Resolves: CVE-2016-8616 - compare user/passwd case-sensitively while reusing connections

2016-11-02 17:58:28 +01:00 · 2016-11-02 17:58:28 +01:00 · b9022e2512
parent aab38786d3
commit b9022e2512
2 changed files with 62 additions and 0 deletions
--- a/0021-curl-7.47.1-CVE-2016-8616.patch
+++ b/0021-curl-7.47.1-CVE-2016-8616.patch
@ -0,0 +1,57 @@
+From 5bc491031e5fb48a3d09762c1cebd690b8aa4d46 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Sep 2016 18:01:53 +0200
+Subject: [PATCH] connectionexists: use case sensitive user/password
+ comparisons
+
+CVE-2016-8616
+
+Bug: https://curl.haxx.se/docs/adv_20161102B.html
+Reported-by: Cure53
+
+Upstream-commit: b3ee26c5df75d97f6895e6ec4538894ebaf76e48
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index a88903c..b6ad5a6 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -3305,8 +3305,8 @@ ConnectionExists(struct SessionHandle *data,
+       if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
+         /* This protocol requires credentials per connection,
+            so verify that we're using the same name and password as well */
+-        if(!strequal(needle->user, check->user) ||
+-           !strequal(needle->passwd, check->passwd)) {
+        if(strcmp(needle->user, check->user) ||
+           strcmp(needle->passwd, check->passwd)) {
+           /* one of them was different */
+           continue;
+         }
+@@ -3369,8 +3369,8 @@ ConnectionExists(struct SessionHandle *data,
+            possible. (Especially we must not reuse the same connection if
+            partway through a handshake!) */
+         if(wantNTLMhttp) {
+-          if(!strequal(needle->user, check->user) ||
+-             !strequal(needle->passwd, check->passwd))
+          if(strcmp(needle->user, check->user) ||
+             strcmp(needle->passwd, check->passwd))
+             continue;
+         }
+         else if(check->ntlm.state != NTLMSTATE_NONE) {
+@@ -3380,8 +3380,8 @@ ConnectionExists(struct SessionHandle *data,
+ 
+         /* Same for Proxy NTLM authentication */
+         if(wantProxyNTLMhttp) {
+-          if(!strequal(needle->proxyuser, check->proxyuser) ||
+-             !strequal(needle->proxypasswd, check->proxypasswd))
+          if(strcmp(needle->proxyuser, check->proxyuser) ||
+             strcmp(needle->proxypasswd, check->proxypasswd))
+             continue;
+         }
+         else if(check->proxyntlm.state != NTLMSTATE_NONE) {
+-- 
+2.7.4
+
--- a/curl.spec
+++ b/curl.spec
@ -52,6 +52,9 @@ Patch19:  0019-curl-7.47.1-CVE-2016-8619.patch
 # base64: check for integer overflow on large input (CVE-2016-8617)
 Patch20:  0020-curl-7.47.1-CVE-2016-8617.patch

+# compare user/passwd case-sensitively while reusing connections (CVE-2016-8616)
+Patch21:  0021-curl-7.47.1-CVE-2016-8616.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -180,6 +183,7 @@ documentation of the library, too.
 %patch18 -p1
 %patch19 -p1
 %patch20 -p1
+%patch21 -p1

 # Fedora patches
 %patch101 -p1
@ -296,6 +300,7 @@ rm -rf $RPM_BUILD_ROOT

 %changelog
 * Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-9
+- compare user/passwd case-sensitively while reusing connections (CVE-2016-8616)
 - base64: check for integer overflow on large input (CVE-2016-8617)
 - fix double-free in krb5 code (CVE-2016-8619)
 - fix double-free in curl_maprintf() (CVE-2016-8618)