++++++
+ tests/data/test1442     | 35 +++++++++++++++++++++++++++++++++++
+ 5 files changed, 101 insertions(+), 4 deletions(-)
+ create mode 100644 tests/data/test1440
+ create mode 100644 tests/data/test1441
+ create mode 100644 tests/data/test1442
+
+--- a/src/tool_writeout.c
++++ b/src/tool_writeout.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -113,7 +113,7 @@ void ourWriteOut(CURL *curl, struct OutS
+   double doubleinfo;
+   while(ptr && *ptr) {
+-    if('%' == *ptr) {
++    if('%' == *ptr && ptr[1]) {
+       if('%' == ptr[1]) {
+         /* an escaped %-letter */
+         fputc('%', stream);
+@@ -341,7 +341,7 @@ void ourWriteOut(CURL *curl, struct OutS
+         }
+       }
+     }
+-    else if('\\' == *ptr) {
++    else if('\\' == *ptr && ptr[1]) {
+       switch(ptr[1]) {
+       case 'r':
+         fputc('\r', stream);
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -150,7 +150,7 @@ test1408 test1409 test1410 test1411 test
+ test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
+ test1424 \
+ test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
+-test1436 test1437 test1438 test1439 \
++test1436 test1437 test1438 test1439 test1440 test1441 test1442 \
+ \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+--- /dev/null
++++ b/tests/data/test1440
+@@ -0,0 +1,31 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing %{
++</name>
++<command>
++file://localhost/%PWD/log/ --write-out '%{'
++</command>
++</client>
++
++# Verify data
++<verify>
++<stdout nonewline="yes">
++%{
++</stdout>
++</verify>
++</testcase>
+--- /dev/null
++++ b/tests/data/test1441
+@@ -0,0 +1,31 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing %
++</name>
++<command>
++file://localhost/%PWD/log/ --write-out '%'
++</command>
++</client>
++
++# Verify data
++<verify>
++<stdout nonewline="yes">
++%
++</stdout>
++</verify>
++</testcase>
+--- /dev/null
++++ b/tests/data/test1442
+@@ -0,0 +1,35 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++FILE
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing \
++</name>
++<command>
++file://localhost/%PWD/log/non-existent-file.txt --write-out '\'
++</command>
++</client>
++
++# Verify data
++<verify>
++<errorcode>
++37
++</errorcode>
++<stdout nonewline="yes">
++\
++</stdout>
++</verify>
++</testcase>
diff --git a/package/network/utils/curl/patches/102-CVE-2017-7468.patch b/package/network/utils/curl/patches/102-CVE-2017-7468.patch
new file mode 100644 (file)
index 0000000..72f5145
--- /dev/null
@@ -0,0 +1,264 @@
+From 8166b637bce299f4ac64d371c20cd5afea72c364 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Wed, 22 Mar 2017 01:59:49 -0400
+Subject: [PATCH] TLS: Fix switching off SSL session id when client cert is
+ used
+
+- Move the sessionid flag to ssl_primary_config so that ssl and
+  proxy_ssl will each have their own sessionid flag.
+
+Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
+this issue had been fixed in 247d890, CVE-2016-5419.
+
+Bug: https://github.com/curl/curl/issues/1341
+Reported-by: lijian996@users.noreply.github.com
+---
+ lib/url.c            | 5 +++--
+ lib/urldata.h        | 2 +-
+ lib/vtls/axtls.c     | 4 ++--
+ lib/vtls/cyassl.c    | 4 ++--
+ lib/vtls/darwinssl.c | 2 +-
+ lib/vtls/gtls.c      | 4 ++--
+ lib/vtls/mbedtls.c   | 4 ++--
+ lib/vtls/nss.c       | 2 +-
+ lib/vtls/openssl.c   | 4 ++--
+ lib/vtls/polarssl.c  | 4 ++--
+ lib/vtls/schannel.c  | 4 ++--
+ lib/vtls/vtls.c      | 9 ++++++---
+ 12 files changed, 26 insertions(+), 22 deletions(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -548,7 +548,7 @@ CURLcode Curl_init_userdefined(struct Us
+ #endif
+   set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
+                                                       type */
+-  set->general_ssl.sessionid = TRUE; /* session ID caching enabled by
++  set->ssl.primary.sessionid = TRUE; /* session ID caching enabled by
+                                         default */
+   set->proxy_ssl = set->ssl;
+@@ -2470,8 +2470,9 @@ CURLcode Curl_setopt(struct Curl_easy *d
+     break;
+   case CURLOPT_SSL_SESSIONID_CACHE:
+-    data->set.general_ssl.sessionid = (0 != va_arg(param, long)) ?
++    data->set.ssl.primary.sessionid = (0 != va_arg(param, long)) ?
