22599190 problem in LIBRARY/CURL
authoryiteng.zhang@oracle.com <yiteng.zhang@oracle.com>
Wed, 27 Jan 2016 20:55:37 -0800
changeset 5356 94c0413a88fc
parent 5355 5ccf97c2878d
child 5357 76a31ece4c74
22599190 problem in LIBRARY/CURL
components/curl/Makefile
components/curl/patches/001-CVE-2016-0755.patch
components/curl/test/results-32.master
components/curl/test/results-64.master
--- a/components/curl/Makefile	Wed Jan 27 17:18:04 2016 -0800
+++ b/components/curl/Makefile	Wed Jan 27 20:55:37 2016 -0800
@@ -84,6 +84,9 @@
 	'-e "s|^.*$(CC).*$$|XXX_CC_XXX|g" ' \
 	'-e "s|^.*source=.*libtool=no.*$$|XXX_CC_XXX|g" ' \
 	'-e "s|^.*DEPDIR=.deps.*$$|XXX_CC_XXX|g" ' \
+	'-e "s|^make.*: Leaving directory.*$$|XXX_CC_XXX|g" ' \
+	'-e "s|^make.*: Entering directory.*$$|XXX_CC_XXX|g" ' \
+	'-e "s|^make.*: Nothing to be done for.*$$|XXX_CC_XXX|g" ' \
 	'-e "/^XXX_CC_XXX$$/d" ' \
 	'-e "s|\(^/bin/bash ../../libtool\).*|\1|" ' \
 	'-e "s|\(^libtool: link:\).*|\1|" ' \
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/001-CVE-2016-0755.patch	Wed Jan 27 20:55:37 2016 -0800
@@ -0,0 +1,136 @@
+CVE-2016-0755: libcurl will reuse NTLM-authenticated proxy connections without
+properly making sure that the connection was authenticated with the same
+credentials as set for this transfer. 
+
+CVE webpage for this problem:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0755
+
+Relevant upstream patch:
+http://curl.haxx.se/CVE-2016-0755.patch
+
+--- lib/url.c.orig
++++ lib/url.c
[email protected]@ -3126,15 +3126,20 @@ ConnectionExists(struct SessionHandle *data,
+ {
+   struct connectdata *check;
+   struct connectdata *chosen = 0;
+   bool canPipeline = IsPipeliningPossible(data, needle);
++  struct connectbundle *bundle;
++
+ #ifdef USE_NTLM
+-  bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
+-                       (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
+-    (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
++  bool wantNTLMhttp = ((data->state.authhost.want &
++                      (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++                      (needle->handler->protocol & PROTO_FAMILY_HTTP));
++  bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
++                           ((data->state.authproxy.want &
++                           (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++                           (needle->handler->protocol & PROTO_FAMILY_HTTP)));
+ #endif
+-  struct connectbundle *bundle;
+ 
+   *force_reuse = FALSE;
+   *waitpipe = FALSE;
+ 
+   /* We can't pipe if the site is blacklisted */
[email protected]@ -3186,13 +3191,10 @@ ConnectionExists(struct SessionHandle *data,
+     }
+ 
+     curr = bundle->conn_list->head;
+     while(curr) {
+       bool match = FALSE;
+-#if defined(USE_NTLM)
+-      bool credentialsMatch = FALSE;
+-#endif
+       size_t pipeLen;
+ 
+       /*
+        * Note that if we use a HTTP proxy, we check connections to that
+        * proxy and not to the actual remote server.
