From 8cc82f17a1e8fc2ddb061b2986316d7b82adb4c8 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 2 Nov 2016 16:36:30 +0100
Subject: [PATCH] Resolves: CVE-2016-8624 - urlparse: accept '#' as end of host name
---
 0013-curl-7.47.1-CVE-2016-8624.patch | 162 +++++++++++++++++++++++++++
 curl.spec | 5 +
 2 files changed, 167 insertions(+)
 create mode 100644 0013-curl-7.47.1-CVE-2016-8624.patch
diff --git a/0013-curl-7.47.1-CVE-2016-8624.patch b/0013-curl-7.47.1-CVE-2016-8624.patch
new file mode 100644
index 0000000..f34dc0a
--- /dev/null
+++ b/0013-curl-7.47.1-CVE-2016-8624.patch
@@ -0,0 +1,162 @@
+From 0eefde2bae1576ec5a4eca30bd1abbe0fc1be3ea Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 11 Oct 2016 00:48:35 +0200
+Subject: [PATCH 1/2] urlparse: accept '#' as end of host name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
+for the '/' document with the rest of the URL being a fragment.
+
+CVE-2016-8624
+
+Bug: https://curl.haxx.se/docs/adv_20161102J.html
+Reported-by: Fernando Muñoz
+
+Upstream-commit: 3bb273db7e40ebc284cff45f3ce3f0475c8339c2
+Signed-off-by: Kamil Dudka
+---
+ lib/url.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index ff99c58..ff14dad 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -4086,7 +4086,7 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
+ path[0]=0;
+
+ if(2 > sscanf(data->change.url,
+- "%15[^\n:]://%[^\n/?]%[^\n]",
++ "%15[^\n:]://%[^\n/?#]%[^\n]",
+ protobuf,
+ conn->host.name, path)) {
+
+@@ -4094,7 +4094,7 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
+ * The URL was badly formatted, let's try the browser-style _without_
+ * protocol specified like 'http://'.
+ */
+- rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path);
++ rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path);
+ if(1 > rc) {
+ /*
+ * We couldn't even get this format.
+@@ -4184,10 +4184,10 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
+ }
+
+ /* If the URL is malformatted (missing a '/' after hostname before path) we
+- * insert a slash here. The only letter except '/' we accept to start a path
+- * is '?'.
++ * insert a slash here. The only letters except '/' that can start a path is
++ * '?' and '#' - as controlled by the two sscanf() patterns above.
+ */
+- if(path[0] == '?') {
++ if(path[0] != '/') {
+ /* We need this function to deal with overlapping memory areas. We know
+ that the memory area 'path' points to is 'urllen' bytes big and that
+ is bigger than the path. Use +1 to move the zero byte too. */
+--
+2.7.4
+
+
+From c0304cbed088744f3c72a93b29bb58c8bc92d48a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 11 Oct 2016 00:54:51 +0200
+Subject: [PATCH 2/2] test1246: verify URL parsing with host name ending with
+ '#'
+Upstream-commit: 42b650b9ea5f26b2f5347af3072eaf690658ed62
+Signed-off-by: Kamil Dudka
+---
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test1246 | 64 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 65 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test1246
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 7321ad5..b4bec03 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -126,7 +126,7 @@ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+ test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
+ test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
+-test1236 test1237 test1238 test1239 test1240 test1241 \
++test1236 test1237 test1238 test1239 test1240 test1241 test1246 \
+ \
+ test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
+ test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \
+diff --git a/tests/data/test1246 b/tests/data/test1246
+new file mode 100644
+index 0000000..6565929
+--- /dev/null
++++ b/tests/data/test1246
+@@ -0,0 +1,64 @@
++
++
++# verify URL with hostname ending in pound sign
++
++HTTP
++HTTP GET
++HTTP proxy
++
++
++
++#
++# Server-side
++
++
++HTTP/1.1 200 OK
++Content-Length: 6
++Connection: close
++
++-foo-
++
++
++
++HTTP/1.1 200 OK
++Content-Length: 7
++Connection: close
++
++-cool-
++
++
++
++#
++# Client-side
++
++
++http
++
++ ++URL with '#' at end of host name instead of '/' ++ ++ ++--proxy http://%HOSTIP:%HTTPPORT http://test.remote.haxx.se.1246:%HTTPPORT#@127.0.0.1/tricked.html no-scheme-url.com.1246:%HTTPPORT#@127.127.127.127/again.html ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++GET http://test.remote.haxx.se.1246:%HTTPPORT/ HTTP/1.1 ++Host: test.remote.haxx.se.1246:%HTTPPORT ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://no-scheme-url.com.1246:%HTTPPORT/ HTTP/1.1 ++Host: no-scheme-url.com.1246:%HTTPPORT ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +2.7.4 + diff --git a/curl.spec b/curl.spec index 814b067..2f11a26 100644 --- a/curl.spec +++ b/curl.spec @@ -28,6 +28,9 @@ Patch11: 0011-curl-7.47.1-find-slot-race.patch # reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167) Patch12: 0012-curl-7.47.1-CVE-2016-7167.patch +# urlparse: accept '#' as end of host name (CVE-2016-8624) +Patch13: 0013-curl-7.47.1-CVE-2016-8624.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -148,6 +151,7 @@ documentation of the library, too. %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 # Fedora patches %patch101 -p1 @@ -264,6 +268,7 @@ rm -rf $RPM_BUILD_ROOT %changelog * Wed Nov 02 2016 Kamil Dudka 7.47.1-9 +- urlparse: accept '#' as end of host name (CVE-2016-8624) - run autoreconf in %%prep to avoid patching Makefile.in files from now on * Wed Sep 14 2016 Kamil Dudka 7.47.1-8
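Review bot: The widened guard `if(path[0] != '/')` in the backported lib/url.c hunk at 4184 also fires when `path` is empty (`path[0]=0;` is set in the hunk at 4086 and the no-scheme `sscanf()` at 4094 may leave it that way), not only for the '?' and '#' starters the updated comment names; the body that inserts the slash and the rest of parseurlandfillconn lie outside the hunk, so I cannot see whether an earlier check already guarantees a non-empty path. If turning an empty path into "/" here is intended, the comment should say so, e.g. `* An empty path is turned into "/" by the same branch.`; if not, the condition should match the comment, `if(path[0] == '?' || path[0] == '#') {`. On coverage, test1246 sends both URL forms only through `--proxy`, where the request-target and `Host:` header are verified; a direct (no-proxy) case would exercise the same host/fragment split without the proxy-URL rewrite, but I am inferring from the `<command>` line that no such case exists elsewhere.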