From 7c39b71b78ffc64a456872769b341cfc662e747d Mon Sep 17 00:00:00 2001 From: Trevor Gamblin Date: Tue, 1 Jun 2021 11:09:28 -0400 Subject: curl: fix CVE-2021-22876 Backport and modify the patch for CVE-2021-22876 from curl 7.76 to make it apply cleanly on 7.75. CVE: CVE-2021-22876 Signed-off-by: Trevor Gamblin Signed-off-by: Richard Purdie --- ...rip-credentials-from-the-auto-referer-hea.patch | 152 +++++++++++++++++++++ meta/recipes-support/curl/curl_7.75.0.bb | 1 + 2 files changed, 153 insertions(+) create mode 100644 meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch (limited to 'meta') diff --git a/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch b/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch new file mode 100644 index 0000000000..6c4f6f2f48 --- /dev/null +++ b/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch @@ -0,0 +1,152 @@ +From 21f6cf63939111d8d76d3a4c07f2cd2fe6cb78f8 Mon Sep 17 00:00:00 2001 +From: Trevor Gamblin +Date: Tue, 1 Jun 2021 09:59:20 -0400 +Subject: [PATCH 2/2] transfer: strip credentials from the auto-referer header + field + +Added test 2081 to verify. + +CVE-2021-22876 + +Bug: https://curl.se/docs/CVE-2021-22876.html + +Signed-off-by: Trevor Gamblin +--- + lib/transfer.c | 25 ++++++++++++++-- + tests/data/Makefile.inc | 2 +- + tests/data/test2081 | 66 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 90 insertions(+), 3 deletions(-) + create mode 100644 tests/data/test2081 + +diff --git a/lib/transfer.c b/lib/transfer.c +index 2f29b29d8..c641a1d47 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1565,6 +1565,9 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->set.followlocation++; /* count location-followers */ + + if(data->set.http_auto_referer) { ++ CURLU *u; ++ char *referer; ++ + /* We are asked to automatically set the previous URL as the referer + when we get the next URL. We pick the ->url field, which may or may + not be 100% correct */ +@@ -1574,9 +1577,27 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->change.referer_alloc = FALSE; + } + +- data->change.referer = strdup(data->change.url); +- if(!data->change.referer) ++ /* Make a copy of the URL without crenditals and fragment */ ++ u = curl_url(); ++ if(!u) ++ return CURLE_OUT_OF_MEMORY; ++ ++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0); ++ ++ curl_url_cleanup(u); ++ ++ if(uc || referer == NULL) + return CURLE_OUT_OF_MEMORY; ++ ++ data->change.referer = referer; + data->change.referer_alloc = TRUE; /* yes, free this later */ + } + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 5ebf049b8..e08cfc7ee 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -223,7 +223,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \ + test2064 test2065 test2066 test2067 test2068 test2069 test2070 \ + test2071 test2072 test2073 test2074 test2075 test2076 test2077 \ + test2078 \ +-test2080 \ ++test2080 test2081\ + test2100 \ + \ + test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \ +diff --git a/tests/data/test2081 b/tests/data/test2081 +new file mode 100644 +index 000000000..7e74f5766 +--- /dev/null ++++ b/tests/data/test2081 +@@ -0,0 +1,66 @@ ++ ++ ++ ++HTTP ++HTTP GET ++referer ++followlocation ++--write-out ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 301 This is a weirdo text message swsclose ++Location: data/%TESTNUMBER0002.txt?coolsite=yes ++Content-Length: 62 ++Connection: close ++ ++This server reply is for testing a simple Location: following ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++Automatic referrer credential and anchor stripping check ++ ++ ++http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n' ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++52 ++ ++ ++GET /we/want/our/%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic dXNlcjpwYXNz ++User-Agent: curl/%VERSION ++Accept: */* ++ ++GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic dXNlcjpwYXNz ++User-Agent: curl/%VERSION ++Accept: */* ++Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER ++ ++ ++ ++HTTP/1.1 301 This is a weirdo text message swsclose ++Location: data/%TESTNUMBER0002.txt?coolsite=yes ++Content-Length: 62 ++Connection: close ++ ++http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER ++ ++ ++ +-- +2.31.1 + diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb index 428b8cd9e3..7c7b363ae3 100644 --- a/meta/recipes-support/curl/curl_7.75.0.bb +++ b/meta/recipes-support/curl/curl_7.75.0.bb @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b" SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://0001-replace-krb5-config-with-pkg-config.patch \ file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch \ + file://0002-transfer-strip-credentials-from-the-auto-referer-hea.patch \ " SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026" -- cgit 1.2.3-korg