diff --git a/0009-curl-7.82.0-CVE-2022-27782.patch b/0009-curl-7.82.0-CVE-2022-27782.patch
index 0c9d21c..b6b55d2 100644
--- a/0009-curl-7.82.0-CVE-2022-27782.patch
+++ b/0009-curl-7.82.0-CVE-2022-27782.patch
@@ -1,7 +1,131 @@
+From 505c04ea93c3db64747e0f776c531e5d63a5acfe Mon Sep 17 00:00:00 2001
+From: Jay Satiro
+Date: Thu, 17 Mar 2022 15:31:10 -0400
+Subject: [PATCH 1/3] gtls: fix build for disabled TLS-SRP
+
+Prior to this change if, at build time, the GnuTLS backend was found to
+have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl
+via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur.
+
+Bug: https://curl.se/mail/lib-2022-03/0046.html
+Reported-by: Robert Brose
+
+Closes https://github.com/curl/curl/pull/8604
+
+Upstream-commit: 8b1cae63b77ecfbdb372b5fafb0eb4c273ec887a
+Signed-off-by: Kamil Dudka
+---
+ lib/vtls/gtls.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 5749376..bc8ef68 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -55,6 +55,14 @@
+ /* The last #include file should be: */
+ #include "memdebug.h"
+
++#ifdef HAVE_GNUTLS_SRP
++/* the function exists */
++#ifdef USE_TLS_SRP
++/* the functionality is not disabled */
++#define USE_GNUTLS_SRP
++#endif
++#endif
++
+ /* Enable GnuTLS debugging by defining GTLSDEBUG */
+ /*#define GTLSDEBUG */
+
+@@ -75,7 +83,7 @@ static bool gtls_inited = FALSE;
+ struct ssl_backend_data {
+ gnutls_session_t session;
+ gnutls_certificate_credentials_t cred;
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ gnutls_srp_client_credentials_t srp_client_cred;
+ #endif
+ };
+@@ -436,7 +444,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+ infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
+
+@@ -587,7 +595,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ if(result)
+ return result;
+
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ /* Only add SRP to the cipher list if SRP is requested. Otherwise
+ * GnuTLS will disable TLS 1.3 support.
*/
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+@@ -609,7 +617,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ #endif
+ infof(data, "GnuTLS ciphers: %s", prioritylist);
+ rc = gnutls_priority_set_direct(session, prioritylist, &err);
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ }
+ #endif
+
+@@ -683,7 +691,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ }
+ }
+
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ /* put the credentials to the current session */
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+ rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
+@@ -866,7 +874,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+ if(SSL_CONN_CONFIG(verifypeer) ||
+ SSL_CONN_CONFIG(verifyhost) ||
+ SSL_CONN_CONFIG(issuercert)) {
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(username) != NULL
+ && !SSL_CONN_CONFIG(verifypeer)
+@@ -879,7 +887,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+ failf(data, "failed to get server cert");
+ *certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
+ return CURLE_PEER_FAILED_VERIFICATION;
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ }
+ #endif
+ }
+@@ -1469,7 +1477,7 @@ static void close_one(struct ssl_connect_data *connssl)
+ gnutls_certificate_free_credentials(backend->cred);
+ backend->cred = NULL;
+ }
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ if(backend->srp_client_cred) {
+ gnutls_srp_free_client_credentials(backend->srp_client_cred);
+ backend->srp_client_cred = NULL;
+@@ -1555,7 +1563,7 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
+ }
+ gnutls_certificate_free_credentials(backend->cred);
+
+-#ifdef HAVE_GNUTLS_SRP
++#ifdef USE_GNUTLS_SRP
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(username) != NULL)
+ gnutls_srp_free_client_credentials(backend->srp_client_cred);
+--
+2.35.3
+
+
From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg Date: Mon, 9 May 2022 23:13:53 +0200 -Subject: [PATCH 1/2] tls: check more TLS details for connection reuse +Subject: [PATCH 2/3] tls: check more TLS details for connection reuse CVE-2022-27782 @@ -15,12 +139,12 @@ Signed-off-by: Kamil Dudka lib/setopt.c | 29 +++++++++++++++++------------ lib/url.c | 23 ++++++++++++++++------- lib/urldata.h | 13 +++++++------ - lib/vtls/gtls.c | 19 ++++++++++--------- + lib/vtls/gtls.c | 32 +++++++++++++++++--------------- lib/vtls/mbedtls.c | 2 +- lib/vtls/nss.c | 6 +++--- lib/vtls/openssl.c | 10 +++++----- lib/vtls/vtls.c | 21 +++++++++++++++++++++ - 8 files changed, 80 insertions(+), 43 deletions(-) + 8 files changed, 87 insertions(+), 49 deletions(-) diff --git a/lib/setopt.c b/lib/setopt.c index 8e1bf12..7aa6fdb 100644 @@ -220,7 +344,19 @@ diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 5749376..ec6be16 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c -@@ -449,8 +449,8 @@ gtls_connect_step1(struct Curl_easy *data, +@@ -445,8 +445,9 @@ gtls_connect_step1(struct Curl_easy *data, + } + + #ifdef USE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { +- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { ++ infof(data, "Using TLS-SRP username: %s", ++ SSL_SET_OPTION(primary.username)); + + rc = gnutls_srp_allocate_client_credentials( + &backend->srp_client_cred); +@@ -457,8 +458,8 @@ gtls_connect_step1(struct Curl_easy *data, } rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, @@ -231,7 +367,7 @@ index 5749376..ec6be16 100644 if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_srp_set_client_cred() failed: %s", gnutls_strerror(rc)); -@@ -507,19 +507,19 @@ gtls_connect_step1(struct Curl_easy *data, +@@ -515,19 +516,19 @@ gtls_connect_step1(struct Curl_easy *data, } #endif 
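Review bot: The backported gtls_shutdown hunk (`+@@ -1555,7 +1563,7 @@`) still calls `gnutls_srp_free_client_credentials(backend->srp_client_cred)` purely on the strength of the option values, whereas the close_one hunk just above it frees only `if(backend->srp_client_cred)` and then resets the pointer to NULL. If the allocation in gtls_connect_step1 failed, or if close_one can run after gtls_shutdown on the same backend, the shutdown path hands GnuTLS a NULL or already-freed credentials pointer; whether either ordering is reachable cannot be confirmed from here, since both hunks show only a slice of gtls_shutdown. The same lines are rewritten again by the `primary.*` rename in the `+@@ -1564,8 +1566,8 @@` hunk further down, so any follow-up should touch both. Mirroring close_one would close the gap: `if(backend->srp_client_cred) { gnutls_srp_free_client_credentials(backend->srp_client_cred); backend->srp_client_cred = NULL; }`. As this is an imported upstream patch, that belongs in a separate follow-up commit rather than an edit to the backport.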
@@ -255,8 +391,8 @@ index 5749376..ec6be16 100644 } /* Initialize TLS session as a client */ -@@ -590,7 +590,7 @@ gtls_connect_step1(struct Curl_easy *data, - #ifdef HAVE_GNUTLS_SRP +@@ -598,7 +599,7 @@ gtls_connect_step1(struct Curl_easy *data, + #ifdef USE_GNUTLS_SRP /* Only add SRP to the cipher list if SRP is requested. Otherwise * GnuTLS will disable TLS 1.3 support. */ - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { @@ -264,16 +400,27 @@ index 5749376..ec6be16 100644 size_t len = strlen(prioritylist); char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); -@@ -685,7 +685,7 @@ gtls_connect_step1(struct Curl_easy *data, +@@ -693,7 +694,7 @@ gtls_connect_step1(struct Curl_easy *data, - #ifdef HAVE_GNUTLS_SRP + #ifdef USE_GNUTLS_SRP /* put the credentials to the current session */ - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, backend->srp_client_cred); if(rc != GNUTLS_E_SUCCESS) { -@@ -926,7 +926,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, +@@ -875,8 +876,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, + SSL_CONN_CONFIG(verifyhost) || + SSL_CONN_CONFIG(issuercert)) { + #ifdef USE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL + && !SSL_CONN_CONFIG(verifypeer) + && gnutls_cipher_get(session)) { + /* no peer cert, but auth is ok if we have SRP user and cipher and no +@@ -934,7 +935,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, failf(data, "server certificate verification failed. CAfile: %s " "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): "none", 
@@ -283,6 +430,17 @@ index 5749376..ec6be16 100644 return CURLE_PEER_FAILED_VERIFICATION; } else +@@ -1564,8 +1566,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, + gnutls_certificate_free_credentials(backend->cred); + + #ifdef USE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL) ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL) + gnutls_srp_free_client_credentials(backend->srp_client_cred); + #endif + diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index b9fd26a..bd4ad8f 100644 --- a/lib/vtls/mbedtls.c @@ -428,7 +586,7 @@ index a40ac06..e2d3438 100644 From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 9 May 2022 23:13:53 +0200 -Subject: [PATCH 2/2] url: check SSH config match on connection reuse +Subject: [PATCH 3/3] url: check SSH config match on connection reuse CVE-2022-27782 diff --git a/curl.spec b/curl.spec index 38436c2..4af70aa 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.82.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -463,6 +463,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jul 18 2022 Kamil Dudka - 7.82.0-7 +- fix build failure with gnutls backend enabled + * Wed Jun 29 2022 Kamil Dudka - 7.82.0-6 - fix unpreserved file permissions (CVE-2022-32207) - fix Set-Cookie denial of service (CVE-2022-32205)