On Wed, Aug 4, 2021 at 7:27 AM Steve Sakoman via lists.openembedded.org <steve=sakoman....@lists.openembedded.org> wrote: > > On Wed, Aug 4, 2021 at 7:06 AM Mike Crowe via lists.openembedded.org > <yocto=mac.mcrowe....@lists.openembedded.org> wrote: > > > > curl v7.78 contained fixes for five CVEs: > > > > CVE-2021-22922[1] and CVE-2021-22923[2] are only present when support > > for metalink is enabled. EXTRA_OECONF contains "--without-libmetalink" > > so these fixes are unnecessary. > > > > CVE-2021-22926[3] only affects builds for MacOS. > > > > CVE-2021-22924[4] and CVE-2021-22925[5] are both applicable. Take the > > patches from Ubuntu 20.04 curl_7.68.0-1ubuntu2.6 package which is close > > enough that the patch for CVE-2021-22924 applies without conflicts. The > > CVE-2021-22925 patch required only a small tweak to apply. > > > > [1] https://curl.se/docs/CVE-2021-22922.html > > [2] https://curl.se/docs/CVE-2021-22923.html > > [3] https://curl.se/docs/CVE-2021-22926.html > > [4] https://curl.se/docs/CVE-2021-22924.html > > [5] https://curl.se/docs/CVE-2021-22925.html > > This patch wouldn't apply because there's another curl CVE fix in my > testing queue (curl: Fix for CVE-2021-22898): > > https://lists.openembedded.org/g/openembedded-core/message/154145 > > I went ahead and did the required fixup so no need for you to do anything.
Sigh. I spoke too soon. Your CVE-2021-22925 patch and the previous CVE-2021-22898 patch both touch lib/telnet.c so your patch won't apply now. You mentioned that you had to tweak the CVE-2021-22925 patch, might this be related to the CVE-2021-22898 fix (which is a one-liner)? Steve > > Signed-off-by: Mike Crowe <m...@mcrowe.com> > > --- > > .../curl/curl/CVE-2021-22924.patch | 226 ++++++++++++++++++ > > .../curl/curl/CVE-2021-22925.patch | 43 ++++ > > meta/recipes-support/curl/curl_7.69.1.bb | 3 + > > 3 files changed, 272 insertions(+) > > create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22924.patch > > create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22925.patch > > > > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22924.patch > > b/meta/recipes-support/curl/curl/CVE-2021-22924.patch > > new file mode 100644 > > index 0000000000..68fde45ddf > > --- /dev/null > > +++ b/meta/recipes-support/curl/curl/CVE-2021-22924.patch 
> > @@ -0,0 +1,226 @@ > > +Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and > > + case sensitivity CVE-2021-22924 > > + > > +Reported-by: Harry Sintonen > > +Bug: https://curl.se/docs/CVE-2021-22924.html > > +CVE: CVE-2021-22924 > > +Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6 > > +Signed-off-by: Mike Crowe <m...@mcrowe.com> > > +--- > > + lib/url.c | 5 +++-- > > + lib/urldata.h | 2 +- > > + lib/vtls/gtls.c | 10 +++++----- > > + lib/vtls/nss.c | 4 ++-- > > + lib/vtls/openssl.c | 12 ++++++------ > > + lib/vtls/vtls.c | 23 ++++++++++++++++++----- > > + 6 files changed, 35 insertions(+), 21 deletions(-) > > + > > +diff --git a/lib/url.c b/lib/url.c > > +index 47fc66aed..eebad8d32 100644 > > +--- a/lib/url.c > > ++++ b/lib/url.c > > +@@ -3555,6 +3555,9 @@ static CURLcode create_conn(struct Curl_easy *data, > > + data->set.proxy_ssl.primary.CApath = > > data->set.str[STRING_SSL_CAPATH_PROXY]; > > + data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG]; > > + data->set.proxy_ssl.primary.CAfile = > > data->set.str[STRING_SSL_CAFILE_PROXY]; > > ++ data->set.ssl.primary.issuercert = > > data->set.str[STRING_SSL_ISSUERCERT_ORIG]; > > ++ data->set.proxy_ssl.primary.issuercert = > > ++ data->set.str[STRING_SSL_ISSUERCERT_PROXY]; > > + data->set.ssl.primary.random_file = > > data->set.str[STRING_SSL_RANDOM_FILE]; > > + data->set.proxy_ssl.primary.random_file = > > + data->set.str[STRING_SSL_RANDOM_FILE]; > > +@@ -3575,8 +3578,6 @@ static CURLcode create_conn(struct Curl_easy *data, > > + > > + data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; > > + data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; > > +- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG]; > > +- data->set.proxy_ssl.issuercert = > > data->set.str[STRING_SSL_ISSUERCERT_PROXY]; > > + data->set.ssl.cert = data->set.str[STRING_CERT_ORIG]; > > + data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; > > + 
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; > > +diff --git a/lib/urldata.h b/lib/urldata.h > > +index fbb8b645e..615fbf369 100644 > > +--- a/lib/urldata.h > > ++++ b/lib/urldata.h > > +@@ -224,6 +224,7 @@ struct ssl_primary_config { > > + long version_max; /* max supported version the client wants to > > use*/ > > + char *CApath; /* certificate dir (doesn't work on windows) */ > > + char *CAfile; /* certificate to verify peer against */ > > ++ char *issuercert; /* optional issuer certificate filename */ > > + char *clientcert; > > + char *random_file; /* path to file containing "random" data */ > > + char *egdsocket; /* path to file containing the EGD daemon socket > > */ > > +@@ -240,7 +241,6 @@ struct ssl_config_data { > > + struct ssl_primary_config primary; > > + long certverifyresult; /* result from the certificate verification */ > > + char *CRLfile; /* CRL to check certificate revocation */ > > +- char *issuercert;/* optional issuer certificate filename */ > > + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ > > + void *fsslctxp; /* parameter for call back */ > > + char *cert; /* client certificate file name */ > > +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c > > +index 46e149c7d..8c051024f 100644 > > +--- a/lib/vtls/gtls.c > > ++++ b/lib/vtls/gtls.c > > +@@ -1059,7 +1059,7 @@ gtls_connect_step3(struct connectdata *conn, > > + if(!chainp) { > > + if(SSL_CONN_CONFIG(verifypeer) || > > + SSL_CONN_CONFIG(verifyhost) || > > +- SSL_SET_OPTION(issuercert)) { > > ++ SSL_CONN_CONFIG(issuercert)) { > > + #ifdef USE_TLS_SRP > > + if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP > > + && SSL_SET_OPTION(username) != NULL > > +@@ -1241,21 +1241,21 @@ gtls_connect_step3(struct connectdata *conn, > > + gnutls_x509_crt_t format */ > > + gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER); > > + > > +- if(SSL_SET_OPTION(issuercert)) { > > ++ if(SSL_CONN_CONFIG(issuercert)) { > > + gnutls_x509_crt_init(&x509_issuer); > > 
+- issuerp = load_file(SSL_SET_OPTION(issuercert)); > > ++ issuerp = load_file(SSL_CONN_CONFIG(issuercert)); > > + gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM); > > + rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer); > > + gnutls_x509_crt_deinit(x509_issuer); > > + unload_file(issuerp); > > + if(rc <= 0) { > > + failf(data, "server certificate issuer check failed (IssuerCert: > > %s)", > > +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); > > ++ > > SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); > > + gnutls_x509_crt_deinit(x509_cert); > > + return CURLE_SSL_ISSUER_ERROR; > > + } > > + infof(data, "\t server certificate issuer check OK (Issuer Cert: > > %s)\n", > > +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); > > ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); > > + } > > + > > + size = sizeof(certbuf); > > +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c > > +index ef51b0d91..375c78b1b 100644 > > +--- a/lib/vtls/nss.c > > ++++ b/lib/vtls/nss.c > > +@@ -2151,9 +2151,9 @@ static CURLcode nss_do_connect(struct connectdata > > *conn, int sockindex) > > + if(result) > > + goto error; > > + > > +- if(SSL_SET_OPTION(issuercert)) { > > ++ if(SSL_CONN_CONFIG(issuercert)) { > > + SECStatus ret = SECFailure; > > +- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert)); > > ++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert)); > > + if(nickname) { > > + /* we support only nicknames in case of issuercert for now */ > > + ret = check_issuer_cert(BACKEND->handle, nickname); > > +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c > > +index 64f43605a..7e81fd3a0 100644 > > +--- a/lib/vtls/openssl.c > > ++++ b/lib/vtls/openssl.c > > +@@ -3547,7 +3547,7 @@ static CURLcode servercert(struct connectdata *conn, > > + deallocating the certificate. */ > > + > > + /* e.g. 
match issuer name with provided issuer certificate */ > > +- if(SSL_SET_OPTION(issuercert)) { > > ++ if(SSL_CONN_CONFIG(issuercert)) { > > + fp = BIO_new(BIO_s_file()); > > + if(fp == NULL) { > > + failf(data, > > +@@ -3560,10 +3560,10 @@ static CURLcode servercert(struct connectdata > > *conn, > > + return CURLE_OUT_OF_MEMORY; > > + } > > + > > +- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) { > > ++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) { > > + if(strict) > > + failf(data, "SSL: Unable to open issuer cert (%s)", > > +- SSL_SET_OPTION(issuercert)); > > ++ SSL_CONN_CONFIG(issuercert)); > > + BIO_free(fp); > > + X509_free(BACKEND->server_cert); > > + BACKEND->server_cert = NULL; > > +@@ -3574,7 +3574,7 @@ static CURLcode servercert(struct connectdata *conn, > > + if(!issuer) { > > + if(strict) > > + failf(data, "SSL: Unable to read issuer cert (%s)", > > +- SSL_SET_OPTION(issuercert)); > > ++ SSL_CONN_CONFIG(issuercert)); > > + BIO_free(fp); > > + X509_free(issuer); > > + X509_free(BACKEND->server_cert); > > +@@ -3585,7 +3585,7 @@ static CURLcode servercert(struct connectdata *conn, > > + if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) { > > + if(strict) > > + failf(data, "SSL: Certificate issuer check failed (%s)", > > +- SSL_SET_OPTION(issuercert)); > > ++ SSL_CONN_CONFIG(issuercert)); > > + BIO_free(fp); > > + X509_free(issuer); > > + X509_free(BACKEND->server_cert); > > +@@ -3594,7 +3594,7 @@ static CURLcode servercert(struct connectdata *conn, > > + } > > + > > + infof(data, " SSL certificate issuer check ok (%s)\n", > > +- SSL_SET_OPTION(issuercert)); > > ++ SSL_CONN_CONFIG(issuercert)); > > + BIO_free(fp); > > + X509_free(issuer); > > + } > > +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c > > +index aaf73ef8f..8c681da14 100644 > > +--- a/lib/vtls/vtls.c > > ++++ b/lib/vtls/vtls.c > > +@@ -82,6 +82,16 @@ > > + else \ > > + dest->var = NULL; > > + > > ++static bool safecmp(char *a, char *b) > > ++{ > > ++ 
if(a && b) > > ++ return !strcmp(a, b); > > ++ else if(!a && !b) > > ++ return TRUE; /* match */ > > ++ return FALSE; /* no match */ > > ++} > > ++ > > ++ > > + bool > > + Curl_ssl_config_matches(struct ssl_primary_config* data, > > + struct ssl_primary_config* needle) > > +@@ -91,11 +101,12 @@ Curl_ssl_config_matches(struct ssl_primary_config* > > data, > > + (data->verifypeer == needle->verifypeer) && > > + (data->verifyhost == needle->verifyhost) && > > + (data->verifystatus == needle->verifystatus) && > > +- Curl_safe_strcasecompare(data->CApath, needle->CApath) && > > +- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) && > > +- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && > > +- Curl_safe_strcasecompare(data->random_file, needle->random_file) && > > +- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && > > ++ safecmp(data->CApath, needle->CApath) && > > ++ safecmp(data->CAfile, needle->CAfile) && > > ++ safecmp(data->issuercert, needle->issuercert) && > > ++ safecmp(data->clientcert, needle->clientcert) && > > ++ safecmp(data->random_file, needle->random_file) && > > ++ safecmp(data->egdsocket, needle->egdsocket) && > > + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && > > + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) > > && > > + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) > > +@@ -117,6 +128,7 @@ Curl_clone_primary_ssl_config(struct > > ssl_primary_config *source, > > + > > + CLONE_STRING(CApath); > > + CLONE_STRING(CAfile); > > ++ CLONE_STRING(issuercert); > > + CLONE_STRING(clientcert); > > + CLONE_STRING(random_file); > > + CLONE_STRING(egdsocket); > > +@@ -131,6 +143,7 @@ void Curl_free_primary_ssl_config(struct > > ssl_primary_config* sslc) > > + { > > + Curl_safefree(sslc->CApath); > > + Curl_safefree(sslc->CAfile); > > ++ Curl_safefree(sslc->issuercert); > > + Curl_safefree(sslc->clientcert); > > + Curl_safefree(sslc->random_file); > > + 
Curl_safefree(sslc->egdsocket); > > +-- > > +2.30.2 > > + > > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22925.patch > > b/meta/recipes-support/curl/curl/CVE-2021-22925.patch > > new file mode 100644 > > index 0000000000..daca16d4dc > > --- /dev/null > > +++ b/meta/recipes-support/curl/curl/CVE-2021-22925.patch > > @@ -0,0 +1,43 @@ > > +Subject: [PATCH] telnet: fix option parser to not send uninitialized > > + contents CVE-2021-22925 > > + > > +Reported-by: Red Hat Product Security > > +Bug: https://curl.se/docs/CVE-2021-22925.html > > +CVE: CVE-2021-22925 > > +Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6 > > +Signed-off-by: Mike Crowe <m...@mcrowe.com> > > +--- > > + lib/telnet.c | 17 +++++++++++------ > > + 1 file changed, 11 insertions(+), 6 deletions(-) > > + > > +diff --git a/lib/telnet.c b/lib/telnet.c > > +index 4bf4c652c..3347ad6d1 100644 > > +--- a/lib/telnet.c > > ++++ b/lib/telnet.c > > +@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn) > > + size_t tmplen = (strlen(v->data) + 1); > > + /* Add the variable only if it fits */ > > + if(len + tmplen < (int)sizeof(temp)-6) { > > +- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) { > > +- msnprintf((char *)&temp[len], sizeof(temp) - len, > > +- "%c%s%c%s", CURL_NEW_ENV_VAR, varname, > > +- CURL_NEW_ENV_VALUE, varval); > > +- len += tmplen; > > +- } > > ++ int rv; > > ++ char sep[2] = ""; > > ++ varval[0] = 0; > > ++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, > > varval); > > ++ if(rv == 1) > > ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, > > ++ "%c%s", CURL_NEW_ENV_VAR, varname); > > ++ else if(rv >= 2) > > ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, > > ++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname, > > ++ CURL_NEW_ENV_VALUE, varval); > > + } > > + } > > + msnprintf((char *)&temp[len], sizeof(temp) - len, > > +-- > > +2.30.2 > > + 
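Review bot: The `Upstream-Status:` line in the header of CVE-2021-22924.patch does not use the OE tag form; the header of CVE-2021-22925.patch in the next hunk has the same problem. The convention is the capitalised status word, optionally followed by a bracketed reference, so the line should read `Upstream-Status: Backport [<upstream commit URL>]` with the Ubuntu package (curl_7.68.0-1ubuntu2.6) named on a free-text line beneath it, since that is where the content was actually taken from. Keeping the tag in the recognised form is what lets the patch-status tooling classify these two security backports correctly.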
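Review bot: The header of CVE-2021-22925.patch does not record the adjustment the cover letter says was needed to make the Ubuntu patch apply to this tree, so a later rebase cannot tell where this file departs from the Ubuntu original. A one-line note below `Upstream-Status:` naming the context that was changed (for example which lines of `suboption()` in lib/telnet.c differ) would make that explicit. The enclosing `suboption()` function starts and ends outside the hunk, so the adjusted context is not visible here.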
> > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb > > b/meta/recipes-support/curl/curl_7.69.1.bb > > index 13ab29cf69..27151ca5d7 100644 > > --- a/meta/recipes-support/curl/curl_7.69.1.bb > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > > @@ -19,6 +19,8 @@ SRC_URI = > > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > > file://CVE-2020-8286.patch \ > > file://CVE-2021-22876.patch \ > > file://CVE-2021-22890.patch \ > > + file://CVE-2021-22924.patch \ > > + file://CVE-2021-22925.patch \ > > " > > > > SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" > > @@ -26,6 +28,7 @@ SRC_URI[sha256sum] = > > "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a5 > > > > # Curl has used many names over the years... > > CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl > > libcurl:libcurl daniel_stenberg:curl" > > +CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926" > > > > inherit autotools pkgconfig binconfig multilib_header > > > > -- > > 2.30.2 > > > > > > > > > > >
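Review bot: The new `CVE_CHECK_WHITELIST` line gives no reason for excluding the three CVEs, so the justification lives only in the commit message and is invisible to the next person editing the recipe. A comment directly above it, such as `# CVE-2021-22922/22923 need metalink, disabled via --without-libmetalink; CVE-2021-22926 is macOS-only`, records why each entry is safe to ignore. That matters more for a whitelist entry than for a patch, because the entry keeps silencing cve-check through future upgrades until someone deliberately removes it.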