diff --git a/0002-curl-7.69.1-CVE-2020-8169.patch b/0002-curl-7.69.1-CVE-2020-8169.patch new file mode 100644 index 0000000..9380c3c --- /dev/null +++ b/0002-curl-7.69.1-CVE-2020-8169.patch @@ -0,0 +1,140 @@ +From 64e66ff04479bf76940916e09cc5094580b06e18 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 14 May 2020 14:37:12 +0200 +Subject: [PATCH] url: make the updated credentials URL-encoded in the URL + +Found-by: Gregory Jefferis +Reported-by: Jeroen Ooms +Added test 1168 to verify. Bug spotted when doing a redirect. +Bug: https://github.com/jeroen/curl/issues/224 +Closes #5400 + +Upstream-commit: 600a8cded447cd7118ed50142c576567c0cf5158 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 6 ++-- + tests/data/Makefile.inc | 1 + + tests/data/test1168 | 78 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 83 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1168 + +diff --git a/lib/url.c b/lib/url.c +index 47fc66a..a826f8a 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2776,12 +2776,14 @@ static CURLcode override_login(struct Curl_easy *data, + + /* for updated strings, we update them in the URL */ + if(user_changed) { +- uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0); ++ uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, ++ CURLU_URLENCODE); + if(uc) + return Curl_uc_to_curlcode(uc); + } + if(passwd_changed) { +- uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0); ++ uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, ++ CURLU_URLENCODE); + if(uc) + return Curl_uc_to_curlcode(uc); + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 3d8565c..f9535a6 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -133,6 +133,7 @@ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \ + test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \ + test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \ + test1160 test1161 test1162 test1163 test1164 test1165 test1166 test1167 \ ++test1168 \ + \ + test1170 test1171 test1172 test1173 test1174 test1175 test1176 \ + \ +diff --git a/tests/data/test1168 b/tests/data/test1168 +new file mode 100644 +index 0000000..283e91e +--- /dev/null ++++ b/tests/data/test1168 +@@ -0,0 +1,78 @@ ++ ++ ++ ++HTTP ++HTTP GET ++followlocation ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 301 This is a weirdo text message swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Location: /data/11680002.txt ++Connection: close ++ ++This server reply is for testing a simple Location: following ++ ++ ++ ++HTTP/1.1 200 Followed here fine swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 52 ++ ++If this is received, the location following worked ++ ++ ++ ++HTTP/1.1 301 This is a weirdo text message swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Location: /data/11680002.txt ++Connection: close ++ ++HTTP/1.1 200 Followed here fine swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 52 ++ ++If this is received, the location following worked ++ ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++HTTP redirect with credentials using # in user and password ++ ++ ++http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY" ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++GET /want/1168 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ== ++Accept: */* ++ ++GET /data/11680002.txt HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ== ++Accept: */* ++ ++ ++ ++ +-- +2.21.3 + diff --git a/0003-curl-7.69.1-CVE-2020-8177.patch b/0003-curl-7.69.1-CVE-2020-8177.patch new file mode 100644 index 0000000..b2e6bf9 --- /dev/null +++ b/0003-curl-7.69.1-CVE-2020-8177.patch @@ -0,0 +1,68 @@ +From a6fcd8a32f3b1c5d80e524f8b2c1de32e6ecdb2b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 31 May 2020 23:09:59 +0200 +Subject: [PATCH] tool_getparam: -i is not OK if -J is used + +Reported-by: sn on hackerone +Bug: https://curl.haxx.se/docs/CVE-2020-8177.html + +Upstream-commit: 8236aba58542c5f89f1d41ca09d84579efb05e22 +Signed-off-by: Kamil Dudka +--- + src/tool_cb_hdr.c | 22 ++++------------------ + src/tool_getparam.c | 5 +++++ + 2 files changed, 9 insertions(+), 18 deletions(-) + +diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c +index 3b10238..b80707f 100644 +--- a/src/tool_cb_hdr.c ++++ b/src/tool_cb_hdr.c +@@ -186,25 +186,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata) + filename = parse_filename(p, len); + if(filename) { + if(outs->stream) { +- int rc; +- /* already opened and possibly written to */ +- if(outs->fopened) +- fclose(outs->stream); +- outs->stream = NULL; +- +- /* rename the initial file name to the new file name */ +- rc = rename(outs->filename, filename); +- if(rc != 0) { +- warnf(per->config->global, "Failed to rename %s -> %s: %s\n", +- outs->filename, filename, strerror(errno)); +- } +- if(outs->alloc_filename) +- Curl_safefree(outs->filename); +- if(rc != 0) { +- free(filename); +- return failure; +- } ++ /* indication of problem, get out! */ ++ free(filename); ++ return failure; + } ++ + outs->is_cd_filename = TRUE; + outs->s_isreg = TRUE; + outs->fopened = FALSE; +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 764caa2..c5c7429 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -1807,6 +1807,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + } + break; + case 'i': ++ if(config->content_disposition) { ++ warnf(global, ++ "--include and --remote-header-name cannot be combined.\n"); ++ return PARAM_BAD_USE; ++ } + config->show_headers = toggle; /* show the headers as well in the + general output stream */ + break; +-- +2.21.3 + diff --git a/0004-curl-7.69.1-CVE-2020-8231.patch b/0004-curl-7.69.1-CVE-2020-8231.patch new file mode 100644 index 0000000..7be6546 --- /dev/null +++ b/0004-curl-7.69.1-CVE-2020-8231.patch @@ -0,0 +1,1088 @@ +From c3359693e17fccdf2a04f0b908bc8f51cdc38133 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 27 Apr 2020 00:33:21 +0200 +Subject: [PATCH 1/3] conncache: various concept cleanups + +More connection cache accesses are protected by locks. + +CONNCACHE_* is a beter prefix for the connection cache lock macros. + +Curl_attach_connnection: now called as soon as there's a connection +struct available and before the connection is added to the connection +cache. + +Curl_disconnect: now assumes that the connection is already removed from +the connection cache. + +Ref: #4915 +Closes #5009 + +Upstream-commit: c06902713998d68202c5a764de910ba8d0e8f54d +Signed-off-by: Kamil Dudka +--- + lib/conncache.c | 87 ++++++++++++++++++++----------------------- + lib/conncache.h | 9 ++--- + lib/hostip.c | 12 +++--- + lib/http_negotiate.h | 6 ++- + lib/http_ntlm.h | 6 ++- + lib/multi.c | 56 ++++++++++++++-------------- + lib/multiif.h | 1 + + lib/url.c | 69 ++++++++++++++++++---------------- + tests/data/test1554 | 14 +++++++ + tests/unit/unit1620.c | 6 +-- + 10 files changed, 139 insertions(+), 127 deletions(-) + +diff --git a/lib/conncache.c b/lib/conncache.c +index cbd3bb1..95fcea6 100644 +--- a/lib/conncache.c ++++ b/lib/conncache.c +@@ -49,53 +49,51 @@ static void conn_llist_dtor(void *user, void *element) + conn->bundle = NULL; + } + +-static CURLcode bundle_create(struct Curl_easy *data, +- struct connectbundle **cb_ptr) ++static CURLcode bundle_create(struct connectbundle **bundlep) + { +- (void)data; +- DEBUGASSERT(*cb_ptr == NULL); +- *cb_ptr = malloc(sizeof(struct connectbundle)); +- if(!*cb_ptr) ++ DEBUGASSERT(*bundlep == NULL); ++ *bundlep = malloc(sizeof(struct connectbundle)); ++ if(!