From e2f62cca90135eece1b0533e76a6e45912bed0f5 Mon Sep 17 00:00:00 2001 From: eaglegai Date: Tue, 20 Apr 2021 09:41:09 +0800 Subject: [PATCH] fix CVE-2021-22876 CVE-2021-22890 --- backport-CVE-2021-22876.patch | 150 +++++++++++ backport-CVE-2021-22890.patch | 455 ++++++++++++++++++++++++++++++++++ curl.spec | 10 +- 3 files changed, 614 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2021-22876.patch create mode 100644 backport-CVE-2021-22890.patch diff --git a/backport-CVE-2021-22876.patch b/backport-CVE-2021-22876.patch new file mode 100644 index 0000000..e4f0be7 --- /dev/null +++ b/backport-CVE-2021-22876.patch @@ -0,0 +1,150 @@ +From 7214288898f5625a6cc196e22a74232eada7861c Mon Sep 17 00:00:00 2001 +From: Viktor Szakats +Date: Tue, 23 Feb 2021 14:54:46 +0100 +Subject: [PATCH] transfer: strip credentials from the auto-referer header + field + +Added test 2081 to verify. + +CVE-2021-22876 + +Bug: https://curl.se/docs/CVE-2021-22876.html +--- + lib/transfer.c | 25 ++++++++++++++-- + tests/data/Makefile.inc | 2 +- + tests/data/test2081 | 66 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 90 insertions(+), 3 deletions(-) + create mode 100644 tests/data/test2081 + +diff --git a/lib/transfer.c b/lib/transfer.c +index 1976bc033..a68c021c8 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1582,6 +1582,9 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->set.followlocation++; /* count location-followers */ + + if(data->set.http_auto_referer) { ++ CURLU *u; ++ char *referer; ++ + /* We are asked to automatically set the previous URL as the referer + when we get the next URL. We pick the ->url field, which may or may + not be 100% correct */ +@@ -1591,9 +1594,27 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->change.referer_alloc = FALSE; + } + +- data->change.referer = strdup(data->change.url); +- if(!data->change.referer) ++ /* Make a copy of the URL without crenditals and fragment */ ++ u = curl_url(); ++ if(!u) ++ return CURLE_OUT_OF_MEMORY; ++ ++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0); ++ ++ curl_url_cleanup(u); ++ ++ if(uc || referer == NULL) + return CURLE_OUT_OF_MEMORY; ++ ++ data->change.referer = referer; + data->change.referer_alloc = TRUE; /* yes, free this later */ + } + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 2c7a0ca89..ea52683d2 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -221,7 +221,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \ + test2064 test2065 test2066 test2067 test2068 test2069 test2070 \ + test2071 test2072 test2073 test2074 test2075 test2076 test2077 \ + test2078 \ +-test2080 \ ++test2080 test2081 \ + test2100 \ + \ + test3000 test3001 \ +diff --git a/tests/data/test2081 b/tests/data/test2081 +new file mode 100644 +index 000000000..a6733e737 +--- /dev/null ++++ b/tests/data/test2081 +@@ -0,0 +1,66 @@ ++ ++ ++ ++HTTP ++HTTP GET ++referer ++followlocation ++--write-out ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 301 This is a weirdo text message swsclose ++Location: data/%TESTNUMBER0002.txt?coolsite=yes ++Content-Length: 62 ++Connection: close ++ ++This server reply is for testing a simple Location: following ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++Automatic referrer credential and anchor stripping check ++ ++ ++http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n' ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++52 ++ ++ ++GET /we/want/our/%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic dXNlcjpwYXNz ++User-Agent: curl/%VERSION ++Accept: */* ++ ++GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic dXNlcjpwYXNz ++User-Agent: curl/%VERSION ++Accept: */* ++Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER ++ ++ ++ ++HTTP/1.1 301 This is a weirdo text message swsclose ++Location: data/%TESTNUMBER0002.txt?coolsite=yes ++Content-Length: 62 ++Connection: close ++ ++http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER ++ ++ ++ +-- +2.23.0 + diff --git a/backport-CVE-2021-22890.patch b/backport-CVE-2021-22890.patch new