From 98d9092bd98df34c01ec6d056f8ee500cd9d9ff3 Mon Sep 17 00:00:00 2001
From: sherlock2010 <15151851377@163.com>
Date: Thu, 22 Dec 2022 08:08:34 +0000
Subject: [PATCH] fix CVE-2022-43551 CVE-2022-43552
---
 ...-the-IDN-decoded-name-in-HSTS-checks.patch | 32 ++++++++
 ...ot-free-the-protocol-struct-in-_done.patch | 78 +++++++++++++++++++
 curl.spec | 10 ++-
 3 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch
 create mode 100644 backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
diff --git a/backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch b/backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch
new file mode 100644
index 0000000..b437a08
--- /dev/null
+++ b/backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch
@@ -0,0 +1,32 @@
+From 9e71901634e276dd050481c4320f046bebb1bc28 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 19 Dec 2022 08:36:55 +0100
+Subject: [PATCH 1/2] http: use the IDN decoded name in HSTS checks
+
+Otherwise it stores the info HSTS into the persistent cache for the IDN
+name which will not match when the HSTS status is later checked for
+using the decoded name.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #10111
+---
+ lib/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 85528a221..a784745a8 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -3646,7 +3646,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
+ #endif
+ )) {
+ CURLcode check =
+- Curl_hsts_parse(data->hsts, data->state.up.hostname,
++ Curl_hsts_parse(data->hsts, conn->host.name,
+ headp + strlen("Strict-Transport-Security:"));
+ if(check)
+ infof(data, "Illegal STS header skipped");
+-- 
+2.33.0
+
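Review bot: The backport header records neither the upstream commit URL nor whether the hunk applied cleanly to 7.86.0; the nested `index 85528a221..a784745a8` line identifies the upstream tree the patch was taken from, not the 7.86.0 tarball, so provenance cannot be confirmed from this file alone. If the repo follows the Conflict:/Reference: header convention, add `Conflict:NA` and `Reference:https://github.com/curl/curl/commit/9e71901634e276dd050481c4320f046bebb1bc28` above the nested diff, and likewise `Reference:https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2` in the CVE-2022-43552 patch file. The changed `Curl_hsts_parse()` call sits inside Curl_http_header, which begins and ends outside the hunk.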
diff --git a/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch b/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
new file mode 100644
index 0000000..92690b0
--- /dev/null
+++ b/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
@@ -0,0 +1,78 @@
+From 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH 2/2] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+---
+ lib/smb.c | 14 ++------------
+ lib/telnet.c | 3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 2cfe041df..48d5a2fe0 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -58,8 +58,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done);
+ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
+ static CURLcode smb_do(struct Curl_easy *data, bool *done);
+ static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+- bool premature);
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+ struct connectdata *conn, bool dead);
+ static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
+@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = {
+ "SMB", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -101,7 +99,7 @@ const struct Curl_handler Curl_handler_smbs = {
+ "SMBS", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -936,14 +934,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
+ return CURLE_OK;
+ }
+
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+- bool premature)
+-{
+- (void) premature;
+- Curl_safefree(data->req.p.smb);
+- return status;
+-}
+-
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+ struct connectdata *conn, bool dead)
+ {
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 24d3f1efb..22bc81e75 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data,
+
+ curl_slist_free_all(tn->telnet_vars);
+ tn->telnet_vars = NULL;
+-
+- Curl_safefree(data->req.p.telnet);
+-
+ return CURLE_OK;
+ }
+
+-- 
+2.33.0
+
diff --git a/curl.spec b/curl.spec
index 2ca0b79..acc60ae 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@ Name: curl
 Version: 7.86.0
-Release: 1
+Release: 2
 Summary: Curl is used in command lines or scripts to transfer data
 License: MIT
 URL: https://curl.haxx.se/
@@ -15,6 +15,8 @@ Source: https://curl.haxx.se/download/curl-%{version}.tar.xz
 Patch1: backport-0101-curl-7.32.0-multilib.patch
 Patch2: backport-curl-7.84.0-test3026.patch
 Patch3: backport-curl-7.86.0-noproxy.patch
+Patch4: backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch
+Patch5: backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
 BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
@@ -201,6 +203,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 %changelog
+* Thu Dec 22 2022 zhouyihang - 7.86.0-2
+- Type:cves
+- ID:CVE-2022-43551 CVE-2022-43552
+- SUG:NA
+- DESC:fix CVE-2022-43551 CVE-2022-43552
+
 * Wed Nov 16 2022 xinghe - 7.86.0-1
 - Type:requirements
 - ID:NA
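Review bot: With `done` set to `ZERO_NULL` in both SMB handler tables and the `Curl_safefree()` calls dropped from `smb_done()` and `telnet_done()`, the backport relies on the generic layer to release `data->req.p.smb` and `data->req.p.telnet`, and that generic cleanup is not shown anywhere in this patch; confirm that 7.86.0's request-state teardown frees `data->req.p` so the double free is not traded for a per-request leak. The telnet hunk starts inside `telnet_done()`, whose opening lines are outside the hunk. A one-line note in the patch header stating that the generic-layer free was verified in the 7.86.0 tree would let the next reviewer skip that check.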
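Review bot: The new `Patch4:`/`Patch5:` declarations only take effect if `%prep` applies them, and `%prep` lies outside these hunks; if the spec uses explicit `%patchN -p1` lines rather than `%autosetup`, matching `%patch4 -p1` and `%patch5 -p1` entries are still required, otherwise 7.86.0-2 ships without either fix. A quick check is that the build log shows both backport-CVE-2022-4355x patches being applied. The changelog author (zhouyihang) also differs from the commit author (sherlock2010); harmless, but worth keeping consistent.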