*bundlep) + return CURLE_OUT_OF_MEMORY; + +- (*cb_ptr)->num_connections = 0; +- (*cb_ptr)->multiuse = BUNDLE_UNKNOWN; ++ (*bundlep)->num_connections = 0; ++ (*bundlep)->multiuse = BUNDLE_UNKNOWN; + +- Curl_llist_init(&(*cb_ptr)->conn_list, (curl_llist_dtor) conn_llist_dtor); ++ Curl_llist_init(&(*bundlep)->conn_list, (curl_llist_dtor) conn_llist_dtor); + return CURLE_OK; + } + +-static void bundle_destroy(struct connectbundle *cb_ptr) ++static void bundle_destroy(struct connectbundle *bundle) + { +- if(!cb_ptr) ++ if(!bundle) + return; + +- Curl_llist_destroy(&cb_ptr->conn_list, NULL); ++ Curl_llist_destroy(&bundle->conn_list, NULL); + +- free(cb_ptr); ++ free(bundle); + } + + /* Add a connection to a bundle */ +-static void bundle_add_conn(struct connectbundle *cb_ptr, ++static void bundle_add_conn(struct connectbundle *bundle, + struct connectdata *conn) + { +- Curl_llist_insert_next(&cb_ptr->conn_list, cb_ptr->conn_list.tail, conn, ++ Curl_llist_insert_next(&bundle->conn_list, bundle->conn_list.tail, conn, + &conn->bundle_node); +- conn->bundle = cb_ptr; +- cb_ptr->num_connections++; ++ conn->bundle = bundle; ++ bundle->num_connections++; + } + + /* Remove a connection from a bundle */ +-static int bundle_remove_conn(struct connectbundle *cb_ptr, ++static int bundle_remove_conn(struct connectbundle *bundle, + struct connectdata *conn) + { + struct curl_llist_element *curr; + +- curr = cb_ptr->conn_list.head; ++ curr = bundle->conn_list.head; + while(curr) { + if(curr->ptr == conn) { +- Curl_llist_remove(&cb_ptr->conn_list, curr, NULL); +- cb_ptr->num_connections--; ++ Curl_llist_remove(&bundle->conn_list, curr, NULL); ++ bundle->num_connections--; + conn->bundle = NULL; + return 1; /* we removed a handle */ + } +@@ -162,20 +160,15 @@ static void hashkey(struct connectdata *conn, char *buf, + msnprintf(buf, len, "%ld%s", port, hostname); + } + +-void Curl_conncache_unlock(struct Curl_easy *data) +-{ +- CONN_UNLOCK(data); +-} +- + /* Returns number of connections currently held in the connection cache. + Locks/unlocks the cache itself! + */ + size_t Curl_conncache_size(struct Curl_easy *data) + { + size_t num; +- CONN_LOCK(data); ++ CONNCACHE_LOCK(data); + num = data->state.conn_cache->num_conn; +- CONN_UNLOCK(data); ++ CONNCACHE_UNLOCK(data); + return num; + } + +@@ -188,7 +181,7 @@ struct connectbundle *Curl_conncache_find_bundle(struct connectdata *conn, + const char **hostp) + { + struct connectbundle *bundle = NULL; +- CONN_LOCK(conn->data); ++ CONNCACHE_LOCK(conn->data); + if(connc) { + char key[HASHKEY_SIZE]; + hashkey(conn, key, sizeof(key), hostp); +@@ -235,8 +228,7 @@ CURLcode Curl_conncache_add_conn(struct conncache *connc, + struct connectdata *conn) + { + CURLcode result = CURLE_OK; +- struct connectbundle *bundle; +- struct connectbundle *new_bundle = NULL; ++ struct connectbundle *bundle = NULL; + struct Curl_easy *data = conn->data; + + /* *find_bundle() locks the connection cache */ +@@ -245,20 +237,19 @@ CURLcode Curl_conncache_add_conn(struct conncache *connc, + int rc; + char key[HASHKEY_SIZE]; + +- result = bundle_create(data, &new_bundle); ++ result = bundle_create(&bundle); + if(result) { + goto unlock; + } + + hashkey(conn, key, sizeof(key), NULL); +- rc = conncache_add_bundle(data->state.conn_cache, key, new_bundle); ++ rc = conncache_add_bundle(data->state.conn_cache, key, bundle); + + if(!rc) { +- bundle_destroy(new_bundle); ++ bundle_destroy(bundle); + result = CURLE_OUT_OF_MEMORY; + goto unlock; + } +- bundle = new_bundle; + } + + bundle_add_conn(bundle, conn); +@@ -270,15 +261,17 @@ CURLcode Curl_conncache_add_conn(struct conncache *connc, + conn->connection_id, connc->num_conn)); + + unlock: +- CONN_UNLOCK(data); ++ CONNCACHE_UNLOCK(data); + + return result; + } + + /* +- * Removes the connectdata object from the connection cache *and* clears the +- * ->data pointer association. Pass TRUE/FALSE in the 'lock' argument +- * depending on if the parent function already holds the lock or not. ++ * Removes the connectdata object from the connection cache, but does *not* ++ * clear the conn->data association. The transfer still owns this connection. ++ * ++ * Pass TRUE/FALSE in the 'lock' argument depending on if the parent function ++ * already holds the lock or not. + */ + void Curl_conncache_remove_conn(struct Curl_easy *data, + struct connectdata *conn, bool lock) +@@ -290,7 +283,7 @@ void Curl_conncache_remove_conn(struct Curl_easy *data, + due to a failed connection attempt, before being added to a bundle */ + if(bundle) { + if(lock) { +- CONN_LOCK(data); ++ CONNCACHE_LOCK(data); + } + bundle_remove_conn(bundle, conn); + if(bundle->num_connections == 0) +@@ -301,9 +294,8 @@ void Curl_conncache_remove_conn(struct Curl_easy *data, + DEBUGF(infof(data, "The cache now contains %zu members\n", + connc->num_conn)); + } +- conn->data = NULL; /* clear the association */ + if(lock) { +- CONN_UNLOCK(data); ++ CONNCACHE_UNLOCK(data); + } + } + } +@@ -332,7 +324,7 @@ bool Curl_conncache_foreach(struct Curl_easy *data, + if(!connc) + return FALSE; + +- CONN_LOCK(data); ++ CONNCACHE_LOCK(data); + Curl_hash_start_iterate(&connc->hash, &iter); + + he = Curl_hash_next_element(&iter); +@@ -350,12 +342,12 @@ bool Curl_conncache_foreach(struct Curl_easy *data, + curr = curr->next; + + if(1 == func(conn, param)) { +- CONN_UNLOCK(data); ++ CONNCACHE_UNLOCK(data); + return TRUE; + } + } + } +- CONN_UNLOCK(data); ++ CONNCACHE_UNLOCK(data); + return FALSE; + } + +@@ -494,7 +486,7 @@ Curl_conncache_extract_oldest(struct Curl_easy *data) + + now = Curl_now(); + +- CONN_LOCK(data); ++ CONNCACHE_LOCK(data); + Curl_hash_start_iterate(&connc->hash, &iter); + + he = Curl_hash_next_element(&iter); +@@ -531,7 +523,7 @@ Curl_conncache_extract_oldest(struct Curl_easy *data) + connc->num_conn)); + conn_candidate->data = data; /* associate! */ + } +- CONN_UNLOCK(data); ++ CONNCACHE_UNLOCK(data); + + return conn_candidate; + } +@@ -548,6 +540,7 @@ void Curl_conncache_close_all_connections(struct conncache *connc) + sigpipe_ignore(conn->data, &pipe_st); + /* This will remove the connection from the cache */ + connclose(conn, "kill all"); ++ Curl_conncache_remove_conn(conn->data, conn, TRUE); + (void)Curl_disconnect(connc->closure_handle, conn, FALSE); + sigpipe_restore(&pipe_st); + +diff --git a/lib/conncache.h b/lib/conncache.h +index e3e4c9c..3dda21c 100644 +--- a/lib/conncache.h ++++ b/lib/conncache.h +@@ -45,21 +45,21 @@ struct conncache { + #ifdef CURLDEBUG + /* the debug versions of these macros make extra certain that the lock is + never doubly locked or unlocked */ +-#define CONN_LOCK(x) if((x)->share) { \ ++#define CONNCACHE_LOCK(x) if((x)->share) { \ + Curl_share_lock((x), CURL_LOCK_DATA_CONNECT, CURL_LOCK_ACCESS_SINGLE); \ + DEBUGASSERT(!(x)->state.conncache_lock); \ + (x)->state.conncache_lock = TRUE; \ + } + +-#define CONN_UNLOCK(x) if((x)->share) { \ ++#define CONNCACHE_UNLOCK(x) if((x)->share) { \ + DEBUGASSERT((x)->state.conncache_lock); \ + (x)->state.conncache_lock = FALSE; \ + Curl_share_unlock((x), CURL_LOCK_DATA_CONNECT); \ + } + #else +-#define CONN_LOCK(x) if((x)->share) \ ++#define CONNCACHE_LOCK(x) if((x)->share) \ + Curl_share_lock((x), CURL_LOCK_DATA_CONNECT, CURL_LOCK_ACCESS_SINGLE) +-#define CONN_UNLOCK(x) if((x)->share) \ ++#define CONNCACHE_UNLOCK(x) if((x)->share) \ + Curl_share_unlock((x), CURL_LOCK_DATA_CONNECT) + #endif + +@@ -77,7 +77,6 @@ void Curl_conncache_destroy(struct conncache *connc); + struct connectbundle *Curl_conncache_find_bundle(struct connectdata *conn, + struct conncache *connc, + const char **hostp); +-void Curl_conncache_unlock(struct Curl_easy *data); + /* returns number of connections currently held in the connection cache */ + size_t Curl_conncache_size(struct Curl_easy *data); + +diff --git a/lib/hostip.c b/lib/hostip.c +index c0feb79..f5bb634 100644 +--- a/lib/hostip.c ++++ b/lib/hostip.c +@@ -1085,10 +1085,12 @@ CURLcode Curl_once_resolved(struct connectdata *conn, + + result = Curl_setup_conn(conn, protocol_done); + +- if(result) +- /* We're not allowed to return failure with memory left allocated +- in the connectdata struct, free those here */ +- Curl_disconnect(conn->data, conn, TRUE); /* close the connection */ +- ++ if(result) { ++ struct Curl_easy *data = conn->data; ++ DEBUGASSERT(data); ++ Curl_detach_connnection(data); ++ Curl_conncache_remove_conn(data, conn, TRUE); ++ Curl_disconnect(data, conn, TRUE); ++ } + return result; + } +diff --git a/lib/http_negotiate.h b/lib/http_negotiate.h +index 4f0ac16..a737f6f 100644 +--- a/lib/http_negotiate.h ++++ b/lib/http_negotiate.h +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -33,6 +33,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy); + + void Curl_http_auth_cleanup_negotiate(struct connectdata *conn); + +-#endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */ ++#else /* !CURL_DISABLE_HTTP && USE_SPNEGO */ ++#define Curl_http_auth_cleanup_negotiate(x) ++#endif + + #endif /* HEADER_CURL_HTTP_NEGOTIATE_H */ +diff --git a/lib/http_ntlm.h b/lib/http_ntlm.h +index 003714d..3ebdf97 100644 +--- a/lib/http_ntlm.h ++++ b/lib/http_ntlm.h +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -35,6 +35,8 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy); + + void Curl_http_auth_cleanup_ntlm(struct connectdata *conn); + +-#endif /* !CURL_DISABLE_HTTP && USE_NTLM */ ++#else /* !CURL_DISABLE_HTTP && USE_NTLM */ ++#define Curl_http_auth_cleanup_ntlm(x) ++#endif + + #endif /* HEADER_CURL_HTTP_NTLM_H */ +diff --git a/lib/multi.c b/lib/multi.c +index e10e752..273653d 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -79,7 +79,6 @@ static CURLMcode add_next_timeout(struct curltime now, + static CURLMcode multi_timeout(struct Curl_multi *multi, + long *timeout_ms); + static void process_pending_handles(struct Curl_multi *multi); +-static void detach_connnection(struct Curl_easy *data); + + #ifdef DEBUGBUILD + static const char * const statename[]={ +@@ -112,7 +111,7 @@ static void Curl_init_completed(struct Curl_easy *data) + + /* Important: reset the conn pointer so that we don't point to memory + that could be freed anytime */ +- detach_connnection(data); ++ Curl_detach_connnection(data); + Curl_expire_clear(data); /* stop all timers */ + } + +@@ -506,6 +505,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi, + easy handle is added */ + memset(&multi->timer_lastcall, 0, sizeof(multi->timer_lastcall)); + ++ CONNCACHE_LOCK(data); + /* The closure handle only ever has default timeouts set. To improve the + state somewhat we clone the timeouts from each added handle so that the + closure handle always has the same timeouts as the most recently added +@@ -515,6 +515,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi, + data->set.server_response_timeout; + data->state.conn_cache->closure_handle->set.no_signal = + data->set.no_signal; ++ CONNCACHE_UNLOCK(data); + + Curl_update_timer(multi); + return CURLM_OK; +@@ -589,14 +590,14 @@ static CURLcode multi_done(struct Curl_easy *data, + + process_pending_handles(data->multi); /* connection / multiplex */ + +- CONN_LOCK(data); +- detach_connnection(data); ++ CONNCACHE_LOCK(data); ++ Curl_detach_connnection(data); + if(CONN_INUSE(conn)) { + /* Stop if still used. */ + /* conn->data must not remain pointing to this transfer since it is going + away! Find another to own it! */ + conn->data = conn->easyq.head->ptr; +- CONN_UNLOCK(data); ++ CONNCACHE_UNLOCK(data); + DEBUGF(infof(data, "Connection still in use %zu, " + "no more multi_done now!\n", + conn->easyq.size)); +@@ -647,7 +648,8 @@ static CURLcode multi_done(struct Curl_easy *data, + || (premature && !(conn->handler->flags & PROTOPT_STREAM))) { + CURLcode res2; + connclose(conn, "disconnecting"); +- CONN_UNLOCK(data); ++ Curl_conncache_remove_conn(data, conn, FALSE); ++ CONNCACHE_UNLOCK(data); + res2 = Curl_disconnect(data, conn, premature); + + /* If we had an error already, make sure we return that one. But +@@ -666,7 +668,7 @@ static CURLcode multi_done(struct Curl_easy *data, + conn->bits.conn_to_host ? conn->conn_to_host.dispname : + conn->host.dispname); + /* the connection is no longer in use by this transfer */ +- CONN_UNLOCK(data); ++ CONNCACHE_UNLOCK(data); + if(Curl_conncache_return_conn(data, conn)) { + /* remember the most recently used connection */ + data->state.lastconnect = conn; +@@ -774,8 +776,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + vanish with this handle */ + + /* Remove the association between the connection and the handle */ +- if(data->conn) +- detach_connnection(data); ++ Curl_detach_connnection(data); + + #ifdef USE_LIBPSL + /* Remove the PSL association. */ +@@ -824,9 +825,13 @@ bool Curl_multiplex_wanted(const struct Curl_multi *multi) + return (multi && (multi->multiplexing)); + } + +-/* This is the only function that should clear data->conn. This will +- occasionally be called with the pointer already cleared. */ +-static void detach_connnection(struct Curl_easy *data) ++/* ++ * Curl_detach_connnection() removes the given transfer from the connection. ++ * ++ * This is the only function that should clear data->conn. This will ++ * occasionally be called with the data->conn pointer already cleared. ++ */ ++void Curl_detach_connnection(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; + if(conn) +@@ -834,7 +839,11 @@ static void detach_connnection(struct Curl_easy *data) + data->conn = NULL; + } + +-/* This is the only function that should assign data->conn */ ++/* ++ * Curl_attach_connnection() attaches this transfer to this connection. ++ * ++ * This is the only function that should assign data->conn ++ */ + void Curl_attach_connnection(struct Curl_easy *data, + struct connectdata *conn) + { +@@ -1536,19 +1545,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + bool stream_error = FALSE; + rc = CURLM_OK; + +- DEBUGASSERT((data->mstate <= CURLM_STATE_CONNECT) || +- (data->mstate >= CURLM_STATE_DONE) || +- data->conn); +- if(!data->conn && +- data->mstate > CURLM_STATE_CONNECT && +- data->mstate < CURLM_STATE_DONE) { +- /* In all these states, the code will blindly access 'data->conn' +- so this is precaution that it isn't NULL. And it silences static +- analyzers. */ +- failf(data, "In state %d with no conn, bail out!\n", data->mstate); +- return CURLM_INTERNAL_ERROR; +- } +- + if(multi_ischanged(multi, TRUE)) { + DEBUGF(infof(data, "multi changed, check CONNECT_PEND queue!\n")); + process_pending_handles(multi); /* multiplexed */ +@@ -2231,8 +2227,7 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + * access free'd data, if the connection is free'd and the handle + * removed before we perform the processing in CURLM_STATE_COMPLETED + */ +- if(data->conn) +- detach_connnection(data); ++ Curl_detach_connnection(data); + } + + #ifndef CURL_DISABLE_FTP +@@ -2284,7 +2279,10 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + /* This is where we make sure that the conn pointer is reset. + We don't have to do this in every case block above where a + failure is detected */ +- detach_connnection(data); ++ Curl_detach_connnection(data); ++ ++ /* remove connection from cache */ ++ Curl_conncache_remove_conn(data, conn, TRUE); + + /* disconnect properly */ + Curl_disconnect(data, conn, dead_connection); +diff --git a/lib/multiif.h b/lib/multiif.h +index bde755e..c07587b 100644 +--- a/lib/multiif.h ++++ b/lib/multiif.h +@@ -33,6 +33,7 @@ void Curl_expire_done(struct Curl_easy *data, expire_id id); + void Curl_update_timer(struct Curl_multi *multi); + void Curl_attach_connnection(struct Curl_easy *data, + struct connectdata *conn); ++void Curl_detach_connnection(struct Curl_easy *data); + bool Curl_multiplex_wanted(const struct Curl_multi *multi); + void Curl_set_in_callback(struct Curl_easy *data, bool value); + bool Curl_is_in_callback(struct Curl_easy *easy); +diff --git a/lib/url.c b/lib/url.c +index a826f8a..4ed0623 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -679,9 +679,7 @@ static void conn_reset_all_postponed_data(struct connectdata *conn) + + static void conn_shutdown(struct connectdata *conn) + { +- if(!conn) +- return; +- ++ DEBUGASSERT(conn); + infof(conn->data, "Closing connection %ld\n", conn->connection_id); + DEBUGASSERT(conn->data); + +@@ -702,16 +700,11 @@ static void conn_shutdown(struct connectdata *conn) + Curl_closesocket(conn, conn->tempsock[0]); + if(CURL_SOCKET_BAD != conn->tempsock[1]) + Curl_closesocket(conn, conn->tempsock[1]); +- +- /* unlink ourselves. this should be called last since other shutdown +- procedures need a valid conn->data and this may clear it. */ +- Curl_conncache_remove_conn(conn->data, conn, TRUE); + } + + static void conn_free(struct connectdata *conn) + { +- if(!conn) +- return; ++ DEBUGASSERT(conn); + + Curl_free_idnconverted_hostname(&conn->host); + Curl_free_idnconverted_hostname(&conn->conn_to_host); +@@ -778,13 +771,17 @@ static void conn_free(struct connectdata *conn) + CURLcode Curl_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead_connection) + { +- if(!conn) +- return CURLE_OK; /* this is closed and fine already */ ++ /* there must be a connection to close */ ++ DEBUGASSERT(conn); + +- if(!data) { +- DEBUGF(infof(data, "DISCONNECT without easy handle, ignoring\n")); +- return CURLE_OK; +- } ++ /* it must be removed from the connection cache */ ++ DEBUGASSERT(!conn->bundle); ++ ++ /* there must be an associated transfer */ ++ DEBUGASSERT(data); ++ ++ /* the transfer must be detached from the connection */ ++ DEBUGASSERT(!data->conn); + + /* + * If this connection isn't marked to force-close, leave it open if there +@@ -800,16 +797,11 @@ CURLcode Curl_disconnect(struct Curl_easy *data, + conn->dns_entry = NULL; + } + +- Curl_hostcache_prune(data); /* kill old DNS cache entries */ +- +-#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) + /* Cleanup NTLM connection-related data */ + Curl_http_auth_cleanup_ntlm(conn); +-#endif +-#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) ++ + /* Cleanup NEGOTIATE connection-related data */ + Curl_http_auth_cleanup_negotiate(conn); +-#endif + + /* the protocol specific disconnect handler and conn_shutdown need a transfer + for the connection! */ +@@ -1006,8 +998,12 @@ static int call_extract_if_dead(struct connectdata *conn, void *param) + static void prune_dead_connections(struct Curl_easy *data) + { + struct curltime now = Curl_now(); +- timediff_t elapsed = ++ timediff_t elapsed; ++ ++ CONNCACHE_LOCK(data); ++ elapsed = + Curl_timediff(now, data->state.conn_cache->last_cleanup); ++ CONNCACHE_UNLOCK(data); + + if(elapsed >= 1000L) { + struct prunedead prune; +@@ -1015,10 +1011,17 @@ static void prune_dead_connections(struct Curl_easy *data) + prune.extracted = NULL; + while(Curl_conncache_foreach(data, data->state.conn_cache, &prune, + call_extract_if_dead)) { ++ /* unlocked */ ++ ++ /* remove connection from cache */ ++ Curl_conncache_remove_conn(data, prune.extracted, TRUE); ++ + /* disconnect it */ + (void)Curl_disconnect(data, prune.extracted, /* dead_connection */TRUE); + } ++ CONNCACHE_LOCK(data); + data->state.conn_cache->last_cleanup = now; ++ CONNCACHE_UNLOCK(data); + } + } + +@@ -1078,7 +1081,7 @@ ConnectionExists(struct Curl_easy *data, + if(data->set.pipewait) { + infof(data, "Server doesn't support multiplex yet, wait\n"); + *waitpipe = TRUE; +- Curl_conncache_unlock(data); ++ CONNCACHE_UNLOCK(data); + return FALSE; /* no re-use */ + } + +@@ -1402,11 +1405,12 @@ ConnectionExists(struct Curl_easy *data, + if(chosen) { + /* mark it as used before releasing the lock */ + chosen->data = data; /* own it! */ +- Curl_conncache_unlock(data); ++ Curl_attach_connnection(data, chosen); ++ CONNCACHE_UNLOCK(data); + *usethis = chosen; + return TRUE; /* yes, we found one to use! */ + } +- Curl_conncache_unlock(data); ++ CONNCACHE_UNLOCK(data); + + if(foundPendingCandidate && data->set.pipewait) { + infof(data, +@@ -3519,6 +3523,7 @@ static CURLcode create_conn(struct Curl_easy *data, + if(!result) { + conn->bits.tcpconnect[FIRSTSOCKET] = TRUE; /* we are "connected */ + ++ Curl_attach_connnection(data, conn); + result = Curl_conncache_add_conn(data->state.conn_cache, conn); + if(result) + goto out; +@@ -3533,7 +3538,6 @@ static CURLcode create_conn(struct Curl_easy *data, + (void)conn->handler->done(conn, result, FALSE); + goto out; + } +- Curl_attach_connnection(data, conn); + Curl_setup_transfer(data, -1, -1, FALSE, -1); + } + +@@ -3683,7 +3687,7 @@ static CURLcode create_conn(struct Curl_easy *data, + + /* The bundle is full. Extract the oldest connection. */ + conn_candidate = Curl_conncache_extract_bundle(data, bundle); +- Curl_conncache_unlock(data); ++ CONNCACHE_UNLOCK(data); + + if(conn_candidate) + (void)Curl_disconnect(data, conn_candidate, +@@ -3695,7 +3699,7 @@ static CURLcode create_conn(struct Curl_easy *data, + } + } + else +- Curl_conncache_unlock(data); ++ CONNCACHE_UNLOCK(data); + + } + +@@ -3729,6 +3733,8 @@ static CURLcode create_conn(struct Curl_easy *data, + * This is a brand new connection, so let's store it in the connection + * cache of ours! + */ ++ Curl_attach_connnection(data, conn); ++ + result = Curl_conncache_add_conn(data->state.conn_cache, conn); + if(result) + goto out; +@@ -3883,7 +3889,7 @@ CURLcode Curl_connect(struct Curl_easy *data, + result = create_conn(data, &conn, asyncp); + + if(!result) { +- if(CONN_INUSE(conn)) ++ if(CONN_INUSE(conn) > 1) + /* multiplexed */ + *protocol_done = TRUE; + else if(!*asyncp) { +@@ -3900,11 +3906,10 @@ CURLcode Curl_connect(struct Curl_easy *data, + else if(result && conn) { + /* We're not allowed to return failure with memory left allocated in the + connectdata struct, free those here */ ++ Curl_detach_connnection(data); ++ Curl_conncache_remove_conn(data, conn, TRUE); + Curl_disconnect(data, conn, TRUE); + } +- else if(!result && !data->conn) +- /* FILE: transfers already have the connection attached */ +- Curl_attach_connnection(data, conn); + + return result; + } +diff --git a/tests/data/test1554 b/tests/data/test1554 +index 06f1897..d3926d9 100644 +--- a/tests/data/test1554 ++++ b/tests/data/test1554 +@@ -29,6 +29,12 @@ run 1: foobar and so on fun! + <- Mutex unlock + -> Mutex lock + <- Mutex unlock ++-> Mutex lock ++<- Mutex unlock ++-> Mutex lock ++<- Mutex unlock ++-> Mutex lock ++<- Mutex unlock + run 1: foobar and so on fun! + -> Mutex lock + <- Mutex unlock +@@ -40,6 +46,10 @@ run 1: foobar and so on fun! + <- Mutex unlock + -> Mutex lock + <- Mutex unlock ++-> Mutex lock ++<- Mutex unlock ++-> Mutex lock ++<- Mutex unlock + run 1: foobar and so on fun! + -> Mutex lock + <- Mutex unlock +@@ -51,6 +61,10 @@ run 1: foobar and so on fun! + <- Mutex unlock + -> Mutex lock + <- Mutex unlock ++-> Mutex lock ++<- Mutex unlock ++-> Mutex lock ++<- Mutex unlock + run 1: foobar and so on fun! + -> Mutex lock + <- Mutex unlock +diff --git a/tests/unit/unit1620.c b/tests/unit/unit1620.c +index 6e572c6..b23e5b9 100644 +--- a/tests/unit/unit1620.c ++++ b/tests/unit/unit1620.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -73,10 +73,6 @@ UNITTEST_START + fail_unless(rc == CURLE_OK, + "Curl_parse_login_details() failed"); + +- rc = Curl_disconnect(empty, empty->conn, FALSE); +- fail_unless(rc == CURLE_OK, +- "Curl_disconnect() with dead_connection set FALSE failed"); +- + Curl_freeset(empty); + for(i = (enum dupstring)0; i < STRING_LAST; i++) { + fail_unless(empty->set.str[i] == NULL, +-- +2.25.4 + + +From 6830828c9eecd9ab14404f2f49f19b56dec62130 Mon Sep 17 00:00:00 2001 +From: Marc Aldorasi +Date: Thu, 30 Jul 2020 14:16:17 -0400 +Subject: [PATCH 2/3] multi_remove_handle: close unused connect-only + connections + +Previously any connect-only connections in a multi handle would be kept +alive until the multi handle was closed. Since these connections cannot +be re-used, they can be marked for closure when the associated easy +handle is removed from the multi handle. + +Closes #5749 + +Upstream-commit: d5bb459ccf1fc5980ae4b95c05b4ecf6454a7599 +Signed-off-by: Kamil Dudka +--- + lib/multi.c | 34 ++++++++++++++++++++++++++++++---- + tests/data/test1554 | 6 ++++++ + 2 files changed, 36 insertions(+), 4 deletions(-) + +diff --git a/lib/multi.c b/lib/multi.c +index 249e360..f1371bd 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -682,6 +682,26 @@ static CURLcode multi_done(struct Curl_easy *data, + return result; + } + ++static int close_connect_only(struct connectdata *conn, void *param) ++{ ++ struct Curl_easy *data = param; ++ ++ if(data->state.lastconnect != conn) ++ return 0; ++ ++ if(conn->data != data) ++ return 1; ++ conn->data = NULL; ++ ++ if(!conn->bits.connect_only) ++ return 1; ++ ++ connclose(conn, "Removing connect-only easy handle"); ++ conn->bits.connect_only = FALSE; ++ ++ return 1; ++} ++ + CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + struct Curl_easy *data) + { +@@ -765,10 +785,6 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + multi_done() as that may actually call Curl_expire that uses this */ + Curl_llist_destroy(&data->state.timeoutlist, NULL); + +- /* as this was using a shared connection cache we clear the pointer to that +- since we're not part of that multi handle anymore */ +- data->state.conn_cache = NULL; +- + /* change state without using multistate(), only to make singlesocket() do + what we want */ + data->mstate = CURLM_STATE_COMPLETED; +@@ -778,12 +794,22 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + /* Remove the association between the connection and the handle */ + Curl_detach_connnection(data); + ++ if(data->state.lastconnect) { ++ /* Mark any connect-only connection for closure */ ++ Curl_conncache_foreach(data, data->state.conn_cache, ++ data, &close_connect_only); ++ } ++ + #ifdef USE_LIBPSL + /* Remove the PSL association. */ + if(data->psl == &multi->psl) + data->psl = NULL; + #endif + ++ /* as this was using a shared connection cache we clear the pointer to that ++ since we're not part of that multi handle anymore */ ++ data->state.conn_cache = NULL; ++ + data->multi = NULL; /* clear the association to this multi handle */ + + /* make sure there's no pending message in the queue sent from this easy +diff --git a/tests/data/test1554 b/tests/data/test1554 +index d3926d9..fffa6ad 100644 +--- a/tests/data/test1554 ++++ b/tests/data/test1554 +@@ -50,6 +50,8 @@ run 1: foobar and so on fun! + <- Mutex unlock + -> Mutex lock + <- Mutex unlock ++-> Mutex lock ++<- Mutex unlock + run 1: foobar and so on fun! + -> Mutex lock + <- Mutex unlock +@@ -65,6 +67,8 @@ run 1: foobar and so on fun! + <- Mutex unlock + -> Mutex lock + <- Mutex unlock ++-> Mutex lock ++<- Mutex unlock + run 1: foobar and so on fun! + -> Mutex lock + <- Mutex unlock +@@ -74,6 +78,8 @@ run 1: foobar and so on fun! + <- Mutex unlock + -> Mutex lock + <- Mutex unlock ++-> Mutex lock ++<- Mutex unlock + + + +-- +2.25.4 + + +From 01148ee40dd913a169435b0f9ea90e6393821e70 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 16 Aug 2020 11:34:35 +0200 +Subject: [PATCH 