Resolves: CVE-2022-27780 - reject percent-encoded path separator in URL host
This commit is contained in:
parent
43690cb3af
commit
f35a1d48bb
69
0006-curl-7.82.0-CVE-2022-27780.patch
Normal file
69
0006-curl-7.82.0-CVE-2022-27780.patch
Normal file
@ -0,0 +1,69 @@
|
||||
From 52684f4ad348deee05ce49c65b2446f68f4dc1a8 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 9 May 2022 08:19:38 +0200
|
||||
Subject: [PATCH 1/2] urlapi: reject percent-decoding host name into separator
|
||||
bytes
|
||||
|
||||
CVE-2022-27780
|
||||
|
||||
Reported-by: Axel Chong
|
||||
Bug: https://curl.se/docs/CVE-2022-27780.html
|
||||
Closes #8826
|
||||
|
||||
Upstream-commit: 914aaab9153764ef8fa4178215b8ad89d3ac263a
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/urlapi.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/urlapi.c b/lib/urlapi.c
|
||||
index ff00ee4..00222fc 100644
|
||||
--- a/lib/urlapi.c
|
||||
+++ b/lib/urlapi.c
|
||||
@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
|
||||
#endif
|
||||
}
|
||||
else {
|
||||
- /* letters from the second string is not ok */
|
||||
- len = strcspn(hostname, " \r\n");
|
||||
+ /* letters from the second string are not ok */
|
||||
+ len = strcspn(hostname, " \r\n\t/:#?!@");
|
||||
if(hlen != len)
|
||||
/* hostname with bad content */
|
||||
return CURLUE_BAD_HOSTNAME;
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
||||
From f69fa599b12737aebc4bacee7608807620ff42cf Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 9 May 2022 08:19:38 +0200
|
||||
Subject: [PATCH 2/2] libtest/lib1560: verify the host name percent decode fix
|
||||
|
||||
Upstream-commit: cfa47974fea04753d1131cac701e331cd91bec6f
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
tests/libtest/lib1560.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
|
||||
index 7614849..84ee933 100644
|
||||
--- a/tests/libtest/lib1560.c
|
||||
+++ b/tests/libtest/lib1560.c
|
||||
@@ -374,6 +374,13 @@ static const struct testcase get_parts_list[] ={
|
||||
|
||||
static const struct urltestcase get_url_list[] = {
|
||||
/* percent encoded host names */
|
||||
+ {"http://example.com%40127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||
+ {"http://example.com%21127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||
+ {"http://example.com%3f127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||
+ {"http://example.com%23127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||
+ {"http://example.com%3a127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||
+ {"http://example.com%09127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||
+ {"http://example.com%2F127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||
{"https://%this", "https://%25this/", 0, 0, CURLUE_OK},
|
||||
{"https://h%c", "https://h%25c/", 0, 0, CURLUE_OK},
|
||||
{"https://%%%%%%", "https://%25%25%25%25%25%25/", 0, 0, CURLUE_OK},
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.82.0
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: MIT
|
||||
Source0: https://curl.se/download/%{name}-%{version}.tar.xz
|
||||
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
||||
@ -25,6 +25,9 @@ Patch4: 0004-curl-7.82.0-CVE-2022-27776.patch
|
||||
# fix credential leak on redirect (CVE-2022-27774)
|
||||
Patch5: 0005-curl-7.82.0-CVE-2022-27774.patch
|
||||
|
||||
# reject percent-encoded path separator in URL host (CVE-2022-27780)
|
||||
Patch6: 0006-curl-7.82.0-CVE-2022-27780.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -204,6 +207,7 @@ be installed.
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
@ -431,6 +435,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-5
|
||||
- reject percent-encoded path separator in URL host (CVE-2022-27780)
|
||||
|
||||
* Mon May 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-4
|
||||
- fix leak of SRP credentials in redirects (CVE-2022-27774)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user