+                                       TRUE : FALSE;
++    data->set.proxy_ssl.primary.sessionid = data->set.ssl.primary.sessionid;
+     break;
+ #ifdef USE_LIBSSH2
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -354,6 +354,7 @@ struct ssl_primary_config {
+   char *random_file;     /* path to file containing "random" data */
+   char *egdsocket;       /* path to file containing the EGD daemon socket */
+   char *cipher_list;     /* list of ciphers to use */
++  bool sessionid;        /* cache session IDs or not */
+ };
+ struct ssl_config_data {
+@@ -383,7 +384,6 @@ struct ssl_config_data {
+ };
+ struct ssl_general_config {
+-  bool sessionid; /* cache session IDs or not */
+   size_t max_ssl_sessions; /* SSL session id cache size */
+ };
+--- a/lib/vtls/axtls.c
++++ b/lib/vtls/axtls.c
+@@ -256,7 +256,7 @@ static CURLcode connect_prep(struct conn
+    * 2) setting up callbacks.  these seem gnutls specific
+    */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     const uint8_t *ssl_sessionid;
+     size_t ssl_idsize;
+@@ -386,7 +386,7 @@ static CURLcode connect_finish(struct co
+   conn->send[sockindex] = axtls_send;
+   /* Put our freshly minted SSL session in cache */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     const uint8_t *ssl_sessionid = ssl_get_session_id_size(ssl);
+     size_t ssl_idsize = ssl_get_session_id(ssl);
+     Curl_ssl_sessionid_lock(conn);
+--- a/lib/vtls/cyassl.c
++++ b/lib/vtls/cyassl.c
+@@ -383,7 +383,7 @@ cyassl_connect_step1(struct connectdata
+ #endif /* HAVE_ALPN */
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *ssl_sessionid = NULL;
+     Curl_ssl_sessionid_lock(conn);
+@@ -597,7 +597,7 @@ cyassl_connect_step3(struct connectdata
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/darwinssl.c
++++ b/lib/vtls/darwinssl.c
+@@ -1541,7 +1541,7 @@ static CURLcode darwinssl_connect_step1(
+ #endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     char *ssl_sessionid;
+     size_t ssl_sessionid_len;
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -782,7 +782,7 @@ gtls_connect_step1(struct connectdata *c
+   /* This might be a reconnect, so we check for a session ID in the cache
+      to speed up things */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *ssl_sessionid;
+     size_t ssl_idsize;
+@@ -1311,7 +1311,7 @@ gtls_connect_step3(struct connectdata *c
+   conn->recv[sockindex] = gtls_recv;
+   conn->send[sockindex] = gtls_send;
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     /* we always unconditionally get the session id here, as even if we
+        already got it from the cache and asked to use it in the connection, it
+        might've been rejected and then a new one is in use now and we need to
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -374,7 +374,7 @@ mbed_connect_step1(struct connectdata *c
+                                 mbedtls_ssl_list_ciphersuites());
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *old_session = NULL;
+     Curl_ssl_sessionid_lock(conn);
+@@ -618,7 +618,7 @@ mbed_connect_step3(struct connectdata *c
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     int ret;
+     mbedtls_ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1696,7 +1696,7 @@ static CURLcode nss_setup_connect(struct
+     goto error;
+   /* do not use SSL cache if disabled or we are not going to verify peer */
+-  ssl_no_cache = (data->set.general_ssl.sessionid
++  ssl_no_cache = (SSL_SET_OPTION(primary.sessionid)
+                   && SSL_CONN_CONFIG(verifypeer)) ? PR_FALSE : PR_TRUE;
+   if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
+     goto error;
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2161,7 +2161,7 @@ static CURLcode ossl_connect_step1(struc
+ #endif
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *ssl_sessionid = NULL;
+     Curl_ssl_sessionid_lock(conn);
+@@ -2915,7 +2915,7 @@ static CURLcode ossl_connect_step3(struc
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/polarssl.c
++++ b/lib/vtls/polarssl.c
+@@ -327,7 +327,7 @@ polarssl_connect_step1(struct connectdat
+   ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *old_session = NULL;
+     Curl_ssl_sessionid_lock(conn);
+@@ -555,7 +555,7 @@ polarssl_connect_step3(struct connectdat
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     int ret;
+     ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -145,7 +145,7 @@ schannel_connect_step1(struct connectdat
+   connssl->cred = NULL;
+   /* check for an existing re-usable credential handle */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     Curl_ssl_sessionid_lock(conn);
+     if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
+       connssl->cred = old_cred;
+@@ -714,7 +714,7 @@ schannel_connect_step3(struct connectdat
+ #endif
+   /* save the current session data for possible re-use */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     struct curl_schannel_cred *old_cred = NULL;
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -120,6 +120,9 @@ Curl_clone_primary_ssl_config(struct ssl
+   CLONE_STRING(egdsocket);
+   CLONE_STRING(random_file);
+   CLONE_STRING(clientcert);
++
++  /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */
++  dest->sessionid = (dest->clientcert ? false : source->sessionid);
+   return TRUE;
+ }
+@@ -293,9 +296,9 @@ bool Curl_ssl_getsessionid(struct connec
+   int port = isProxy ? (int)conn->port : conn->remote_port;
+   *ssl_sessionid = NULL;
+-  DEBUGASSERT(data->set.general_ssl.sessionid);
++  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+-  if(!data->set.general_ssl.sessionid)
++  if(!SSL_SET_OPTION(primary.sessionid))
+     /* session ID re-use is disabled */
+     return TRUE;
+@@ -397,7 +400,7 @@ CURLcode Curl_ssl_addsessionid(struct co
+                                            &conn->proxy_ssl_config :
+                                            &conn->ssl_config;
+-  DEBUGASSERT(data->set.general_ssl.sessionid);
++  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+   clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name);
+   if(!clone_host)