3/3] Curl_easy: remember last connection by id, not by pointer + +CVE-2020-8231 + +Bug: https://curl.haxx.se/docs/CVE-2020-8231.html + +Reported-by: Marc Aldorasi +Closes #5824 + +Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22 +Signed-off-by: Kamil Dudka +--- + lib/connect.c | 19 ++++++++++--------- + lib/easy.c | 3 +-- + lib/multi.c | 9 +++++---- + lib/url.c | 2 +- + lib/urldata.h | 2 +- + 5 files changed, 18 insertions(+), 17 deletions(-) + +diff --git a/lib/connect.c b/lib/connect.c +index 29293f0..e1c5662 100644 +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -1356,15 +1356,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */ + } + + struct connfind { +- struct connectdata *tofind; +- bool found; ++ long id_tofind; ++ struct connectdata *found; + }; + + static int conn_is_conn(struct connectdata *conn, void *param) + { + struct connfind *f = (struct connfind *)param; +- if(conn == f->tofind) { +- f->found = TRUE; ++ if(conn->connection_id == f->id_tofind) { ++ f->found = conn; + return 1; + } + return 0; +@@ -1386,21 +1386,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data, + * - that is associated with a multi handle, and whose connection + * was detached with CURLOPT_CONNECT_ONLY + */ +- if(data->state.lastconnect && (data->multi_easy || data->multi)) { +- struct connectdata *c = data->state.lastconnect; ++ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) { ++ struct connectdata *c; + struct connfind find; +- find.tofind = data->state.lastconnect; +- find.found = FALSE; ++ find.id_tofind = data->state.lastconnect_id; ++ find.found = NULL; + + Curl_conncache_foreach(data, data->multi_easy? + &data->multi_easy->conn_cache: + &data->multi->conn_cache, &find, conn_is_conn); + + if(!find.found) { +- data->state.lastconnect = NULL; ++ data->state.lastconnect_id = -1; + return CURL_SOCKET_BAD; + } + ++ c = find.found; + if(connp) { + /* only store this if the caller cares for it */ + *connp = c; +diff --git a/lib/easy.c b/lib/easy.c +index 292cca7..a69eb9e 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -831,8 +831,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + + /* the connection cache is setup on demand */ + outcurl->state.conn_cache = NULL; +- +- outcurl->state.lastconnect = NULL; ++ outcurl->state.lastconnect_id = -1; + + outcurl->progress.flags = data->progress.flags; + outcurl->progress.callback = data->progress.callback; +diff --git a/lib/multi.c b/lib/multi.c +index f1371bd..778c537 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -453,6 +453,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi, + data->state.conn_cache = &data->share->conn_cache; + else + data->state.conn_cache = &multi->conn_cache; ++ data->state.lastconnect_id = -1; + + #ifdef USE_LIBPSL + /* Do the same for PSL. */ +@@ -671,11 +672,11 @@ static CURLcode multi_done(struct Curl_easy *data, + CONNCACHE_UNLOCK(data); + if(Curl_conncache_return_conn(data, conn)) { + /* remember the most recently used connection */ +- data->state.lastconnect = conn; ++ data->state.lastconnect_id = conn->connection_id; + infof(data, "%s\n", buffer); + } + else +- data->state.lastconnect = NULL; ++ data->state.lastconnect_id = -1; + } + + Curl_free_request_state(data); +@@ -686,7 +687,7 @@ static int close_connect_only(struct connectdata *conn, void *param) + { + struct Curl_easy *data = param; + +- if(data->state.lastconnect != conn) ++ if(data->state.lastconnect_id != conn->connection_id) + return 0; + + if(conn->data != data) +@@ -794,7 +795,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + /* Remove the association between the connection and the handle */ + Curl_detach_connnection(data); + +- if(data->state.lastconnect) { ++ if(data->state.lastconnect_id != -1) { + /* Mark any connect-only connection for closure */ + Curl_conncache_foreach(data, data->state.conn_cache, + data, &close_connect_only); +diff --git a/lib/url.c b/lib/url.c +index a1a6b69..2919a3d 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -617,7 +617,7 @@ CURLcode Curl_open(struct Curl_easy **curl) + Curl_initinfo(data); + + /* most recent connection is not yet defined */ +- data->state.lastconnect = NULL; ++ data->state.lastconnect_id = -1; + + data->progress.flags |= PGRS_HIDE; + data->state.current_speed = -1; /* init to negative == impossible */ +diff --git a/lib/urldata.h b/lib/urldata.h +index f80a02d..6d8eb69 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1332,7 +1332,7 @@ struct UrlState { + /* buffers to store authentication data in, as parsed from input options */ + struct curltime keeps_speed; /* for the progress meter really */ + +- struct connectdata *lastconnect; /* The last connection, NULL if undefined */ ++ long lastconnect_id; /* The last connection, -1 if undefined */ + + char *headerbuff; /* allocated buffer to store headers in */ + size_t headersize; /* size of the allocation */ +-- +2.25.4 + diff --git a/0005-curl-7.71.1-CVE-2020-8284.patch b/0005-curl-7.71.1-CVE-2020-8284.patch new file mode 100644 index 0000000..2d80677 --- /dev/null +++ b/0005-curl-7.71.1-CVE-2020-8284.patch @@ -0,0 +1,208 @@ +From c7cc15980d50a51857de66b701b7762789139b46 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 24 Nov 2020 14:56:57 +0100 +Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default + +The command line tool also independently sets --ftp-skip-pasv-ip by +default. + +Ten test cases updated to adapt the modified --libcurl output. + +Bug: https://curl.se/docs/CVE-2020-8284.html +CVE-2020-8284 + +Reported-by: Varnavas Papaioannou + +Upstream-commit: ec9cc725d598ac77de7b6df8afeec292b3c8ad46 +Signed-off-by: Kamil Dudka +--- + docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++ + docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++--- + lib/url.c | 1 + + src/tool_cfgable.c | 1 + + tests/data/test1400 | 1 + + tests/data/test1401 | 1 + + tests/data/test1402 | 1 + + tests/data/test1403 | 1 + + tests/data/test1404 | 1 + + tests/data/test1405 | 1 + + tests/data/test1406 | 1 + + tests/data/test1407 | 1 + + tests/data/test1420 | 1 + + 13 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d +index da6ab11..4be8b43 100644 +--- a/docs/cmdline-opts/ftp-skip-pasv-ip.d ++++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d +@@ -9,4 +9,6 @@ to curl's PASV command when curl connects the data connection. Instead curl + will re-use the same IP address it already uses for the control + connection. + ++Since curl 7.74.0 this option is enabled by default. ++ + This option has no effect if PORT, EPRT or EPSV is used instead of PASV. +diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 +index e68d2e7..29bc672 100644 +--- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 ++++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 +@@ -5,7 +5,7 @@ + .\" * | (__| |_| | _ <| |___ + .\" * \___|\___/|_| \_\_____| + .\" * +-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. ++.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. + .\" * + .\" * This software is licensed as described in the file COPYING, which + .\" * you should have received as part of this distribution. The terms +@@ -36,11 +36,13 @@ address it already uses for the control connection. But it will use the port + number from the 227-response. + + This option thus allows libcurl to work around broken server installations +-that due to NATs, firewalls or incompetence report the wrong IP address back. ++that due to NATs, firewalls or incompetence report the wrong IP address ++back. Setting the option also reduces the risk for various sorts of client ++abuse by malicious servers. + + This option has no effect if PORT, EPRT or EPSV is used instead of PASV. + .SH DEFAULT +-0 ++1 since 7.74.0, was 0 before then. + .SH PROTOCOLS + FTP + .SH EXAMPLE +diff --git a/lib/url.c b/lib/url.c +index 2919a3d..41029d6 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -455,6 +455,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */ + set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */ + set->ftp_filemethod = FTPFILE_MULTICWD; ++ set->ftp_skip_ip = TRUE; /* skip PASV IP by default */ + #endif + set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */ + +diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c +index 63bdeaa..22770c4 100644 +--- a/src/tool_cfgable.c ++++ b/src/tool_cfgable.c +@@ -44,6 +44,7 @@ void config_init(struct OperationConfig* config) + config->tcp_nodelay = TRUE; /* enabled by default */ + config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT; + config->http09_allowed = FALSE; ++ config->ftp_skip_ip = TRUE; + } + + static void free_config_fields(struct