authorLeonardo Arena <rnalrd@alpinelinux.org>2017-04-25 11:58:58 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2017-04-25 12:31:28 +0000
commit02d241912508f1cd6d33a41a8b8a0117385fdbbe (patch)
treead9eaab9d4ea743020cc5941cc375c868957d69c
parent1caeb82fe92fda30c392b98096174b584433763b (diff)
main/curl: security fixes #7177,#7137,#7081 (CVE-2017-7468, CVE-2017-7407, CVE-2017-2629)
-rw-r--r--main/curl/APKBUILD28
-rw-r--r--main/curl/CVE-2017-2629.patch42
-rw-r--r--main/curl/CVE-2017-7407.patch110
-rw-r--r--main/curl/CVE-2017-7468.patch264
4 files changed, 439 insertions, 5 deletions
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 5afa7f7141..1e7e43130d 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Sergey Lukin <sergej.lukin@gmail.com>
pkgname=curl
pkgver=7.52.1
-pkgrel=0
+pkgrel=1
pkgdesc="An URL retrival utility and library"
url="http://curl.haxx.se"
arch="all"
@@ -11,11 +11,19 @@ depends="ca-certificates"
depends_dev="zlib-dev openssl-dev libssh2-dev"
makedepends="groff $depends_dev perl"
subpackages="$pkgname-doc $pkgname-dev"
-source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2"
+source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2
+ CVE-2017-2629.patch
+ CVE-2017-7407.patch
+ CVE-2017-7468.patch
+ "
_builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 7.52.1-r1:
+# - CVE-2017-7468
+# - CVE-2017-7407
+# - CVE-2017-2629
# 7.52.1-r0:
# - CVE-2016-9594
# - CVE-2016-9586
@@ -50,6 +58,7 @@ prepare() {
esac
done
}
+
build() {
cd "$_builddir"
./configure \
@@ -70,6 +79,15 @@ package() {
rm "$pkgdir"/usr/lib/*.la || return 1
}
-md5sums="dd014df06ff1d12e173de86873f9f77a curl-7.52.1.tar.bz2"
-sha256sums="d16185a767cb2c1ba3d5b9096ec54e5ec198b213f45864a38b3bda4bbf87389b curl-7.52.1.tar.bz2"
-sha512sums="cf36563c77d096f2c6084354ed6d45ccca7c557828ceab21204e4e8be0d4f0d287839c8cfac906174b86d51a1ee816c2769fc78ef88f039c9645bd2c27982a75 curl-7.52.1.tar.bz2"
+md5sums="dd014df06ff1d12e173de86873f9f77a curl-7.52.1.tar.bz2
+d2809e105e897b106428909a2e08bd2b CVE-2017-2629.patch
+50cc3a2d1577fc0876aa6baf04a679ff CVE-2017-7407.patch
+0e80ef6bc62f62a0d0fd23a03dc54089 CVE-2017-7468.patch"
+sha256sums="d16185a767cb2c1ba3d5b9096ec54e5ec198b213f45864a38b3bda4bbf87389b curl-7.52.1.tar.bz2
+33b55a4e4e88c8589e50fa377cad599df80a6841386f8e872d8eff8c8a970585 CVE-2017-2629.patch
+a10711694c64ce77b9528d3b5bfefbf0e4083d1046d7c84952f5728bf431ecc0 CVE-2017-7407.patch
+9438f2ee4d9542e492bc31ca1e667c7c4dc534e2503f5d8115b0283e75376f40 CVE-2017-7468.patch"
+sha512sums="cf36563c77d096f2c6084354ed6d45ccca7c557828ceab21204e4e8be0d4f0d287839c8cfac906174b86d51a1ee816c2769fc78ef88f039c9645bd2c27982a75 curl-7.52.1.tar.bz2
+94b3419b4366f1c404d2f2634485e05d45c9e2ad3bed4a7eba53c17253373ce9b848fc6123b55561f8dac471ab0b2a77f12e22dba8bee9a11d5c531f22fb4b18 CVE-2017-2629.patch
+f156c791a8439a4314555ca06c5ee3a23fae77d87d32a19df3c57ea605f9284b66f4a5dcaa5d2c598e93e69bb16c0e51a930c5b39fc8034b517d7b428cdaaf8d CVE-2017-7407.patch
+9e620bac1b92d452992df1388c3b93228bcd6db490bc9f0c93480468a9189c85f20b31f27ec1c79e63cd5ee127c40c416542f4b02ed21af490d2938dcd9215b5 CVE-2017-7468.patch"
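Review bot: The rewritten `source=` line in the second hunk still fetches the tarball over plain http (`http://curl.haxx.se/download/curl-$pkgver.tar.bz2`); the sha512sums entry at the end of the file pins the download's content, so a tampered tarball is rejected rather than installed, but switching the line to `https://curl.haxx.se/download/curl-$pkgver.tar.bz2` would also stop an on-path observer from blocking or replaying the fetch at no cost. The three checksum blocks now list the local CVE patch files as well, so abuild verifies them before they are applied, which is the right pairing for backported security patches. The `secfixes:` block places the new 7.52.1-r1 entry above the existing r0 one, matching the file's existing ordering.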
diff --git a/main/curl/CVE-2017-2629.patch b/main/curl/CVE-2017-2629.patch
new file mode 100644
index 0000000000..1682d167ed
--- /dev/null
+++ b/main/curl/CVE-2017-2629.patch
@@ -0,0 +1,42 @@
+From a00a42b4abe8363a46071bb3b43b1b7138f5259b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 22 Jan 2017 18:11:55 +0100
+Subject: [PATCH] TLS: make SSL_VERIFYSTATUS work again
+
+The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
+and thus even if the status couldn't be verified, the connection would
+be allowed and the user would not be told about the failed verification.
+
+Regression since cb4e2be7c6d42ca
+
+CVE-2017-2629
+Bug: https://curl.haxx.se/docs/adv_20170222.html
+
+Reported-by: Marcus Hoffmann
+---
+ lib/url.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index 8d1c0cc7f..7a2274d50 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -4169,12 +4169,15 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+
+ conn->bits.user_passwd = (data->set.str[STRING_USERNAME]) ? TRUE : FALSE;
+ conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
+ conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
+
++ conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
+ conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
+ conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
++ conn->proxy_ssl_config.verifystatus =
++ data->set.proxy_ssl.primary.verifystatus;
+ conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
+ conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
+
+ conn->ip_version = data->set.ipver;
+
+--
+2.11.0
+
diff --git a/main/curl/CVE-2017-7407.patch b/main/curl/CVE-2017-7407.patch
new file mode 100644
index 0000000000..b82df43ee8
--- /dev/null
+++ b/main/curl/CVE-2017-7407.patch
@@ -0,0 +1,110 @@
+From 1890d59905414ab84a35892b2e45833654aa5c13 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 11 Mar 2017 10:59:34 +0100
+Subject: [PATCH] tool_writeout: fixed a buffer read overrun on --write-out
+
+If a % ended the statement, the string's trailing NUL would be skipped
+and memory past the end of the buffer would be accessed and potentially
+displayed as part of the --write-out output. Added tests 1440 and 1441
+to check for this kind of condition.
+
+Reported-by: Brian Carpenter
+---
+ src/tool_writeout.c | 2 +-
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test1440 | 31 +++++++++++++++++++++++++++++++
+ tests/data/test1441 | 31 +++++++++++++++++++++++++++++++
+ 4 files changed, 64 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1440
+ create mode 100644 tests/data/test1441
+
+--- a/src/tool_writeout.c
++++ b/src/tool_writeout.c
+@@ -113,7 +113,7 @@
+ double doubleinfo;
+
+ while(ptr && *ptr) {
+- if('%' == *ptr) {
++ if('%' == *ptr && ptr[1]) {
+ if('%' == ptr[1]) {
+ /* an escaped %-letter */
+ fputc('%', stream);
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -150,7 +150,7 @@
+ test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
+ test1424 \
+ test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
+-test1436 test1437 test1438 test1439 \
++test1436 test1437 test1438 test1439 test1440 test1441 \
+ \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+--- /dev/null
++++ b/tests/data/test1440
+@@ -0,0 +1,31 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing %{
++</name>
++<command>
++file://localhost/%PWD/log/ --write-out '%{'
++</command>
++</client>
++
++# Verify data
++<verify>
++<stdout nonewline="yes">
++%{
++</stdout>
++</verify>
++</testcase>
+--- /dev/null
++++ b/tests/data/test1441
+@@ -0,0 +1,31 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing %
++</name>
++<command>
++file://localhost/%PWD/log/ --write-out '%'
++</command>
++</client>
++
++# Verify data
++<verify>
++<stdout nonewline="yes">
++%
++</stdout>
++</verify>
++</testcase>
diff --git a/main/curl/CVE-2017-7468.patch b/main/curl/CVE-2017-7468.patch
new file mode 100644
index 0000000000..3135ec3fe5
--- /dev/null
+++ b/main/curl/CVE-2017-7468.patch
@@ -0,0 +1,264 @@
+From 8166b637bce299f4ac64d371c20cd5afea72c364 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Wed, 22 Mar 2017 01:59:49 -0400
+Subject: [PATCH] TLS: Fix switching off SSL session id when client cert is
+ used
+
+- Move the sessionid flag to ssl_primary_config so that ssl and
+ proxy_ssl will each have their own sessionid flag.
+
+Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
+this issue had been fixed in 247d890, CVE-2016-5419.
+
+Bug: https://github.com/curl/curl/issues/1341
+Reported-by: lijian996@users.noreply.github.com
+---
+ lib/url.c | 5 +++--
+ lib/urldata.h | 2 +-
+ lib/vtls/axtls.c | 4 ++--
+ lib/vtls/cyassl.c | 4 ++--
+ lib/vtls/darwinssl.c | 2 +-
+ lib/vtls/gtls.c | 4 ++--
+ lib/vtls/mbedtls.c | 4 ++--
+ lib/vtls/nss.c | 2 +-
+ lib/vtls/openssl.c | 4 ++--
+ lib/vtls/polarssl.c | 4 ++--
+ lib/vtls/schannel.c | 4 ++--
+ lib/vtls/vtls.c | 9 ++++++---
+ 12 files changed, 26 insertions(+), 22 deletions(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -548,7 +548,7 @@
+ #endif
+ set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
+ type */
+- set->general_ssl.sessionid = TRUE; /* session ID caching enabled by
++ set->ssl.primary.sessionid = TRUE; /* session ID caching enabled by
+ default */
+ set->proxy_ssl = set->ssl;
+
+@@ -2470,8 +2470,9 @@
+ break;
+
+ case CURLOPT_SSL_SESSIONID_CACHE:
+- data->set.general_ssl.sessionid = (0 != va_arg(param, long)) ?
++ data->set.ssl.primary.sessionid = (0 != va_arg(param, long)) ?
+ TRUE : FALSE;
++ data->set.proxy_ssl.primary.sessionid = data->set.ssl.primary.sessionid;
+ break;
+
+ #ifdef USE_LIBSSH2
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -354,6 +354,7 @@
+ char *random_file; /* path to file containing "random" data */
+ char *egdsocket; /* path to file containing the EGD daemon socket */
+ char *cipher_list; /* list of ciphers to use */
++ bool sessionid; /* cache session IDs or not */
+ };
+
+ struct ssl_config_data {
+@@ -383,7 +384,6 @@
+ };
+
+ struct ssl_general_config {
+- bool sessionid; /* cache session IDs or not */
+ size_t max_ssl_sessions; /* SSL session id cache size */
+ };
+
+--- a/lib/vtls/axtls.c
++++ b/lib/vtls/axtls.c
+@@ -256,7 +256,7 @@
+ * 2) setting up callbacks. these seem gnutls specific
+ */
+
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ const uint8_t *ssl_sessionid;
+ size_t ssl_idsize;
+
+@@ -386,7 +386,7 @@
+ conn->send[sockindex] = axtls_send;
+
+ /* Put our freshly minted SSL session in cache */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ const uint8_t *ssl_sessionid = ssl_get_session_id_size(ssl);
+ size_t ssl_idsize = ssl_get_session_id(ssl);
+ Curl_ssl_sessionid_lock(conn);
+--- a/lib/vtls/cyassl.c
++++ b/lib/vtls/cyassl.c
+@@ -383,7 +383,7 @@
+ #endif /* HAVE_ALPN */
+
+ /* Check if there's a cached ID we can/should use here! */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ void *ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+@@ -597,7 +597,7 @@
+
+ DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ bool incache;
+ SSL_SESSION *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/darwinssl.c
++++ b/lib/vtls/darwinssl.c
+@@ -1541,7 +1541,7 @@
+ #endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
+
+ /* Check if there's a cached ID we can/should use here! */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ char *ssl_sessionid;
+ size_t ssl_sessionid_len;
+
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -782,7 +782,7 @@
+
+ /* This might be a reconnect, so we check for a session ID in the cache
+ to speed up things */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ void *ssl_sessionid;
+ size_t ssl_idsize;
+
+@@ -1311,7 +1311,7 @@
+ conn->recv[sockindex] = gtls_recv;
+ conn->send[sockindex] = gtls_send;
+
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ /* we always unconditionally get the session id here, as even if we
+ already got it from the cache and asked to use it in the connection, it
+ might've been rejected and then a new one is in use now and we need to
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -374,7 +374,7 @@
+ mbedtls_ssl_list_ciphersuites());
+
+ /* Check if there's a cached ID we can/should use here! */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ void *old_session = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+@@ -618,7 +618,7 @@
+
+ DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ int ret;
+ mbedtls_ssl_session *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1696,7 +1696,7 @@
+ goto error;
+
+ /* do not use SSL cache if disabled or we are not going to verify peer */
+- ssl_no_cache = (data->set.general_ssl.sessionid
++ ssl_no_cache = (SSL_SET_OPTION(primary.sessionid)
+ && SSL_CONN_CONFIG(verifypeer)) ? PR_FALSE : PR_TRUE;
+ if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
+ goto error;
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2161,7 +2161,7 @@
+ #endif
+
+ /* Check if there's a cached ID we can/should use here! */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ void *ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+@@ -2915,7 +2915,7 @@
+
+ DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ bool incache;
+ SSL_SESSION *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/polarssl.c
++++ b/lib/vtls/polarssl.c
+@@ -327,7 +327,7 @@
+ ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
+
+ /* Check if there's a cached ID we can/should use here! */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ void *old_session = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+@@ -555,7 +555,7 @@
+
+ DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ int ret;
+ ssl_session *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -145,7 +145,7 @@
+ connssl->cred = NULL;
+
+ /* check for an existing re-usable credential handle */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ Curl_ssl_sessionid_lock(conn);
+ if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
+ connssl->cred = old_cred;
+@@ -714,7 +714,7 @@
+ #endif
+
+ /* save the current session data for possible re-use */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ bool incache;
+ struct curl_schannel_cred *old_cred = NULL;
+
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -120,6 +120,9 @@
+ CLONE_STRING(egdsocket);
+ CLONE_STRING(random_file);
+ CLONE_STRING(clientcert);
++
++ /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */
++ dest->sessionid = (dest->clientcert ? false : source->sessionid);
+ return TRUE;
+ }
+
+@@ -293,9 +296,9 @@
+ int port = isProxy ? (int)conn->port : conn->remote_port;
+ *ssl_sessionid = NULL;
+
+- DEBUGASSERT(data->set.general_ssl.sessionid);
++ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+- if(!data->set.general_ssl.sessionid)
++ if(!SSL_SET_OPTION(primary.sessionid))
+ /* session ID re-use is disabled */
+ return TRUE;
+
+@@ -397,7 +400,7 @@
+ &conn->proxy_ssl_config :
+ &conn->ssl_config;
+
+- DEBUGASSERT(data->set.general_ssl.sessionid);
++ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+ clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name);
+ if(!clone_host)