Resolves: CVE-2022-32208 - fix FTP-KRB bad message verification

2022-06-29 10:56:13 +02:00 · 2022-06-29 10:56:13 +02:00 · 424d9c193f
commit 424d9c193f
parent c637ed663b
2 changed files with 78 additions and 1 deletions
--- a/0010-curl-7.82.0-CVE-2022-32208.patch
+++ b/0010-curl-7.82.0-CVE-2022-32208.patch
@ -0,0 +1,70 @@
 From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Thu, 9 Jun 2022 09:27:24 +0200
 Subject: [PATCH] krb5: return error properly on decode errors
 Bug: https://curl.se/docs/CVE-2022-32208.html
 CVE-2022-32208
 Reported-by: Harry Sintonen
 Closes #9051
 Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 lib/krb5.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
 diff --git a/lib/krb5.c b/lib/krb5.c
 index 787137c..6f9e1f7 100644
 --- a/lib/krb5.c
 +++ b/lib/krb5.c
@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
   enc.value = buf;
   enc.length = len;
   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
 -  if(maj != GSS_S_COMPLETE) {
 -    if(len >= 4)
 -      strcpy(buf, "599 ");
 +  if(maj != GSS_S_COMPLETE)
     return -1;
 -  }
   memcpy(buf, dec.value, dec.length);
   len = curlx_uztosi(dec.length);
@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
 {
   int len;
   CURLcode result;
 +  int nread;
   result = socket_read(fd, &len, sizeof(len));
   if(result)
@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
   if(len) {
     /* only realloc if there was a length */
     len = ntohl(len);
 -    buf->data = Curl_saferealloc(buf->data, len);
 +    if(len > CURL_MAX_INPUT_LENGTH)
 +      len = 0;
 +    else
 +      buf->data = Curl_saferealloc(buf->data, len);
   }
   if(!len || !buf->data)
     return CURLE_OUT_OF_MEMORY;
@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
   result = socket_read(fd, buf->data, len);
   if(result)
     return result;
 -  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
 -                                 conn->data_prot, conn);
 +  nread = conn->mech->decode(conn->app_data, buf->data, len,
 +                             conn->data_prot, conn);
 +  if(nread < 0)
 +    return CURLE_RECV_ERROR;
 +  buf->size = (size_t)nread;
   buf->index = 0;
   return CURLE_OK;
 }
 -- 
 2.35.3
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.82.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: MIT
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@ -37,6 +37,9 @@ Patch8: 0008-curl-7.82.0-CVE-2022-27779.patch
 # fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
 Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch
 # fix FTP-KRB bad message verification (CVE-2022-32208)
 Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -220,6 +223,7 @@ be installed.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
 # Fedora patches
 %patch101 -p1
@ -447,6 +451,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
 * Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-6
 - fix FTP-KRB bad message verification (CVE-2022-32208)
 * Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-5
 - fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
 - do not accept cookies for TLD with trailing dot (CVE-2022-27779)