file mode 100644 index 0000000..7525f09 --- /dev/null +++ b/backport-CVE-2021-22890.patch @@ -0,0 +1,455 @@ +Backport of: + +From e9c835dbd51f482f5d572e6fb33a0e8ef60c846b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 19 Mar 2021 12:38:49 +0100 +Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid() + +To make sure we set and extract the correct session. + +Reported-by: Mingtao Yang +Bug: https://curl.se/docs/CVE-2021-22890.html + +CVE-2021-22890 +--- + lib/vtls/bearssl.c | 8 +++++-- + lib/vtls/gtls.c | 12 ++++++---- + lib/vtls/mbedtls.c | 12 ++++++---- + lib/vtls/mesalink.c | 14 ++++++++---- + lib/vtls/openssl.c | 54 +++++++++++++++++++++++++++++++++----------- + lib/vtls/schannel.c | 10 ++++---- + lib/vtls/sectransp.c | 10 ++++---- + lib/vtls/vtls.c | 12 +++++++--- + lib/vtls/vtls.h | 2 ++ + lib/vtls/wolfssl.c | 13 +++++++---- + 10 files changed, 103 insertions(+), 44 deletions(-) + +--- a/lib/vtls/bearssl.c ++++ b/lib/vtls/bearssl.c +@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(st + void *session; + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &session, NULL, sockindex)) { + br_ssl_engine_set_session_parameters(&backend->ctx.eng, session); + infof(data, "BearSSL: re-using session ID\n"); + } +@@ -569,10 +570,12 @@ static CURLcode bearssl_connect_step3(st + return CURLE_OUT_OF_MEMORY; + br_ssl_engine_get_session_parameters(&backend->ctx.eng, session); + Curl_ssl_sessionid_lock(conn); +- incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex)); ++ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &oldsession, NULL, sockindex)); + if(incache) + Curl_ssl_delsessionid(conn, oldsession); +- ret = Curl_ssl_addsessionid(conn, session, 0, sockindex); ++ ret = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ session, 0, sockindex); + Curl_ssl_sessionid_unlock(conn); + if(ret) { + free(session); +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -732,7 +732,8 @@ gtls_connect_step1(struct connectdata *c + size_t ssl_idsize; + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, &ssl_idsize, sockindex)) { + /* we got a session id, use it! */ + gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); + +@@ -1291,7 +1292,8 @@ gtls_connect_step3(struct connectdata *c + gnutls_session_get_data(session, connect_sessionid, &connect_idsize); + + Curl_ssl_sessionid_lock(conn); +- incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, ++ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, + sockindex)); + if(incache) { + /* there was one before in the cache, so instead of risking that the +@@ -1300,7 +1302,8 @@ gtls_connect_step3(struct connectdata *c + } + + /* store this session id */ +- result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize, ++ result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ connect_sessionid, connect_idsize, + sockindex); + Curl_ssl_sessionid_unlock(conn); + if(result) { +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -464,7 +464,8 @@ mbed_connect_step1(struct connectdata *c + void *old_session = NULL; + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &old_session, NULL, sockindex)) { + ret = mbedtls_ssl_set_session(&backend->ssl, old_session); + if(ret) { + Curl_ssl_sessionid_unlock(conn); +@@ -727,6 +728,7 @@ mbed_connect_step3(struct connectdata *c + int ret; + mbedtls_ssl_session *our_ssl_sessionid; + void *old_ssl_sessionid = NULL; ++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; + + our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session)); + if(!our_ssl_sessionid) +@@ -745,10 +747,10 @@ mbed_connect_step3(struct connectdata *c + + /* If there's already a matching session in the cache, delete it */ + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)) ++ if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex)) + Curl_ssl_delsessionid(conn, old_ssl_sessionid); + +- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex); ++ retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, sockindex); + Curl_ssl_sessionid_unlock(conn); + if(retcode) { + mbedtls_ssl_session_free(our_ssl_sessionid); +--- a/lib/vtls/mesalink.c ++++ b/lib/vtls/mesalink.c +@@ -261,7 +261,8 @@ mesalink_connect_step1(struct connectdat + void *ssl_sessionid = NULL; + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! */ + if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { + Curl_ssl_sessionid_unlock(conn); +@@ -345,12 +346,14 @@ mesalink_connect_step3(struct connectdat + bool incache; + SSL_SESSION *our_ssl_sessionid; + void *old_ssl_sessionid = NULL; ++ bool inproxy = SSL_IS_PROXY() ? TRUE : FALSE; + + our_ssl_sessionid = SSL_get_session(BACKEND->handle); + + Curl_ssl_sessionid_lock(conn); + incache = +- !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)); ++ !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, ++ NULL, sockindex)); + if(incache) { + if(old_ssl_sessionid != our_ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -361,7 +364,7 @@ mesalink_connect_step3(struct connectdat + + if(!incache) { + result = Curl_ssl_addsessionid( +- conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); ++ conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex); + if(result) { + Curl_ssl_sessionid_unlock(conn); + failf(data, "failed to store ssl session"); +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -379,12 +379,23 @@ static int ossl_get_ssl_conn_index(void) + */ + static int ossl_get_ssl_sockindex_index(void) + { +- static int ssl_ex_data_sockindex_index = -1; +- if(ssl_ex_data_sockindex_index < 0) { +- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, +- NULL); ++ static int sockindex_index = -1; ++ if(sockindex_index < 0) { ++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } +- return ssl_ex_data_sockindex_index; ++ return sockindex_index; ++} ++ ++/* Return an extra data index for proxy boolean. ++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). ++ */ ++static int ossl_get_proxy_index(void) ++{ ++ static int proxy_index = -1; ++ if(proxy_index < 0) { ++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); ++ } ++ return proxy_index; + } + + static int passwd_callback(char *buf, int num, int encrypting, +@@ -1161,7 +1172,8 @@ static int Curl_ossl_init(void) + Curl_tls_keylog_open(); + + /* Initialize the extra data indexes */ +- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0) ++ if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 || ++ ossl_get_proxy_index() < 0) + return 0; + + return 1; +@@ -2445,8 +2457,10 @@ static int ossl_new_session_cb(SSL *ssl, + curl_socket_t *sockindex_ptr; + int connectdata_idx = ossl_get_ssl_conn_index(); + int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); ++ bool isproxy; + +- if(connectdata_idx < 0 || sockindex_idx < 0) ++ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) + return 0; + + conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); +@@ -2459,13 +2473,18 @@ static int ossl_new_session_cb(SSL *ssl, + sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); + sockindex = (int)(sockindex_ptr - conn->sock); + ++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE; ++ + if(SSL_SET_OPTION(primary.sessionid)) { + bool incache; + void *old_ssl_sessionid = NULL; + + Curl_ssl_sessionid_lock(conn); +- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, +- sockindex)); ++ if(isproxy) ++ incache = FALSE; ++ else ++ incache = !(Curl_ssl_getsessionid(conn, isproxy, ++ &old_ssl_sessionid, NULL, sockindex)); + if(incache) { + if(old_ssl_sessionid != ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); +@@ -2475,7 +2494,7 @@ static int ossl_new_session_cb(SSL *ssl, + } + + if(!incache) { +- if(!Curl_ssl_addsessionid(conn, ssl_sessionid, ++ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, + 0 /* unknown size */, sockindex)) { + /* the session has been put into the session cache */ + res = 1; +@@ -3189,16 +3208,24 @@ static CURLcode ossl_connect_step1(struc + void *ssl_sessionid = NULL; + int connectdata_idx = ossl_get_ssl_conn_index(); + int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); + +- if(connectdata_idx >= 0 && sockindex_idx >= 0) { ++ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) { + /* Store the data needed for the "new session" callback. + * The sockindex is stored as a pointer to an array element. */ + SSL_set_ex_data(backend->handle, connectdata_idx, conn); + SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); ++#ifndef CURL_DISABLE_PROXY ++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: ++ NULL); ++#else ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); ++#endif + } + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! */ + if(!SSL_set_session(backend->handle, ssl_sessionid)) { + Curl_ssl_sessionid_unlock(conn); +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -494,7 +494,8 @@ schannel_connect_step1(struct connectdat + /* check for an existing re-usable credential handle */ + if(SSL_SET_OPTION(primary.sessionid)) { + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ (void **)&old_cred, NULL, sockindex)) { + BACKEND->cred = old_cred; + DEBUGF(infof(data, "schannel: re-using existing credential handle\n")); + +@@ -1334,8 +1335,9 @@ schannel_connect_step3(struct connectdat + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + SECURITY_STATUS sspi_status = SEC_E_OK; + CERT_CONTEXT *ccert_context = NULL; ++ bool isproxy = SSL_IS_PROXY(); + #ifdef DEBUGBUILD +- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : ++ const char * const hostname = isproxy ? conn->http_proxy.host.name : + conn->host.name; + #endif + #ifdef HAS_ALPN +@@ -1411,7 +1413,7 @@ schannel_connect_step3(struct connectdat + struct curl_schannel_cred *old_cred = NULL; + + Curl_ssl_sessionid_lock(conn); +- incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, ++ incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL, + sockindex)); + if(incache) { + if(old_cred != BACKEND->cred) { +@@ -1423,7 +1425,7 @@ schannel_connect_step3(struct connectdat + } + } + if(!incache) { +- result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred, ++ result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred, + sizeof(struct curl_schannel_cred), + sockindex); + if(result) { +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -1400,7 +1400,8 @@ static CURLcode sectransp_connect_step1( + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); + char * const ssl_cert = SSL_SET_OPTION(cert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(cert_blob); +- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : ++ bool isproxy = SSL_IS_PROXY(); ++ const char * const hostname = isproxy ? conn->http_proxy.host.name : + conn->host.name; + const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; + #ifdef ENABLE_IPV6 +@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1( + + #ifdef USE_NGHTTP2 + if(data->set.httpversion >= CURL_HTTP_VERSION_2 && +- (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) { ++ (!isproxy || !conn->bits.tunnel_proxy) { + CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID)); + infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID); + } +@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1( + size_t ssl_sessionid_len; + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid, ++ if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid, + &ssl_sessionid_len, sockindex)) { + /* we got a session id, use it! */ + err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len); +@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1( + return CURLE_SSL_CONNECT_ERROR; + } + +- result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len, ++ result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, ssl_sessionid_len, + sockindex); + Curl_ssl_sessionid_unlock(conn); + if(result) { +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -361,6 +361,7 @@ void Curl_ssl_sessionid_unlock(struct co + * there's one suitable, it is provided. Returns TRUE when no entry matched. + */ + bool Curl_ssl_getsessionid(struct connectdata *conn, ++ const bool isProxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex) +@@ -372,7 +373,6 @@ bool