24409713 problem in LIBRARY/CURL
24409702 problem in LIBRARY/CURL
24409726 problem in LIBRARY/CURL
24409740 problem in LIBRARY/CURL
24832800 problem in LIBRARY/CURL
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/006-CVE-2016-3739.patch Tue Oct 25 14:43:21 2016 -0700
@@ -0,0 +1,87 @@
+From dcd8c2a476eeebc29b36171bf52d6db4fa255a66 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Sun, 24 Apr 2016 17:52:18 +0200
+Subject: [PATCH] mbedtls/polarssl: set "hostname" unconditionally
+
+...as otherwise the TLS libs will skip the CN/SAN check and just allow
+connection to any server. curl previously skipped this function when SNI
+wasn't used or when connecting to an IP address specified host.
+
+CVE-2016-3739
+
+Bug: https://curl.haxx.se/docs/adv_20160518A.html
+Reported-by: Moti Avrahami
+---
+# This file is not delivered in 7.45.0, so comment it out.
+# lib/vtls/mbedtls.c | 13 ++++++-------
+# lib/vtls/polarssl.c | 15 +++++++--------
+# 2 files changed, 13 insertions(+), 15 deletions(-)
+#
+#--- lib/vtls/mbedtls.c
+#+++ lib/vtls/mbedtls.c
+#@@ -389,17 +389,16 @@ mbed_connect_step1(struct connectdata *conn,
+#
+# if(data->set.str[STRING_KEY]) {
+# mbedtls_ssl_conf_own_cert(&connssl->config,
+# &connssl->clicert, &connssl->pk);
+# }
+#- if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
+#-#ifdef ENABLE_IPV6
+#- !Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
+#-#endif
+#- sni && mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+#- infof(data, "WARNING: failed to configure "
+#- "server name indication (SNI) TLS extension\n");
+#+ if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+#+ /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
+#+ the name to set in the SNI extension. So even if curl connects to a
+#+ host specified as an IP address, this function must be used. */
+#+ failf(data, "couldn't set hostname in mbedTLS");
+#+ return CURLE_SSL_CONNECT_ERROR;
+# }
+#
+# #ifdef HAS_ALPN
+# if(data->set.ssl_enable_alpn) {
+# const char **p = &connssl->protocols[0];
+--- lib/vtls/polarssl.c
++++ lib/vtls/polarssl.c
+@@ -3,11 +3,11 @@
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <[email protected]>
+- * Copyright (C) 2012 - 2015, Daniel Stenberg, <[email protected]>, et al.
++ * Copyright (C) 2012 - 2016, Daniel Stenberg, <[email protected]>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+@@ -352,17 +352,16 @@ polarssl_connect_step1(struct connectdata *conn,
+ conn->host.name);
+
+ ssl_set_own_cert_rsa(&connssl->ssl,
+ &connssl->clicert, &connssl->rsa);
+
+- if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
+-#ifdef ENABLE_IPV6
+- !Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
+-#endif
+- sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+- infof(data, "WARNING: failed to configure "
+- "server name indication (SNI) TLS extension\n");
++ if(ssl_set_hostname(&connssl->ssl, conn->host.name)) {
++ /* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name
++ to set in the SNI extension. So even if curl connects to a host
++ specified as an IP address, this function must be used. */
++ failf(data, "couldn't set hostname in PolarSSL");
++ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+ #ifdef HAS_ALPN
+ if(data->set.ssl_enable_alpn) {
+ static const char* protocols[3];
+--
+2.8.1
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/007-CVE-2016-5419.patch Tue Oct 25 14:43:21 2016 -0700
@@ -0,0 +1,79 @@
+From 416ad90afc50d9cbcb50ba4ab28f88d260774f6d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Fri, 1 Jul 2016 13:32:31 +0200
+Subject: [PATCH] TLS: switch off SSL session id when client cert is used
+
+CVE-2016-5419
+Bug: https://curl.haxx.se/docs/adv_20160803A.html
+Reported-by: Bru Rom
+Contributions-by: Eric Rescorla and Ray Satiro
+---
+ lib/url.c | 1 +
+ lib/urldata.h | 1 +
+ lib/vtls/vtls.c | 10 ++++++++++
+ 3 files changed, 12 insertions(+)
+
+--- lib/url.c
++++ lib/url.c
+@@ -6121,10 +6121,11 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+ data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
+ data->set.ssl.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+ data->set.ssl.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+ data->set.ssl.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
++ data->set.ssl.clientcert = data->set.str[STRING_CERT];
+ #ifdef USE_TLS_SRP
+ data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
+ data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+ #endif
+
+--- lib/urldata.h
++++ lib/urldata.h
+@@ -349,10 +349,11 @@ struct ssl_config_data {
+ bool verifystatus; /* set TRUE if certificate status must be checked */
+ char *CApath; /* certificate dir (doesn't work on windows) */
+ char *CAfile; /* certificate to verify peer against */
+ const char *CRLfile; /* CRL to check certificate revocation */
+ const char *issuercert;/* optional issuer certificate filename */
++ char *clientcert;
+ char *random_file; /* path to file containing "random" data */
+ char *egdsocket; /* path to file containing the EGD daemon socket */
+ char *cipher_list; /* list of ciphers to use */
+ size_t max_ssl_sessions; /* SSL session id cache size */
+ curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+--- lib/vtls/vtls.c
++++ lib/vtls/vtls.c
+@@ -154,20 +154,30 @@ Curl_clone_ssl_config(struct ssl_config_data *source,
+ return FALSE;
+ }
+ else
+ dest->random_file = NULL;
+
++ if(source->clientcert) {
++ dest->clientcert = strdup(source->clientcert);
++ if(!dest->clientcert)
++ return FALSE;
++ dest->sessionid = FALSE;
++ }
++ else
++ dest->clientcert = NULL;
++
+ return TRUE;
+ }
+
+ void Curl_free_ssl_config(struct ssl_config_data* sslc)
+ {
+ Curl_safefree(sslc->CAfile);
+ Curl_safefree(sslc->CApath);
+ Curl_safefree(sslc->cipher_list);
+ Curl_safefree(sslc->egdsocket);
+ Curl_safefree(sslc->random_file);
++ Curl_safefree(sslc->clientcert);
+ }
+
+
+ /*
+ * Curl_rand() returns a random unsigned integer, 32bit.
