Your message dated Sat, 29 Jun 2024 10:47:47 +0000
with message-id <e1snvcr-002brj...@coccia.debian.org>
and subject line Released with 11.10
has caused the Debian Bug report #1068947,
regarding bullseye-pu: package curl/7.74.0-1.3+deb11u12
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068947: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068947
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: c...@packages.debian.org, guilhe...@puida.xyz
Control: affects -1 + src:curl
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
1. Fix CVE-2024-2398

> When an application tells libcurl it wants to allow HTTP/2 server
> push, and the amount of received headers for the push surpasses the
> maximum allowed limit (1000), libcurl aborts the server push. When
> aborting, libcurl inadvertently does not free all the previously
> allocated headers and instead leaks the memory. Further, this error
> condition fails silently and is therefore not easily detected by an
> application.

[ Impact ]
The vulnerability is present in bullseye's curl code and can be
exploited by malicious actors.

[ Tests ]
Upstream provides an extensive test suite, and there are no test
failures when building the package.

[ Risks ]
The patch is not very complex, but some amount of backporting was needed
to apply it to the version of curl in bullseye. There is a chance of
introducing bugs here, but the test suite should catch most of them.
samueloph also reviewed my changes.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
1. Imported and backported the upstream patch that fixes CVE-2024-2398.
--puida
diff -Nru curl-7.74.0/debian/changelog curl-7.74.0/debian/changelog
--- curl-7.74.0/debian/changelog	2023-12-10 03:05:18.000000000 -0300
+++ curl-7.74.0/debian/changelog	2024-04-09 22:00:20.000000000 -0300
@@ -1,3 +1,12 @@
+curl (7.74.0-1.3+deb11u12) bullseye; urgency=medium
+
+  * Team upload.
+  * Import patch to fix CVE-2024-2398: Memory leak when HTTP/2 server push is
+    aborted.
+  * d/p/CVE-2024-2398.patch: Backport patch.
+
+ -- Guilherme Puida Moreira <guilhe...@puida.xyz>  Tue, 09 Apr 2024 22:00:20 -0300
+
 curl (7.74.0-1.3+deb11u11) bullseye-security; urgency=high
 
   * Add patch to fix CVE-2023-46218
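Review bot: the second and third bullets of the new changelog entry say the same thing twice ("Import patch to fix CVE-2024-2398 ..." and "d/p/CVE-2024-2398.patch: Backport patch."); fold them into one bullet that names the file and the fix, e.g. "* d/p/CVE-2024-2398.patch: backport upstream fix for CVE-2024-2398 (memory leak when HTTP/2 server push is aborted)." so the entry reads as one change rather than two.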
diff -Nru curl-7.74.0/debian/patches/CVE-2024-2398.patch curl-7.74.0/debian/patches/CVE-2024-2398.patch
--- curl-7.74.0/debian/patches/CVE-2024-2398.patch	1969-12-31 21:00:00.000000000 -0300
+++ curl-7.74.0/debian/patches/CVE-2024-2398.patch	2024-04-09 21:58:53.000000000 -0300
@@ -0,0 +1,88 @@
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <ste...@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+
+Backported by: Guilherme Puida Moreira <guilhe...@puida.xyz>:
+  * Changed h2_stream_ctx to HTTP in free_push_headers.
+  * Dropped unnaplicable hunk in push_promise, since it changed some code
+    that does not yet exist.
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+Index: curl/lib/http2.c
+===================================================================
+--- curl.orig/lib/http2.c
++++ curl/lib/http2.c
+@@ -155,6 +155,15 @@ static CURLcode http2_disconnect(struct
+   return CURLE_OK;
+ }
+ 
++static void free_push_headers(struct HTTP *stream)
++{
++  size_t i;
++  for(i = 0; i<stream->push_headers_used; i++)
++    free(stream->push_headers[i]);
++  Curl_safefree(stream->push_headers);
++  stream->push_headers_used = 0;
++}
++
+ /*
+  * The server may send us data at any point (e.g. PING frames). Therefore,
+  * we cannot assume that an HTTP/2 socket is dead just because it is readable.
+@@ -525,7 +534,6 @@ static int push_promise(struct Curl_easy
+     struct curl_pushheaders heads;
+     CURLMcode rc;
+     struct http_conn *httpc;
+-    size_t i;
+     /* clone the parent */
+     struct Curl_easy *newhandle = duphandle(data);
+     if(!newhandle) {
+@@ -560,11 +568,7 @@ static int push_promise(struct Curl_easy
+     Curl_set_in_callback(data, false);
+ 
+     /* free the headers again */
+-    for(i = 0; i<stream->push_headers_used; i++)
+-      free(stream->push_headers[i]);
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-    stream->push_headers_used = 0;
++    free_push_headers(stream);
+ 
+     if(rv) {
+       DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1001,10 +1005,10 @@ static int on_header(nghttp2_session *se
+             stream->push_headers_alloc) {
+       char **headp;
+       stream->push_headers_alloc *= 2;
+-      headp = Curl_saferealloc(stream->push_headers,
+-                               stream->push_headers_alloc * sizeof(char *));
++      headp = realloc(stream->push_headers,
++                      stream->push_headers_alloc * sizeof(char *));
+       if(!headp) {
+-        stream->push_headers = NULL;
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers = headp;
+@@ -1170,14 +1174,7 @@ void Curl_http2_done(struct Curl_easy *d
+      setup */
+   Curl_dyn_free(&http->header_recvbuf);
+   Curl_dyn_free(&http->trailer_recvbuf);
+-  if(http->push_headers) {
+-    /* if they weren't used and then freed before */
+-    for(; http->push_headers_used > 0; --http->push_headers_used) {
+-      free(http->push_headers[http->push_headers_used - 1]);
+-    }
+-    free(http->push_headers);
+-    http->push_headers = NULL;
+-  }
++  free_push_headers(http);
+ 
+   if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) ||
+      !httpc->h2) /* not HTTP/2 ? */
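Review bot: the switch from Curl_saferealloc to plain realloc in the on_header hunk is required for the new failure path, not a cosmetic change, and deserves a line in the "Backported by" header so a later rebase does not "simplify" it back: Curl_saferealloc frees the old block when the reallocation fails, so calling free_push_headers(stream) right after it would walk and free an already-freed array, whereas realloc leaves the old block valid and free_push_headers can release every string and then the array. Two smaller points: free_push_headers() resets push_headers and push_headers_used but not push_headers_alloc, which that same path has just doubled, so the `!stream->push_headers` branch (outside this hunk) must re-initialise push_headers_alloc before it allocates again; please confirm the 7.74 tree does. And the header line "Dropped unnaplicable hunk in push_promise" has a typo and would be more useful if it identified the dropped upstream hunk, so the next person rebasing this patch can tell whether it has become applicable.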
diff -Nru curl-7.74.0/debian/patches/series curl-7.74.0/debian/patches/series
--- curl-7.74.0/debian/patches/series	2023-12-10 03:05:18.000000000 -0300
+++ curl-7.74.0/debian/patches/series	2024-04-09 21:07:01.000000000 -0300
@@ -48,6 +48,9 @@
 # Patches from 8.5.0.
 CVE-2023-46218.patch
 
+# Patches from 8.7.0.
+CVE-2024-2398.patch
+
 # Always add CVE patches before these two patches
 90_gnutls.patch
 99_nss.patch

--- End Message ---
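The quoted CVE text above describes the bug as an abort path that drops the header array without freeing the strings it owns. The following C model, added here as an example and not libcurl's code nor part of the debdiff, reproduces that pattern in a standalone form: a doubling array of heap strings, a 1000-header cap (the limit the CVE text names), a leaky abort that frees only the array, and a common cleanup helper of the kind the upstream fix introduces. The struct and function names, the growth sizes and the `simulate_push` driver are all constructed for this illustration; the counter of live strings stands in for a leak sanitizer so the result can be checked directly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not libcurl code) of a per-stream store for HTTP/2
   PUSH_PROMISE headers: owned "name: value" strings in an array that
   grows by doubling, capped at the 1000-header limit the CVE text names. */
#define PUSH_HEADERS_MAX 1000

struct push_store {
  char **headers;   /* array of owned strings, or NULL when empty */
  size_t used;      /* entries in use */
  size_t alloc;     /* entries allocated */
};

/* Header strings currently allocated; lets the caller detect a leak. */
static long live_strings = 0;

static char *dup_header(const char *s)
{
  size_t n = strlen(s) + 1;
  char *p = malloc(n);
  if(p) {
    memcpy(p, s, n);
    live_strings++;
  }
  return p;
}

/* Common cleanup: every string, then the array, then reset the counters. */
static void free_push_headers(struct push_store *st)
{
  size_t i;
  for(i = 0; i < st->used; i++) {
    free(st->headers[i]);
    live_strings--;
  }
  free(st->headers);
  st->headers = NULL;
  st->used = 0;
  st->alloc = 0;
}

/* Append one header. Returns 0 on success, -1 when the push is aborted
   (limit reached or allocation failure). fixed == 0 reproduces the leak:
   only the array is freed and every string it pointed to is orphaned. */
static int push_header_add(struct push_store *st, const char *line, int fixed)
{
  if(st->used >= PUSH_HEADERS_MAX) {
    if(fixed)
      free_push_headers(st);
    else {
      free(st->headers);
      st->headers = NULL;   /* strings now unreachable: the leak */
    }
    return -1;
  }
  if(!st->headers) {
    st->alloc = 10;
    st->headers = malloc(st->alloc * sizeof(char *));
    if(!st->headers)
      return -1;
    st->used = 0;
  }
  else if(st->used == st->alloc) {
    /* plain realloc keeps the old block valid on failure, so the cleanup
       helper can still walk it; a realloc variant that frees its input on
       failure would turn this into a double free */
    char **np;
    st->alloc *= 2;
    np = realloc(st->headers, st->alloc * sizeof(char *));
    if(!np) {
      free_push_headers(st);
      return -1;
    }
    st->headers = np;
  }
  st->headers[st->used] = dup_header(line);
  if(!st->headers[st->used]) {
    free_push_headers(st);
    return -1;
  }
  st->used++;
  return 0;
}

/* Feed 'count' constructed headers into a fresh store, run the stream
   teardown, and return how many header strings are still allocated
   (0 means no leak). */
long simulate_push(size_t count, int fixed)
{
  struct push_store st = { NULL, 0, 0 };
  size_t i;
  live_strings = 0;
  for(i = 0; i < count; i++) {
    char line[64];
    snprintf(line, sizeof line, "x-push-%zu: v", i);
    if(push_header_add(&st, line, fixed) < 0)
      break;                  /* push aborted */
  }
  if(st.headers)              /* teardown only touches a still-live array */
    free_push_headers(&st);
  return live_strings;
}
```

Calling `simulate_push(2000, 0)` leaves 1000 strings allocated after the abort, while `simulate_push(2000, 1)` and a push that stays under the limit leave none; the difference is entirely the abort path, which is why a single cleanup helper used from every exit is the robust shape for this kind of owned array.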
--- Begin Message ---
Version: 11.10

The upload requested in this bug has been released as part of 11.10.

--- End Message ---
