Sync from SUSE:ALP:Source:Standard:1.0 curl revision 371eb015288d2514d7714fccf7b9d161
This commit is contained in:
parent
608f33c742
commit
0396dadbd3
148
curl-CVE-2024-11053.patch
Normal file
148
curl-CVE-2024-11053.patch
Normal file
@ -0,0 +1,148 @@
|
|||||||
|
From e9b9bbac22c26cf67316fa8e6c6b9e831af31949 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Fri, 15 Nov 2024 11:06:36 +0100
|
||||||
|
Subject: [PATCH] netrc: address several netrc parser flaws
|
||||||
|
|
||||||
|
- make sure that a match that returns a username also returns a
|
||||||
|
password, that should be blank if no password is found
|
||||||
|
|
||||||
|
- fix handling of multiple logins for same host where the password/login
|
||||||
|
order might be reversed.
|
||||||
|
|
||||||
|
- reject credentials provided in the .netrc if they contain ASCII control
|
||||||
|
codes - if the used protocol does not support such (like HTTP and WS do)
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
|
||||||
|
Add test 478, 479 and 480 to verify. Updated unit 1304.
|
||||||
|
|
||||||
|
Closes #15586
|
||||||
|
---
|
||||||
|
lib/netrc.c | 113 +++++++++++++++++++++++------------------
|
||||||
|
lib/url.c | 60 +++++++++++++++-------
|
||||||
|
tests/data/Makefile.am | 2 +-
|
||||||
|
tests/data/test478 | 73 ++++++++++++++++++++++++++
|
||||||
|
tests/data/test479 | 107 ++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/data/test480 | 38 ++++++++++++++
|
||||||
|
tests/unit/unit1304.c | 75 ++++++++-------------------
|
||||||
|
7 files changed, 345 insertions(+), 123 deletions(-)
|
||||||
|
create mode 100644 tests/data/test478
|
||||||
|
create mode 100644 tests/data/test479
|
||||||
|
create mode 100644 tests/data/test480
|
||||||
|
|
||||||
|
Index: curl-8.6.0/lib/netrc.c
|
||||||
|
===================================================================
|
||||||
|
--- curl-8.6.0.orig/lib/netrc.c
|
||||||
|
+++ curl-8.6.0/lib/netrc.c
|
||||||
|
@@ -238,6 +238,16 @@ static int parsenetrc(const char *host,
|
||||||
|
state = HOSTFOUND;
|
||||||
|
state_our_login = FALSE;
|
||||||
|
}
|
||||||
|
+ else if(strcasecompare("default", tok)) {
|
||||||
|
+ state = HOSTVALID;
|
||||||
|
+ retcode = NETRC_SUCCESS; /* we did find our host */
|
||||||
|
+ Curl_safefree(password);
|
||||||
|
+ if(!specific_login)
|
||||||
|
+ if(login_alloc) {
|
||||||
|
+ free(login);
|
||||||
|
+ login_alloc = FALSE;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
} /* switch (state) */
|
||||||
|
tok = ++tok_end;
|
||||||
|
@@ -245,6 +255,12 @@ static int parsenetrc(const char *host,
|
||||||
|
} /* while Curl_get_line() */
|
||||||
|
|
||||||
|
out:
|
||||||
|
+ if(!retcode && !password && state_our_login) {
|
||||||
|
+ /* success without a password, set a blank one */
|
||||||
|
+ password = strdup("");
|
||||||
|
+ if(!password)
|
||||||
|
+ retcode = 1; /* out of memory */
|
||||||
|
+ }
|
||||||
|
if(!retcode) {
|
||||||
|
/* success */
|
||||||
|
if(login_alloc) {
|
||||||
|
Index: curl-8.6.0/lib/url.c
|
||||||
|
===================================================================
|
||||||
|
--- curl-8.6.0.orig/lib/url.c
|
||||||
|
+++ curl-8.6.0/lib/url.c
|
||||||
|
@@ -2725,6 +2725,17 @@ static CURLcode parse_remote_port(struct
|
||||||
|
return CURLE_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static bool str_has_ctrl(const char *input)
|
||||||
|
+{
|
||||||
|
+ const unsigned char *str = (const unsigned char *)input;
|
||||||
|
+ while(*str) {
|
||||||
|
+ if(*str < 0x20)
|
||||||
|
+ return TRUE;
|
||||||
|
+ str++;
|
||||||
|
+ }
|
||||||
|
+ return FALSE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Override the login details from the URL with that in the CURLOPT_USERPWD
|
||||||
|
* option or a .netrc file, if applicable.
