Resolves: CVE-2022-30115 - hsts: ignore trailing dots when comparing hosts names
This commit is contained in:
parent
f35a1d48bb
commit
d8e56f956c
273
0007-curl-7.82.0-CVE-2022-30115.patch
Normal file
273
0007-curl-7.82.0-CVE-2022-30115.patch
Normal file
@ -0,0 +1,273 @@
|
||||
From c8c0db4fc5459c47cb422407cfd3ee3406c40734 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 9 May 2022 08:13:54 +0200
|
||||
Subject: [PATCH 1/2] test440/441: verify HSTS with trailing dots
|
||||
|
||||
Upstream-commit: ff3ee510c328db03bf171cae6179bb9463fb054f
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
tests/data/Makefile.inc | 2 ++
|
||||
tests/data/test440 | 72 +++++++++++++++++++++++++++++++++++++++++
|
||||
tests/data/test441 | 72 +++++++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 146 insertions(+)
|
||||
create mode 100644 tests/data/test440
|
||||
create mode 100644 tests/data/test441
|
||||
|
||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||
index 175fc43..a5b8dc2 100644
|
||||
--- a/tests/data/Makefile.inc
|
||||
+++ b/tests/data/Makefile.inc
|
||||
@@ -72,6 +72,8 @@ test409 test410 \
|
||||
\
|
||||
test430 test431 test432 test433 test434 test435 test436 \
|
||||
\
|
||||
+test440 test441 \
|
||||
+\
|
||||
test490 test491 test492 test493 test494 \
|
||||
\
|
||||
test500 test501 test502 test503 test504 test505 test506 test507 test508 \
|
||||
diff --git a/tests/data/test440 b/tests/data/test440
|
||||
new file mode 100644
|
||||
index 0000000..c640b02
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test440
|
||||
@@ -0,0 +1,72 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+HTTP
|
||||
+HSTS
|
||||
+trailing-dot
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+<reply>
|
||||
+
|
||||
+# we use this as response to a CONNECT
|
||||
+<connect nocheck="yes">
|
||||
+HTTP/1.1 403 not OK at all
|
||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
+Server: test-server/fake
|
||||
+Content-Length: 6
|
||||
+Connection: close
|
||||
+Funny-head: yesyes
|
||||
+
|
||||
+-foo-
|
||||
+</connect>
|
||||
+</reply>
|
||||
+
|
||||
+<client>
|
||||
+<server>
|
||||
+http
|
||||
+</server>
|
||||
+<features>
|
||||
+HSTS
|
||||
+proxy
|
||||
+https
|
||||
+</features>
|
||||
+
|
||||
+# no trailing dot in the file only in the URL
|
||||
+<file name="log/input%TESTNUMBER">
|
||||
+this.hsts.example "99991001 04:47:41"
|
||||
+</file>
|
||||
+
|
||||
+<name>
|
||||
+HSTS with trailing-dot host name in URL but none in hsts file
|
||||
+</name>
|
||||
+<command>
|
||||
+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example./%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
|
||||
+</command>
|
||||
+</client>
|
||||
+
|
||||
+<verify>
|
||||
+# we let it CONNECT to the server to confirm HSTS but deny from there
|
||||
+<protocol>
|
||||
+CONNECT this.hsts.example.:443 HTTP/1.1
|
||||
+Host: this.hsts.example.:443
|
||||
+User-Agent: curl/%VERSION
|
||||
+Proxy-Connection: Keep-Alive
|
||||
+
|
||||
+</protocol>
|
||||
+<stdout>
|
||||
+HTTP/1.1 403 not OK at all
|
||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
+Server: test-server/fake
|
||||
+Content-Length: 6
|
||||
+Connection: close
|
||||
+Funny-head: yesyes
|
||||
+
|
||||
+https://this.hsts.example./%TESTNUMBER
|
||||
+</stdout>
|
||||
+# Proxy CONNECT aborted
|
||||
+<errorcode>
|
||||
+56
|
||||
+</errorcode>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
diff --git a/tests/data/test441 b/tests/data/test441
|
||||
new file mode 100644
|
||||
index 0000000..7f5245b
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test441
|
||||
@@ -0,0 +1,72 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+HTTP
|
||||
+HSTS
|
||||
+trailing-dot
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+<reply>
|
||||
+
|
||||
+# we use this as response to a CONNECT
|
||||
+<connect nocheck="yes">
|
||||
+HTTP/1.1 403 not OK at all
|
||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
+Server: test-server/fake
|
||||
+Content-Length: 6
|
||||
+Connection: close
|
||||
+Funny-head: yesyes
|
||||
+
|
||||
+-foo-
|
||||
+</connect>
|
||||
+</reply>
|
||||
+
|
||||
+<client>
|
||||
+<server>
|
||||
+http
|
||||
+</server>
|
||||
+<features>
|
||||
+HSTS
|
||||
+proxy
|
||||
+https
|
||||
+</features>
|
||||
+
|
||||
+# no trailing dot in the file only in the URL
|
||||
+<file name="log/input%TESTNUMBER">
|
||||
+this.hsts.example. "99991001 04:47:41"
|
||||
+</file>
|
||||
+
|
||||
+<name>
|
||||
