Resolves: CVE-2016-5419 - fix TLS session resumption client cert bypass

2016-08-03 16:47:36 +02:00 · 2016-08-03 16:47:36 +02:00 · 1c9b12b033
commit 1c9b12b033
parent a91699a8d3
2 changed files with 78 additions and 0 deletions
--- a/0009-curl-7.47.1-CVE-2016-5419.patch
+++ b/0009-curl-7.47.1-CVE-2016-5419.patch
@ -0,0 +1,73 @@
+From 419fc844f483eefd4843a4c1ca30e8187923454a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 1 Jul 2016 13:32:31 +0200
+Subject: [PATCH] TLS: switch off SSL session id when client cert is used
+
+CVE-2016-5419
+Bug: https://curl.haxx.se/docs/adv_20160803A.html
+Reported-by: Bru Rom
+Contributions-by: Eric Rescorla and Ray Satiro
+
+Upstream-commit: 247d890da88f9ee817079e246c59f3d7d12fde5f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c       |  1 +
+ lib/urldata.h   |  1 +
+ lib/vtls/vtls.c | 10 ++++++++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index f32c8cf..be9cbea 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -5691,6 +5691,7 @@ static CURLcode create_conn(struct SessionHandle *data,
+   data->set.ssl.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+   data->set.ssl.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+   data->set.ssl.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
+  data->set.ssl.clientcert = data->set.str[STRING_CERT];
+ #ifdef USE_TLS_SRP
+   data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
+   data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 05bda79..3abece7 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -346,6 +346,7 @@ struct ssl_config_data {
+   char *CAfile;          /* certificate to verify peer against */
+   const char *CRLfile;   /* CRL to check certificate revocation */
+   const char *issuercert;/* optional issuer certificate filename */
+  char *clientcert;
+   char *random_file;     /* path to file containing "random" data */
+   char *egdsocket;       /* path to file containing the EGD daemon socket */
+   char *cipher_list;     /* list of ciphers to use */
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 42a2b58..879918b 100644
+--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
+@@ -156,6 +156,15 @@ Curl_clone_ssl_config(struct ssl_config_data *source,
+   else
+     dest->random_file = NULL;
+ 
+  if(source->clientcert) {
+    dest->clientcert = strdup(source->clientcert);
+    if(!dest->clientcert)
+      return FALSE;
+    dest->sessionid = FALSE;
+  }
+  else
+    dest->clientcert = NULL;
+
+   return TRUE;
+ }
+ 
+@@ -166,6 +175,7 @@ void Curl_free_ssl_config(struct ssl_config_data* sslc)
+   Curl_safefree(sslc->cipher_list);
+   Curl_safefree(sslc->egdsocket);
+   Curl_safefree(sslc->random_file);
+  Curl_safefree(sslc->clientcert);
+ }
+ 
+ 
+-- 
+2.5.5
+
--- a/curl.spec
+++ b/curl.spec
@ -31,6 +31,9 @@ Patch7:   0007-curl-7.49.1-urlglob.patch
 # fix use of connection struct after free (CVE-2016-5421)
 Patch8:   0008-curl-7.47.1-CVE-2016-5421.patch

+# fix TLS session resumption client cert bypass (CVE-2016-5419)
+Patch9:   0009-curl-7.47.1-CVE-2016-5419.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -149,6 +152,7 @@ documentation of the library, too.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1

 # Fedora patches
 %patch101 -p1
@ -269,6 +273,7 @@ rm -rf $RPM_BUILD_ROOT

 %changelog
 * Wed Aug 03 2016 Kamil Dudka <kdudka@redhat.com> 7.43.0-8
+- fix TLS session resumption client cert bypass (CVE-2016-5419)
 - fix use of connection struct after free (CVE-2016-5421)

 * Fri Jun 03 2016 Kamil Dudka <kdudka@redhat.com> 7.43.0-7