Sync from SUSE:ALP:Source:Standard:1.0 curl revision 8a4f1ce967b13cdd614d591e7a8f95c7

2024-12-09 15:43:36 +01:00 · 2024-12-09 15:43:36 +01:00 · 608f33c742
commit 608f33c742
parent ff050be848
3 changed files with 105 additions and 0 deletions
--- a/curl-CVE-2024-9681.patch
+++ b/curl-CVE-2024-9681.patch
@ -0,0 +1,96 @@
+From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 9 Oct 2024 10:04:35 +0200
+Subject: [PATCH] hsts: improve subdomain handling
+
+ - on load, only replace existing HSTS entries if there is a full host match
+ - on matching, prefer a full host match and secondary the longest tail subdomain match
+
+Closes #15210
+---
+ lib/hsts.c          | 14 ++++++++++----
+ tests/data/test1660 |  2 +-
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+Index: curl-8.0.1/lib/hsts.c
+===================================================================
+--- curl-8.0.1.orig/lib/hsts.c
+++ curl-8.0.1/lib/hsts.c
+@@ -248,12 +248,14 @@ CURLcode Curl_hsts_parse(struct hsts *h,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
+  struct stsentry *bestsub = NULL;
+   if(h) {
+     char buffer[MAX_HSTS_HOSTLEN + 1];
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+     struct Curl_llist_element *n;
+    size_t blen = 0;
+ 
+     if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+       return NULL;
+@@ -266,6 +268,7 @@ struct stsentry *Curl_hsts(struct hsts *
+ 
+     for(e = h->list.head; e; e = n) {
+       struct stsentry *sts = e->ptr;
+      size_t ntail;
+       n = e->next;
+       if(sts->expires <= now) {
+         /* remove expired entries */
+@@ -273,20 +276,23 @@ struct stsentry *Curl_hsts(struct hsts *
+         hsts_free(sts);
+         continue;
+       }
+-      if(subdomain && sts->includeSubDomains) {
+-        size_t ntail = strlen(sts->host);
+-        if(ntail < hlen) {
+-          size_t offs = hlen - ntail;
+-          if((hostname[offs-1] == '.') &&
+-             strncasecompare(&hostname[offs], sts->host, ntail))
+-            return sts;
+      ntail = strlen(sts->host);
+      if((subdomain && sts->includeSubDomains) && (ntail < hlen)) {
+        size_t offs = hlen - ntail;
+        if((hostname[offs-1] == '.') &&
+           strncasecompare(&hostname[offs], sts->host, ntail) &&
+           (ntail > blen)) {
+          /* save the tail match with the longest tail */
+          bestsub = sts;
+          blen = ntail;
+         }
+       }
+-      if(strcasecompare(hostname, sts->host))
+      /* avoid strcasecompare because the host name is not null terminated */
+      if((hlen == ntail) && strncasecompare(hostname, sts->host, hlen))
+         return sts;
+     }
+   }
+-  return NULL; /* no match */
+  return bestsub;
+ }
+ 
+ /*
+@@ -438,7 +444,7 @@ static CURLcode hsts_add(struct hsts *h,
+     e = Curl_hsts(h, p, subdomain);
+     if(!e)
+       result = hsts_create(h, p, subdomain, expires);
+-    else {
+    else if(strcasecompare(p, e->host)) {
+       /* the same host name, use the largest expire time */
+       if(expires > e->expires)
+         e->expires = expires;
+Index: curl-8.0.1/tests/data/test1660
+===================================================================
+--- curl-8.0.1.orig/tests/data/test1660
+++ curl-8.0.1/tests/data/test1660
+@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
+ Input 12: error 43
+ Input 13: error 43
+ Input 14: error 43
+-3.example.com [example.com]: 1569905261 includeSubDomains
+3.example.com [3.example.com]: 1569905261 includeSubDomains
+ 3.example.com [example.com]: 1569905261 includeSubDomains
+ foo.example.com [example.com]: 1569905261 includeSubDomains
+ 'foo.xample.com' is not HSTS
--- a/curl.changes
+++ b/curl.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Oct 30 09:37:28 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1232528, CVE-2024-9681]
+  * HSTS subdomain overwrites parent cache entry
+  * Add curl-CVE-2024-9681.patch
+
 -------------------------------------------------------------------
 Tue Sep 17 10:15:48 UTC 2024 - Pedro Monreal <pmonreal@suse.com>

--- a/curl.spec
+++ b/curl.spec
@ -53,6 +53,8 @@ Patch10:        curl-CVE-2024-7264.patch
 Patch11:        curl-CVE-2024-8096.patch
 #PATCH-FIX-UPSTREAM bsc#1230516 Make special characters in URL work with aws-sigv4
 Patch12:        curl-aws_sigv4-url-encode-the-canonical-path.patch
+#PATCH-FIX-UPSTREAM bsc#1232528 CVE-2024-9681 HSTS subdomain overwrites parent cache entry
+Patch13:        curl-CVE-2024-9681.patch
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 Requires:       libcurl4 = %{version}