24409713 problem in LIBRARY/CURL s11u3-sru
authorYiteng Zhang <yiteng.zhang@oracle.com>
Tue, 25 Oct 2016 14:43:21 -0700
branchs11u3-sru
changeset 7255 c7815ed3b336
parent 7236 e13b4d43a8f9
child 7256 c523ba6bf5f1
24409713 problem in LIBRARY/CURL 24409702 problem in LIBRARY/CURL 24409726 problem in LIBRARY/CURL 24409740 problem in LIBRARY/CURL 24832800 problem in LIBRARY/CURL
components/curl/patches/006-CVE-2016-3739.patch
components/curl/patches/007-CVE-2016-5419.patch
components/curl/patches/008-CVE-2016-5420.patch
components/curl/patches/011-CVE-2016-5421.patch
components/curl/patches/012-CVE-2016-7167.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/006-CVE-2016-3739.patch	Tue Oct 25 14:43:21 2016 -0700
@@ -0,0 +1,87 @@
+From dcd8c2a476eeebc29b36171bf52d6db4fa255a66 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Sun, 24 Apr 2016 17:52:18 +0200
+Subject: [PATCH] mbedtls/polarssl: set "hostname" unconditionally
+
+...as otherwise the TLS libs will skip the CN/SAN check and just allow
+connection to any server. curl previously skipped this function when SNI
+wasn't used or when connecting to an IP address specified host.
+
+CVE-2016-3739
+
+Bug: https://curl.haxx.se/docs/adv_20160518A.html
+Reported-by: Moti Avrahami
+---
+# This file is not delivered in 7.45.0, so comment it out.
+# lib/vtls/mbedtls.c  | 13 ++++++-------
+# lib/vtls/polarssl.c | 15 +++++++--------
+# 2 files changed, 13 insertions(+), 15 deletions(-)
+#
+#--- lib/vtls/mbedtls.c
+#+++ lib/vtls/mbedtls.c
+#@@ -389,17 +389,16 @@ mbed_connect_step1(struct connectdata *conn,
+# 
+#   if(data->set.str[STRING_KEY]) {
+#     mbedtls_ssl_conf_own_cert(&connssl->config,
+#                               &connssl->clicert, &connssl->pk);
+#   }
+#-  if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
+#-#ifdef ENABLE_IPV6
+#-     !Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
+#-#endif
+#-     sni && mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+#-    infof(data, "WARNING: failed to configure "
+#-          "server name indication (SNI) TLS extension\n");
+#+  if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+#+    /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
+#+       the name to set in the SNI extension. So even if curl connects to a
+#+       host specified as an IP address, this function must be used. */
+#+    failf(data, "couldn't set hostname in mbedTLS");
+#+    return CURLE_SSL_CONNECT_ERROR;
+#   }
+# 
+# #ifdef HAS_ALPN
+#   if(data->set.ssl_enable_alpn) {
+#     const char **p = &connssl->protocols[0];
+--- lib/vtls/polarssl.c
++++ lib/vtls/polarssl.c
[email protected]@ -3,11 +3,11 @@
+  *  Project                     ___| | | |  _ \| |
+  *                             / __| | | | |_) | |
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+  * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <[email protected]>
+- * Copyright (C) 2012 - 2015, Daniel Stenberg, <[email protected]>, et al.
++ * Copyright (C) 2012 - 2016, Daniel Stenberg, <[email protected]>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+  * are also available at http://curl.haxx.se/docs/copyright.html.
