fix CVE-2022-43551 CVE-2022-43552

(cherry picked from commit cb54a69f4247fd602d026d292f2fe14017fd0fcf)
2022-12-30 02:55:49 +00:00 · 2022-12-30 02:55:49 +00:00 · 4e51d47a71
commit 4e51d47a71
parent 671df1d480
3 changed files with 119 additions and 1 deletions
--- a/backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch
+++ b/backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch
@ -0,0 +1,32 @@
+From 9e71901634e276dd050481c4320f046bebb1bc28 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:36:55 +0100
+Subject: [PATCH 1/2] http: use the IDN decoded name in HSTS checks
+
+Otherwise it stores the info HSTS into the persistent cache for the IDN
+name which will not match when the HSTS status is later checked for
+using the decoded name.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #10111
+---
+ lib/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 85528a221..a784745a8 100644
+--- a/lib/http.c
+++ b/lib/http.c
+@@ -3646,7 +3646,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
+   else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
+           (conn->handler->flags & PROTOPT_SSL)) {
+     CURLcode check =
+-      Curl_hsts_parse(data->hsts, data->state.up.hostname,
+      Curl_hsts_parse(data->hsts, conn->host.name,
+                       headp + strlen("Strict-Transport-Security:"));
+     if(check)
+       infof(data, "Illegal STS header skipped");
+-- 
+2.33.0
+
--- a/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
+++ b/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
@ -0,0 +1,78 @@
+From 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH 2/2] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+---
+ lib/smb.c    | 14 ++------------
+ lib/telnet.c |  3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 2cfe041df..48d5a2fe0 100644
+--- a/lib/smb.c
+++ b/lib/smb.c
+@@ -58,8 +58,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done);
+ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
+ static CURLcode smb_do(struct Curl_easy *data, bool *done);
+ static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature);
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead);
+ static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
+@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = {
+   "SMB",                                /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
+  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -101,7 +99,7 @@ const struct Curl_handler Curl_handler_smbs = {
+   "SMBS",                               /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
+  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -936,14 +934,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
+   return CURLE_OK;
+ }
+ 
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature)
+-{
+-  (void) premature;
+-  Curl_safefree(data->req.p.smb);
+-  return status;
+-}
+-
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead)
+ {
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 24d3f1efb..22bc81e75 100644
+--- a/lib/telnet.c
+++ b/lib/telnet.c
+@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data,
+ 
+   curl_slist_free_all(tn->telnet_vars);
+   tn->telnet_vars = NULL;
+-
+-  Curl_safefree(data->req.p.telnet);
+-
+   return CURLE_OK;
+ }
+ 
+-- 
+2.33.0
+
--- a/curl.spec
+++ b/curl.spec
@ -6,7 +6,7 @@

 Name:           curl
 Version:        7.79.1
-Release:        12
+Release:        13
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@ -31,6 +31,8 @@ Patch16:        backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes
 Patch17:        backport-CVE-2022-32221.patch
 Patch18:        backport-CVE-2022-42916.patch
 Patch19:        backport-CVE-2022-42915.patch
+Patch20:        backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch
+Patch21:        backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch

 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@ -205,6 +207,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*

 %changelog
+* Thu Dec 22 2022 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-13
+- Type:cves
+- CVE:CVE-2022-43551 CVE-2022-43552
+- SUG:NA
+- DESC:fix CVE-2022-43551 CVE-2022-43552
+
 * Thu Oct 27 2022 yanglu <yanglu72@h-partners.com> - 7.79.1-12
 - Type:cves
 - CVE:CVE-2022-32221 CVE-2022-42915 CVE-2022-42916