diff --git a/backport-CVE-2022-27781.patch b/backport-CVE-2022-27781.patch new file mode 100644 index 0000000..42b7ec4 --- /dev/null +++ b/backport-CVE-2022-27781.patch @@ -0,0 +1,42 @@ +Backport of: + +From 625924941cbd684c2a6b10d18aa6920a27c31db3 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 3 May 2022 09:24:56 +0200 +Subject: [PATCH] nss: return error if seemingly stuck in a cert loop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2022-27781 + +Reported-by: Florian Kohnhäuser +Bug: https://curl.se/docs/CVE-2022-27781.html +--- + lib/vtls/nss.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -949,6 +949,9 @@ static void display_cert_info(struct Cur + PR_Free(common_name); + } + ++/* A number of certs that will never occur in a real server handshake */ ++#define TOO_MANY_CERTS 300 ++ + static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) + { + CURLcode result = CURLE_OK; +@@ -985,6 +988,11 @@ static CURLcode display_conn_info(struct + cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); + while(cert2) { + i++; ++ if(i >= TOO_MANY_CERTS) { ++ CERT_DestroyCertificate(cert2); ++ failf(conn->data, "certificate loop"); ++ return CURLE_SSL_CERTPROBLEM; ++ } + if(cert2->isRoot) { + CERT_DestroyCertificate(cert2); + break; diff --git a/backport-CVE-2022-27782.patch b/backport-CVE-2022-27782.patch new file mode 100644 index 0000000..06acc69 --- /dev/null +++ b/backport-CVE-2022-27782.patch @@ -0,0 +1,476 @@ +Backport of: + +From 222b896a07ed1e183e7eacd6df10fc23264bd820 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 6 May 2022 10:48:58 +0200 +Subject: [PATCH 1/2] tls: check more TLS details for connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +--- + lib/setopt.c | 29 +++++++++++++++++------------ + lib/url.c | 23 ++++++++++++++++------- + lib/urldata.h | 13 +++++++------ + lib/vtls/gtls.c | 32 +++++++++++++++++--------------- + lib/vtls/openssl.c | 10 +++++----- + lib/vtls/vtls.c | 21 +++++++++++++++++++++ + 6 files changed, 83 insertions(+), 45 deletions(-) + +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2217,6 +2217,7 @@ CURLcode Curl_vsetopt(struct Curl_easy * + + case CURLOPT_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.ssl.enable_beast = + (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE); + data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); +@@ -2228,6 +2229,7 @@ CURLcode Curl_vsetopt(struct Curl_easy * + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.proxy_ssl.enable_beast = + (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE); + data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); +@@ -2643,49 +2645,52 @@ CURLcode Curl_vsetopt(struct Curl_easy * + case CURLOPT_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_PROXY_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], + va_arg(param, char *)); + #ifndef CURL_DISABLE_PROXY + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to ++ SRP */ + #endif + break; + case CURLOPT_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + case CURLOPT_PROXY_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], + va_arg(param, char *)); + #ifndef CURL_DISABLE_PROXY + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + #endif + break; + case CURLOPT_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #endif + #endif +--- a/lib/url.c ++++ b/lib/url.c +@@ -524,7 +524,7 @@ CURLcode Curl_init_userdefined(struct Cu + set->ssl.primary.verifypeer = TRUE; + set->ssl.primary.verifyhost = TRUE; + #ifdef USE_TLS_SRP +- set->ssl.authtype = CURL_TLSAUTH_NONE; ++ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; + #endif + set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth + type */ +@@ -1046,6 +1046,12 @@ static void prune_dead_connections(struc + } + } + ++static bool ssh_config_matches(struct connectdata *one, ++ struct connectdata *two) ++{ ++ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && ++ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); ++} + /* + * Given one filled in connection struct (named needle), this function should + * detect if there already is one that has all the significant details +@@ -1293,6 +1299,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ if(!ssh_config_matches(needle, check)) ++ continue; ++ } ++ + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY + || !needle->bits.httpproxy || needle->bits.tunnel_proxy +@@ -1696,11 +1707,17 @@ static struct connectdata *allocate_conn + conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; + conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; + conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; ++ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #ifndef CURL_DISABLE_PROXY + conn->proxy_ssl_config.verifystatus = + data->set.proxy_ssl.primary.verifystatus; + conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; + conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; ++ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #endif + conn->ip_version = data->set.ipver; + conn->bits.connect_only = data->set.connect_only; +@@ -3697,7 +3714,8 @@ static CURLcode create_conn(struct Curl_ + data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY]; + data->set.proxy_ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; +- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; ++ data->set.proxy_ssl.primary.CRLfile = ++ data->set.str[STRING_SSL_CRLFILE_PROXY]; + data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; + data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; + data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; +@@ -3705,19 +3723,21 @@ static CURLcode create_conn(struct Curl_ + data->set.proxy_ssl.cert_blob = data->set.blobs[BLOB_CERT_PROXY]; + data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; + #endif +- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; ++ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; + data->set.ssl.cert = data->set.str[STRING_CERT_ORIG]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; + data->set.ssl.key = data->set.str[STRING_KEY_ORIG]; + data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG]; + data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_ORIG]; + data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG]; + #ifdef USE_TLS_SRP +- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; +- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; ++ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; ++ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; + #ifndef CURL_DISABLE_PROXY +- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; +- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; ++ data->set.proxy_ssl.primary.username = ++ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; ++ data->set.proxy_ssl.primary.password = ++ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + #endif + +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -228,8 +228,15 @@ struct ssl_primary_config { + char *cipher_list; /* list of ciphers to use */ + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; ++ char *CRLfile; /* CRL to check certificate revocation */ + struct curl_blob *cert_blob; + struct curl_blob *issuercert_blob; ++#ifdef USE_TLS_SRP ++ char *username; /* TLS username (for, e.g., SRP) */ ++ char *password; /* TLS password (for, e.g., SRP) */ ++ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ ++#endif ++ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ + BIT(verifystatus); /* set TRUE if certificate status must be checked */ +@@ -240,7 +247,6 @@ struct ssl_primary_config { + struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ +- char *CRLfile; /* CRL to check certificate revocation */ + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert; /* client certificate file name */ +@@ -248,11 +254,6 @@ struct ssl_config_data { + struct curl_blob *key_blob; + char *key_type; /* format for private key (default: PEM) */ + char *key_passwd; /* plain text private key password */ +-#ifdef USE_TLS_SRP +- char *username; /* TLS username (for, e.g., SRP) */ +- char *password; /* TLS password (for, e.g., SRP) */ +- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ +-#endif + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); + BIT(enable_beast); /* allow this flaw for interoperability's sake*/ +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -428,9 +428,10 @@ gtls_connect_step1(struct connectdata *c + } + + #ifdef USE_TLS_SRP +- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && ++ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username)); ++ infof(data, "Using TLS-SRP username: %s\n", ++ SSL_SET_OPTION(primary.username)); + + rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -440,8 +441,8 @@ gtls_connect_step1(struct connectdata *c + } + + rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, +- SSL_SET_OPTION(username), +- SSL_SET_OPTION(password)); ++ SSL_SET_OPTION(primary.username), ++ SSL_SET_OPTION(primary.password)); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_srp_set_client_cred() failed: %s", + gnutls_strerror(rc)); +@@ -497,19 +498,19 @@ gtls_connect_step1(struct connectdata *c + } + #endif + +- if(SSL_SET_OPTION(CRLfile)) { ++ if(SSL_SET_OPTION(primary.CRLfile)) { + /* set the CRL list file */ + rc = gnutls_certificate_set_x509_crl_file(backend->cred, +- SSL_SET_OPTION(CRLfile), ++ SSL_SET_OPTION(primary.CRLfile), + GNUTLS_X509_FMT_PEM); + if(rc < 0) { + failf(data, "error reading crl file %s (%s)", +- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); ++ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); + return CURLE_SSL_CRL_BADFILE; + } + else + infof(data, "found %d CRL in %s\n", +- rc, SSL_SET_OPTION(CRLfile)); ++ rc, SSL_SET_OPTION(primary.CRLfile)); + } + + /* Initialize TLS session as a client */ +@@ -584,7 +585,7 @@ gtls_connect_step1(struct connectdata *c + #ifdef USE_TLS_SRP + /* Only add SRP to the cipher list if SRP is requested. Otherwise + * GnuTLS will disable TLS 1.3 support. */ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + size_t len = strlen(prioritylist); + + char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); +@@ -676,7 +677,7 @@ gtls_connect_step1(struct connectdata *c + + #ifdef USE_TLS_SRP + /* put the credentials to the current session */ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, + backend->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -857,8 +858,8 @@ gtls_connect_step3(struct connectdata *c + SSL_CONN_CONFIG(verifyhost) || + SSL_CONN_CONFIG(issuercert)) { + #ifdef USE_TLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) + && !SSL_CONN_CONFIG(verifypeer) + && gnutls_cipher_get(session)) { + /* no peer cert, but auth is ok if we have SRP user and cipher and no +@@ -916,7 +917,8 @@ gtls_connect_step3(struct connectdata *c + failf(data, "server certificate verification failed. CAfile: %s " + "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): + "none", +- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); ++ SSL_SET_OPTION(primary.CRLfile) ? ++ SSL_SET_OPTION(primary.CRLfile) : "none"); + return CURLE_PEER_FAILED_VERIFICATION; + } + else +@@ -1520,8 +1522,8 @@ static int Curl_gtls_shutdown(struct con + gnutls_certificate_free_credentials(backend->cred); + + #ifdef USE_TLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL) ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL) + gnutls_srp_free_client_credentials(backend->srp_client_cred); + #endif + +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2531,7 +2531,7 @@ static CURLcode ossl_connect_step1(struc + #endif + const long int ssl_version = SSL_CONN_CONFIG(version); + #ifdef USE_TLS_SRP +- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); ++ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); + #endif + char * const ssl_cert = SSL_SET_OPTION(cert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(cert_blob); +@@ -2539,7 +2539,7 @@ static CURLcode ossl_connect_step1(struc + const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + char error_buffer[256]; + struct ssl_backend_data *backend = connssl->backend; + bool imported_native_ca = false; +@@ -2858,15 +2858,15 @@ static CURLcode ossl_connect_step1(struc + #ifdef USE_TLS_SRP + if((ssl_authtype == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- char * const ssl_username = SSL_SET_OPTION(username); +- ++ char * const ssl_username = SSL_SET_OPTION(primary.username); ++ char * const ssl_password = SSL_SET_OPTION(primary.password); + infof(data, "Using TLS-SRP username: %s\n", ssl_username); + + if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { + failf(data, "Unable to set SRP user name"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { ++ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { + failf(data, "failed setting SRP password"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -128,6 +128,7 @@ Curl_ssl_config_matches(struct ssl_prima + { + if((data->version == needle->version) && + (data->version_max == needle->version_max) && ++ (data->ssl_options == needle->ssl_options) && + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && +@@ -139,8 +140,14 @@ Curl_ssl_config_matches(struct ssl_prima + Curl_safecmp(data->clientcert, needle->clientcert) && + Curl_safecmp(data->random_file, needle->random_file) && + Curl_safecmp(data->egdsocket, needle->egdsocket) && ++#ifdef USE_TLS_SRP ++ Curl_safecmp(data->username, needle->username) && ++ Curl_safecmp(data->password, needle->password) && ++ (data->authtype == needle->authtype) && ++#endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && ++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) + return TRUE; + +@@ -158,6 +165,10 @@ Curl_clone_primary_ssl_config(struct ssl + dest->verifyhost = source->verifyhost; + dest->verifystatus = source->verifystatus; + dest->sessionid = source->sessionid; ++ dest->ssl_options = source->ssl_options; ++#ifdef USE_TLS_SRP ++ dest->authtype = source->authtype; ++#endif + + CLONE_BLOB(cert_blob); + CLONE_BLOB(issuercert_blob); +@@ -171,6 +182,11 @@ Curl_clone_primary_ssl_config(struct ssl + CLONE_STRING(cipher_list); + CLONE_STRING(cipher_list13); + CLONE_STRING(pinned_key); ++ CLONE_STRING(CRLfile); ++#ifdef USE_TLS_SRP ++ CLONE_STRING(username); ++ CLONE_STRING(password); ++#endif + + return TRUE; + } +@@ -189,6 +205,11 @@ void Curl_free_primary_ssl_config(struct + Curl_safefree(sslc->pinned_key); + Curl_safefree(sslc->cert_blob); + Curl_safefree(sslc->issuercert_blob); ++ Curl_safefree(sslc->CRLfile); ++#ifdef USE_TLS_SRP ++ Curl_safefree(sslc->username); ++ Curl_safefree(sslc->password); ++#endif + } + + #ifdef USE_SSL +--- a/lib/vssh/ssh.h ++++ b/lib/vssh/ssh.h +@@ -120,8 +120,8 @@ struct ssh_conn { + + /* common */ + const char *passphrase; /* pass-phrase to use */ +- char *rsa_pub; /* path name */ +- char *rsa; /* path name */ ++ char *rsa_pub; /* strdup'ed public key file */ ++ char *rsa; /* strdup'ed private key file */ + bool authed; /* the connection has been authenticated fine */ + sshstate state; /* always use ssh.c:state() to change state! */ + sshstate nextstate; /* the state to goto after stopping */ +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -1964,13 +1964,13 @@ static CURLcode nss_setup_connect(struct + } + } + +- if(SSL_SET_OPTION(CRLfile)) { +- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); ++ if(SSL_SET_OPTION(primary.CRLfile)) { ++ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); + if(rv) { + result = rv; + goto error; + } +- infof(data, " CRLfile: %s\n", SSL_SET_OPTION(CRLfile)); ++ infof(data, " CRLfile: %s\n", SSL_SET_OPTION(primary.CRLfile)); + } + + if(SSL_SET_OPTION(cert)) { +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index 975094f4fa795..b60b9cac50d4f 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + char * const ssl_cert = SSL_SET_OPTION(cert); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + #ifndef CURL_DISABLE_PROXY + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; diff --git a/backport-pre-CVE-2022-27782.patch b/backport-pre-CVE-2022-27782.patch new file mode 100644 index 0000000..ca21749 --- /dev/null +++ b/backport-pre-CVE-2022-27782.patch @@ -0,0 +1,32 @@ +From 093531556203decd92d92bccd431edbe5561781c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 26 Apr 2022 07:46:19 +0200 +Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects + +Follow-up to 620ea21410030 and 139a54ed0a172a + +Reported-by: Harry Sintonen +Closes #8752 +--- + lib/vtls/gtls.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 9c3a68f0ac6b..0535011911d5 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -445,11 +445,11 @@ gtls_connect_step1(struct Curl_easy *data, + } + + #ifdef USE_TLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && ++ Curl_allow_auth_to_host(data)) { + infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username)); + +- rc = gnutls_srp_allocate_client_credentials( +- &backend->srp_client_cred); ++ rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_srp_allocate_client_cred() failed: %s", + gnutls_strerror(rc)); diff --git a/curl.spec b/curl.spec index f90fae0..5c11eda 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Name: curl Version: 7.71.1 -Release: 13 +Release: 14 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/ @@ -39,6 +39,9 @@ Patch125: backport-CVE-2022-27776.patch Patch126: backport-pre-CVE-2022-27774.patch Patch127: backport-001-CVE-2022-27774.patch Patch128: backport-002-CVE-2022-27774.patch +Patch129: backport-CVE-2022-27781.patch +Patch130: backport-pre-CVE-2022-27782.patch +Patch131: backport-CVE-2022-27782.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel @@ -180,6 +183,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Tue May 17 2022 gaihuiying - 7.71.1-14 +- Type:cves +- CVE:CVE-2022-27781 CVE-2022-27782 +- SUG:NA +- DESC:fix CVE-2022-27781 CVE-2022-27782 + * Fri May 06 2022 gaihuiying - 7.71.1-13 - Type:cves - CVE:CVE-2022-22576 CVE-2022-27774 CVE-2022-27775 CVE-2022-27776