From 1c9b12b033f1e612ff6c7ee422243f93fa840a57 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 3 Aug 2016 16:47:36 +0200 Subject: [PATCH] Resolves: CVE-2016-5419 - fix TLS session resumption client cert bypass --- 0009-curl-7.47.1-CVE-2016-5419.patch | 73 ++++++++++++++++++++++++++++ curl.spec | 5 ++ 2 files changed, 78 insertions(+) create mode 100644 0009-curl-7.47.1-CVE-2016-5419.patch diff --git a/0009-curl-7.47.1-CVE-2016-5419.patch b/0009-curl-7.47.1-CVE-2016-5419.patch new file mode 100644 index 0000000..54df965 --- /dev/null +++ b/0009-curl-7.47.1-CVE-2016-5419.patch @@ -0,0 +1,73 @@ +From 419fc844f483eefd4843a4c1ca30e8187923454a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 1 Jul 2016 13:32:31 +0200 +Subject: [PATCH] TLS: switch off SSL session id when client cert is used + +CVE-2016-5419 +Bug: https://curl.haxx.se/docs/adv_20160803A.html +Reported-by: Bru Rom +Contributions-by: Eric Rescorla and Ray Satiro + +Upstream-commit: 247d890da88f9ee817079e246c59f3d7d12fde5f +Signed-off-by: Kamil Dudka +--- + lib/url.c | 1 + + lib/urldata.h | 1 + + lib/vtls/vtls.c | 10 ++++++++++ + 3 files changed, 12 insertions(+) + +diff --git a/lib/url.c b/lib/url.c +index f32c8cf..be9cbea 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -5691,6 +5691,7 @@ static CURLcode create_conn(struct SessionHandle *data, + data->set.ssl.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; + data->set.ssl.egdsocket = data->set.str[STRING_SSL_EGDSOCKET]; + data->set.ssl.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST]; ++ data->set.ssl.clientcert = data->set.str[STRING_CERT]; + #ifdef USE_TLS_SRP + data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; + data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; +diff --git a/lib/urldata.h b/lib/urldata.h +index 05bda79..3abece7 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -346,6 +346,7 @@ struct ssl_config_data { + char *CAfile; /* certificate to verify peer against */ + const char *CRLfile; /* CRL to check certificate revocation */ + const char *issuercert;/* optional issuer certificate filename */ ++ char *clientcert; + char *random_file; /* path to file containing "random" data */ + char *egdsocket; /* path to file containing the EGD daemon socket */ + char *cipher_list; /* list of ciphers to use */ +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 42a2b58..879918b 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -156,6 +156,15 @@ Curl_clone_ssl_config(struct ssl_config_data *source, + else + dest->random_file = NULL; + ++ if(source->clientcert) { ++ dest->clientcert = strdup(source->clientcert); ++ if(!dest->clientcert) ++ return FALSE; ++ dest->sessionid = FALSE; ++ } ++ else ++ dest->clientcert = NULL; ++ + return TRUE; + } + +@@ -166,6 +175,7 @@ void Curl_free_ssl_config(struct ssl_config_data* sslc) + Curl_safefree(sslc->cipher_list); + Curl_safefree(sslc->egdsocket); + Curl_safefree(sslc->random_file); ++ Curl_safefree(sslc->clientcert); + } + + +-- +2.5.5 + diff --git a/curl.spec b/curl.spec index 0d76942..4358627 100644 --- a/curl.spec +++ b/curl.spec @@ -31,6 +31,9 @@ Patch7: 0007-curl-7.49.1-urlglob.patch # fix use of connection struct after free (CVE-2016-5421) Patch8: 0008-curl-7.47.1-CVE-2016-5421.patch +# fix TLS session resumption client cert bypass (CVE-2016-5419) +Patch9: 0009-curl-7.47.1-CVE-2016-5419.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -149,6 +152,7 @@ documentation of the library, too. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 # Fedora patches %patch101 -p1 @@ -269,6 +273,7 @@ rm -rf $RPM_BUILD_ROOT %changelog * Wed Aug 03 2016 Kamil Dudka 7.43.0-8 +- fix TLS session resumption client cert bypass (CVE-2016-5419) - fix use of connection struct after free (CVE-2016-5421) * Fri Jun 03 2016 Kamil Dudka 7.43.0-7