[email protected]@ -3298,25 +3300,18 @@ ConnectionExists(struct SessionHandle *data,
+            !needle->localdev ||
+            strcmp(check->localdev, needle->localdev))
+           continue;
+       }
+ 
+-      if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))
+-#ifdef USE_NTLM
+-         || (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)
+-#endif
+-        ) {
+-        /* This protocol requires credentials per connection or is HTTP+NTLM,
++      if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
++        /* This protocol requires credentials per connection,
+            so verify that we're using the same name and password as well */
+         if(!strequal(needle->user, check->user) ||
+            !strequal(needle->passwd, check->passwd)) {
+           /* one of them was different */
+           continue;
+         }
+-#if defined(USE_NTLM)
+-        credentialsMatch = TRUE;
+-#endif
+       }
+ 
+       if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
+          (needle->bits.httpproxy && check->bits.httpproxy &&
+           needle->bits.tunnel_proxy && check->bits.tunnel_proxy &&
[email protected]@ -3372,24 +3367,47 @@ ConnectionExists(struct SessionHandle *data,
+            already authenticating with the right credentials. If not, keep
+            looking so that we can reuse NTLM connections if
+            possible. (Especially we must not reuse the same connection if
+            partway through a handshake!) */
+         if(wantNTLMhttp) {
+-          if(credentialsMatch && check->ntlm.state != NTLMSTATE_NONE) {
+-            chosen = check;
++          if(!strequal(needle->user, check->user) ||
++             !strequal(needle->passwd, check->passwd))
++            continue;
++        }
++        else if(check->ntlm.state != NTLMSTATE_NONE) {
++          /* Connection is using NTLM auth but we don't want NTLM */
++          continue;
++        }
++
++        /* Same for Proxy NTLM authentication */
++        if(wantProxyNTLMhttp) {
++          if(!strequal(needle->proxyuser, check->proxyuser) ||
++             !strequal(needle->proxypasswd, check->proxypasswd))
++            continue;
++        }
++        else if(check->proxyntlm.state != NTLMSTATE_NONE) {
++          /* Proxy connection is using NTLM auth but we don't want NTLM */
++          continue;
++        }
++
++        if(wantNTLMhttp || wantProxyNTLMhttp) {
++          /* Credentials are already checked, we can use this connection */
++          chosen = check;
+ 
++          if((wantNTLMhttp &&
++             (check->ntlm.state != NTLMSTATE_NONE)) ||
++              (wantProxyNTLMhttp &&
++               (check->proxyntlm.state != NTLMSTATE_NONE))) {
+             /* We must use this connection, no other */
+             *force_reuse = TRUE;
+             break;
+           }
+-          else if(credentialsMatch)
+-            /* this is a backup choice */
+-            chosen = check;
++
++          /* Continue look up for a better connection */
+           continue;
+         }
+ #endif
+-
+         if(canPipeline) {
+           /* We can pipeline if we want to. Let's continue looking for
+              the optimal connection to use, i.e the shortest pipe that is not
+              blacklisted. */
+ 
+-- 
+2.7.0.rc3
+
--- a/components/curl/test/results-32.master	Wed Jan 27 17:18:04 2016 -0800
+++ b/components/curl/test/results-32.master	Wed Jan 27 20:55:37 2016 -0800
@@ -1,59 +1,20 @@
-make[1]: Entering directory `$(@D)'
 Making check in lib
-make[2]: Entering directory `$(@D)/lib'
-make[2]: Leaving directory `$(@D)/lib'
 Making check in src
-make[2]: Entering directory `$(@D)/src'
 /usr/gnu/bin/make  check-am
-make[3]: Entering directory `$(@D)/src'
-make[3]: Nothing to be done for `check-am'.
-make[3]: Leaving directory `$(@D)/src'
-make[2]: Leaving directory `$(@D)/src'
 Making check in include
-make[2]: Entering directory `$(@D)/include'
 Making check in curl
-make[3]: Entering directory `$(@D)/include/curl'
-make[4]: Entering directory `$(@D)/include/curl'
 touch stamp-h2
-make[4]: Leaving directory `$(@D)/include/curl'
-make[3]: Leaving directory `$(@D)/include/curl'
-make[3]: Entering directory `$(@D)/include'
-make[3]: Nothing to be done for `check-am'.
-make[3]: Leaving directory `$(@D)/include'
-make[2]: Leaving directory `$(@D)/include'
-make[2]: Entering directory `$(@D)'
-make[2]: Nothing to be done for `check-am'.
-make[2]: Leaving directory `$(@D)'
-make[2]: Entering directory `$(@D)/tests'
 Making all in certs
-make[3]: Entering directory `$(@D)/tests/certs'
 Making all in scripts
-make[4]: Entering directory `$(@D)/tests/certs/scripts'
-make[4]: Nothing to be done for `all'.
