From 712c55059625072bc25ca769126b5f01fc60faba Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 17 Jun 2015 15:48:15 +0200
Subject: [PATCH] new upstream release - 7.43.0 (fixes CVE-2015-3236 and CVE-2015-3237)
---
 0001-curl-7.42.1-b47c17d6.patch | 150 --------------------------------
 0102-curl-7.36.0-debug.patch | 2 +-
 0108-curl-7.32.0-utf8.patch | 25 ------
 curl-7.42.1.tar.lzma.asc | 7 --
 curl-7.43.0.tar.lzma.asc | 7 ++
 curl.spec | 16 ++--
 sources | 2 +-
 7 files changed, 14 insertions(+), 195 deletions(-)
 delete mode 100644 0001-curl-7.42.1-b47c17d6.patch
 delete mode 100644 0108-curl-7.32.0-utf8.patch
 delete mode 100644 curl-7.42.1.tar.lzma.asc
 create mode 100644 curl-7.43.0.tar.lzma.asc

diff --git a/0001-curl-7.42.1-b47c17d6.patch b/0001-curl-7.42.1-b47c17d6.patch
deleted file mode 100644
index 7a43800..0000000
--- a/0001-curl-7.42.1-b47c17d6.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From e5b6de7f78806f82dee0c5359e18d904e56836c6 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Wed, 25 Mar 2015 13:48:41 +0100
-Subject: [PATCH] nss: implement public key pinning for NSS backend
-
-Bug: https://bugzilla.redhat.com/1195771
-
-Upstream-commit: b47c17d67c9b5c9e985375b090f0140bf43cb146
-Signed-off-by: Kamil Dudka
----
- docs/curl.1 | 3 +-
- docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 | 2 +-
- lib/vtls/nss.c | 53 +++++++++++++++++++++++++++++
- src/tool_help.c | 2 +-
- tests/runtests.pl | 1 +
- 5 files changed, 58 insertions(+), 3 deletions(-)
-
-diff --git a/docs/curl.1 b/docs/curl.1
-index 908f648..0e56715 100644
---- a/docs/curl.1
-+++ b/docs/curl.1
-@@ -548,7 +548,8 @@ indicating its identity. A public key is extracted from this certificate and
- if it does not exactly match the public key provided to this option, curl will
- abort the connection before sending or receiving any data.
- 
--This is currently only implemented in the OpenSSL, GnuTLS and GSKit backends.
-+This is currently only implemented in the OpenSSL, GnuTLS, NSS and GSKit
-+backends.
- 
- If this option is used several times, the last one will be used.
- (Added in 7.39.0)
-diff --git a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
-index 2d86392..4cc68b1 100644
---- a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
-+++ b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
-@@ -52,7 +52,7 @@ if(curl) {
- .fi
- .SH AVAILABILITY
- If built TLS enabled. This is currently only implemented in the OpenSSL,
--GnuTLS and GSKit backends.
-+GnuTLS, NSS and GSKit backends.
- 
- Added in libcurl 7.39.0
- .SH RETURN VALUE
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index feb00ca..daf12a9 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -56,6 +56,7 @@
- #include
- #include
- #include
-+#include /* for SECKEY_DestroyPublicKey() */
- 
- #define NSSVERNUM ((NSS_VMAJOR<<16)|(NSS_VMINOR<<8)|NSS_VPATCH)
- 
-@@ -943,6 +944,53 @@ static SECStatus check_issuer_cert(PRFileDesc *sock,
- return res;
- }
- 
-+static CURLcode cmp_peer_pubkey(struct ssl_connect_data *connssl,
-+ const char *pinnedpubkey)
-+{
-+ CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
-+ struct SessionHandle *data = connssl->data;
-+ CERTCertificate *cert;
-+
-+ if(!pinnedpubkey)
-+ /* no pinned public key specified */
-+ return CURLE_OK;
-+
-+ /* get peer certificate */
-+ cert = SSL_PeerCertificate(connssl->handle);
-+ if(cert) {
-+ /* extract public key from peer certificate */
-+ SECKEYPublicKey *pubkey = CERT_ExtractPublicKey(cert);
-+ if(pubkey) {
-+ /* encode the public key as DER */
-+ SECItem *cert_der = PK11_DEREncodePublicKey(pubkey);
-+ if(cert_der) {
-+ /* compare the public key with the pinned public key */
-+ result = Curl_pin_peer_pubkey(pinnedpubkey,
-+ cert_der->data,
-+ cert_der->len);
-+ SECITEM_FreeItem(cert_der, PR_TRUE);
-+ }
-+ SECKEY_DestroyPublicKey(pubkey);
-+ }
-+ CERT_DestroyCertificate(cert);
-+ }
-+
-+ /* report the resulting status */
-+ switch(result) {
-+ case CURLE_OK:
-+ infof(data, "pinned public key verified successfully!\n");
-+ break;
-+ case CURLE_SSL_PINNEDPUBKEYNOTMATCH:
-+ failf(data, "failed to verify pinned public key");
-+ break;
-+ default:
-+ /* OOM, etc. */
-+ break;
-+ }
-+
-+ return result;
-+}
-+
- /**
- *
- * Callback to pick the SSL client certificate.
-@@ -1806,6 +1854,11 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
- }
- }
- 
-+ result = cmp_peer_pubkey(connssl, data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
-+ if(result)
-+ /* status already printed */
-+ goto error;
-+
- return CURLE_OK;
- 
- error:
-diff --git a/src/tool_help.c b/src/tool_help.c
-index bb7aa7c..27638ef 100644
---- a/src/tool_help.c
-+++ b/src/tool_help.c
-@@ -156,7 +156,7 @@ static const char *const helptext[] = {
- " --pass PASS Pass phrase for the private key (SSL/SSH)",
- " --path-as-is Do not squash .. sequences in URL path",
- " --pinnedpubkey FILE Public key (PEM/DER) to verify peer against "
-- "(OpenSSL/GnuTLS/GSKit only)",
-+ "(OpenSSL/GnuTLS/NSS/GSKit only)",
- " --post301 "
- "Do not switch to GET after following a 301 redirect (H)",
- " --post302 "
-diff --git a/tests/runtests.pl b/tests/runtests.pl
-index ef9d3c8..b64c423 100755
---- a/tests/runtests.pl
-+++ b/tests/runtests.pl
-@@ -2346,6 +2346,7 @@ sub checksystem {
- }
- elsif ($libcurl =~ /nss/i) {
- $has_nss=1;
-+ $has_sslpinning=1;
- $ssllib="NSS";
- }
- elsif ($libcurl =~ /(yassl|wolfssl)/i) {
---
-2.3.5
-
diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch
index 9527166..7232a68 100644
--- a/0102-curl-7.36.0-debug.patch
+++ b/0102-curl-7.36.0-debug.patch
@@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -16068,18 +16068,11 @@ $as_echo "yes" >&6; }
+@@ -16075,18 +16075,11 @@ $as_echo "yes" >&6; }
 gccvhi=`echo $gccver | cut -d . -f1`
 gccvlo=`echo $gccver | cut -d . -f2`
 compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
diff --git a/0108-curl-7.32.0-utf8.patch b/0108-curl-7.32.0-utf8.patch
deleted file mode 100644
index c6d0cc7..0000000
--- a/0108-curl-7.32.0-utf8.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From c6246783cf347652f70d95c0562dd411747e9d53 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Wed, 31 Oct 2012 11:40:30 +0100
-Subject: [PATCH] Fix character encoding of docs
-
-..., which are of mixed encoding originally so a simple iconv can't
-fix them.
----
- README | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/README b/README
-index 2ffacc3..cfd6760 100644
---- a/README
-+++ b/README
-@@ -45,5 +45,5 @@ GIT
- NOTICE
- 
- Curl contains pieces of source code that is Copyright (c) 1998, 1999
-- Kungliga Tekniska Högskolan. This notice is included here to comply with the
-+ Kungliga Tekniska Högskolan. This notice is included here to comply with the
- distribution terms.
---
-1.7.1
-
diff --git a/curl-7.42.1.tar.lzma.asc b/curl-7.42.1.tar.lzma.asc
deleted file mode 100644
index 760fdd9..0000000
--- a/curl-7.42.1.tar.lzma.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAlVAdY8ACgkQeOEcayedXJEnugCeKbbLQ/LtJLXKFY4RI1pxERMo
-9dIAnRheh6V5PzOCo1CuzaAfyVM+5Xfj
-=kzMD
------END PGP SIGNATURE-----
diff --git a/curl-7.43.0.tar.lzma.asc b/curl-7.43.0.tar.lzma.asc
new file mode 100644
index 0000000..0898e26
--- /dev/null
+++ b/curl-7.43.0.tar.lzma.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iEYEABECAAYFAlWBDEMACgkQeOEcayedXJEmEACfRhRhpQINTGbbdK2u/p97qMzq
+EBsAn1SxVVYoOudPZ0SOZ+10cau0b0sC
+=Zuc9
+-----END PGP SIGNATURE-----
diff --git a/curl.spec b/curl.spec
index ee07d15..c825a4c 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,15 +1,12 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.42.1
-Release: 3%{?dist}
+Version: 7.43.0
+Release: 1%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
 Source2: curlbuild.h
 
-# implement public key pinning for NSS backend (#1195771)
-Patch1: 0001-curl-7.42.1-b47c17d6.patch
-
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -22,10 +19,6 @@ Patch104: 0104-curl-7.19.7-localhost6.patch
 # work around valgrind bug (#678518)
 Patch107: 0107-curl-7.21.4-libidn-valgrind.patch
 
-# Fix character encoding of docs, which are of mixed encoding originally so
-# a simple iconv can't fix them
-Patch108: 0108-curl-7.32.0-utf8.patch
-
 Provides: webclient
 URL: http://curl.haxx.se/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
@@ -118,14 +111,12 @@ documentation of the library, too.
 %setup -q
 
 # upstream patches
-%patch1 -p1
 
 # Fedora patches
 %patch101 -p1
 %patch102 -p1
 %patch104 -p1
 %patch107 -p1
-%patch108 -p1
 
 # replace hard wired port numbers in the test suite (this only boosts test
 # coverage by enabling tests that would otherwise be disabled due to using
@@ -237,6 +228,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Wed Jun 17 2015 Kamil Dudka 7.43.0-1
+- new upstream release (fixes CVE-2015-3236 and CVE-2015-3237)
+
 * Wed Jun 17 2015 Fedora Release Engineering - 7.42.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 
diff --git a/sources b/sources
index 1860cf8..cd9c54c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-f1e460020a99da039b153e4bf0cd8600 curl-7.42.1.tar.lzma
+95df6d1ce9c970289d2997e603d6fd79 curl-7.43.0.tar.lzma
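Review bot: The detached signature this commit adds as curl-7.43.0.tar.lzma.asc is not referenced anywhere in curl.spec — the first hunk keeps only `Source:` and `Source2:`, and `%prep` in the third hunk runs `%setup -q` with no signature step — so the only integrity check the build itself performs on the new tarball is the 32-hex-digit digest in `sources` (apparently MD5), which is not collision resistant. Whether the tarball was checked against the signature before the digest was updated is not recorded; a comment next to `Source:` such as `# upstream tarball is GPG-signed; verify against %{name}-%{version}.tar.lzma.asc before updating 'sources'` makes the expectation explicit, and carrying the .asc as a further Source with a verification step in %prep would make it enforceable if the build environment has the signing key available. The `# upstream patches` heading in the third hunk is left with no `%patch` line under it now that Patch1 is dropped; either remove it or keep a placeholder comment so the section's intent stays clear. The new changelog entry names the two CVEs but no bug ids, unlike the `(#1195771)` style the spec uses on its patch comments; if tracker bugs exist for these CVEs, this line is the place to cite them.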