!336 fix CVE-2024-9681

From: @yangl777 Reviewed-by: @jiangheng12 Signed-off-by: @jiangheng12
2024-11-12 02:55:47 +00:00 · 2024-11-12 02:55:47 +00:00 · 8602edff59
commit 8602edff59
parent 9f334f5233 2e051d6a46
3 changed files with 160 additions and 1 deletions
--- a/backport-CVE-2024-9681.patch
+++ b/backport-CVE-2024-9681.patch
@ -0,0 +1,82 @@
+From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 9 Oct 2024 10:04:35 +0200
+Subject: [PATCH] hsts: improve subdomain handling
+
+- on load, only replace existing HSTS entries if there is a full host
+  match
+
+- on matching, prefer a full host match and secondary the longest tail
+  subdomain match
+
+Closes #15210
+Conflict:Context adapt
+Reference:https://github.com/curl/curl/commit/a94973805df96269bf3f3bf0a20ccb9887313316
+---
+ lib/hsts.c          | 14 ++++++++++----
+ tests/data/test1660 |  2 +-
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index d5e883f51ef0f7..12052ce53c1c5a 100644
+--- a/lib/hsts.c
+++ b/lib/hsts.c
+@@ -249,11 +249,13 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
+  struct stsentry *bestsub = NULL;
+   if(h) {
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+     struct Curl_llist_element *n;
+    size_t blen = 0;
+ 
+     if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+       return NULL;
+@@ -275,15 +277,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+       if((subdomain && sts->includeSubDomains) && (ntail < hlen)) {
+         size_t offs = hlen - ntail;
+         if((hostname[offs-1] == '.') &&
+-           strncasecompare(&hostname[offs], sts->host, ntail))
+-          return sts;
+           strncasecompare(&hostname[offs], sts->host, ntail) &&
+           (ntail > blen)) {
+          /* save the tail match with the longest tail */
+          bestsub = sts;
+          blen = ntail;
+        }
+       }
+       /* avoid strcasecompare because the host name is not null terminated */
+       if((hlen == ntail) && strncasecompare(hostname, sts->host, hlen))
+         return sts;
+     }
+   }
+-  return NULL; /* no match */
+  return bestsub;
+ }
+ 
+ /*
+@@ -435,7 +441,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+     e = Curl_hsts(h, p, subdomain);
+     if(!e)
+       result = hsts_create(h, p, subdomain, expires);
+-    else {
+    else if(strcasecompare(p, e->host)) {
+       /* the same host name, use the largest expire time */
+       if(expires > e->expires)
+         e->expires = expires;
+diff --git a/tests/data/test1660 b/tests/data/test1660
+index f86126d19cf269..4b6f9615c9d517 100644
+--- a/tests/data/test1660
+++ b/tests/data/test1660
+@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
+ Input 12: error 43
+ Input 13: error 43
+ Input 14: error 43
+-3.example.com [example.com]: 1569905261 includeSubDomains
+3.example.com [3.example.com]: 1569905261 includeSubDomains
+ 3.example.com [example.com]: 1569905261 includeSubDomains
+ foo.example.com [example.com]: 1569905261 includeSubDomains
+ 'foo.xample.com' is not HSTS
--- a/backport-pre-CVE-2024-9681.patch
+++ b/backport-pre-CVE-2024-9681.patch
@ -0,0 +1,69 @@
+From 60d8663afb0fb7f113604404c50840dfe9320039 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 8 Oct 2024 11:20:40 +0200
+Subject: [PATCH] hsts: avoid the local buffer and memcpy on lookup
+
+Closes #15190
+Conflict:Context adapt
+Reference:https://github.com/curl/curl/commit/60d8663afb0fb7f113604404c50840dfe9320039
+---
+ lib/hsts.c | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index 7ecf004..f5e5bbf 100644
+--- a/lib/hsts.c
+++ b/lib/hsts.c
+@@ -250,7 +250,6 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
+   if(h) {
+-    char buffer[MAX_HSTS_HOSTLEN + 1];
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+@@ -258,15 +257,13 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ 
+     if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+       return NULL;
+-    memcpy(buffer, hostname, hlen);
+     if(hostname[hlen-1] == '.')
+       /* remove the trailing dot */
+       --hlen;
+-    buffer[hlen] = 0;
+-    hostname = buffer;
+ 
+     for(e = h->list.head; e; e = n) {
+       struct stsentry *sts = e->ptr;
+      size_t ntail;
+       n = e->next;
+       if(sts->expires <= now) {
+         /* remove expired entries */
+@@ -274,16 +271,15 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+         hsts_free(sts);
+         continue;
+       }
+-      if(subdomain && sts->includeSubDomains) {
+-        size_t ntail = strlen(sts->host);
+-        if(ntail < hlen) {
+-          size_t offs = hlen - ntail;
+-          if((hostname[offs-1] == '.') &&
+-             strncasecompare(&hostname[offs], sts->host, ntail))
+-            return sts;
+-        }
+      ntail = strlen(sts->host);
+      if((subdomain && sts->includeSubDomains) && (ntail < hlen)) {
+        size_t offs = hlen - ntail;
+        if((hostname[offs-1] == '.') &&
+           strncasecompare(&hostname[offs], sts->host, ntail))
+          return sts;
+       }
+-      if(strcasecompare(hostname, sts->host))
+      /* avoid strcasecompare because the host name is not null terminated */
+      if((hlen == ntail) && strncasecompare(hostname, sts->host, hlen))
+         return sts;
+     }
+   }
+-- 
+2.43.0
+
--- a/curl.spec
+++ b/curl.spec
@ -7,7 +7,7 @@

 Name:           curl
 Version:        8.4.0
-Release:        10
+Release:        11
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        curl
 URL:            https://curl.se/
@ -34,6 +34,8 @@ Patch25:        backport-CVE-2024-7264-x509asn1-clean-up-GTime2str.patch
 Patch26:        backport-CVE-2024-7264-x509asn1-unittests-and-fixes-fo.patch
 Patch27:        backport-CVE-2024-8096-gtls-fix-OCSP-stapling-management.patch
 Patch28:        backport-url-allow-DoH-transfers-to-override-max-connection-limit.patch
+Patch29:        backport-pre-CVE-2024-9681.patch
+Patch30:        backport-CVE-2024-9681.patch

 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@ -219,6 +221,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*

 %changelog
+* Mon Nov 11 2024 yanglu <yanglu72@h-partners.com> - 8.4.0-11
+- Type:CVE
+- CVE:CVE-2024-9681
+- SUG:NA
+- DESC:fix CVE-2024-9681
+
 * Fri Sep 20 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-10
 - Type:bugfix
 - CVE:NA