ALP-pool/curl
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 curl revision 8a4f1ce967b13cdd614d591e7a8f95c7

Browse Source
This commit is contained in:
Adrian Schröter 2024-12-09 15:43:36 +01:00
parent ff050be848
commit 608f33c742
3 changed files with 105 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
curl-CVE-2024-9681.patch Normal file
View File

@ -0,0 +1,96 @@
From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 9 Oct 2024 10:04:35 +0200
Subject: [PATCH] hsts: improve subdomain handling
- on load, only replace existing HSTS entries if there is a full host match
- on matching, prefer a full host match and secondary the longest tail subdomain match
Closes #15210
---
lib/hsts.c | 14 ++++++++++----
tests/data/test1660 | 2 +-
2 files changed, 11 insertions(+), 5 deletions(-)
Index: curl-8.0.1/lib/hsts.c
===================================================================
--- curl-8.0.1.orig/lib/hsts.c
+++ curl-8.0.1/lib/hsts.c
@@ -248,12 +248,14 @@ CURLcode Curl_hsts_parse(struct hsts *h,
struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
bool subdomain)
{
+ struct stsentry *bestsub = NULL;
if(h) {
char buffer[MAX_HSTS_HOSTLEN + 1];
time_t now = time(NULL);
size_t hlen = strlen(hostname);
struct Curl_llist_element *e;
struct Curl_llist_element *n;
+ size_t blen = 0;
if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
return NULL;
@@ -266,6 +268,7 @@ struct stsentry *Curl_hsts(struct hsts *
for(e = h->list.head; e; e = n) {
struct stsentry *sts = e->ptr;
+ size_t ntail;
n = e->next;
if(sts->expires <= now) {
/* remove expired entries */
@@ -273,20 +276,23 @@ struct stsentry *Curl_hsts(struct hsts *
hsts_free(sts);
continue;
}
- if(subdomain && sts->includeSubDomains) {
- size_t ntail = strlen(sts->host);
- if(ntail < hlen) {
- size_t offs = hlen - ntail;
- if((hostname[offs-1] == '.') &&
- strncasecompare(&hostname[offs], sts->host, ntail))
- return sts;
+ ntail = strlen(sts->host);
+ if((subdomain && sts->includeSubDomains) && (ntail < hlen)) {
+ size_t offs = hlen - ntail;
+ if((hostname[offs-1] == '.') &&
+ strncasecompare(&hostname[offs], sts->host, ntail) &&
+ (ntail > blen)) {
+ /* save the tail match with the longest tail */
+ bestsub = sts;
+ blen = ntail;
}
}
- if(strcasecompare(hostname, sts->host))
+ /* avoid strcasecompare because the host name is not null terminated */
+ if((hlen == ntail) && strncasecompare(hostname, sts->host, hlen))
return sts;
}
}
- return NULL; /* no match */
+ return bestsub;
}
/*
@@ -438,7 +444,7 @@ static CURLcode hsts_add(struct hsts *h,
e = Curl_hsts(h, p, subdomain);
if(!e)
result = hsts_create(h, p, subdomain, expires);
- else {
+ else if(strcasecompare(p, e->host)) {
/* the same host name, use the largest expire time */
if(expires > e->expires)
e->expires = expires;
Index: curl-8.0.1/tests/data/test1660
===================================================================
--- curl-8.0.1.orig/tests/data/test1660
+++ curl-8.0.1/tests/data/test1660
@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
Input 12: error 43
Input 13: error 43
Input 14: error 43
-3.example.com [example.com]: 1569905261 includeSubDomains
+3.example.com [3.example.com]: 1569905261 includeSubDomains
3.example.com [example.com]: 1569905261 includeSubDomains
foo.example.com [example.com]: 1569905261 includeSubDomains
'foo.xample.com' is not HSTS

7
curl.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Oct 30 09:37:28 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1232528, CVE-2024-9681]
* HSTS subdomain overwrites parent cache entry
* Add curl-CVE-2024-9681.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Sep 17 10:15:48 UTC 2024 - Pedro Monreal <pmonreal@suse.com> Tue Sep 17 10:15:48 UTC 2024 - Pedro Monreal <pmonreal@suse.com>

2
curl.spec
View File

@ -53,6 +53,8 @@ Patch10: curl-CVE-2024-7264.patch
Patch11: curl-CVE-2024-8096.patch Patch11: curl-CVE-2024-8096.patch
#PATCH-FIX-UPSTREAM bsc#1230516 Make special characters in URL work with aws-sigv4 #PATCH-FIX-UPSTREAM bsc#1230516 Make special characters in URL work with aws-sigv4
Patch12: curl-aws_sigv4-url-encode-the-canonical-path.patch Patch12: curl-aws_sigv4-url-encode-the-canonical-path.patch
#PATCH-FIX-UPSTREAM bsc#1232528 CVE-2024-9681 HSTS subdomain overwrites parent cache entry
Patch13: curl-CVE-2024-9681.patch
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pkgconfig BuildRequires: pkgconfig
Requires: libcurl4 = %{version} Requires: libcurl4 = %{version}