Resolves: CVE-2022-32206 - fix HTTP compression denial of service
This commit is contained in:
parent
424d9c193f
commit
c76b2a1a9f
144
0011-curl-7.82.0-CVE-2022-32206.patch
Normal file
144
0011-curl-7.82.0-CVE-2022-32206.patch
Normal file
@ -0,0 +1,144 @@
|
|||||||
|
From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 16 May 2022 16:28:13 +0200
|
||||||
|
Subject: [PATCH 1/2] content_encoding: return error on too many compression
|
||||||
|
steps
|
||||||
|
|
||||||
|
The max allowed steps is arbitrarily set to 5.
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-32206.html
|
||||||
|
CVE-2022-32206
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Closes #9049
|
||||||
|
|
||||||
|
Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/content_encoding.c | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/content_encoding.c b/lib/content_encoding.c
|
||||||
|
index c03637a..6f994b3 100644
|
||||||
|
--- a/lib/content_encoding.c
|
||||||
|
+++ b/lib/content_encoding.c
|
||||||
|
@@ -1026,12 +1026,16 @@ static const struct content_encoding *find_encoding(const char *name,
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* allow no more than 5 "chained" compression steps */
|
||||||
|
+#define MAX_ENCODE_STACK 5
|
||||||
|
+
|
||||||
|
/* Set-up the unencoding stack from the Content-Encoding header value.
|
||||||
|
* See RFC 7231 section 3.1.2.2. */
|
||||||
|
CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
|
||||||
|
const char *enclist, int maybechunked)
|
||||||
|
{
|
||||||
|
struct SingleRequest *k = &data->req;
|
||||||
|
+ int counter = 0;
|
||||||
|
|
||||||
|
do {
|
||||||
|
const char *name;
|
||||||
|
@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
|
||||||
|
if(!encoding)
|
||||||
|
encoding = &error_encoding; /* Defer error at stack use. */
|
||||||
|
|
||||||
|
+ if(++counter >= MAX_ENCODE_STACK) {
|
||||||
|
+ failf(data, "Reject response due to %u content encodings",
|
||||||
|
+ counter);
|
||||||
|
+ return CURLE_BAD_CONTENT_ENCODING;
|
||||||
|
+ }
|
||||||
|
/* Stack the unencoding stage. */
|
||||||
|
writer = new_unencoding_writer(data, encoding, k->writer_stack);
|
||||||
|
if(!writer)
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
||||||
|
|
||||||
|
From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 16 May 2022 16:29:07 +0200
|
||||||
|
Subject: [PATCH 2/2] test387: verify rejection of compression chain attack
|
||||||
|
|
||||||
|
Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/Makefile.inc | 2 +-
|
||||||
|
tests/data/test387 | 53 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 54 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 tests/data/test387
|
||||||
|
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index 98d5516..9b5f4fb 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -63,7 +63,7 @@ test352 test353 test354 test355 test356 test357 test358 test359 test360 \
|
||||||
|
test361 test362 test363 test364 test365 test366 test367 test368 test369 \
|
||||||
|
test370 test371 test372 test373 test374 \
|
||||||
|
\
|
||||||
|
-test380 test381 test383 test384 test385 test386 \
|
||||||
|
+test380 test381 test383 test384 test385 test386 test387 \
|
||||||
|
\
|
||||||
|
test392 test393 test394 test395 test396 test397 \
|
||||||
|
\
|
||||||
|
diff --git a/tests/data/test387 b/tests/data/test387
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..015ec25
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test387
|
||||||
|
@@ -0,0 +1,53 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+gzip
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data nocheck="yes">
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip
|
||||||
|
+
|
||||||
|
+-foo-
|
||||||
|
+</data>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+Response with overly long compression chain
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET /%TESTNUMBER HTTP/1.1
|
||||||
|
+Host: %HOSTIP:%HTTPPORT
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+
|
||||||
|
+# CURLE_BAD_CONTENT_ENCODING is 61
|
||||||
|
+<errorcode>
|
||||||
|
+61
|
||||||
|
+</errorcode>
|
||||||
|
+<stderr mode="text">
|
||||||
|
+curl: (61) Reject response due to 5 content encodings
|
||||||
|
+</stderr>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
@ -40,6 +40,9 @@ Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch
|
|||||||
# fix FTP-KRB bad message verification (CVE-2022-32208)
|
# fix FTP-KRB bad message verification (CVE-2022-32208)
|
||||||
Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch
|
Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch
|
||||||
|
|
||||||
|
# fix HTTP compression denial of service (CVE-2022-32206)
|
||||||
|
Patch11: 0011-curl-7.82.0-CVE-2022-32206.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -224,6 +227,7 @@ be installed.
|
|||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
%patch10 -p1
|
%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -452,6 +456,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-6
|
* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-6
|
||||||
|
- fix HTTP compression denial of service (CVE-2022-32206)
|
||||||
- fix FTP-KRB bad message verification (CVE-2022-32208)
|
- fix FTP-KRB bad message verification (CVE-2022-32208)
|
||||||
|
|
||||||
* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-5
|
* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-5
|
||||||
|
Loading…
Reference in New Issue
Block a user