Curl_ssl_getsessionid(struct connec + bool no_match = TRUE; + + #ifndef CURL_DISABLE_PROXY +- const bool isProxy = CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config = isProxy ? + &conn->proxy_ssl_config : + &conn->ssl_config; +@@ -384,10 +384,15 @@ bool Curl_ssl_getsessionid(struct connec + struct ssl_primary_config * const ssl_config = &conn->ssl_config; + const char * const name = conn->host.name; + int port = conn->remote_port; +- (void)sockindex; + #endif ++ (void)sockindex; + *ssl_sessionid = NULL; + ++#ifdef CURL_DISABLE_PROXY ++ if(isProxy) ++ return TRUE; ++#endif ++ + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); + + if(!SSL_SET_OPTION(primary.sessionid)) +@@ -475,6 +480,7 @@ void Curl_ssl_delsessionid(struct connec + * later on. + */ + CURLcode Curl_ssl_addsessionid(struct connectdata *conn, ++ bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex) +@@ -488,7 +494,6 @@ CURLcode Curl_ssl_addsessionid(struct co + int conn_to_port; + long *general_age; + #ifndef CURL_DISABLE_PROXY +- const bool isProxy = CONNECT_PROXY_SSL(); + struct ssl_primary_config * const ssl_config = isProxy ? + &conn->proxy_ssl_config : + &conn->ssl_config; +@@ -501,6 +506,7 @@ CURLcode Curl_ssl_addsessionid(struct co + const char *hostname = conn->host.name; + (void)sockindex; + #endif ++ (void)sockindex; + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); + + clone_host = strdup(hostname); +--- a/lib/vtls/vtls.h ++++ b/lib/vtls/vtls.h +@@ -217,6 +217,7 @@ void Curl_ssl_sessionid_unlock(struct co + * under sessionid mutex). + */ + bool Curl_ssl_getsessionid(struct connectdata *conn, ++ const bool isproxy, + void **ssl_sessionid, + size_t *idsize, /* set 0 if unknown */ + int sockindex); +@@ -226,6 +227,7 @@ bool Curl_ssl_getsessionid(struct connec + * object with cache (e.g. incrementing refcount on success) + */ + CURLcode Curl_ssl_addsessionid(struct connectdata *conn, ++ const bool isProxy, + void *ssl_sessionid, + size_t idsize, + int sockindex); +--- a/lib/vtls/wolfssl.c ++++ b/lib/vtls/wolfssl.c +@@ -505,7 +505,8 @@ wolfssl_connect_step1(struct connectdata + void *ssl_sessionid = NULL; + + Curl_ssl_sessionid_lock(conn); +- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { ++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { + /* we got a session id, use it! */ + if(!SSL_set_session(backend->handle, ssl_sessionid)) { + char error_buffer[WOLFSSL_MAX_ERROR_SZ]; +@@ -765,9 +766,10 @@ wolfssl_connect_step3(struct connectdata + void *old_ssl_sessionid = NULL; + + our_ssl_sessionid = SSL_get_session(backend->handle); ++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; + + Curl_ssl_sessionid_lock(conn); +- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, ++ incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, + sockindex)); + if(incache) { + if(old_ssl_sessionid != our_ssl_sessionid) { +@@ -778,7 +780,7 @@ wolfssl_connect_step3(struct connectdata + } + + if(!incache) { +- result = Curl_ssl_addsessionid(conn, our_ssl_sessionid, ++ result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, + 0 /* unknown size */, sockindex); + if(result) { + Curl_ssl_sessionid_unlock(conn); diff --git a/curl.spec b/curl.spec index b8599c1..56a6ead 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Name: curl Version: 7.71.1 -Release: 5 +Release: 6 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/ @@ -22,6 +22,8 @@ Patch108: 0108-curl-fix-CVE-2020-8231.patch Patch109: backport-CVE-2020-8284.patch Patch110: backport-CVE-2020-8285.patch Patch111: backport-CVE-2020-8286.patch +Patch112: backport-CVE-2021-22876.patch +Patch113: backport-CVE-2021-22890.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libmetalink-devel libnghttp2-devel libpsl-devel @@ -163,6 +165,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Tue Apr 20 2021 gaihuiying - 7.71.1-6 +- Type:CVE +- CVE:CVE-2021-22876 CVE-2021-22890 +- SUG:NA +- DESC:fix CVE-2021-22876 CVE-2021-22890 + * Mon Feb 1 2021 wangxiaopeng - 7.71.1-5 - Type:CVE - CVE:CVE-2020-8285 CVE-2020-8286 -- Gitee