[email protected]@ -352,17 +352,16 @@ polarssl_connect_step1(struct connectdata *conn,
+                    conn->host.name);
+ 
+   ssl_set_own_cert_rsa(&connssl->ssl,
+                        &connssl->clicert, &connssl->rsa);
+ 
+-  if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
+-#ifdef ENABLE_IPV6
+-     !Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
+-#endif
+-     sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+-     infof(data, "WARNING: failed to configure "
+-                 "server name indication (SNI) TLS extension\n");
++  if(ssl_set_hostname(&connssl->ssl, conn->host.name)) {
++    /* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name
++       to set in the SNI extension. So even if curl connects to a host
++       specified as an IP address, this function must be used. */
++    failf(data, "couldn't set hostname in PolarSSL");
++    return CURLE_SSL_CONNECT_ERROR;
+   }
+ 
+ #ifdef HAS_ALPN
+   if(data->set.ssl_enable_alpn) {
+     static const char* protocols[3];
+-- 
+2.8.1
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/007-CVE-2016-5419.patch	Tue Oct 25 14:43:21 2016 -0700
@@ -0,0 +1,79 @@
+From 416ad90afc50d9cbcb50ba4ab28f88d260774f6d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Fri, 1 Jul 2016 13:32:31 +0200
+Subject: [PATCH] TLS: switch off SSL session id when client cert is used
+
+CVE-2016-5419
+Bug: https://curl.haxx.se/docs/adv_20160803A.html
+Reported-by: Bru Rom
+Contributions-by: Eric Rescorla and Ray Satiro
+---
+ lib/url.c       |  1 +
+ lib/urldata.h   |  1 +
+ lib/vtls/vtls.c | 10 ++++++++++
+ 3 files changed, 12 insertions(+)
+
+--- lib/url.c
++++ lib/url.c
[email protected]@ -6121,10 +6121,11 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+   data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
+   data->set.ssl.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+   data->set.ssl.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+   data->set.ssl.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
++  data->set.ssl.clientcert = data->set.str[STRING_CERT];
+ #ifdef USE_TLS_SRP
+   data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
+   data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+ #endif
+ 
+--- lib/urldata.h
++++ lib/urldata.h
[email protected]@ -349,10 +349,11 @@ struct ssl_config_data {
+   bool verifystatus;     /* set TRUE if certificate status must be checked */
+   char *CApath;          /* certificate dir (doesn't work on windows) */
+   char *CAfile;          /* certificate to verify peer against */
+   const char *CRLfile;   /* CRL to check certificate revocation */
+   const char *issuercert;/* optional issuer certificate filename */
++  char *clientcert;
+   char *random_file;     /* path to file containing "random" data */
+   char *egdsocket;       /* path to file containing the EGD daemon socket */
+   char *cipher_list;     /* list of ciphers to use */
+   size_t max_ssl_sessions; /* SSL session id cache size */
+   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+--- lib/vtls/vtls.c
++++ lib/vtls/vtls.c
[email protected]@ -154,20 +154,30 @@ Curl_clone_ssl_config(struct ssl_config_data *source,
+       return FALSE;
+   }
+   else
+     dest->random_file = NULL;
+ 
++  if(source->clientcert) {
++    dest->clientcert = strdup(source->clientcert);
++    if(!dest->clientcert)
++      return FALSE;
++    dest->sessionid = FALSE;
++  }
++  else
++    dest->clientcert = NULL;
++
+   return TRUE;
+ }
+ 
+ void Curl_free_ssl_config(struct ssl_config_data* sslc)
+ {
+   Curl_safefree(sslc->CAfile);
+   Curl_safefree(sslc->CApath);
+   Curl_safefree(sslc->cipher_list);
+   Curl_safefree(sslc->egdsocket);
+   Curl_safefree(sslc->random_file);
++  Curl_safefree(sslc->clientcert);
+ }
+ 
+ 
+ /*
+  * Curl_rand() returns a random unsigned integer, 32bit.
