author | Timo Teräs <timo.teras@iki.fi> | 2014-04-17 07:34:31 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-04-18 12:29:09 +0000 |
commit | b40a99c8c0a04a119db0f5fad7fbe186981f054c (patch) | |
tree | a2f867bb3756c8899f125ac63e48f106b2fa43a2 | |
parent | dc904137c8e3e8f68a9410dbc8bfac56b382b50d (diff) | |
download | aports-b40a99c8c0a04a119db0f5fad7fbe186981f054c.tar.bz2 aports-b40a99c8c0a04a119db0f5fad7fbe186981f054c.tar.xz |
main/curl: security fixes (CVE-2014-0138 CVE-2014-0139)
fixes #2817
-rw-r--r-- | main/curl/0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch | 120 | ||||
-rw-r--r-- | main/curl/APKBUILD | 10 | ||||
-rw-r--r-- | main/curl/CVE-2014-0138.patch | 70 | ||||
-rw-r--r-- | main/curl/CVE-2014-0139.patch | 45 |
4 files changed, 243 insertions, 2 deletions
diff --git a/main/curl/0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch b/main/curl/0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch
new file mode 100644
index 0000000000..f03f83314a
--- /dev/null
+++ b/main/curl/0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch
@@ -0,0 +1,120 @@
+From ebf315e6f399ec534dbce4741d0463c28ae858e3 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Sun, 1 Apr 2012 21:58:17 +0900
+Subject: [PATCH] OpenSSL: Made cert hostname check conform to RFC 6125
+
+This change replaces RFC 2818 based hostname check in OpenSSL build with
+RFC 6125 [1] based one.
+
+The hostname check in RFC 2818 is ambiguous and each project implements
+it in the their own way and they are slightly different. I check curl,
+gnutls, Firefox and Chrome and they are all different.
+
+I don't think there is a bug in current implementation of hostname
+check. But it is not as strict as the modern browsers do. Currently,
+curl allows multiple wildcard character '*' and it matches '.'. (as
+described in the comment in ssluse.c).
+
+Firefox implementation is also based on RFC 2818 but it only allows at
+most one wildcard character and it must be in the left-most label in the
+pattern and the wildcard must not be followed by any character in the
+label.[2] Chromium implementation is based on RFC 6125 as my patch does.
+Firefox and Chromium both require wildcard in the left-most label in the
+presented identifier.
+
+This patch is more strict than the current implementation, so there may
+be some cases where old curl works but new one does not. But at the same
+time I think it is good practice to follow the modern browsers do and
+follow the newer RFC.
+
+[1] http://tools.ietf.org/html/rfc6125#section-6.4.3
+[2] https://bugzilla.mozilla.org/show_bug.cgi?id=159483
+---
+ lib/ssluse.c | 64 +++++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 37 insertions(+), 27 deletions(-)
+
+diff --git a/lib/ssluse.c b/lib/ssluse.c
+index 74563c7..8652cbd 100644
+--- a/lib/ssluse.c
++++ b/lib/ssluse.c
+@@ -1048,40 +1048,50 @@ static int asn1_output(const ASN1_UTCTIME *tm,
+ * E.g.
+ * "foo.host.com" matches "*.host.com".
+ *
+- * We are a bit more liberal than RFC2818 describes in that we
+- * accept multiple "*" in pattern (similar to what some other browsers do).
+- * E.g.
+- * "abc.def.domain.com" should strickly not match "*.domain.com", but we
+- * don't consider "." to be important in CERT checking.
++ * We use the matching rule described in RFC6125, section 6.4.3.
++ * http://tools.ietf.org/html/rfc6125#section-6.4.3
+ */
+ #define HOST_NOMATCH 0
+ #define HOST_MATCH 1
+
+ static int hostmatch(const char *hostname, const char *pattern)
+ {
+- for(;;) {
+- char c = *pattern++;
+-
+- if(c == '\0')
+- return (*hostname ? HOST_NOMATCH : HOST_MATCH);
+-
+- if(c == '*') {
+- c = *pattern;
+- if(c == '\0') /* "*\0" matches anything remaining */
+- return HOST_MATCH;
+-
+- while(*hostname) {
+- /* The only recursive function in libcurl! */
+- if(hostmatch(hostname++,pattern) == HOST_MATCH)
+- return HOST_MATCH;
+- }
+- break;
+- }
+-
+- if(Curl_raw_toupper(c) != Curl_raw_toupper(*hostname++))
+- break;
++ const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
++ int wildcard_enabled;
++ size_t prefixlen, suffixlen;
++ pattern_wildcard = strchr(pattern, '*');
++ if(pattern_wildcard == NULL) {
++ return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH;
++ }
++ /* We require at least 2 dots in pattern to avoid too wide wildcard
++ match. */
++ wildcard_enabled = 1;
++ pattern_label_end = strchr(pattern, '.');
++ if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL ||
++ pattern_wildcard > pattern_label_end ||
++ Curl_raw_nequal(pattern, "xn--", 4)) {
++ wildcard_enabled = 0;
++ }
++ if(!wildcard_enabled) {
++ return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH;
++ }
++ hostname_label_end = strchr(hostname, '.');
++ if(hostname_label_end == NULL ||
++ !Curl_raw_equal(pattern_label_end, hostname_label_end)) {
++ return HOST_NOMATCH;
++ }
++ /* The wildcard must match at least one character, so the left-most
++ label of the hostname is at least as large as the left-most label
++ of the pattern. */
++ if(hostname_label_end - hostname < pattern_label_end - pattern) {
++ return HOST_NOMATCH;
+ }
+- return HOST_NOMATCH;
++ prefixlen = pattern_wildcard - pattern;
++ suffixlen = pattern_label_end - (pattern_wildcard+1);
++ return Curl_raw_nequal(pattern, hostname, prefixlen) &&
++ Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen,
++ suffixlen) ?
++ HOST_MATCH : HOST_NOMATCH;
+ }
+
+ static int
+-- 
+1.7.10
+
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index a95a38eb50..944ad76946 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=curl
 pkgver=7.25.0
-pkgrel=3
+pkgrel=4
 pkgdesc="An URL retrival utility and library"
 url="http://curl.haxx.se"
 arch="all"
@@ -13,6 +13,9 @@ source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2
 CVE-2013-1944.patch
 CVE-2013-4545.patch
 CVE-2014-0015-7-27.patch
+ CVE-2014-0138.patch
+ 0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch
+ CVE-2014-0139.patch
 "
 
 subpackages="$pkgname-doc $pkgname-dev"
@@ -46,4 +49,7 @@ package() {
 md5sums="f0303d47d9d3e6e4f08c2863c6504823 curl-7.25.0.tar.bz2
 89747e560198704ab25c21eade95cbd2 CVE-2013-1944.patch
 8bc90390d1cd0d1b7b2cad513ed7e953 CVE-2013-4545.patch
-236ff7d867165b536049dc13f81c5315 CVE-2014-0015-7-27.patch"
+236ff7d867165b536049dc13f81c5315 CVE-2014-0015-7-27.patch
+e1a8857047a1a3c7346494c859389596 CVE-2014-0138.patch
+b93658b8be9c2e9684de44f92d003ebb 0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch
+f35cf248edf107981ea5ff5acf7cbdd0 CVE-2014-0139.patch"
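Review bot: In 0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch the new header comment above hostmatch() only cites RFC 6125 by URL, while the code enforces several concrete restrictions that whoever maintains this backport (CVE-2014-0139.patch in this same commit already edits the function again) needs spelled out: the wildcard is honoured only in the left-most label (`pattern_wildcard > pattern_label_end` disables it), the pattern must contain at least two dots, `xn--` labels never wildcard, and the wildcard must consume at least one character. Suggest extending the comment with something like ` * A single '*' is honoured only in the left-most label, the pattern must have at least two dots, and IDN (xn--) labels are matched literally.` It is also worth one sentence noting that a second '*' inside the first label is not special: strchr() finds only the first one, so the rest of the label is compared literally by Curl_raw_nequal(), which is a safe non-match for any real hostname. The comment block that this hunk edits begins before the hunk.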
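Review bot: In main/curl/APKBUILD the three new source= entries carry an unrecorded ordering constraint: the context lines of CVE-2014-0139.patch (`const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;`) only exist once 0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch has been applied, so it must stay listed after that patch, assuming prepare() (not visible here) applies patches in source= order. Nothing in the file says so, and a later alphabetical tidy-up of source= would break the build without any hint why. Suggest a comment directly above the `source=` line (outside this hunk): `# CVE-2014-0139.patch applies on top of 0001-OpenSSL-...-RFC-6125.patch; keep that order`.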
diff --git a/main/curl/CVE-2014-0138.patch b/main/curl/CVE-2014-0138.patch
new file mode 100644
index 0000000000..4ef40813e3
--- /dev/null
+++ b/main/curl/CVE-2014-0138.patch
@@ -0,0 +1,70 @@
+From 0e48212c3fd94280212943b341b4b1cd61b0a44e Mon Sep 17 00:00:00 2001
+From: Steve Holme <steve_holme@hotmail.com>
+Date: Thu, 20 Feb 2014 23:51:36 +0000
+Subject: [PATCH] url: Fixed connection re-use when using different log-in
+ credentials
+
+In addition to FTP, other connection based protocols such as IMAP, POP3,
+SMTP, SCP, SFTP and LDAP require a new connection when different log-in
+credentials are specified. Fixed the detection logic to include these
+other protocols.
+
+Bug: http://curl.haxx.se/docs/adv_20140326A.html
+
+(based on commit 517b06d657aceb11a234b05cc891170c367ab80d)
+---
+ lib/http.c | 2 +-
+ lib/url.c | 6 +++---
+ lib/urldata.h | 2 ++
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index ec76bbe..723b6ac 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -148,7 +148,7 @@ const struct Curl_handler Curl_handler_https = {
+ ZERO_NULL, /* readwrite */
+ PORT_HTTPS, /* defport */
+ CURLPROTO_HTTP | CURLPROTO_HTTPS, /* protocol */
+- PROTOPT_SSL /* flags */
++ PROTOPT_SSL | PROTOPT_CREDSPERREQUEST /* flags */
+ };
+ #endif
+
+diff --git a/lib/url.c b/lib/url.c
+index 7924b63..860fe72 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3066,12 +3066,12 @@ ConnectionExists(struct SessionHandle *data,
+ continue;
+ }
+ }
+- if((needle->handler->protocol & CURLPROTO_FTP) ||
++ if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+ ((needle->handler->protocol & CURLPROTO_HTTP) &&
+ ((data->state.authhost.want & CURLAUTH_NTLM) ||
+ (data->state.authhost.want & CURLAUTH_NTLM_WB)))) {
+- /* This is FTP or HTTP+NTLM, verify that we're using the same name
+- and password as well */
++ /* This protocol requires credentials per connection or is HTTP+NTLM,
++ so verify that we're using the same name and password as well */
+ if(!strequal(needle->user, check->user) ||
+ !strequal(needle->passwd, check->passwd)) {
+ /* one of them was different */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 7830686..a11420a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -712,6 +712,8 @@ struct Curl_handler {
+ gets a default */
+ #define PROTOPT_NOURLQUERY (1<<6) /* protocol can't handle
+ url query strings (?foo=bar) ! */
++#define PROTOPT_CREDSPERREQUEST (1<<7) /* requires login creditials per request
++ as opposed to per connection */
+
+
+ /* return the count of bytes sent, or -1 on error */
+-- 
+1.7.10
+
+
diff --git a/main/curl/CVE-2014-0139.patch b/main/curl/CVE-2014-0139.patch
new file mode 100644
index 0000000000..f73ac30a68
--- /dev/null
+++ b/main/curl/CVE-2014-0139.patch
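Review bot: In CVE-2014-0138.patch the lib/http.c hunk adds PROTOPT_CREDSPERREQUEST only to Curl_handler_https, and the patch's own diffstat (`lib/http.c | 2 +-`) shows no second change, so the plain-HTTP handler presumably does not get the flag. Because the url.c hunk inverts the test to `!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)`, every unflagged handler is now treated like FTP and refuses to reuse a connection when the user name or password differ; for plain HTTP, whose credentials are per request, that is fail-safe but a connection-reuse regression rather than part of the fix, and I believe the upstream commit this is based on flags both HTTP handlers. Please verify Curl_handler_http in the 7.25.0 tree and, if it is unflagged, change its flags line to `PROTOPT_CREDSPERREQUEST /* flags */`. The ConnectionExists() body starts and ends outside the hunk. Minor: the new urldata.h comment misspells "credentials" (`creditials`).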
@@ -0,0 +1,45 @@
+Description: Reject IP address wildcard matches
+ There are server certificates used with IP address in the CN field, but
+ we MUST not allow wildcard certs for hostnames given as IP addresses
+ only. Therefore we must make Curl_cert_hostcheck() fail such attempts.
+Origin: upstream, http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch
+Forwarded: not-needed
+Author: Daniel Stenberg <daniel@haxx.se>
+Last-Update: 2014-03-23
+
+diff --git a/lib/ssluse.c b/lib/ssluse.c
+index a55ad3c..77317c6 100644
+--- a/lib/ssluse.c
++++ b/lib/ssluse.c
+@@ -50,6 +50,7 @@
+ #include "select.h"
+ #include "sslgen.h"
+ #include "rawstr.h"
++#include "inet_pton.h"
+
+ #define _MPRINTF_REPLACE /* use the internal *printf() functions */
+ #include <curl/mprintf.h>
+@@ -1059,10 +1060,23 @@ static int hostmatch(const char *hostname, const char *pattern)
+ const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
+ int wildcard_enabled;
+ size_t prefixlen, suffixlen;
++ struct in_addr ignored;
++#ifdef ENABLE_IPV6
++ struct sockaddr_in6 si6;
++#endif
+ pattern_wildcard = strchr(pattern, '*');
+ if(pattern_wildcard == NULL) {
+ return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH;
+ }
++
++ /* detect IP address as hostname and fail the match if so */
++ if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
++ return HOST_NOMATCH;
++#ifdef ENABLE_IPV6
++ else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
++ return HOST_NOMATCH;
++#endif
++
+ /* We require at least 2 dots in pattern to avoid too wide wildcard
+ match. */
+ wildcard_enabled = 1; |
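Review bot: In CVE-2014-0139.patch the new comment `/* detect IP address as hostname and fail the match if so */` should state that the check is deliberately placed after the `pattern_wildcard == NULL` return, so a certificate whose name is the literal IP still matches by exact comparison and only wildcard patterns are refused for IP-literal hosts; otherwise a future reader may "fix" the order and break exact IP matches. Suggested wording: `/* hostname is an IP literal: exact matches were handled above, never let a wildcard pattern match an address */`. Style: `struct sockaddr_in6 si6` is declared only to borrow its sin6_addr member; a plain `struct in6_addr` scratch variable, mirroring `struct in_addr ignored` for IPv4, would read more naturally. The hostmatch() body continues past the end of this hunk.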