+HSTS with no t-dot host name in URL but t-dot in file
|
||||
+</name>
|
||||
+<command>
|
||||
+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example/%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
|
||||
+</command>
|
||||
+</client>
|
||||
+
|
||||
+<verify>
|
||||
+# we let it CONNECT to the server to confirm HSTS but deny from there
|
||||
+<protocol>
|
||||
+CONNECT this.hsts.example:443 HTTP/1.1
|
||||
+Host: this.hsts.example:443
|
||||
+User-Agent: curl/%VERSION
|
||||
+Proxy-Connection: Keep-Alive
|
||||
+
|
||||
+</protocol>
|
||||
+<stdout>
|
||||
+HTTP/1.1 403 not OK at all
|
||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
+Server: test-server/fake
|
||||
+Content-Length: 6
|
||||
+Connection: close
|
||||
+Funny-head: yesyes
|
||||
+
|
||||
+https://this.hsts.example/%TESTNUMBER
|
||||
+</stdout>
|
||||
+# Proxy CONNECT aborted
|
||||
+<errorcode>
|
||||
+56
|
||||
+</errorcode>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
||||
From fa4a1193f9bb9970b925cc7795d481c8ee9a0a4a Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 9 May 2022 08:13:55 +0200
|
||||
Subject: [PATCH 2/2] hsts: ignore trailing dots when comparing hosts names
|
||||
|
||||
CVE-2022-30115
|
||||
|
||||
Reported-by: Axel Chong
|
||||
Bug: https://curl.se/docs/CVE-2022-30115.html
|
||||
Closes #8821
|
||||
|
||||
Upstream-commit: fae6fea209a2d4db1582f608bd8cc8000721733a
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/hsts.c | 30 +++++++++++++++++++++++++-----
|
||||
1 file changed, 25 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/hsts.c b/lib/hsts.c
|
||||
index 03fcc9e..b9fa6f7 100644
|
||||
--- a/lib/hsts.c
|
||||
+++ b/lib/hsts.c
|
||||
@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h,
|
||||
curl_off_t expires)
|
||||
{
|
||||
struct stsentry *sts = hsts_entry();
|
||||
+ char *duphost;
|
||||
+ size_t hlen;
|
||||
if(!sts)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
- sts->expires = expires;
|
||||
- sts->includeSubDomains = subdomains;
|
||||
- sts->host = strdup(hostname);
|
||||
- if(!sts->host) {
|
||||
+ duphost = strdup(hostname);
|
||||
+ if(!duphost) {
|
||||
free(sts);
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
}
|
||||
+
|
||||
+ hlen = strlen(duphost);
|
||||
+ if(duphost[hlen - 1] == '.')
|
||||
+ /* strip off trailing any dot */
|
||||
+ duphost[--hlen] = 0;
|
||||
+
|
||||
+ sts->host = duphost;
|
||||
+ sts->expires = expires;
|
||||
+ sts->includeSubDomains = subdomains;
|
||||
Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
|
||||
return CURLE_OK;
|
||||
}
|
||||
@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
|
||||
bool subdomain)
|
||||
{
|
||||
if(h) {
|
||||
+ char buffer[MAX_HSTS_HOSTLEN + 1];
|
||||
time_t now = time(NULL);
|
||||
size_t hlen = strlen(hostname);
|
||||
struct Curl_llist_element *e;
|
||||
struct Curl_llist_element *n;
|
||||
+
|
||||
+ if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
|
||||
+ return NULL;
|
||||
+ memcpy(buffer, hostname, hlen);
|
||||
+ if(hostname[hlen-1] == '.')
|
||||
+ /* remove the trailing dot */
|
||||
+ --hlen;
|
||||
+ buffer[hlen] = 0;
|
||||
+ hostname = buffer;
|
||||
+
|
||||
for(e = h->list.head; e; e = n) {
|
||||
struct stsentry *sts = e->ptr;
|
||||
n = e->next;
|
||||
@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
|
||||
CURLSTScode sc;
|
||||
DEBUGASSERT(h);
|
||||
do {
|
||||
- char buffer[257];
|
||||
+ char buffer[MAX_HSTS_HOSTLEN + 1];
|
||||
struct curl_hstsentry e;
|
||||
e.name = buffer;
|
||||
e.namelen = sizeof(buffer)-1;
|
||||
--
|
||||
2.34.1
|
||||
|
@ -28,6 +28,9 @@ Patch5: 0005-curl-7.82.0-CVE-2022-27774.patch
|
||||
# reject percent-encoded path separator in URL host (CVE-2022-27780)
|
||||
Patch6: 0006-curl-7.82.0-CVE-2022-27780.patch
|
||||
|
||||
# hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115)
|
||||
Patch7: 0007-curl-7.82.0-CVE-2022-30115.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -208,6 +211,7 @@ be installed.
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
@ -436,6 +440,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
|
||||
%changelog
|
||||
* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-5
|
||||
- hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115)
|
||||
- reject percent-encoded path separator in URL host (CVE-2022-27780)
|
||||
|
||||
* Mon May 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-4
|
||||
|
Loading…
Reference in New Issue
Block a user