authorTimo Teräs <timo.teras@iki.fi>2014-04-17 07:34:31 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2014-04-18 12:29:09 +0000
commitb40a99c8c0a04a119db0f5fad7fbe186981f054c (patch)
treea2f867bb3756c8899f125ac63e48f106b2fa43a2
parentdc904137c8e3e8f68a9410dbc8bfac56b382b50d (diff)
main/curl: security fixes (CVE-2014-0138 CVE-2014-0139)
fixes #2817
-rw-r--r--main/curl/0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch120
-rw-r--r--main/curl/APKBUILD10
-rw-r--r--main/curl/CVE-2014-0138.patch70
-rw-r--r--main/curl/CVE-2014-0139.patch45
4 files changed, 243 insertions, 2 deletions
diff --git a/main/curl/0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch b/main/curl/0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch
new file mode 100644
index 0000000000..f03f83314a
--- /dev/null
+++ b/main/curl/0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch
@@ -0,0 +1,120 @@
+From ebf315e6f399ec534dbce4741d0463c28ae858e3 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Sun, 1 Apr 2012 21:58:17 +0900
+Subject: [PATCH] OpenSSL: Made cert hostname check conform to RFC 6125
+
+This change replaces RFC 2818 based hostname check in OpenSSL build with
+RFC 6125 [1] based one.
+
+The hostname check in RFC 2818 is ambiguous and each project implements
+it in the their own way and they are slightly different. I check curl,
+gnutls, Firefox and Chrome and they are all different.
+
+I don't think there is a bug in current implementation of hostname
+check. But it is not as strict as the modern browsers do. Currently,
+curl allows multiple wildcard character '*' and it matches '.'. (as
+described in the comment in ssluse.c).
+
+Firefox implementation is also based on RFC 2818 but it only allows at
+most one wildcard character and it must be in the left-most label in the
+pattern and the wildcard must not be followed by any character in the
+label.[2] Chromium implementation is based on RFC 6125 as my patch does.
+Firefox and Chromium both require wildcard in the left-most label in the
+presented identifier.
+
+This patch is more strict than the current implementation, so there may
+be some cases where old curl works but new one does not. But at the same
+time I think it is good practice to follow the modern browsers do and
+follow the newer RFC.
+
+[1] http://tools.ietf.org/html/rfc6125#section-6.4.3
+[2] https://bugzilla.mozilla.org/show_bug.cgi?id=159483
+---
+ lib/ssluse.c | 64 +++++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 37 insertions(+), 27 deletions(-)
+
+diff --git a/lib/ssluse.c b/lib/ssluse.c
+index 74563c7..8652cbd 100644
+--- a/lib/ssluse.c
++++ b/lib/ssluse.c
+@@ -1048,40 +1048,50 @@ static int asn1_output(const ASN1_UTCTIME *tm,
+ * E.g.
+ * "foo.host.com" matches "*.host.com".
+ *
+- * We are a bit more liberal than RFC2818 describes in that we
+- * accept multiple "*" in pattern (similar to what some other browsers do).
+- * E.g.
+- * "abc.def.domain.com" should strickly not match "*.domain.com", but we
+- * don't consider "." to be important in CERT checking.
++ * We use the matching rule described in RFC6125, section 6.4.3.
++ * http://tools.ietf.org/html/rfc6125#section-6.4.3
+ */
+ #define HOST_NOMATCH 0
+ #define HOST_MATCH 1
+
+ static int hostmatch(const char *hostname, const char *pattern)
+ {
+- for(;;) {
+- char c = *pattern++;
+-
+- if(c == '\0')
+- return (*hostname ? HOST_NOMATCH : HOST_MATCH);
+-
+- if(c == '*') {
+- c = *pattern;
+- if(c == '\0') /* "*\0" matches anything remaining */
+- return HOST_MATCH;
+-
+- while(*hostname) {
+- /* The only recursive function in libcurl! */
+- if(hostmatch(hostname++,pattern) == HOST_MATCH)
+- return HOST_MATCH;
+- }
+- break;
+- }
+-
+- if(Curl_raw_toupper(c) != Curl_raw_toupper(*hostname++))
+- break;
++ const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
++ int wildcard_enabled;
++ size_t prefixlen, suffixlen;
++ pattern_wildcard = strchr(pattern, '*');
++ if(pattern_wildcard == NULL) {
++ return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH;
++ }
++ /* We require at least 2 dots in pattern to avoid too wide wildcard
++ match. */
++ wildcard_enabled = 1;
++ pattern_label_end = strchr(pattern, '.');
++ if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL ||
++ pattern_wildcard > pattern_label_end ||
++ Curl_raw_nequal(pattern, "xn--", 4)) {
++ wildcard_enabled = 0;
++ }
++ if(!wildcard_enabled) {
++ return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH;
++ }
++ hostname_label_end = strchr(hostname, '.');
++ if(hostname_label_end == NULL ||
++ !Curl_raw_equal(pattern_label_end, hostname_label_end)) {
++ return HOST_NOMATCH;
++ }
++ /* The wildcard must match at least one character, so the left-most
++ label of the hostname is at least as large as the left-most label
++ of the pattern. */
++ if(hostname_label_end - hostname < pattern_label_end - pattern) {
++ return HOST_NOMATCH;
+ }
+- return HOST_NOMATCH;
++ prefixlen = pattern_wildcard - pattern;
++ suffixlen = pattern_label_end - (pattern_wildcard+1);
++ return Curl_raw_nequal(pattern, hostname, prefixlen) &&
++ Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen,
++ suffixlen) ?
++ HOST_MATCH : HOST_NOMATCH;
+ }
+
+ static int
+--
+1.7.10
+
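Review bot: The rewritten hostmatch() (the whole function lies inside this hunk) leaves the practical consequences of the RFC 6125 rules undocumented; the updated header comment only cites the section number. From the code: only the first '*' is a wildcard and any later '*' in the left-most label is compared literally; a wildcard outside the left-most label, a pattern with fewer than two dots, or a pattern starting with `xn--` all silently fall back to an exact case-insensitive comparison via Curl_raw_equal; and the hostname's left-most label must be at least as long as the pattern's, so the wildcard always consumes at least one character. I would spell those three rules out in the block comment above HOST_NOMATCH, e.g. `* Only the first '*' is a wildcard and it must be in the left-most label; any other pattern is compared literally (case-insensitively).`, so a later maintainer does not "fix" the literal-compare fallbacks as bugs. The in-code comment "We require at least 2 dots" should also mention the `xn--` exclusion it sits next to, since that check is easy to mistake for an unrelated IDN concern.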
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index a95a38eb50..944ad76946 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.25.0
-pkgrel=3
+pkgrel=4
pkgdesc="An URL retrival utility and library"
url="http://curl.haxx.se"
arch="all"
@@ -13,6 +13,9 @@ source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2
CVE-2013-1944.patch
CVE-2013-4545.patch
CVE-2014-0015-7-27.patch
+ CVE-2014-0138.patch
+ 0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch
+ CVE-2014-0139.patch
"
subpackages="$pkgname-doc $pkgname-dev"
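Review bot: The three new entries are order-dependent but nothing in the list says so: CVE-2014-0139.patch edits the hostmatch() body that 0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch introduces (its hunk context references the new `pattern_wildcard` and `wildcard_enabled` locals, which do not exist in the old recursive matcher). If the build step applies `$source` patches in list order, as is usual in this repository, reordering or dropping the 0001 entry would make the 0139 patch fail to apply or, with fuzz, land against the wrong function. I would add a comment above `source=` (outside this hunk), e.g. `# 0001-OpenSSL-...RFC-6125.patch must precede CVE-2014-0139.patch, which modifies the hostmatch() it adds`.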
@@ -46,4 +49,7 @@ package() {
md5sums="f0303d47d9d3e6e4f08c2863c6504823 curl-7.25.0.tar.bz2
89747e560198704ab25c21eade95cbd2 CVE-2013-1944.patch
8bc90390d1cd0d1b7b2cad513ed7e953 CVE-2013-4545.patch
-236ff7d867165b536049dc13f81c5315 CVE-2014-0015-7-27.patch"
+236ff7d867165b536049dc13f81c5315 CVE-2014-0015-7-27.patch
+e1a8857047a1a3c7346494c859389596 CVE-2014-0138.patch
+b93658b8be9c2e9684de44f92d003ebb 0001-OpenSSL-Made-cert-hostname-check-conform-to-RFC-6125.patch
+f35cf248edf107981ea5ff5acf7cbdd0 CVE-2014-0139.patch"
diff --git a/main/curl/CVE-2014-0138.patch b/main/curl/CVE-2014-0138.patch
new file mode 100644
index 0000000000..4ef40813e3
--- /dev/null
+++ b/main/curl/CVE-2014-0138.patch
@@ -0,0 +1,70 @@
+From 0e48212c3fd94280212943b341b4b1cd61b0a44e Mon Sep 17 00:00:00 2001
+From: Steve Holme <steve_holme@hotmail.com>
+Date: Thu, 20 Feb 2014 23:51:36 +0000
+Subject: [PATCH] url: Fixed connection re-use when using different log-in
+ credentials
+
+In addition to FTP, other connection based protocols such as IMAP, POP3,
+SMTP, SCP, SFTP and LDAP require a new connection when different log-in
+credentials are specified. Fixed the detection logic to include these
+other protocols.
+
+Bug: http://curl.haxx.se/docs/adv_20140326A.html
+
+(based on commit 517b06d657aceb11a234b05cc891170c367ab80d)
+---
+ lib/http.c | 2 +-
+ lib/url.c | 6 +++---
+ lib/urldata.h | 2 ++
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index ec76bbe..723b6ac 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -148,7 +148,7 @@ const struct Curl_handler Curl_handler_https = {
+ ZERO_NULL, /* readwrite */
+ PORT_HTTPS, /* defport */
+ CURLPROTO_HTTP | CURLPROTO_HTTPS, /* protocol */
+- PROTOPT_SSL /* flags */
++ PROTOPT_SSL | PROTOPT_CREDSPERREQUEST /* flags */
+ };
+ #endif
+
+diff --git a/lib/url.c b/lib/url.c
+index 7924b63..860fe72 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3066,12 +3066,12 @@ ConnectionExists(struct SessionHandle *data,
+ continue;
+ }
+ }
+- if((needle->handler->protocol & CURLPROTO_FTP) ||
++ if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+ ((needle->handler->protocol & CURLPROTO_HTTP) &&
+ ((data->state.authhost.want & CURLAUTH_NTLM) ||
+ (data->state.authhost.want & CURLAUTH_NTLM_WB)))) {
+- /* This is FTP or HTTP+NTLM, verify that we're using the same name
+- and password as well */
++ /* This protocol requires credentials per connection or is HTTP+NTLM,
++ so verify that we're using the same name and password as well */
+ if(!strequal(needle->user, check->user) ||
+ !strequal(needle->passwd, check->passwd)) {
+ /* one of them was different */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 7830686..a11420a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -712,6 +712,8 @@ struct Curl_handler {
+ gets a default */
+ #define PROTOPT_NOURLQUERY (1<<6) /* protocol can't handle
+ url query strings (?foo=bar) ! */
++#define PROTOPT_CREDSPERREQUEST (1<<7) /* requires login creditials per request
++ as opposed to per connection */
+
+
+ /* return the count of bytes sent, or -1 on error */
+--
+1.7.10
+
+
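Review bot: Only Curl_handler_https receives PROTOPT_CREDSPERREQUEST in the lib/http.c hunk (the patch's own diffstat reads `lib/http.c | 2 +-`, one line), so with the inverted test in ConnectionExists() plain-HTTP connections now have user/password compared on every reuse attempt. That errs in the safe direction — it refuses reuse rather than permitting it — but it is stricter than the upstream change this is described as being based on, which as far as I recall flags both the http and https handlers; worth confirming against commit 517b06d657aceb11a234b05cc891170c367ab80d named in the description and, if so, adding the flag to Curl_handler_http as well. The enclosing ConnectionExists() starts and ends outside the hunk. A cosmetic nit in the lib/urldata.h hunk: the new comment spells `creditials`; it should read `credentials`.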
diff --git a/main/curl/CVE-2014-0139.patch b/main/curl/CVE-2014-0139.patch
new file mode 100644
index 0000000000..f73ac30a68
--- /dev/null
+++ b/main/curl/CVE-2014-0139.patch
@@ -0,0 +1,45 @@
+Description: Reject IP address wildcard matches
+ There are server certificates used with IP address in the CN field, but
+ we MUST not allow wildcard certs for hostnames given as IP addresses
+ only. Therefore we must make Curl_cert_hostcheck() fail such attempts.
+Origin: upstream, http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch
+Forwarded: not-needed
+Author: Daniel Stenberg <daniel@haxx.se>
+Last-Update: 2014-03-23
+
+diff --git a/lib/ssluse.c b/lib/ssluse.c
+index a55ad3c..77317c6 100644
+--- a/lib/ssluse.c
++++ b/lib/ssluse.c
+@@ -50,6 +50,7 @@
+ #include "select.h"
+ #include "sslgen.h"
+ #include "rawstr.h"
++#include "inet_pton.h"
+
+ #define _MPRINTF_REPLACE /* use the internal *printf() functions */
+ #include <curl/mprintf.h>
+@@ -1059,10 +1060,23 @@ static int hostmatch(const char *hostname, const char *pattern)
+ const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
+ int wildcard_enabled;
+ size_t prefixlen, suffixlen;
++ struct in_addr ignored;
++#ifdef ENABLE_IPV6
++ struct sockaddr_in6 si6;
++#endif
+ pattern_wildcard = strchr(pattern, '*');
+ if(pattern_wildcard == NULL) {
+ return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH;
+ }
++
++ /* detect IP address as hostname and fail the match if so */
++ if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
++ return HOST_NOMATCH;
++#ifdef ENABLE_IPV6
++ else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
++ return HOST_NOMATCH;
++#endif
++
+ /* We require at least 2 dots in pattern to avoid too wide wildcard
+ match. */
+ wildcard_enabled = 1;
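Review bot: The placement of the new IP-literal check is load-bearing and the comment does not say so: it sits after the `pattern_wildcard == NULL` early return, so a certificate whose CN is exactly the IP the client connected to still matches, while any wildcard pattern is refused for an IP hostname. Moving the check above that return would break the first property and moving it below the label checks would reopen the second, so I would extend the comment to `/* detect IP address as hostname and fail the match if so; this must stay after the exact-match return above so that a CN holding the literal IP still verifies */`. The remainder of hostmatch() — the label comparisons this guards — continues past the end of the hunk.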