fix CVE-2020-8177 and CVE-2020-8169

2020-08-04 13:40:36 +08:00 · 2020-08-04 13:40:36 +08:00 · d84b6499de
commit d84b6499de
parent 8da27392a6
3 changed files with 211 additions and 1 deletions
--- a/0001-tool_getparam-i-is-not-OK-if-J-is-used.patch
+++ b/0001-tool_getparam-i-is-not-OK-if-J-is-used.patch
@ -0,0 +1,65 @@
+From a923456e77edf732de8ad842ebe6e17d5d9e3a13 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 31 May 2020 23:09:59 +0200
+Subject: [PATCH 1/2] tool_getparam: -i is not OK if -J is used
+
+Reported-by: sn on hackerone
+Bug: https://curl.haxx.se/docs/CVE-2020-8177.html
+---
+ src/tool_cb_hdr.c   | 22 ++++------------------
+ src/tool_getparam.c |  5 +++++
+ 2 files changed, 9 insertions(+), 18 deletions(-)
+
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index 3b10238..b80707f 100644
+--- a/src/tool_cb_hdr.c
+++ b/src/tool_cb_hdr.c
+@@ -186,25 +186,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
+       filename = parse_filename(p, len);
+       if(filename) {
+         if(outs->stream) {
+-          int rc;
+-          /* already opened and possibly written to */
+-          if(outs->fopened)
+-            fclose(outs->stream);
+-          outs->stream = NULL;
+-
+-          /* rename the initial file name to the new file name */
+-          rc = rename(outs->filename, filename);
+-          if(rc != 0) {
+-            warnf(per->config->global, "Failed to rename %s -> %s: %s\n",
+-                  outs->filename, filename, strerror(errno));
+-          }
+-          if(outs->alloc_filename)
+-            Curl_safefree(outs->filename);
+-          if(rc != 0) {
+-            free(filename);
+-            return failure;
+-          }
+          /* indication of problem, get out! */
+          free(filename);
+          return failure;
+         }
+
+         outs->is_cd_filename = TRUE;
+         outs->s_isreg = TRUE;
+         outs->fopened = FALSE;
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 764caa2..c5c7429 100644
+--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
+@@ -1807,6 +1807,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+       }
+       break;
+     case 'i':
+      if(config->content_disposition) {
+        warnf(global,
+              "--include and --remote-header-name cannot be combined.\n");
+        return PARAM_BAD_USE;
+      }
+       config->show_headers = toggle; /* show the headers as well in the
+                                         general output stream */
+       break;
+-- 
+1.8.3.1
+
--- a/0002-url-make-the-updated-credentials-URL-encoded-in-the-.patch
+++ b/0002-url-make-the-updated-credentials-URL-encoded-in-the-.patch
@ -0,0 +1,137 @@
+From 0f3072ed6f40daa9d059b6c553979d42b6b566e2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 14 May 2020 14:37:12 +0200
+Subject: [PATCH 2/2] url: make the updated credentials URL-encoded in the URL
+
+Found-by: Gregory Jefferis
+Reported-by: Jeroen Ooms
+Added test 1168 to verify. Bug spotted when doing a redirect.
+Bug: https://github.com/jeroen/curl/issues/224
+Closes #5400
+---
+ lib/url.c               |  6 ++--
+ tests/data/Makefile.inc |  1 +
+ tests/data/test1168     | 78 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 83 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1168
+
+diff --git a/lib/url.c b/lib/url.c
+index 47fc66a..a826f8a 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -2776,12 +2776,14 @@ static CURLcode override_login(struct Curl_easy *data,
+ 
+   /* for updated strings, we update them in the URL */
+   if(user_changed) {
+-    uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0);
+    uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp,
+                      CURLU_URLENCODE);
+     if(uc)
+       return Curl_uc_to_curlcode(uc);
+   }
+   if(passwd_changed) {
+-    uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0);
+    uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp,
+                      CURLU_URLENCODE);
+     if(uc)
+       return Curl_uc_to_curlcode(uc);
+   }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 3d8565c..f9535a6 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -133,6 +133,7 @@ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
+ test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \
+ test1160 test1161 test1162 test1163 test1164 test1165 test1166 test1167 \
+test1168 \
+ \
+ test1170 test1171 test1172 test1173 test1174 test1175 test1176 \
+ \
+diff --git a/tests/data/test1168 b/tests/data/test1168
+new file mode 100644
+index 0000000..eb121ba
+--- /dev/null
+++ b/tests/data/test1168
+@@ -0,0 +1,78 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+followlocation
+</keywords>
+</info>
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 This is a weirdo text message swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Location: /data/11680002.txt
+Connection: close
+
+This server reply is for testing a simple Location: following
+
+</data>
+<data2>
+HTTP/1.1 200 Followed here fine swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 52
+
+If this is received, the location following worked
+
+</data2>
+<datacheck>
+HTTP/1.1 301 This is a weirdo text message swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Location: /data/11680002.txt
+Connection: close
+
+HTTP/1.1 200 Followed here fine swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 52
+
+If this is received, the location following worked
+
+</datacheck>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP redirect with credentials using # in user and password
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY"
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /want/1168 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
+Accept: */*
+
+GET /data/11680002.txt HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
+Accept: */*
+
+</protocol>
+</verify>
+</testcase>
+-- 
+1.8.3.1
+
--- a/curl.spec
+++ b/curl.spec
@ -6,7 +6,7 @@

 Name:           curl
 Version:        7.69.1
-Release:        1
+Release:        2
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@ -17,6 +17,8 @@ Patch6001:      0102-curl-7.36.0-debug.patch
 Patch6002:      0103-curl-7.59.0-python3.patch
 Patch6003:      0104-curl-7.19.7-localhost6.patch
 Patch6004:      0105-curl-7.63.0-lib1560-valgrind.patch
+Patch6005:      0001-tool_getparam-i-is-not-OK-if-J-is-used.patch 
+Patch6006:      0002-url-make-the-updated-credentials-URL-encoded-in-the-.patch 

 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libmetalink-devel libnghttp2-devel libpsl-devel
@ -156,6 +158,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*

 %changelog
+* Tue Aug 4 2020 hanzhijun <hanzhijun12@huawei.com> - 7.69.1-2
+- Type:cves
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2020-8177 CVE-2020-8169
+
 * Fri Apr 17 2020 songnannan <songnannan2@huawei.com> - 7.69.1-1
 - Type:bugfix
 - ID:NA