From 9df82eb12853a163ecab4fe9555022f5d223fd11 Mon Sep 17 00:00:00 2001
From: quanhongfei <2506045831@qq.com>
Date: Mon, 28 Dec 2020 11:53:31 +0800
Subject: [PATCH] fix CVE-2020-8231
---
 backport-CVE-2020-8231.patch | 137 +++++++++++++++++++++++++++++++++++
 curl.spec | 9 ++-
 2 files changed, 145 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2020-8231.patch
diff --git a/backport-CVE-2020-8231.patch b/backport-CVE-2020-8231.patch
new file mode 100644
index 0000000..d549a1a
--- /dev/null
+++ b/backport-CVE-2020-8231.patch
@@ -0,0 +1,137 @@
+From 3c9e021f86872baae412a427e807fbfa2f3e8a22 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 16 Aug 2020 11:34:35 +0200
+Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer
+
+CVE-2020-8231
+
+Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
+
+Reported-by: Marc Aldorasi
+Closes #5824
+---
+ lib/connect.c | 19 ++++++++++---------
+ lib/easy.c | 3 +--
+ lib/multi.c | 9 +++++----
+ lib/url.c | 2 +-
+ lib/urldata.h | 2 +-
+ 5 files changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 313c23315dd..b000b1b2c2b 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -1363,15 +1363,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */
+ }
+
+ struct connfind {
+- struct connectdata *tofind;
+- bool found;
++ long id_tofind;
++ struct connectdata *found;
+ };
+
+ static int conn_is_conn(struct connectdata *conn, void *param)
+ {
+ struct connfind *f = (struct connfind *)param;
+- if(conn == f->tofind) {
+- f->found = TRUE;
++ if(conn->connection_id == f->id_tofind) {
++ f->found = conn;
+ return 1;
+ }
+ return 0;
+@@ -1393,21 +1393,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
+ * - that is associated with a multi handle, and whose connection
+ * was detached with CURLOPT_CONNECT_ONLY
+ */
+- if(data->state.lastconnect && (data->multi_easy || data->multi)) {
+- struct connectdata *c = data->state.lastconnect;
++ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
++ struct connectdata *c;
+ struct connfind find;
+- find.tofind = data->state.lastconnect;
+- find.found = FALSE;
++ find.id_tofind = data->state.lastconnect_id;
++ find.found = NULL;
+
+ Curl_conncache_foreach(data, data->multi_easy?
+ &data->multi_easy->conn_cache:
+ &data->multi->conn_cache, &find, conn_is_conn);
+
+ if(!find.found) {
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+ return CURL_SOCKET_BAD;
+ }
+
++ c = find.found;
+ if(connp) {
+ /* only store this if the caller cares for it */
+ *connp = c;
+diff --git a/lib/easy.c b/lib/easy.c
+index 292cca7f6f0..a69eb9e5675 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -838,8 +838,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+
+ /* the connection cache is setup on demand */
+ outcurl->state.conn_cache = NULL;
+-
+- outcurl->state.lastconnect = NULL;
++ outcurl->state.lastconnect_id = -1;
+
+ outcurl->progress.flags = data->progress.flags;
+ outcurl->progress.callback = data->progress.callback;
+diff --git a/lib/multi.c b/lib/multi.c
+index b3a75e13748..3c7fb85ed83 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -455,6 +455,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
+ data->state.conn_cache = &data->share->conn_cache;
+ else
+ data->state.conn_cache = &multi->conn_cache;
++ data->state.lastconnect_id = -1;
+
+ #ifdef USE_LIBPSL
+ /* Do the same for PSL. */
+@@ -677,11 +678,11 @@ static CURLcode multi_done(struct Curl_easy *data,
+ CONNCACHE_UNLOCK(data);
+ if(Curl_conncache_return_conn(data, conn)) {
+ /* remember the most recently used connection */
+- data->state.lastconnect = conn;
++ data->state.lastconnect_id = conn->connection_id;
+ infof(data, "%s\n", buffer);
+ }
+ else
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+ }
+
+ Curl_safefree(data->state.buffer);
+diff --git a/lib/url.c b/lib/url.c
+index a98aab27f2b..150667aa97f 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -630,7 +630,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
+ Curl_initinfo(data);
+
+ /* most recent connection is not yet defined */
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+
+ data->progress.flags |= PGRS_HIDE;
+ data->state.current_speed = -1; /* init to negative == impossible */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 8ddb580c896..0ae92692759 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1300,7 +1300,7 @@ struct UrlState {
+ /* buffers to store authentication data in, as parsed from input options */
+ struct curltime keeps_speed; /* for the progress meter really */
+
+- struct connectdata *lastconnect; /* The last connection, NULL if undefined */
++ long lastconnect_id; /* The last connection, -1 if undefined */
+ struct dynbuf headerb; /* buffer to store headers in */
+
+ char *buffer; /* download buffer */
diff --git a/curl.spec b/curl.spec
index ddde69f..1f5aab9 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@
 Name: curl
 Version: 7.71.1
-Release: 1
+Release: 2
 Summary: Curl is used in command lines or scripts to transfer data
 License: MIT
 URL: https://curl.haxx.se/
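Review bot: The backported file is a verbatim upstream cherry-pick whose `index` blobs and hunk offsets (e.g. `@@ -1363,15 +1363,15 @@` in lib/connect.c) come from upstream master rather than the 7.71.1 tree this spec builds, and two of its hunks are a single changed line surrounded only by context (the `data->state.lastconnect_id = -1;` insertion in curl_multi_add_handle and the `long lastconnect_id;` field swap in urldata.h), so if any context line differs in 7.71.1, patch fuzz could relocate the one-line insertion or reject the hunk; the %prep log should be checked for offset/fuzz messages on this patch. As far as the hunk shows, the fix is coherent: every site that previously stored the raw `lastconnect` pointer now stores the connection id, and the only reader resolves the id through Curl_conncache_foreach and resets it to -1 when no connection matches, which is what removes the dangling-pointer dereference behind CVE-2020-8231. One documentation nit for the backport: `f->found = conn;` in conn_is_conn hands a pointer owned by the connection cache back to Curl_getconnectinfo, and a short comment such as `/* borrowed pointer into the cache; not owned by the caller */` would make that lifetime explicit for the next reader.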
@@ -17,6 +17,7 @@ Patch102: 0102-curl-7.36.0-debug.patch
 Patch104: 0104-curl-7.19.7-localhost6.patch
 Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch
 Patch106: 0106-curl-fix-CVE-2019-15601.patch
+Patch107: backport-CVE-2020-8231.patch
 BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires: libidn2-devel libmetalink-devel libnghttp2-devel libpsl-devel
@@ -157,6 +158,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 %changelog
+* Mon Dec 28 2020 quanhongfei - 7.71.1-2
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2020-8231
+
 * Fri Aug 28 2020 xiaoweiwei - 7.71.1-1
 - Upgrade to 7.71.1
--
Gitee
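Review bot: `Patch107: backport-CVE-2020-8231.patch` is declared here, but the %prep section is outside this diff, so nothing visible shows the new patch actually being applied; if %prep lists patches explicitly rather than using `%autosetup -p1`, a matching `%patch107 -p1` line is required or the CVE fix silently never reaches the built library. The Release bump to 2 and the `7.71.1-2` changelog entry are consistent with each other.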