From 2518e5b91e617bbfeab3c2a163102482843df5b8 Mon Sep 17 00:00:00 2001 From: eaglegai Date: Thu, 12 Aug 2021 10:05:43 +0800 Subject: [PATCH] fix CVE-2021-22925 CVE-2021-22926 --- backport-CVE-2021-22925.patch | 41 ++++++++++++++++++++ backport-CVE-2021-22926.patch | 70 +++++++++++++++++++++++++++++++++++ curl.spec | 10 ++++- 3 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2021-22925.patch create mode 100644 backport-CVE-2021-22926.patch diff --git a/backport-CVE-2021-22925.patch b/backport-CVE-2021-22925.patch new file mode 100644 index 0000000..f05caaa --- /dev/null +++ b/backport-CVE-2021-22925.patch @@ -0,0 +1,41 @@ +From 894f6ec730597eb243618d33cc84d71add8d6a8a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 12 Jun 2021 18:25:15 +0200 +Subject: [PATCH] telnet: fix option parser to not send uninitialized contents + +CVS-2021-22925 + +Reported-by: Red Hat Product Security +Bug: https://curl.se/docs/CVE-2021-22925.html +--- + lib/telnet.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 1d3024ec4d3e..a81bb81c3675 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -920,12 +920,17 @@ static void suboption(struct Curl_easy *data) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { +- msnprintf((char *)&temp[len], sizeof(temp) - len, +- "%c%s%c%s", CURL_NEW_ENV_VAR, varname, +- CURL_NEW_ENV_VALUE, varval); +- len += tmplen; +- } ++ int rv; ++ char sep[2] = ""; ++ varval[0] = 0; ++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval); ++ if(rv == 1) ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s", CURL_NEW_ENV_VAR, varname); ++ else if(rv >= 2) ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname, ++ CURL_NEW_ENV_VALUE, varval); + } + } + msnprintf((char *)&temp[len], sizeof(temp) - len, diff --git a/backport-CVE-2021-22926.patch b/backport-CVE-2021-22926.patch new file mode 100644 index 0000000..69dae75 --- /dev/null +++ b/backport-CVE-2021-22926.patch @@ -0,0 +1,70 @@ +From fd9b40bf8dfd43edcbc0d254d613d95a11061c05 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 21 Jun 2021 10:35:09 +0200 +Subject: [PATCH] sectransp: check for client certs by name first, then file + +CVE-2021-22926 + +Bug: https://curl.se/docs/CVE-2021-22926.html + +Assisted-by: Daniel Gustafsson +Reported-by: Harry Sintonen +--- + lib/vtls/sectransp.c | 33 +++++++++++++++++++-------------- + 1 file changed, 19 insertions(+), 14 deletions(-) + +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index 21ca0824bdf6..26b833dd2ac7 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -32,6 +32,7 @@ + #include "curl_base64.h" + #include "strtok.h" + #include "multiif.h" ++#include "strcase.h" + + #ifdef USE_SECTRANSP + +@@ -1869,24 +1870,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, + bool is_cert_file = (!is_cert_data) && is_file(ssl_cert); + SecIdentityRef cert_and_key = NULL; + +- /* User wants to authenticate with a client cert. Look for it: +- If we detect that this is a file on disk, then let's load it. +- Otherwise, assume that the user wants to use an identity loaded +- from the Keychain. */ +- if(is_cert_file || is_cert_data) { ++ /* User wants to authenticate with a client cert. Look for it. Assume that ++ the user wants to use an identity loaded from the Keychain. If not, try ++ it as a file on disk */ ++ ++ if(!is_cert_data) ++ err = CopyIdentityWithLabel(ssl_cert, &cert_and_key); ++ else ++ err = !noErr; ++ if((err != noErr) && (is_cert_file || is_cert_data)) { + if(!SSL_SET_OPTION(cert_type)) +- infof(data, "WARNING: SSL: Certificate type not set, assuming " +- "PKCS#12 format.\n"); +- else if(strncmp(SSL_SET_OPTION(cert_type), "P12", +- strlen(SSL_SET_OPTION(cert_type))) != 0) +- infof(data, "WARNING: SSL: The Security framework only supports " +- "loading identities that are in PKCS#12 format.\n"); ++ infof(data, "SSL: Certificate type not set, assuming " ++ "PKCS#12 format."); ++ else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) { ++ failf(data, "SSL: The Security framework only supports " ++ "loading identities that are in PKCS#12 format."); ++ return CURLE_SSL_CERTPROBLEM; ++ } + + err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob, +- SSL_SET_OPTION(key_passwd), &cert_and_key); ++ SSL_SET_OPTION(key_passwd), ++ &cert_and_key); + } +- else +- err = CopyIdentityWithLabel(ssl_cert, &cert_and_key); + + if(err == noErr && cert_and_key) { + SecCertificateRef cert = NULL; diff --git a/curl.spec b/curl.spec index bc57bab..a8716e2 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Name: curl Version: 7.71.1 -Release: 9 +Release: 10 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/ @@ -27,6 +27,8 @@ Patch113: backport-CVE-2021-22890.patch Patch114: backport-CVE-2021-22897.patch Patch115: backport-CVE-2021-22898.patch Patch116: backport-CVE-2021-22924.patch +Patch117: backport-CVE-2021-22925.patch +Patch118: backport-CVE-2021-22926.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libmetalink-devel libnghttp2-devel libpsl-devel @@ -168,6 +170,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Thu Aug 12 2021 gaihuiying - 7.71.1-10 +- Type:CVE +- CVE:CVE-2021-22925 CVE-2021-22926 +- SUG:NA +- DESC:fix CVE-2021-22925 CVE-2021-22926 + * Wed Jul 28 2021 quanhongfei - 7.71.1-9 - Type:CVE - CVE:CVE-2021-22924 -- Gitee