From 4e51d47a7133a98e2e356c346077f1f4f1e48b63 Mon Sep 17 00:00:00 2001
From: sherlock2010 <15151851377@163.com>
Date: Fri, 30 Dec 2022 02:55:49 +0000
Subject: [PATCH] fix CVE-2022-43551 CVE-2022-43552
(cherry picked from commit cb54a69f4247fd602d026d292f2fe14017fd0fcf)
---
 ...-the-IDN-decoded-name-in-HSTS-checks.patch | 32 ++++++++
 ...ot-free-the-protocol-struct-in-_done.patch | 78 +++++++++++++++++++
 curl.spec | 10 ++-
 3 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch
 create mode 100644 backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
diff --git a/backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch b/backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch
new file mode 100644
index 0000000..da5b110
--- /dev/null
+++ b/backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch
@@ -0,0 +1,32 @@
+From 9e71901634e276dd050481c4320f046bebb1bc28 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 19 Dec 2022 08:36:55 +0100
+Subject: [PATCH 1/2] http: use the IDN decoded name in HSTS checks
+
+Otherwise it stores the info HSTS into the persistent cache for the IDN
+name which will not match when the HSTS status is later checked for
+using the decoded name.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #10111
+---
+ lib/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 85528a221..a784745a8 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -3646,7 +3646,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
+ else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
+ (conn->handler->flags & PROTOPT_SSL)) {
+ CURLcode check =
+- Curl_hsts_parse(data->hsts, data->state.up.hostname,
++ Curl_hsts_parse(data->hsts, conn->host.name,
+ headp + strlen("Strict-Transport-Security:"));
+ if(check)
+ infof(data, "Illegal STS header skipped");
+--
+2.33.0
+
diff --git a/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch b/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
new file mode 100644
index 0000000..92690b0
--- /dev/null
+++ b/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
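Review bot: The backport fixes only the store side of the HSTS cache (`Curl_hsts_parse(data->hsts, conn->host.name, ...)` in Curl_http_header) and closes CVE-2022-43551 only if the lookup side in this 7.79.1 tree already keys on the same IDN-decoded host; upstream's one-file change assumes that for its own tree. Before shipping, confirm that the HSTS upgrade check in this version's lib/url.c is handed the host after IDN conversion rather than the raw URL hostname (`data->state.up.hostname`), because if store and lookup still use different spellings of an IDN host the bypass remains. A one-line comment at the call site would save the next backporter the same investigation: `/* CVE-2022-43551: key the entry on the IDN-decoded host so the later HSTS lookup matches */`. Curl_http_header's body begins and ends outside the inner hunk.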
@@ -0,0 +1,78 @@ +From 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 19 Dec 2022 08:38:37 +0100 +Subject: [PATCH 2/2] smb/telnet: do not free the protocol struct in *_done() + +It is managed by the generic layer. + +Reported-by: Trail of Bits + +Closes #10112 +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 2cfe041df..48d5a2fe0 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -58,8 +58,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done); + static CURLcode smb_connection_state(struct Curl_easy *data, bool *done); + static CURLcode smb_do(struct Curl_easy *data, bool *done); + static CURLcode smb_request_state(struct Curl_easy *data, bool *done); +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead); + static int smb_getsock(struct Curl_easy *data, struct connectdata *conn, +@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -101,7 +99,7 @@ const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -936,14 +934,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + return CURLE_OK; + } + +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature) +-{ +- (void) premature; +- Curl_safefree(data->req.p.smb); +- return status; +-} +- + 
static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead) + { +diff --git a/lib/telnet.c b/lib/telnet.c +index 24d3f1efb..22bc81e75 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data, + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(data->req.p.telnet); +- + return CURLE_OK; + } + +-- +2.33.0 + diff --git a/curl.spec b/curl.spec index fbea214..3859174 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Name: curl Version: 7.79.1 -Release: 12 +Release: 13 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/ @@ -31,6 +31,8 @@ Patch16: backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes Patch17: backport-CVE-2022-32221.patch Patch18: backport-CVE-2022-42916.patch Patch19: backport-CVE-2022-42915.patch +Patch20: backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch +Patch21: backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel @@ -205,6 +207,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Thu Dec 22 2022 zhouyihang - 7.79.1-13 +- Type:cves +- CVE:CVE-2022-43551 CVE-2022-43552 +- SUG:NA +- DESC:fix CVE-2022-43551 CVE-2022-43552 + * Thu Oct 27 2022 yanglu - 7.79.1-12 - Type:cves - CVE:CVE-2022-32221 CVE-2022-42915 CVE-2022-42916
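Review bot: Removing `Curl_safefree(data->req.p.smb)` from smb_done (and the whole `done` callback, now `ZERO_NULL`) and `Curl_safefree(data->req.p.telnet)` from telnet_done is only a correct fix if the generic request-state teardown in this 7.79.1 tree does free `data->req.p` after the protocol `done()` runs; the upstream message "It is managed by the generic layer" describes upstream's tree, not necessarily this one. If that free is absent here, the backport turns the use-after-free into a per-transfer leak, so please verify the teardown path in lib/url.c or lib/multi.c before merging. telnet_done still dereferences `tn` for `curl_slist_free_all(tn->telnet_vars)`, which is safe only if the NULL check on `tn` at the top of the function is kept; that start of the function is outside the hunk. A short comment where the frees were removed would document the ownership rule: `/* data->req.p.* is owned and freed by the generic request layer, never here (CVE-2022-43552) */`.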
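Review bot: Patch20 and Patch21 are declared in the header of curl.spec, but the %prep section is not part of this diff, so it is not visible whether they are actually applied; if this spec applies patches with explicit `%patchN -p1` lines rather than `%autosetup -p1`, matching `%patch20 -p1` and `%patch21 -p1` entries are required, otherwise the two CVE fixes are listed in the changelog but never built in. A cheap check is that the prepared source tree contains the `ZERO_NULL, /* done */` entries in lib/smb.c after %prep. The Release bump to 13 and the changelog entry are consistent with each other.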