OperationConfig *config) +diff --git a/tests/data/test1400 b/tests/data/test1400 +index c0d409b..ade50d4 100644 +--- a/tests/data/test1400 ++++ b/tests/data/test1400 +@@ -76,6 +76,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); + curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +diff --git a/tests/data/test1401 b/tests/data/test1401 +index ec3b25c..a2e9ef2 100644 +--- a/tests/data/test1401 ++++ b/tests/data/test1401 +@@ -90,6 +90,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); + curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip"); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE | + (long)CURLPROTO_FTP | +diff --git a/tests/data/test1402 b/tests/data/test1402 +index bf7eb7b..99d4b70 100644 +--- a/tests/data/test1402 ++++ b/tests/data/test1402 +@@ -81,6 +81,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); + curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +diff --git a/tests/data/test1403 b/tests/data/test1403 +index 731d274..90f9b4e 100644 +--- a/tests/data/test1403 ++++ b/tests/data/test1403 +@@ -76,6 +76,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); + curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +diff --git a/tests/data/test1404 b/tests/data/test1404 +index d3c66a9..d351c3e 100644 +--- a/tests/data/test1404 ++++ b/tests/data/test1404 +@@ -147,6 +147,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); + curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +diff --git a/tests/data/test1405 b/tests/data/test1405 +index dcc8f80..d1ebb7c 100644 +--- a/tests/data/test1405 ++++ b/tests/data/test1405 +@@ -89,6 +89,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2); + curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +diff --git a/tests/data/test1406 b/tests/data/test1406 +index 8803c84..31db82a 100644 +--- a/tests/data/test1406 ++++ b/tests/data/test1406 +@@ -79,6 +79,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406"); + curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com"); + curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1); +diff --git a/tests/data/test1407 b/tests/data/test1407 +index 917a5de..d329509 100644 +--- a/tests/data/test1407 ++++ b/tests/data/test1407 +@@ -62,6 +62,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L); + curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret"); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +diff --git a/tests/data/test1420 b/tests/data/test1420 +index 03c4584..c1ba190 100644 +--- a/tests/data/test1420 ++++ b/tests/data/test1420 +@@ -67,6 +67,7 @@ int main(int argc, char *argv[]) + curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;MAILINDEX=1"); + curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret"); + curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); ++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); + curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); + + /* Here is a list of options the curl code used that cannot get generated +-- +2.26.2 + diff --git a/0006-curl-7.69.1-CVE-2020-8285.patch b/0006-curl-7.69.1-CVE-2020-8285.patch new file mode 100644 index 0000000..caec9e5 --- /dev/null +++ b/0006-curl-7.69.1-CVE-2020-8285.patch @@ -0,0 +1,256 @@ +From 6fda045b19a9066701b5e09cfa657a13a3accbf3 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 28 Nov 2020 00:27:21 +0100 +Subject: [PATCH] ftp: make wc_statemach loop instead of recurse + +CVE-2020-8285 + +Fixes #6255 +Bug: https://curl.se/docs/CVE-2020-8285.html +Reported-by: xnynx on github + +Upstream-commit: 69a358f2186e04cf44698b5100332cbf1ee7f01d +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 202 +++++++++++++++++++++++++++--------------------------- + 1 file changed, 102 insertions(+), 100 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index 57b22ad..3382772 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -3763,129 +3763,131 @@ static CURLcode init_wc_data(struct connectdata *conn) + return result; + } + +-/* This is called recursively */ + static CURLcode wc_statemach(struct connectdata *conn) + { + struct WildcardData * const wildcard = &(conn->data->wildcard); + CURLcode result = CURLE_OK; + +- switch(wildcard->state) { +- case CURLWC_INIT: +- result = init_wc_data(conn); +- if(wildcard->state == CURLWC_CLEAN) +- /* only listing! */ +- break; +- wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING; +- break; ++ for(;;) { ++ switch(wildcard->state) { ++ case CURLWC_INIT: ++ result = init_wc_data(conn); ++ if(wildcard->state == CURLWC_CLEAN) ++ /* only listing! */ ++ return result; ++ wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING; ++ return result; + +- case CURLWC_MATCHING: { +- /* In this state is LIST response successfully parsed, so lets restore +- previous WRITEFUNCTION callback and WRITEDATA pointer */ +- struct ftp_wc *ftpwc = wildcard->protdata; +- conn->data->set.fwrite_func = ftpwc->backup.write_function; +- conn->data->set.out = ftpwc->backup.file_descriptor; +- ftpwc->backup.write_function = ZERO_NULL; +- ftpwc->backup.file_descriptor = NULL; +- wildcard->state = CURLWC_DOWNLOADING; +- +- if(Curl_ftp_parselist_geterror(ftpwc->parser)) { +- /* error found in LIST parsing */ +- wildcard->state = CURLWC_CLEAN; +- return wc_statemach(conn); +- } +- if(wildcard->filelist.size == 0) { +- /* no corresponding file */ +- wildcard->state = CURLWC_CLEAN; +- return CURLE_REMOTE_FILE_NOT_FOUND; ++ case CURLWC_MATCHING: { ++ /* In this state is LIST response successfully parsed, so lets restore ++ previous WRITEFUNCTION callback and WRITEDATA pointer */ ++ struct ftp_wc *ftpwc = wildcard->protdata; ++ conn->data->set.fwrite_func = ftpwc->backup.write_function; ++ conn->data->set.out = ftpwc->backup.file_descriptor; ++ ftpwc->backup.write_function = ZERO_NULL; ++ ftpwc->backup.file_descriptor = NULL; ++ wildcard->state = CURLWC_DOWNLOADING; ++ ++ if(Curl_ftp_parselist_geterror(ftpwc->parser)) { ++ /* error found in LIST parsing */ ++ wildcard->state = CURLWC_CLEAN; ++ continue; ++ } ++ if(wildcard->filelist.size == 0) { ++ /* no corresponding file */ ++ wildcard->state = CURLWC_CLEAN; ++ return CURLE_REMOTE_FILE_NOT_FOUND; ++ } ++ continue; + } +- return wc_statemach(conn); +- } + +- case CURLWC_DOWNLOADING: { +- /* filelist has at least one file, lets get first one */ +- struct ftp_conn *ftpc = &conn->proto.ftpc; +- struct curl_fileinfo *finfo = wildcard->filelist.head->ptr; +- struct FTP *ftp = conn->data->req.protop; ++ case CURLWC_DOWNLOADING: { ++ /* filelist has at least one file, lets get first one */ ++ struct ftp_conn *ftpc = &conn->proto.ftpc; ++ struct curl_fileinfo *finfo = wildcard->filelist.head->ptr; ++ struct FTP *ftp = conn->data->req.protop; + +- char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename); +- if(!tmp_path) +- return CURLE_OUT_OF_MEMORY; ++ char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename); ++ if(!tmp_path) ++ return CURLE_OUT_OF_MEMORY; + +- /* switch default ftp->path and tmp_path */ +- free(ftp->pathalloc); +- ftp->pathalloc = ftp->path = tmp_path; +- +- infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename); +- if(conn->data->set.chunk_bgn) { +- long userresponse; +- Curl_set_in_callback(conn->data, true); +- userresponse = conn->data->set.chunk_bgn( +- finfo, wildcard->customptr, (int)wildcard->filelist.size); +- Curl_set_in_callback(conn->data, false); +- switch(userresponse) { +- case CURL_CHUNK_BGN_FUNC_SKIP: +- infof(conn->data, "Wildcard - \"%s\" skipped by user\n", +- finfo->filename); +- wildcard->state = CURLWC_SKIP; +- return wc_statemach(conn); +- case CURL_CHUNK_BGN_FUNC_FAIL: +- return CURLE_CHUNK_FAILED; ++ /* switch default ftp->path and tmp_path */ ++ free(ftp->pathalloc); ++ ftp->pathalloc = ftp->path = tmp_path; ++ ++ infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename); ++ if(conn->data->set.chunk_bgn) { ++ long userresponse; ++ Curl_set_in_callback(conn->data, true); ++ userresponse = conn->data->set.chunk_bgn( ++ finfo, wildcard->customptr, (int)wildcard->filelist.size); ++ Curl_set_in_callback(conn->data, false); ++ switch(userresponse) { ++ case CURL_CHUNK_BGN_FUNC_SKIP: ++ infof(conn->data, "Wildcard - \"%s\" skipped by user\n", ++ finfo->filename); ++ wildcard->state = CURLWC_SKIP; ++ continue; ++ case CURL_CHUNK_BGN_FUNC_FAIL: ++ return CURLE_CHUNK_FAILED; ++ } + } +- } + +- if(finfo->filetype != CURLFILETYPE_FILE) { +- wildcard->state = CURLWC_SKIP; +- return wc_statemach(conn); +- } ++ if(finfo->filetype != CURLFILETYPE_FILE) { ++ wildcard->state = CURLWC_SKIP; ++ continue; ++ } + +- if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE) +- ftpc->known_filesize = finfo->size; ++ if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE) ++ ftpc->known_filesize = finfo->size; + +- result = ftp_parse_url_path(conn); +- if(result) +- return result; ++ result = ftp_parse_url_path(conn); ++ if(result) ++ return result; + +- /* we don't need the Curl_fileinfo of first file anymore */ +- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL); ++ /* we don't need the Curl_fileinfo of first file anymore */ ++ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL); + +- if(wildcard->filelist.size == 0) { /* remains only one file to down. */ +- wildcard->state = CURLWC_CLEAN; +- /* after that will be ftp_do called once again and no transfer +- will be done because of CURLWC_CLEAN state */ +- return CURLE_OK; ++ if(wildcard->filelist.size == 0) { /* remains only one file to down. */ ++ wildcard->state = CURLWC_CLEAN; ++ /* after that will be ftp_do called once again and no transfer ++ will be done because of CURLWC_CLEAN state */ ++ return CURLE_OK; ++ } ++ return result; + } +- } break; + +- case CURLWC_SKIP: { +- if(conn->data->set.chunk_end) { +- Curl_set_in_callback(conn->data, true); +- conn->data->set.chunk_end(conn->data->wildcard.customptr); +- Curl_set_in_callback(conn->data, false); ++ case CURLWC_SKIP: { ++ if(conn->data->set.chunk_end) { ++ Curl_set_in_callback(conn->data, true); ++ conn->data->set.chunk_end(conn->data->wildcard.customptr); ++ Curl_set_in_callback(conn->data, false); ++ } ++ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL); ++ wildcard->state = (wildcard->filelist.size == 0) ? ++ CURLWC_CLEAN : CURLWC_DOWNLOADING; ++ continue; + } +- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL); +- wildcard->state = (wildcard->filelist.size == 0) ? +- CURLWC_CLEAN : CURLWC_DOWNLOADING; +- return wc_statemach(conn); +- } + +- case CURLWC_CLEAN: { +- struct ftp_wc *ftpwc = wildcard->protdata; +- result = CURLE_OK; +- if(ftpwc) +- result = Curl_ftp_parselist_geterror(ftpwc->parser); ++ case CURLWC_CLEAN: { ++ struct ftp_wc *ftpwc = wildcard->protdata; ++ result = CURLE_OK; ++ if(ftpwc) ++ result = Curl_ftp_parselist_geterror(ftpwc->parser); + +- wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE; +- } break; ++ wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE; ++ return result; ++ } + +- case CURLWC_DONE: +- case CURLWC_ERROR: +- case CURLWC_CLEAR: +- if(wildcard->dtor) +- wildcard->dtor(wildcard->protdata); +- break; ++ case CURLWC_DONE: ++ case CURLWC_ERROR: ++ case CURLWC_CLEAR: ++ if(wildcard->dtor) ++ wildcard->dtor(wildcard->protdata); ++ return result; ++ } + } +- +- return result; ++ /* UNREACHABLE */ + } + + /*********************************************************************** +-- +2.26.2 + diff --git a/0007-curl-7.71.1-CVE-2020-8286.patch b/0007-curl-7.71.1-CVE-2020-8286.patch new file mode 100644 index 0000000..d7055f9 --- /dev/null +++ b/0007-curl-7.71.1-CVE-2020-8286.patch @@ -0,0 +1,129 @@ +From 43d1163b3730f715704240f7f6d31af289246873 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 2 Dec 2020 23:01:11 +0100 +Subject: [PATCH] openssl: make the OCSP verification verify the certificate id + +CVE-2020-8286 + +Reported by anonymous + +Bug: https://curl.se/docs/CVE-2020-8286.html + +Upstream-commit: d9d01672785b8ac04aab1abb6de95fe3072ae199 +Signed-off-by: Kamil Dudka +--- + lib/vtls/openssl.c | 83 ++++++++++++++++++++++++++++++---------------- + 1 file changed, 54 insertions(+), 29 deletions(-) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 1d09cad..bcfd83b 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -1717,6 +1717,11 @@ static CURLcode verifystatus(struct connectdata *conn, + OCSP_BASICRESP *br = NULL; + X509_STORE *st = NULL; + STACK_OF(X509) *ch = NULL; ++ X509 *cert; ++ OCSP_CERTID *id = NULL; ++ int cert_status, crl_reason; ++ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; ++ int ret; + + long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &status); + +@@ -1785,43 +1790,63 @@ static CURLcode verifystatus(struct connectdata *conn, + goto end; + } + +- for(i = 0; i < OCSP_resp_count(br); i++) { +- int cert_status, crl_reason; +- OCSP_SINGLERESP *single = NULL; +- +- ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; ++ /* Compute the certificate's ID */ ++ cert = SSL_get_peer_certificate(BACKEND->handle); ++ if(!cert) { ++ failf(data, "Error getting peer certficate"); ++ result = CURLE_SSL_INVALIDCERTSTATUS; ++ goto end; ++ } + +- single = OCSP_resp_get0(br, i); +- if(!single) +- continue; ++ for(i = 0; i < sk_X509_num(ch); i++) { ++ X509 *issuer = sk_X509_value(ch, i); ++ if(X509_check_issued(issuer, cert) == X509_V_OK) { ++ id = OCSP_cert_to_id(EVP_sha1(), cert, issuer); ++ break; ++ } ++ } ++ X509_free(cert); + +- cert_status = OCSP_single_get0_status(single, &crl_reason, &rev, +- &thisupd, &nextupd); ++ if(!id) { ++ failf(data, "Error computing OCSP ID"); ++ result = CURLE_SSL_INVALIDCERTSTATUS; ++ goto end; ++ } + +- if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) { +- failf(data, "OCSP response has expired"); +- result = CURLE_SSL_INVALIDCERTSTATUS; +- goto end; +- } ++ /* Find the single OCSP response corresponding to the certificate ID */ ++ ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev, ++ &thisupd, &nextupd); ++ OCSP_CERTID_free(id); ++ if(ret != 1) { ++ failf(data, "Could not find certificate ID in OCSP response"); ++ result = CURLE_SSL_INVALIDCERTSTATUS; ++ goto end; ++ } + +- infof(data, "SSL certificate status: %s (%d)\n", +- OCSP_cert_status_str(cert_status), cert_status); ++ /* Validate the corresponding single OCSP response */ ++ if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) { ++ failf(data, "OCSP response has expired"); ++ result = CURLE_SSL_INVALIDCERTSTATUS; ++ goto end; ++ } + +- switch(cert_status) { +- case V_OCSP_CERTSTATUS_GOOD: +- break; ++ infof(data, "SSL certificate status: %s (%d)\n", ++ OCSP_cert_status_str(cert_status), cert_status); + +- case V_OCSP_CERTSTATUS_REVOKED: +- result = CURLE_SSL_INVALIDCERTSTATUS; ++ switch(cert_status) { ++ case V_OCSP_CERTSTATUS_GOOD: ++ break; + +- failf(data, "SSL certificate revocation reason: %s (%d)", +- OCSP_crl_reason_str(crl_reason), crl_reason); +- goto end; ++ case V_OCSP_CERTSTATUS_REVOKED: ++ result = CURLE_SSL_INVALIDCERTSTATUS; ++ failf(data, "SSL certificate revocation reason: %s (%d)", ++ OCSP_crl_reason_str(crl_reason), crl_reason); ++ goto end; + +- case V_OCSP_CERTSTATUS_UNKNOWN: +- result = CURLE_SSL_INVALIDCERTSTATUS; +- goto end; +- } ++ case V_OCSP_CERTSTATUS_UNKNOWN: ++ default: ++ result = CURLE_SSL_INVALIDCERTSTATUS; ++ goto end; + } + + end: +-- +2.26.2 + diff --git a/0008-curl-7.71.1-CVE-2021-22876.patch b/0008-curl-7.71.1-CVE-2021-22876.patch new file mode 100644 index 0000000..6af96ac --- /dev/null +++ b/0008-curl-7.71.1-CVE-2021-22876.patch @@ -0,0 +1,64 @@ +From 1c875f3e08124c32205a7d33b5c10256ff9352cc Mon Sep 17 00:00:00 2001 +From: Viktor Szakats +Date: Tue, 23 Feb 2021 14:54:46 +0100 +Subject: [PATCH] transfer: strip credentials from the auto-referer header + field + +Added test 2081 to verify. + +CVE-2021-22876 + +Bug: https://curl.se/docs/CVE-2021-22876.html + +Upstream-commit: 7214288898f5625a6cc196e22a74232eada7861c +Signed-off-by: Kamil Dudka +--- + lib/transfer.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 44104ab..3325a0e 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1570,6 +1570,9 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->set.followlocation++; /* count location-followers */ + + if(data->set.http_auto_referer) { ++ CURLU *u; ++ char *referer; ++ + /* We are asked to automatically set the previous URL as the referer + when we get the next URL. We pick the ->url field, which may or may + not be 100% correct */ +@@ -1579,9 +1582,26 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->change.referer_alloc = FALSE; + } + +- data->change.referer = strdup(data->change.url); +- if(!data->change.referer) ++ /* Make a copy of the URL without crenditals and fragment */ ++ u = curl_url(); ++ if(!u) ++ return CURLE_OUT_OF_MEMORY; ++ ++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0); ++ ++ curl_url_cleanup(u); ++ ++ if(uc || referer == NULL) + return CURLE_OUT_OF_MEMORY; ++ data->change.referer = referer; + data->change.referer_alloc = TRUE; /* yes, free this later */ + } + } +-- +2.26.3 + diff --git a/0009-curl-7.71.1-CVE-2021-22890.patch b/0009-curl-7.71.1-CVE-2021-22890.patch new file mode 100644 index 0000000..80ce40b --- /dev/null +++ b/0009-curl-7.71.1-CVE-2021-22890.patch @@ -0,0 +1,192 @@ +From 840011af52fcdac15a749f14f19b00401a49dc51 