|
||||||
|
@@ -2755,29 +2766,40 @@ static CURLcode override_login(struct Cu
|
||||||
|
bool url_provided = FALSE;
|
||||||
|
|
||||||
|
if(data->state.aptr.user) {
|
||||||
|
- /* there was a user name in the URL. Use the URL decoded version */
|
||||||
|
+ /* there was a username with a length in the URL. Use the URL decoded
|
||||||
|
+ version */
|
||||||
|
userp = &data->state.aptr.user;
|
||||||
|
url_provided = TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = Curl_parsenetrc(conn->host.name,
|
||||||
|
- userp, passwdp,
|
||||||
|
- data->set.str[STRING_NETRC_FILE]);
|
||||||
|
- if(ret > 0) {
|
||||||
|
- infof(data, "Couldn't find host %s in the %s file; using defaults",
|
||||||
|
- conn->host.name,
|
||||||
|
- (data->set.str[STRING_NETRC_FILE] ?
|
||||||
|
- data->set.str[STRING_NETRC_FILE] : ".netrc"));
|
||||||
|
- }
|
||||||
|
- else if(ret < 0) {
|
||||||
|
- failf(data, ".netrc parser error");
|
||||||
|
- return CURLE_READ_ERROR;
|
||||||
|
- }
|
||||||
|
- else {
|
||||||
|
- /* set bits.netrc TRUE to remember that we got the name from a .netrc
|
||||||
|
- file, so that it is safe to use even if we followed a Location: to a
|
||||||
|
- different host or similar. */
|
||||||
|
- conn->bits.netrc = TRUE;
|
||||||
|
+ if(!*passwdp) {
|
||||||
|
+ ret = Curl_parsenetrc(conn->host.name,
|
||||||
|
+ userp, passwdp,
|
||||||
|
+ data->set.str[STRING_NETRC_FILE]);
|
||||||
|
+ if(ret > 0) {
|
||||||
|
+ infof(data, "Couldn't find host %s in the %s file; using defaults",
|
||||||
|
+ conn->host.name,
|
||||||
|
+ (data->set.str[STRING_NETRC_FILE] ?
|
||||||
|
+ data->set.str[STRING_NETRC_FILE] : ".netrc"));
|
||||||
|
+ }
|
||||||
|
+ else if(ret < 0) {
|
||||||
|
+ failf(data, ".netrc parser error");
|
||||||
|
+ return CURLE_READ_ERROR;
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ if(!(conn->handler->flags&PROTOPT_USERPWDCTRL)) {
|
||||||
|
+ /* if the protocol can't handle control codes in credentials, make
|
||||||
|
+ sure there are none */
|
||||||
|
+ if(str_has_ctrl(*userp) || str_has_ctrl(*passwdp)) {
|
||||||
|
+ failf(data, "control code detected in .netrc credentials");
|
||||||
|
+ return CURLE_READ_ERROR;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ /* set bits.netrc TRUE to remember that we got the name from a .netrc
|
||||||
|
+ file, so that it is safe to use even if we followed a Location: to a
|
||||||
|
+ different host or similar. */
|
||||||
|
+ conn->bits.netrc = TRUE;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
if(url_provided) {
|
||||||
|
Curl_safefree(conn->user);
|
||||||
@ -1,3 +1,12 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Dec 3 10:26:59 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
- Security fix: [bsc#1234068, CVE-2024-11053]
|
||||||
|
* curl could leak the password used for the first host to the
|
||||||
|
followed-to host under certain circumstances.
|
||||||
|
* netrc: address several netrc parser flaws
|
||||||
|
* Add curl-CVE-2024-11053.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Oct 30 09:37:28 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
Wed Oct 30 09:37:28 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
|||||||
@ -55,6 +55,8 @@ Patch11: curl-CVE-2024-8096.patch
|
|||||||
Patch12: curl-aws_sigv4-url-encode-the-canonical-path.patch
|
Patch12: curl-aws_sigv4-url-encode-the-canonical-path.patch
|
||||||
#PATCH-FIX-UPSTREAM bsc#1232528 CVE-2024-9681 HSTS subdomain overwrites parent cache entry
|
#PATCH-FIX-UPSTREAM bsc#1232528 CVE-2024-9681 HSTS subdomain overwrites parent cache entry
|
||||||
Patch13: curl-CVE-2024-9681.patch
|
Patch13: curl-CVE-2024-9681.patch
|
||||||
|
#PATCH-FIX-UPSTREAM bsc#1234068 CVE-2024-11053 netrc and redirect credential leak
|
||||||
|
Patch14: curl-CVE-2024-11053.patch
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
Requires: libcurl4 = %{version}
|
Requires: libcurl4 = %{version}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user