From 31474cc7399f4f6b33bd7ece718e40f90f43f47a Mon Sep 17 00:00:00 2001 From: Daniel Golle Date: Fri, 17 Jul 2015 01:30:20 +0200 Subject: [PATCH] gnurl: fix vulnerabilities, refresh patches being based on curl 0.70.0 gnurl is affected by CVE-2015-3144 CVE-2015-3145 CVE-2015-3153 CVE-2015-3236 Import patches from curl package to fix that. Signed-off-by: Daniel Golle --- net/gnurl/Makefile | 2 +- ...-gtls-add-support-for-CURLOPT_CAPATH.patch | 31 ++---- net/gnurl/patches/011-CVE-2015-3144.patch | 32 +++++++ net/gnurl/patches/012-CVE-2015-3145.patch | 53 +++++++++++ net/gnurl/patches/014-CVE-2015-3153.patch | 95 +++++++++++++++++++ net/gnurl/patches/015-CVE-2015-3236.patch | 42 ++++++++ net/gnurl/patches/100-check_long_long.patch | 2 +- net/gnurl/patches/200-no_docs_tests.patch | 12 +-- 8 files changed, 240 insertions(+), 29 deletions(-) create mode 100644 net/gnurl/patches/011-CVE-2015-3144.patch create mode 100644 net/gnurl/patches/012-CVE-2015-3145.patch create mode 100644 net/gnurl/patches/014-CVE-2015-3153.patch create mode 100644 net/gnurl/patches/015-CVE-2015-3236.patch diff --git a/net/gnurl/Makefile b/net/gnurl/Makefile index c63b1ffbb..b9dea2fea 100644 --- a/net/gnurl/Makefile +++ b/net/gnurl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gnurl PKG_VERSION:=7.40.0 -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=https://gnunet.org/sites/default/files diff --git a/net/gnurl/patches/010-backport-gtls-add-support-for-CURLOPT_CAPATH.patch b/net/gnurl/patches/010-backport-gtls-add-support-for-CURLOPT_CAPATH.patch index 37d862f01..563f5f3a5 100644 --- a/net/gnurl/patches/010-backport-gtls-add-support-for-CURLOPT_CAPATH.patch +++ b/net/gnurl/patches/010-backport-gtls-add-support-for-CURLOPT_CAPATH.patch 
@@ -10,11 +10,9 @@ Subject: [PATCH] gtls: add support for CURLOPT_CAPATH lib/vtls/gtls.h | 3 +++ 4 files changed, 29 insertions(+), 5 deletions(-) -diff --git a/acinclude.m4 b/acinclude.m4 -index 6ed7ffb..ca01869 100644 --- a/acinclude.m4 +++ b/acinclude.m4 -@@ -2615,8 +2615,8 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]), +@@ -2614,8 +2614,8 @@ AC_HELP_STRING([--without-ca-path], [Don capath="no" elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then dnl --with-ca-path given @@ -25,11 +23,9 @@ index 6ed7ffb..ca01869 100644 fi capath="$want_capath" ca="no" -diff --git a/docs/libcurl/opts/CURLOPT_CAPATH.3 b/docs/libcurl/opts/CURLOPT_CAPATH.3 -index 642953d..6695f9f 100644 --- a/docs/libcurl/opts/CURLOPT_CAPATH.3 +++ b/docs/libcurl/opts/CURLOPT_CAPATH.3 -@@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc. +@@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IM .SH EXAMPLE TODO .SH AVAILABILITY @@ -41,13 +37,11 @@ index 642953d..6695f9f 100644 .SH RETURN VALUE Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or CURLE_OUT_OF_MEMORY if there was insufficient heap space. -diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c -index 05aef19..c792540 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c -@@ -97,6 +97,10 @@ static bool gtls_inited = FALSE; - # if (GNUTLS_VERSION_NUMBER >= 0x03020d) - # define HAS_OCSP +@@ -98,6 +98,10 @@ static bool gtls_inited = FALSE; + # define HAS_ALPN + # endif # endif + +# if (GNUTLS_VERSION_NUMBER >= 0x030306) @@ -55,8 +49,8 @@ index 05aef19..c792540 100644 +# endif #endif - #ifdef HAS_OCSP -@@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn, + /* +@@ -463,6 +467,24 @@ gtls_connect_step1(struct connectdata *c rc, data->set.ssl.CAfile); } 
@@ -81,13 +75,11 @@ index 05aef19..c792540 100644 if(data->set.ssl.CRLfile) { /* set the CRL list file */ rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred, -diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h -index c3867e5..af1cb5b 100644 --- a/lib/vtls/gtls.h +++ b/lib/vtls/gtls.h -@@ -54,6 +54,9 @@ bool Curl_gtls_cert_status_request(void); - /* Set the API backend definition to GnuTLS */ - #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS +@@ -53,6 +53,9 @@ void Curl_gtls_md5sum(unsigned char *tmp + unsigned char *md5sum, /* output */ + size_t md5len); +/* this backend supports the CAPATH option */ +#define have_curlssl_ca_path 1 @@ -95,6 +87,3 @@ index c3867e5..af1cb5b 100644 /* API setup for GnuTLS */ #define curlssl_init Curl_gtls_init #define curlssl_cleanup Curl_gtls_cleanup --- -2.4.4 - diff --git a/net/gnurl/patches/011-CVE-2015-3144.patch b/net/gnurl/patches/011-CVE-2015-3144.patch new file mode 100644 index 000000000..3d752167a --- /dev/null +++ b/net/gnurl/patches/011-CVE-2015-3144.patch 
@@ -0,0 +1,32 @@
+From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 16 Apr 2015 23:52:04 +0200
+Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a URL is given with a zero-length host name, like in "http://:80" or
+just ":80", `fix_hostname()` will index the host name pointer with a -1
+offset (as it blindly assumes a non-zero length) and both read and
+assign that address.
+
+CVE-2015-3144
+
+Bug: http://curl.haxx.se/docs/adv_20150422D.html
+Reported-by: Hanno Böck
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3602,7 +3602,7 @@ static void fix_hostname(struct SessionH
+ host->dispname = host->name;
+ 
+ len = strlen(host->name);
+- if(host->name[len-1] == '.')
++ if(len && (host->name[len-1] == '.'))
+ /* strip off a single trailing dot if present, primarily for SNI but
+ there's no use for it */
+ host->name[len-1]=0;
diff --git a/net/gnurl/patches/012-CVE-2015-3145.patch b/net/gnurl/patches/012-CVE-2015-3145.patch
new file mode 100644
index 000000000..c7ecbe9c2
--- /dev/null
+++ b/net/gnurl/patches/012-CVE-2015-3145.patch
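Review bot: The `len &&` guard stops the `host->name[len-1]` read and write for a zero-length host, but the empty name itself is still accepted: `host->dispname` is set to "" and control falls out of this block toward connection setup. A URL such as "http://:80" is better refused at parse time with CURLE_URL_MALFORMAT than resolved as an empty host; I cannot see from this hunk whether the URL parser in this 7.40.0 base already does that, so it is worth confirming rather than relying on this one guard. The declaration of `len` is also outside the hunk; if it is a signed type the guard is still correct, but it is the only thing protecting the index. fix_hostname's body starts and ends outside the hunk.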
@@ -0,0 +1,53 @@
+From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 16 Apr 2015 16:37:40 +0200
+Subject: [PATCH] cookie: cookie parser out of boundary memory access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The internal libcurl function called sanitize_cookie_path() that cleans
+up the path element as given to it from a remote site or when read from
+a file, did not properly validate the input. If given a path that
+consisted of a single double-quote, libcurl would index a newly
+allocated memory area with index -1 and assign a zero to it, thus
+destroying heap memory it wasn't supposed to.
+
+CVE-2015-3145
+
+Bug: http://curl.haxx.se/docs/adv_20150422C.html
+Reported-by: Hanno Böck
+---
+ lib/cookie.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -236,11 +236,14 @@ static char *sanitize_cookie_path(const
+ return NULL;
+ 
+ /* some stupid site sends path attribute with '"'. */
++ len = strlen(new_path);
+ if(new_path[0] == '\"') {
+- memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
++ memmove((void *)new_path, (const void *)(new_path + 1), len);
++ len--;
+ }
+- if(new_path[strlen(new_path) - 1] == '\"') {
+- new_path[strlen(new_path) - 1] = 0x0;
++ if(len && (new_path[len - 1] == '\"')) {
++ new_path[len - 1] = 0x0;
++ len--;
+ }
+ 
+ /* RFC6265 5.2.4 The Path Attribute */
+@@ -252,8 +255,7 @@ static char *sanitize_cookie_path(const
+ }
+ 
+ /* convert /hoge/ to /hoge */
+- len = strlen(new_path);
+- if(1 < len && new_path[len - 1] == '/') {
++ if(len && new_path[len - 1] == '/') {
+ new_path[len - 1] = 0x0;
+ }
+ 
diff --git a/net/gnurl/patches/014-CVE-2015-3153.patch b/net/gnurl/patches/014-CVE-2015-3153.patch
new file mode 100644
index 000000000..f6d37d4b5
--- /dev/null
+++ b/net/gnurl/patches/014-CVE-2015-3153.patch
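Review bot: The second nested hunk changes the trailing-slash strip from `if(1 < len && ...)` to `if(len && ...)`, which is more than the boundary fix: a cookie Path of exactly "/" is now reduced to "" where the old code deliberately kept the single slash. That mirrors the upstream commit, but it silently relies on the cookie path matcher in this 7.40.0 base treating an empty path like "/"; a quick check with `Set-Cookie: a=b; path=/` followed by a request to a sub-path would confirm it, otherwise keep `1 < len` in the gnurl copy. The cached `len` is only kept in sync on the lines shown; the RFC6265 default-path block between the two hunks is outside the view, so if it ever rewrites `new_path` without returning, the later `new_path[len - 1]` would index with a stale length and deserves a glance. sanitize_cookie_path starts and ends outside the hunk.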
@@ -0,0 +1,95 @@
+From 69a2e8d7ec581695a62527cb2252e7350f314ffa Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 23 Apr 2015 15:58:21 +0200
+Subject: [PATCH] CURLOPT_HEADEROPT: default to separate
+
+Make the HTTP headers separated by default for improved security and
+reduced risk for information leakage.
+
+Bug: http://curl.haxx.se/docs/adv_20150429.html
+Reported-by: Yehezkel Horowitz, Oren Souroujon
+---
+ docs/libcurl/opts/CURLOPT_HEADEROPT.3 | 12 ++++++------
+ lib/url.c | 1 +
+ tests/data/test1527 | 2 +-
+ tests/data/test287 | 2 +-
+ tests/libtest/lib1527.c | 1 +
+ 5 files changed, 10 insertions(+), 8 deletions(-)
+
+--- a/docs/libcurl/opts/CURLOPT_HEADEROPT.3
++++ b/docs/libcurl/opts/CURLOPT_HEADEROPT.3
+@@ -5,7 +5,7 @@
+ .\" * | (__| |_| | _ <| |___
+ .\" * \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al.
++.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -31,10 +31,10 @@ CURLcode curl_easy_setopt(CURL *handle,
+ Pass a long that is a bitmask of options of how to deal with headers. The two
+ mutually exclusive options are:
+ 
+-\fBCURLHEADER_UNIFIED\fP - keep working as before. This means
+-\fICURLOPT_HTTPHEADER(3)\fP headers will be used in requests both to servers
+-and proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not
+-have any effect.
++\fBCURLHEADER_UNIFIED\fP - the headers specified in
++\fICURLOPT_HTTPHEADER(3)\fP will be used in requests both to servers and
++proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not have
++any effect.
+ 
+ \fBCURLHEADER_SEPARATE\fP - makes \fICURLOPT_HTTPHEADER(3)\fP headers only get
+ sent to a server and not to a proxy. Proxy headers must be set with
+@@ -44,7 +44,7 @@ headers.
When doing CONNECT, libcurl wil
+ headers only to the proxy and then \fICURLOPT_HTTPHEADER(3)\fP headers only to
+the server.
+ .SH DEFAULT
+-CURLHEADER_UNIFIED
++CURLHEADER_SEPARATE (changed in 7.42.1, ased CURLHEADER_UNIFIED before then)
+ .SH PROTOCOLS
+ HTTP
+ .SH EXAMPLE
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -605,6 +605,7 @@ CURLcode Curl_init_userdefined(struct Us
+ set->ssl_enable_alpn = TRUE;
+ 
+ set->expect_100_timeout = 1000L; /* Wait for a second by default. */
++ set->sep_headers = TRUE; /* separated header lists by default */
+ return result;
+ }
+ 
+--- a/tests/data/test1527
++++ b/tests/data/test1527
+@@ -45,7 +45,7 @@ http-proxy
+ lib1527
+ 
+ 
+-Check same headers are generated without CURLOPT_PROXYHEADER
++Check same headers are generated with CURLOPT_HEADEROPT == CURLHEADER_UNIFIED
+ 
+ 
+ http://the.old.moo.1527:%HTTPPORT/1527 %HOSTIP:%PROXYPORT
+--- a/tests/data/test287
++++ b/tests/data/test287
+@@ -28,7 +28,7 @@ http
+ HTTP proxy CONNECT with custom User-Agent header
+ 
+ 
+-http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2007" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel
++http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2015" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel --proxy-header "User-Agent: looser/2007"
+ 
+ 
+ 
+--- a/tests/libtest/lib1527.c
++++ b/tests/libtest/lib1527.c
+@@ -83,6 +83,7 @@ int test(char *URL)
+ test_setopt(curl, CURLOPT_READFUNCTION, read_callback);
+ test_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L);
+ test_setopt(curl, CURLOPT_INFILESIZE, strlen(data));
++ test_setopt(curl, CURLOPT_HEADEROPT, CURLHEADER_UNIFIED);
+ 
+ res = curl_easy_perform(curl);
+ 
diff --git a/net/gnurl/patches/015-CVE-2015-3236.patch b/net/gnurl/patches/015-CVE-2015-3236.patch
new file mode 100644
index 000000000..41197a265
--- /dev/null
+++ b/net/gnurl/patches/015-CVE-2015-3236.patch
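Review bot: `set->sep_headers = TRUE;` flips a documented library default (CURLHEADER_UNIFIED to CURLHEADER_SEPARATE) inside what is packaged as a PKG_RELEASE bump, so any gnurl consumer that has been passing proxy-bound headers through CURLOPT_HTTPHEADER will silently stop sending them to the proxy on CONNECT. That is the intended hardening against leaking server headers to a proxy, but it deserves a sentence in the commit message or package changelog pointing users at CURLOPT_PROXYHEADER, since nothing in the build will warn them. The man page text in the same patch carries a typo, `ased CURLHEADER_UNIFIED before then` should read `was CURLHEADER_UNIFIED before then`, and its "changed in 7.42.1" claim reads oddly in a package versioned 7.40.0. Curl_init_userdefined's body starts and ends outside the hunk.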
@@ -0,0 +1,42 @@ +From e6d7c30734487246e83b95520e81bc1ccf0a2376 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Thu, 28 May 2015 20:04:35 +0200 +Subject: [PATCH] http: do not leak basic auth credentials on re-used + connections + +CVE-2015-3236 + +This partially reverts commit curl-7_39_0-237-g87c4abb + +Bug: http://curl.haxx.se/docs/adv_20150617A.html +--- + lib/http.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +--- a/lib/http.c ++++ b/lib/http.c +@@ -2327,20 +2327,12 @@ CURLcode Curl_http(struct connectdata *c + te + ); + +- /* +- * Free userpwd for Negotiate/NTLM. Cannot reuse as it is associated with +- * the connection and shouldn't be repeated over it either. +- */ +- switch (data->state.authhost.picked) { +- case CURLAUTH_NEGOTIATE: +- case CURLAUTH_NTLM: +- case CURLAUTH_NTLM_WB: +- Curl_safefree(conn->allocptr.userpwd); +- break; +- } ++ /* clear userpwd to avoid re-using credentials from re-used connections */ ++ Curl_safefree(conn->allocptr.userpwd); + + /* +- * Same for proxyuserpwd ++ * Free proxyuserpwd for Negotiate/NTLM. Cannot reuse as it is associated ++ * with the connection and shouldn't be repeated over it either. + */ + switch (data->state.authproxy.picked) { + case CURLAUTH_NEGOTIATE: diff --git a/net/gnurl/patches/100-check_long_long.patch b/net/gnurl/patches/100-check_long_long.patch index 2dd8cc72d..7faa45169 100644 --- a/net/gnurl/patches/100-check_long_long.patch +++ b/net/gnurl/patches/100-check_long_long.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -2885,6 +2885,7 @@ CURL_VERIFY_RUNTIMELIBS +@@ -2879,6 +2879,7 @@ CURL_VERIFY_RUNTIMELIBS AC_CHECK_SIZEOF(size_t) AC_CHECK_SIZEOF(long) diff --git a/net/gnurl/patches/200-no_docs_tests.patch b/net/gnurl/patches/200-no_docs_tests.patch index 6a1fdf5b6..6c778f7be 100644 --- a/net/gnurl/patches/200-no_docs_tests.patch +++ b/net/gnurl/patches/200-no_docs_tests.patch @@ -1,22 +1,22 @@ --- a/Makefile.am 
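Review bot: Making `Curl_safefree(conn->allocptr.userpwd);` unconditional is the right fix for Basic credentials riding along on a reused connection, but the patch set skips from 012 to 014 and the companion issues from the same advisory series, CVE-2015-3143 (NTLM-authenticated connections reused without re-checking credentials) and CVE-2015-3148 (Negotiate treated as connection-oriented), both affect curl up to 7.41.0 and are not covered here. If gnurl is configured without NTLM and GSS-API they may not apply, but that should be stated in the commit message so the omission is visibly deliberate rather than a dropped patch. The proxy side of this hunk still frees `proxyuserpwd` only for Negotiate/NTLM, which matches the upstream commit being imported. The rest of Curl_http is outside the hunk.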
+++ b/Makefile.am -@@ -129,7 +129,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) $(VC7_LIBVCPROJ) $(VC7_SRCVCPROJ) \ - bin_SCRIPTS = curl-config +@@ -129,7 +129,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) + bin_SCRIPTS = gnurl-config SUBDIRS = lib src include -DIST_SUBDIRS = $(SUBDIRS) tests packages docs +DIST_SUBDIRS = $(SUBDIRS) packages pkgconfigdir = $(libdir)/pkgconfig - pkgconfig_DATA = libcurl.pc + pkgconfig_DATA = libgnurl.pc --- a/Makefile.in +++ b/Makefile.in -@@ -577,7 +577,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) $(VC7_LIBVCPROJ) $(VC7_SRCVCPROJ) \ +@@ -577,7 +577,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) - bin_SCRIPTS = curl-config + bin_SCRIPTS = gnurl-config SUBDIRS = lib src include -DIST_SUBDIRS = $(SUBDIRS) tests packages docs +DIST_SUBDIRS = $(SUBDIRS) packages pkgconfigdir = $(libdir)/pkgconfig - pkgconfig_DATA = libcurl.pc + pkgconfig_DATA = libgnurl.pc LIB_VTLS_CFILES = vtls/openssl.c vtls/gtls.c vtls/vtls.c vtls/nss.c \