+--
+2.8.1
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/008-CVE-2016-5420.patch Tue Oct 25 14:43:21 2016 -0700
@@ -0,0 +1,28 @@
+From f6474ff3bfb38c28b70b5ba01048edc41f654376 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Sun, 31 Jul 2016 00:51:48 +0200
+Subject: [PATCH] TLS: only reuse connections with the same client cert
+
+CVE-2016-5420
+Bug: https://curl.haxx.se/docs/adv_20160803B.html
+---
+ lib/vtls/vtls.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- lib/vtls/vtls.c
++++ lib/vtls/vtls.c
+@@ -97,10 +97,11 @@ Curl_ssl_config_matches(struct ssl_config_data* data,
+ if((data->version == needle->version) &&
+ (data->verifypeer == needle->verifypeer) &&
+ (data->verifyhost == needle->verifyhost) &&
+ safe_strequal(data->CApath, needle->CApath) &&
+ safe_strequal(data->CAfile, needle->CAfile) &&
++ safe_strequal(data->clientcert, needle->clientcert) &&
+ safe_strequal(data->random_file, needle->random_file) &&
+ safe_strequal(data->egdsocket, needle->egdsocket) &&
+ safe_strequal(data->cipher_list, needle->cipher_list))
+ return TRUE;
+
+--
+2.8.1
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/011-CVE-2016-5421.patch Tue Oct 25 14:43:21 2016 -0700
@@ -0,0 +1,33 @@
+From ccb7d79b62c8b15a6be446f9c9fd3767c01eb5b6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Sun, 31 Jul 2016 01:09:04 +0200
+Subject: [PATCH] curl_multi_cleanup: clear connection pointer for easy handles
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2016-5421
+Bug: https://curl.haxx.se/docs/adv_20160803C.html
+Reported-by: Marcelo Echeverria and Fernando Muñoz
+---
+ lib/multi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- lib/multi.c
++++ lib/multi.c
+@@ -2155,10 +2155,12 @@ static void close_all_connections(struct Curl_multi *multi)
+ while(conn) {
+ SIGPIPE_VARIABLE(pipe_st);
+ conn->data = multi->closure_handle;
+
+ sigpipe_ignore(conn->data, &pipe_st);
++ conn->data->easy_conn = NULL; /* clear the easy handle's connection
++ pointer */
+ /* This will remove the connection from the cache */
+ (void)Curl_disconnect(conn, FALSE);
+ sigpipe_restore(&pipe_st);
+
+ conn = Curl_conncache_find_first_connection(&multi->conn_cache);
+--
+2.8.1
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/012-CVE-2016-7167.patch Tue Oct 25 14:43:21 2016 -0700
@@ -0,0 +1,71 @@
+From bf0bb3849422c043f21f56fae57c1cf85e41a272 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Thu, 8 Sep 2016 22:59:54 +0200
+Subject: [PATCH] CVE-2016-7167: deny negative string length inputs
+
+Bug: https://curl.haxx.se/docs/adv_20160914.html
+---
+ lib/escape.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- lib/escape.c
++++ lib/escape.c
+@@ -76,18 +76,24 @@ char *curl_unescape(const char *string, int length)
+ }
+
+ char *curl_easy_escape(CURL *handle, const char *string, int inlength)
+ {
+- size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;
++ size_t alloc;
+ char *ns;
+ char *testing_ptr = NULL;
+ unsigned char in; /* we need to treat the characters unsigned */
+- size_t newlen = alloc;
++ size_t newlen;
+ size_t strindex=0;
+ size_t length;
+ CURLcode result;
+
++ if(inlength < 0)
++ return NULL;
++
++ alloc = (inlength?(size_t)inlength:strlen(string))+1;
++ newlen = alloc;
++
+ ns = malloc(alloc);
+ if(!ns)
+ return NULL;
+
+ length = alloc-1;
+@@ -209,18 +215,20 @@ CURLcode Curl_urldecode(struct Curl_easy *data,
+ */
+ char *curl_easy_unescape(CURL *handle, const char *string, int length,
+ int *olen)
+ {
+ char *str = NULL;
+- size_t inputlen = length;
+- size_t outputlen;
+- CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
+- FALSE);
+- if(res)
+- return NULL;
+- if(olen)
+- *olen = curlx_uztosi(outputlen);
++ if(length >= 0) {
++ size_t inputlen = length;
++ size_t outputlen;
++ CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
++ FALSE);
++ if(res)
++ return NULL;
++ if(olen)
++ *olen = curlx_uztosi(outputlen);
++ }
+ return str;
+ }
+
+ /* For operating systems/environments that use different malloc/free
+ systems for the app and for this library, we provide a free that uses
+--
+2.9.3
+