-make[4]: Leaving directory `$(@D)/tests/certs/scripts'
-make[4]: Entering directory `$(@D)/tests/certs'
-make[4]: Nothing to be done for `all-am'.
-make[4]: Leaving directory `$(@D)/tests/certs'
-make[3]: Leaving directory `$(@D)/tests/certs'
 Making all in data
-make[3]: Entering directory `$(@D)/tests/data'
-make[3]: Nothing to be done for `all'.
-make[3]: Leaving directory `$(@D)/tests/data'
 Making all in server
-make[3]: Entering directory `$(@D)/tests/server'
-make[3]: Leaving directory `$(@D)/tests/server'
 Making all in libtest
-make[3]: Entering directory `$(@D)/tests/libtest'
 source='sethostname.c' object='libhostname_la-sethostname.lo' libtool=yes \
 libtool: link:
-make[3]: Leaving directory `$(@D)/tests/libtest'
-make[3]: Entering directory `$(@D)/tests'
-make[3]: Nothing to be done for `all-am'.
-make[3]: Leaving directory `$(@D)/tests'
 srcdir=$(SOURCE_DIR)/tests /usr/bin/perl -I$(SOURCE_DIR)/tests $(SOURCE_DIR)/tests/runtests.pl -a -s
 ********* System characteristics ******** 
 * curl 7.45.0
-* libcurl/7.45.0 OpenSSL/1.0.2d zlib/1.2.8-T4mods libidn/1.19 libssh2/1.4.2
+* libcurl/7.45.0 OpenSSL/1.0.2e zlib/1.2.8-T4mods libidn/1.19 libssh2/1.4.2
 * Features: IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets 
 * Host:
 * System: SunOS
@@ -441,10 +402,6 @@
 === Start of file log/sftp_server.log
 No credentials cache file found
 
-mech_dh: No secret key
-
-mech_dh: No secret key
-
 Connection reset by 127.0.0.1
 Connection closed
 === End of file log/sftp_server.log
@@ -1029,26 +986,14 @@
 test 2045...OK (984 out of 984, remaining: xx:xx)
 TESTDONE: 802 tests out of 802 reported OK: 100%
 TESTDONE: 994 tests were considered during
-make[2]: Leaving directory `$(@D)/tests'
-make[2]: Entering directory `$(@D)/docs/examples'
 /usr/gnu/bin/make  10-at-a-time anyauthput cookie_interface debug fileupload fopen ftpget ftpgetresp ftpupload getinfo getinmemory http-post httpput https multi-app multi-debugcallback multi-double multi-post multi-single persistant post-callback postit2 sepheaders simple simplepost simplessl sendrecv httpcustomheader certinfo chkspeed ftpgetinfo ftp-wildcard smtp-mail smtp-multi smtp-ssl smtp-tls smtp-vrfy smtp-expn rtsp externalsocket resolve progressfunc pop3-retr pop3-list pop3-uidl pop3-dele pop3-top pop3-stat pop3-noop pop3-ssl pop3-tls pop3-multi imap-list imap-lsub imap-fetch imap-store imap-append imap-examine imap-search imap-create imap-delete imap-copy imap-noop imap-ssl imap-tls imap-multi url2file sftpget ftpsget postinmemory http2-download http2-upload http2-serverpush
-make[3]: Entering directory `$(@D)/docs/examples'
 "$(SOURCE_DIR)/docs/examples/pop3-multi.c", line 96: warning: implicit function declaration: memset
 "$(SOURCE_DIR)/docs/examples/imap-multi.c", line 96: warning: implicit function declaration: memset
 "$(SOURCE_DIR)/docs/examples/http2-download.c", line 226: warning: implicit function declaration: memset
 "$(SOURCE_DIR)/docs/examples/http2-upload.c", line 290: warning: implicit function declaration: memset
 "$(SOURCE_DIR)/docs/examples/http2-serverpush.c", line 236: warning: implicit function declaration: memset
-make[3]: Leaving directory `$(@D)/docs/examples'
-make[2]: Leaving directory `$(@D)/docs/examples'
-make[2]: Entering directory `$(@D)/docs/libcurl'
 Making check in opts
-make[3]: Entering directory `$(@D)/docs/libcurl/opts'
-make[3]: Nothing to be done for `check'.
