ALP-pool/curl
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 curl revision 371eb015288d2514d7714fccf7b9d161

Browse Source
This commit is contained in:
Adrian Schröter 2025-01-06 11:05:03 +01:00
parent 608f33c742
commit 0396dadbd3
3 changed files with 159 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

148
curl-CVE-2024-11053.patch Normal file
View File

@ -0,0 +1,148 @@
From e9b9bbac22c26cf67316fa8e6c6b9e831af31949 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 15 Nov 2024 11:06:36 +0100
Subject: [PATCH] netrc: address several netrc parser flaws
- make sure that a match that returns a username also returns a
password, that should be blank if no password is found
- fix handling of multiple logins for same host where the password/login
order might be reversed.
- reject credentials provided in the .netrc if they contain ASCII control
codes - if the used protocol does not support such (like HTTP and WS do)
Reported-by: Harry Sintonen
Add test 478, 479 and 480 to verify. Updated unit 1304.
Closes #15586
---
lib/netrc.c | 113 +++++++++++++++++++++++------------------
lib/url.c | 60 +++++++++++++++-------
tests/data/Makefile.am | 2 +-
tests/data/test478 | 73 ++++++++++++++++++++++++++
tests/data/test479 | 107 ++++++++++++++++++++++++++++++++++++++
tests/data/test480 | 38 ++++++++++++++
tests/unit/unit1304.c | 75 ++++++++-------------------
7 files changed, 345 insertions(+), 123 deletions(-)
create mode 100644 tests/data/test478
create mode 100644 tests/data/test479
create mode 100644 tests/data/test480
Index: curl-8.6.0/lib/netrc.c
===================================================================
--- curl-8.6.0.orig/lib/netrc.c
+++ curl-8.6.0/lib/netrc.c
@@ -238,6 +238,16 @@ static int parsenetrc(const char *host,
state = HOSTFOUND;
state_our_login = FALSE;
}
+ else if(strcasecompare("default", tok)) {
+ state = HOSTVALID;
+ retcode = NETRC_SUCCESS; /* we did find our host */
+ Curl_safefree(password);
+ if(!specific_login)
+ if(login_alloc) {
+ free(login);
+ login_alloc = FALSE;
+ }
+ }
break;
} /* switch (state) */
tok = ++tok_end;
@@ -245,6 +255,12 @@ static int parsenetrc(const char *host,
} /* while Curl_get_line() */
out:
+ if(!retcode && !password && state_our_login) {
+ /* success without a password, set a blank one */
+ password = strdup("");
+ if(!password)
+ retcode = 1; /* out of memory */
+ }
if(!retcode) {
/* success */
if(login_alloc) {
Index: curl-8.6.0/lib/url.c
===================================================================
--- curl-8.6.0.orig/lib/url.c
+++ curl-8.6.0/lib/url.c
@@ -2725,6 +2725,17 @@ static CURLcode parse_remote_port(struct
return CURLE_OK;
}
+static bool str_has_ctrl(const char *input)
+{
+ const unsigned char *str = (const unsigned char *)input;
+ while(*str) {
+ if(*str < 0x20)
+ return TRUE;
+ str++;
+ }
+ return FALSE;
+}
+
/*
* Override the login details from the URL with that in the CURLOPT_USERPWD
* option or a .netrc file, if applicable.
@@ -2755,29 +2766,40 @@ static CURLcode override_login(struct Cu
bool url_provided = FALSE;
if(data->state.aptr.user) {
- /* there was a user name in the URL. Use the URL decoded version */
+ /* there was a username with a length in the URL. Use the URL decoded
+ version */
userp = &data->state.aptr.user;
url_provided = TRUE;
}
- ret = Curl_parsenetrc(conn->host.name,
- userp, passwdp,
- data->set.str[STRING_NETRC_FILE]);
- if(ret > 0) {
- infof(data, "Couldn't find host %s in the %s file; using defaults",
- conn->host.name,
- (data->set.str[STRING_NETRC_FILE] ?
- data->set.str[STRING_NETRC_FILE] : ".netrc"));
- }
- else if(ret < 0) {
- failf(data, ".netrc parser error");
- return CURLE_READ_ERROR;
- }
- else {
- /* set bits.netrc TRUE to remember that we got the name from a .netrc
- file, so that it is safe to use even if we followed a Location: to a
- different host or similar. */
- conn->bits.netrc = TRUE;
+ if(!*passwdp) {
+ ret = Curl_parsenetrc(conn->host.name,
+ userp, passwdp,
+ data->set.str[STRING_NETRC_FILE]);
+ if(ret > 0) {
+ infof(data, "Couldn't find host %s in the %s file; using defaults",
+ conn->host.name,
+ (data->set.str[STRING_NETRC_FILE] ?
+ data->set.str[STRING_NETRC_FILE] : ".netrc"));
+ }
+ else if(ret < 0) {
+ failf(data, ".netrc parser error");
+ return CURLE_READ_ERROR;
+ }
+ else {
+ if(!(conn->handler->flags&PROTOPT_USERPWDCTRL)) {
+ /* if the protocol can't handle control codes in credentials, make
+ sure there are none */
+ if(str_has_ctrl(*userp) || str_has_ctrl(*passwdp)) {
+ failf(data, "control code detected in .netrc credentials");
+ return CURLE_READ_ERROR;
+ }
+ }
+ /* set bits.netrc TRUE to remember that we got the name from a .netrc
+ file, so that it is safe to use even if we followed a Location: to a
+ different host or similar. */
+ conn->bits.netrc = TRUE;
+ }
}
if(url_provided) {
Curl_safefree(conn->user);

9
curl.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Tue Dec 3 10:26:59 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1234068, CVE-2024-11053]
* curl could leak the password used for the first host to the
followed-to host under certain circumstances.
* netrc: address several netrc parser flaws
* Add curl-CVE-2024-11053.patch
-------------------------------------------------------------------
Wed Oct 30 09:37:28 UTC 2024 - Pedro Monreal <pmonreal@suse.com>

2
curl.spec
View File

@ -55,6 +55,8 @@ Patch11: curl-CVE-2024-8096.patch
Patch12: curl-aws_sigv4-url-encode-the-canonical-path.patch
#PATCH-FIX-UPSTREAM bsc#1232528 CVE-2024-9681 HSTS subdomain overwrites parent cache entry
Patch13: curl-CVE-2024-9681.patch
#PATCH-FIX-UPSTREAM bsc#1234068 CVE-2024-11053 netrc and redirect credential leak
Patch14: curl-CVE-2024-11053.patch
BuildRequires: libtool
BuildRequires: pkgconfig
Requires: libcurl4 = %{version}