+-- 
+2.8.1
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/008-CVE-2016-5420.patch	Tue Oct 25 14:43:21 2016 -0700
@@ -0,0 +1,28 @@
+From f6474ff3bfb38c28b70b5ba01048edc41f654376 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Sun, 31 Jul 2016 00:51:48 +0200
+Subject: [PATCH] TLS: only reuse connections with the same client cert
+
+CVE-2016-5420
+Bug: https://curl.haxx.se/docs/adv_20160803B.html
+---
+ lib/vtls/vtls.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- lib/vtls/vtls.c
++++ lib/vtls/vtls.c
[email protected]@ -97,10 +97,11 @@ Curl_ssl_config_matches(struct ssl_config_data* data,
+   if((data->version == needle->version) &&
+      (data->verifypeer == needle->verifypeer) &&
+      (data->verifyhost == needle->verifyhost) &&
+      safe_strequal(data->CApath, needle->CApath) &&
+      safe_strequal(data->CAfile, needle->CAfile) &&
++     safe_strequal(data->clientcert, needle->clientcert) &&
+      safe_strequal(data->random_file, needle->random_file) &&
+      safe_strequal(data->egdsocket, needle->egdsocket) &&
+      safe_strequal(data->cipher_list, needle->cipher_list))
+     return TRUE;
+ 
+-- 
+2.8.1
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/011-CVE-2016-5421.patch	Tue Oct 25 14:43:21 2016 -0700
@@ -0,0 +1,33 @@
+From ccb7d79b62c8b15a6be446f9c9fd3767c01eb5b6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Sun, 31 Jul 2016 01:09:04 +0200
+Subject: [PATCH] curl_multi_cleanup: clear connection pointer for easy handles
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2016-5421
+Bug: https://curl.haxx.se/docs/adv_20160803C.html
+Reported-by: Marcelo Echeverria and Fernando Muñoz
+---
+ lib/multi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- lib/multi.c
++++ lib/multi.c
[email protected]@ -2155,10 +2155,12 @@ static void close_all_connections(struct Curl_multi *multi)
+   while(conn) {
+     SIGPIPE_VARIABLE(pipe_st);
+     conn->data = multi->closure_handle;
+ 
+     sigpipe_ignore(conn->data, &pipe_st);
++    conn->data->easy_conn = NULL; /* clear the easy handle's connection
++                                     pointer */
+     /* This will remove the connection from the cache */
+     (void)Curl_disconnect(conn, FALSE);
+     sigpipe_restore(&pipe_st);
+ 
+     conn = Curl_conncache_find_first_connection(&multi->conn_cache);
+-- 
+2.8.1
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/012-CVE-2016-7167.patch	Tue Oct 25 14:43:21 2016 -0700
@@ -0,0 +1,71 @@
+From bf0bb3849422c043f21f56fae57c1cf85e41a272 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Thu, 8 Sep 2016 22:59:54 +0200
+Subject: [PATCH] CVE-2016-7167: deny negative string length inputs
+
+Bug: https://curl.haxx.se/docs/adv_20160914.html
+---
+ lib/escape.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- lib/escape.c
++++ lib/escape.c
[email protected]@ -76,18 +76,24 @@ char *curl_unescape(const char *string, int length)
+ }
+ 
+ char *curl_easy_escape(CURL *handle, const char *string, int inlength)
+ {
+-  size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;
++  size_t alloc;
+   char *ns;
+   char *testing_ptr = NULL;
+   unsigned char in; /* we need to treat the characters unsigned */
+-  size_t newlen = alloc;
++  size_t newlen;
+   size_t strindex=0;
+   size_t length;
+   CURLcode result;
+ 
++  if(inlength < 0)
++    return NULL;
++
++  alloc = (inlength?(size_t)inlength:strlen(string))+1;
++  newlen = alloc;
++
+   ns = malloc(alloc);
+   if(!ns)
+     return NULL;
+ 
+   length = alloc-1;
[email protected]@ -209,18 +215,20 @@ CURLcode Curl_urldecode(struct Curl_easy *data,
+  */
+ char *curl_easy_unescape(CURL *handle, const char *string, int length,
+                          int *olen)
+ {
+   char *str = NULL;
+-  size_t inputlen = length;
+-  size_t outputlen;
+-  CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
+-                                FALSE);
+-  if(res)
+-    return NULL;
+-  if(olen)
+-    *olen = curlx_uztosi(outputlen);
++  if(length >= 0) {
++    size_t inputlen = length;
++    size_t outputlen;
++    CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
++                                  FALSE);
++    if(res)
++      return NULL;
++    if(olen)
++      *olen = curlx_uztosi(outputlen);
++  }
+   return str;
+ }
+ 
+ /* For operating systems/environments that use different malloc/free
+    systems for the app and for this library, we provide a free that uses
+-- 
+2.9.3
+