-make[3]: Leaving directory `$(@D)/docs/libcurl/opts'
-make[3]: Entering directory `$(@D)/docs/libcurl'
 /usr/gnu/bin/make  check-TESTS
-make[4]: Entering directory `$(@D)/docs/libcurl'
-make[5]: Entering directory `$(@D)/docs/libcurl'
 OPTS="$(ls $(SOURCE_DIR)/docs/libcurl/opts/CURLOPT*.3 | /usr/bin/sed -e 's,^.*/,,' -e 's,\.3$,,')" && \
 for opt in $OPTS; do grep "^\.IP $opt$" $(SOURCE_DIR)/docs/libcurl/curl_easy_setopt.3 >/dev/null || echo Missing $opt; done > check-easy
 PASS: check-easy
@@ -1066,8 +1011,3 @@
 # XPASS: 0
 # ERROR: 0
 ============================================================================
-make[5]: Leaving directory `$(@D)/docs/libcurl'
-make[4]: Leaving directory `$(@D)/docs/libcurl'
-make[3]: Leaving directory `$(@D)/docs/libcurl'
-make[2]: Leaving directory `$(@D)/docs/libcurl'
-make[1]: Leaving directory `$(@D)'
--- a/components/curl/test/results-64.master	Wed Jan 27 17:18:04 2016 -0800
+++ b/components/curl/test/results-64.master	Wed Jan 27 20:55:37 2016 -0800
@@ -1,59 +1,20 @@
-make[1]: Entering directory `$(@D)'
 Making check in lib
-make[2]: Entering directory `$(@D)/lib'
-make[2]: Leaving directory `$(@D)/lib'
 Making check in src
-make[2]: Entering directory `$(@D)/src'
 /usr/gnu/bin/make  check-am
-make[3]: Entering directory `$(@D)/src'
-make[3]: Nothing to be done for `check-am'.
-make[3]: Leaving directory `$(@D)/src'
-make[2]: Leaving directory `$(@D)/src'
 Making check in include
-make[2]: Entering directory `$(@D)/include'
 Making check in curl
-make[3]: Entering directory `$(@D)/include/curl'
-make[4]: Entering directory `$(@D)/include/curl'
 touch stamp-h2
-make[4]: Leaving directory `$(@D)/include/curl'
-make[3]: Leaving directory `$(@D)/include/curl'
-make[3]: Entering directory `$(@D)/include'
-make[3]: Nothing to be done for `check-am'.
-make[3]: Leaving directory `$(@D)/include'
-make[2]: Leaving directory `$(@D)/include'
-make[2]: Entering directory `$(@D)'
-make[2]: Nothing to be done for `check-am'.
-make[2]: Leaving directory `$(@D)'
-make[2]: Entering directory `$(@D)/tests'
 Making all in certs
-make[3]: Entering directory `$(@D)/tests/certs'
 Making all in scripts
-make[4]: Entering directory `$(@D)/tests/certs/scripts'
-make[4]: Nothing to be done for `all'.
-make[4]: Leaving directory `$(@D)/tests/certs/scripts'
-make[4]: Entering directory `$(@D)/tests/certs'
-make[4]: Nothing to be done for `all-am'.
-make[4]: Leaving directory `$(@D)/tests/certs'
-make[3]: Leaving directory `$(@D)/tests/certs'
 Making all in data
-make[3]: Entering directory `$(@D)/tests/data'
-make[3]: Nothing to be done for `all'.
-make[3]: Leaving directory `$(@D)/tests/data'
 Making all in server
-make[3]: Entering directory `$(@D)/tests/server'
-make[3]: Leaving directory `$(@D)/tests/server'
 Making all in libtest
-make[3]: Entering directory `$(@D)/tests/libtest'
 source='sethostname.c' object='libhostname_la-sethostname.lo' libtool=yes \
 libtool: link:
-make[3]: Leaving directory `$(@D)/tests/libtest'
-make[3]: Entering directory `$(@D)/tests'
-make[3]: Nothing to be done for `all-am'.
