Resolves: CVE-2022-32208 - fix FTP-KRB bad message verification
This commit is contained in:
parent
c637ed663b
commit
424d9c193f
70
0010-curl-7.82.0-CVE-2022-32208.patch
Normal file
70
0010-curl-7.82.0-CVE-2022-32208.patch
Normal file
@ -0,0 +1,70 @@
|
||||
From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 9 Jun 2022 09:27:24 +0200
|
||||
Subject: [PATCH] krb5: return error properly on decode errors
|
||||
|
||||
Bug: https://curl.se/docs/CVE-2022-32208.html
|
||||
CVE-2022-32208
|
||||
Reported-by: Harry Sintonen
|
||||
Closes #9051
|
||||
|
||||
Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/krb5.c | 18 +++++++++++-------
|
||||
1 file changed, 11 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/lib/krb5.c b/lib/krb5.c
|
||||
index 787137c..6f9e1f7 100644
|
||||
--- a/lib/krb5.c
|
||||
+++ b/lib/krb5.c
|
||||
@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
|
||||
enc.value = buf;
|
||||
enc.length = len;
|
||||
maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
|
||||
- if(maj != GSS_S_COMPLETE) {
|
||||
- if(len >= 4)
|
||||
- strcpy(buf, "599 ");
|
||||
+ if(maj != GSS_S_COMPLETE)
|
||||
return -1;
|
||||
- }
|
||||
|
||||
memcpy(buf, dec.value, dec.length);
|
||||
len = curlx_uztosi(dec.length);
|
||||
@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
|
||||
{
|
||||
int len;
|
||||
CURLcode result;
|
||||
+ int nread;
|
||||
|
||||
result = socket_read(fd, &len, sizeof(len));
|
||||
if(result)
|
||||
@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
|
||||
if(len) {
|
||||
/* only realloc if there was a length */
|
||||
len = ntohl(len);
|
||||
- buf->data = Curl_saferealloc(buf->data, len);
|
||||
+ if(len > CURL_MAX_INPUT_LENGTH)
|
||||
+ len = 0;
|
||||
+ else
|
||||
+ buf->data = Curl_saferealloc(buf->data, len);
|
||||
}
|
||||
if(!len || !buf->data)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
|
||||
result = socket_read(fd, buf->data, len);
|
||||
if(result)
|
||||
return result;
|
||||
- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
|
||||
- conn->data_prot, conn);
|
||||
+ nread = conn->mech->decode(conn->app_data, buf->data, len,
|
||||
+ conn->data_prot, conn);
|
||||
+ if(nread < 0)
|
||||
+ return CURLE_RECV_ERROR;
|
||||
+ buf->size = (size_t)nread;
|
||||
buf->index = 0;
|
||||
return CURLE_OK;
|
||||
}
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.82.0
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: MIT
|
||||
Source0: https://curl.se/download/%{name}-%{version}.tar.xz
|
||||
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
||||
@ -37,6 +37,9 @@ Patch8: 0008-curl-7.82.0-CVE-2022-27779.patch
|
||||
# fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
|
||||
Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch
|
||||
|
||||
# fix FTP-KRB bad message verification (CVE-2022-32208)
|
||||
Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -220,6 +223,7 @@ be installed.
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
@ -447,6 +451,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-6
|
||||
- fix FTP-KRB bad message verification (CVE-2022-32208)
|
||||
|
||||
* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-5
|
||||
- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
|
||||
- do not accept cookies for TLD with trailing dot (CVE-2022-27779)
|
||||
|
Loading…
Reference in New Issue
Block a user