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 19 Mar 2021 12:38:49 +0100 +Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid() + +To make sure we set and extract the correct session. + +Reported-by: Mingtao Yang +Bug: https://curl.se/docs/CVE-2021-22890.html + +CVE-2021-22890 + +Upstream-commit: b09c8ee15771c614c4bf3ddac893cdb12187c844 +Signed-off-by: Kamil Dudka +--- + lib/vtls/openssl.c | 52 +++++++++++++++++++++++++++++++++++----------- + lib/vtls/vtls.c | 4 ++-- + lib/vtls/vtls.h | 2 ++ + 3 files changed, 44 insertions(+), 14 deletions(-) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 5803fd1..16276f3 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -422,12 +422,23 @@ static int ossl_get_ssl_conn_index(void) + */ + static int ossl_get_ssl_sockindex_index(void) + { +- static int ssl_ex_data_sockindex_index = -1; +- if(ssl_ex_data_sockindex_index < 0) { +- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, +- NULL); ++ static int sockindex_index = -1; ++ if(sockindex_index < 0) { ++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } +- return ssl_ex_data_sockindex_index; ++ return sockindex_index; ++} ++ ++/* Return an extra data index for proxy boolean. ++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). ++ */ ++static int ossl_get_proxy_index(void) ++{ ++ static int proxy_index = -1; ++ if(proxy_index < 0) { ++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); ++ } ++ return proxy_index; + } + + static int passwd_callback(char *buf, int num, int encrypting, +@@ -1079,7 +1090,8 @@ static int Curl_ossl_init(void) + #endif + + /* Initialize the extra data indexes */ +- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0) ++ if(ossl_get_ssl_conn_index() < 0 || ++ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0) + return 0; + + return 1; +@@ -2366,8 +2378,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + curl_socket_t *sockindex_ptr; + int connectdata_idx = ossl_get_ssl_conn_index(); + int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); ++ bool isproxy; + +- if(connectdata_idx < 0 || sockindex_idx < 0) ++ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) + return 0; + + conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); +@@ -2380,13 +2394,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); + sockindex = (int)(sockindex_ptr - conn->sock); + ++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE; ++ + if(SSL_SET_OPTION(primary.sessionid)) { + bool incache; + void *old_ssl_sessionid = NULL; + + Curl_ssl_sessionid_lock(conn); +- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, +- sockindex)); ++ if(isproxy) ++ incache = FALSE; ++ else ++ incache = !(Curl_ssl_getsessionid(conn, isproxy, ++ &old_ssl_sessionid, NULL, sockindex)); + if(incache) { + if(old_ssl_sessionid != ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -2396,7 +2415,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + } + + if(!incache) { +- if(!Curl_ssl_addsessionid(conn, ssl_sessionid, ++ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, + 0 /* unknown size */, sockindex)) { + /* the session has been put into the session cache */ + res = 1; +@@ -2893,16 +2912,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) + void *ssl_sessionid = NULL; + int connectdata_idx = ossl_get_ssl_conn_index(); + int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); + +- if(connectdata_idx >= 0 && sockindex_idx >= 0) { ++ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) { + /* Store the data needed for the "new session" callback. + * The sockindex is stored as a pointer to an array element. */ + SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn); + SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex); ++#ifndef CURL_DISABLE_PROXY ++ SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: ++ NULL); ++#else ++ SSL_set_ex_data(BACKEND->handle, proxy_idx, NULL); ++#endif ++ + } + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! */ + if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { + Curl_ssl_sessionid_unlock(conn); +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index c3a55fb..e50fdd2 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -305,6 +305,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn) + * there's one suitable, it is provided. Returns TRUE when no entry matched. + */ + bool Curl_ssl_getsessionid(struct connectdata *conn, ++ const bool isProxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex) +@@ -315,7 +316,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, + long *general_age; + bool no_match = TRUE; + +- const bool isProxy = CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config = isProxy ? + &conn->proxy_ssl_config : + &conn->ssl_config; +@@ -411,6 +411,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) + * later on. + */ + CURLcode Curl_ssl_addsessionid(struct connectdata *conn, ++ bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex) +@@ -423,7 +424,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, + char *clone_conn_to_host; + int conn_to_port; + long *general_age; +- const bool isProxy = CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config = isProxy ? + &conn->proxy_ssl_config : + &conn->ssl_config; +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h +index bcc8444..343cad0 100644 +--- a/lib/vtls/vtls.h ++++ b/lib/vtls/vtls.h +@@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn); + * under sessionid mutex). + */ + bool Curl_ssl_getsessionid(struct connectdata *conn, ++ const bool isproxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex); +@@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, + * object with cache (e.g. incrementing refcount on success) + */ + CURLcode Curl_ssl_addsessionid(struct connectdata *conn, ++ const bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex); +-- +2.26.3 + diff --git a/curl.spec b/curl.spec index 6b1e006..edaa54f 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,37 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.69.1 -Release: 3%{?dist} +Release: 8%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz # SSH: use new ECDSA key types to check known hosts (#1824926) Patch1: 0001-curl-7.69.1-ssh-ecdsa-keys.patch +# fix partial password leak over DNS on HTTP redirect (CVE-2020-8169) +Patch2: 0002-curl-7.69.1-CVE-2020-8169.patch + +# avoid overwriting a local file with -J (CVE-2020-8177) +Patch3: 0003-curl-7.69.1-CVE-2020-8177.patch + +# libcurl: wrong connect-only connection (CVE-2020-8231) +Patch4: 0004-curl-7.69.1-CVE-2020-8231.patch + +# curl: trusting FTP PASV responses (CVE-2020-8284) +Patch5: 0005-curl-7.71.1-CVE-2020-8284.patch + +# libcurl: FTP wildcard stack overflow (CVE-2020-8285) +Patch6: 0006-curl-7.69.1-CVE-2020-8285.patch + +# curl: Inferior OCSP verification (CVE-2020-8286) +Patch7: 0007-curl-7.71.1-CVE-2020-8286.patch + +# prevent automatic referer from leaking credentials (CVE-2021-22876) +Patch8: 0008-curl-7.71.1-CVE-2021-22876.patch + +# fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890) +Patch9: 0009-curl-7.71.1-CVE-2021-22890.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -159,7 +183,7 @@ Summary: Conservatively configured build of libcurl for minimal installations Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl = %{version}-%{release} Provides: libcurl%{?_isa} = %{version}-%{release} -Conflicts: libcurl +Conflicts: libcurl%{?_isa} RemovePathPostfixes: .minimal # needed for RemovePathPostfixes to work with shared libraries %undefine __brp_ldconfig @@ -172,9 +196,17 @@ be installed. %prep %setup -q -%patch1 -p1 # upstream patches +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 # Fedora patches %patch101 -p1 @@ -350,6 +382,25 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 31 2021 Kamil Dudka - 7.69.1-8 +- fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890) +- prevent automatic referer from leaking credentials (CVE-2021-22876) + +* Wed Dec 09 2020 Kamil Dudka - 7.69.1-7 +- curl: Inferior OCSP verification (CVE-2020-8286) +- libcurl: FTP wildcard stack overflow (CVE-2020-8285) +- curl: trusting FTP PASV responses (CVE-2020-8284) + +* Thu Sep 10 2020 Jinoh Kang - 7.69.1-6 +- fix multiarch conflicts in libcurl-minimal (#1877671) + +* Wed Aug 19 2020 Kamil Dudka - 7.69.1-5 +- libcurl: wrong connect-only connection (CVE-2020-8231) + +* Wed Jun 24 2020 Kamil Dudka - 7.69.1-4 +- avoid overwriting a local file with -J (CVE-2020-8177) +- fix partial password leak over DNS on HTTP redirect (CVE-2020-8169) + * Mon Apr 20 2020 Kamil Dudka - 7.69.1-3 - SSH: use new ECDSA key types to check known hosts (#1824926)