-make[3]: Leaving directory `$(@D)/tests'
 srcdir=$(SOURCE_DIR)/tests /usr/bin/perl -I$(SOURCE_DIR)/tests $(SOURCE_DIR)/tests/runtests.pl -a -s
 ********* System characteristics ******** 
 * curl 7.45.0
-* libcurl/7.45.0 OpenSSL/1.0.2d zlib/1.2.8-T4mods libidn/1.19 libssh2/1.4.2
+* libcurl/7.45.0 OpenSSL/1.0.2e zlib/1.2.8-T4mods libidn/1.19 libssh2/1.4.2
 * Features: IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets 
 * Host:
 * System: SunOS
@@ -882,26 +843,14 @@
 test 2045...OK (984 out of 984, remaining: xx:xx)
 TESTDONE: 803 tests out of 803 reported OK: 100%
 TESTDONE: 994 tests were considered during
-make[2]: Leaving directory `$(@D)/tests'
-make[2]: Entering directory `$(@D)/docs/examples'
 /usr/gnu/bin/make  10-at-a-time anyauthput cookie_interface debug fileupload fopen ftpget ftpgetresp ftpupload getinfo getinmemory http-post httpput https multi-app multi-debugcallback multi-double multi-post multi-single persistant post-callback postit2 sepheaders simple simplepost simplessl sendrecv httpcustomheader certinfo chkspeed ftpgetinfo ftp-wildcard smtp-mail smtp-multi smtp-ssl smtp-tls smtp-vrfy smtp-expn rtsp externalsocket resolve progressfunc pop3-retr pop3-list pop3-uidl pop3-dele pop3-top pop3-stat pop3-noop pop3-ssl pop3-tls pop3-multi imap-list imap-lsub imap-fetch imap-store imap-append imap-examine imap-search imap-create imap-delete imap-copy imap-noop imap-ssl imap-tls imap-multi url2file sftpget ftpsget postinmemory http2-download http2-upload http2-serverpush
-make[3]: Entering directory `$(@D)/docs/examples'
 "$(SOURCE_DIR)/docs/examples/pop3-multi.c", line 96: warning: implicit function declaration: memset
 "$(SOURCE_DIR)/docs/examples/imap-multi.c", line 96: warning: implicit function declaration: memset
 "$(SOURCE_DIR)/docs/examples/http2-download.c", line 226: warning: implicit function declaration: memset
 "$(SOURCE_DIR)/docs/examples/http2-upload.c", line 290: warning: implicit function declaration: memset
 "$(SOURCE_DIR)/docs/examples/http2-serverpush.c", line 236: warning: implicit function declaration: memset
-make[3]: Leaving directory `$(@D)/docs/examples'
-make[2]: Leaving directory `$(@D)/docs/examples'
-make[2]: Entering directory `$(@D)/docs/libcurl'
 Making check in opts
-make[3]: Entering directory `$(@D)/docs/libcurl/opts'
-make[3]: Nothing to be done for `check'.
-make[3]: Leaving directory `$(@D)/docs/libcurl/opts'
-make[3]: Entering directory `$(@D)/docs/libcurl'
 /usr/gnu/bin/make  check-TESTS
-make[4]: Entering directory `$(@D)/docs/libcurl'
-make[5]: Entering directory `$(@D)/docs/libcurl'
 OPTS="$(ls $(SOURCE_DIR)/docs/libcurl/opts/CURLOPT*.3 | /usr/bin/sed -e 's,^.*/,,' -e 's,\.3$,,')" && \
 for opt in $OPTS; do grep "^\.IP $opt$" $(SOURCE_DIR)/docs/libcurl/curl_easy_setopt.3 >/dev/null || echo Missing $opt; done > check-easy
 PASS: check-easy
@@ -919,8 +868,3 @@
 # XPASS: 0
 # ERROR: 0
 ============================================================================
-make[5]: Leaving directory `$(@D)/docs/libcurl'
-make[4]: Leaving directory `$(@D)/docs/libcurl'
-make[3]: Leaving directory `$(@D)/docs/libcurl'
-make[2]: Leaving directory `$(@D)/docs/libcurl'
-make[1]: Leaving directory `$(@D)'