From d84b6499de5de316f27067f9b9bf9f84be645c7c Mon Sep 17 00:00:00 2001 From: hanzj0122_admin <961123325@gmail.com> Date: Tue, 4 Aug 2020 13:40:36 +0800 Subject: [PATCH] fix CVE-2020-8177 and CVE-2020-8169 --- ...ol_getparam-i-is-not-OK-if-J-is-used.patch | 65 +++++++++ ...ated-credentials-URL-encoded-in-the-.patch | 137 ++++++++++++++++++ curl.spec | 10 +- 3 files changed, 211 insertions(+), 1 deletion(-) create mode 100644 0001-tool_getparam-i-is-not-OK-if-J-is-used.patch create mode 100644 0002-url-make-the-updated-credentials-URL-encoded-in-the-.patch diff --git a/0001-tool_getparam-i-is-not-OK-if-J-is-used.patch b/0001-tool_getparam-i-is-not-OK-if-J-is-used.patch new file mode 100644 index 0000000..112bebc --- /dev/null +++ b/0001-tool_getparam-i-is-not-OK-if-J-is-used.patch @@ -0,0 +1,65 @@ +From a923456e77edf732de8ad842ebe6e17d5d9e3a13 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 31 May 2020 23:09:59 +0200 +Subject: [PATCH 1/2] tool_getparam: -i is not OK if -J is used + +Reported-by: sn on hackerone +Bug: https://curl.haxx.se/docs/CVE-2020-8177.html +--- + src/tool_cb_hdr.c | 22 ++++------------------ + src/tool_getparam.c | 5 +++++ + 2 files changed, 9 insertions(+), 18 deletions(-) + +diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c +index 3b10238..b80707f 100644 +--- a/src/tool_cb_hdr.c ++++ b/src/tool_cb_hdr.c +@@ -186,25 +186,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata) + filename = parse_filename(p, len); + if(filename) { + if(outs->stream) { +- int rc; +- /* already opened and possibly written to */ +- if(outs->fopened) +- fclose(outs->stream); +- outs->stream = NULL; +- +- /* rename the initial file name to the new file name */ +- rc = rename(outs->filename, filename); +- if(rc != 0) { +- warnf(per->config->global, "Failed to rename %s -> %s: %s\n", +- outs->filename, filename, strerror(errno)); +- } +- if(outs->alloc_filename) +- Curl_safefree(outs->filename); +- if(rc != 0) { +- free(filename); +- return failure; +- } ++ /* indication of problem, get out! */ ++ free(filename); ++ return failure; + } ++ + outs->is_cd_filename = TRUE; + outs->s_isreg = TRUE; + outs->fopened = FALSE; +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 764caa2..c5c7429 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -1807,6 +1807,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + } + break; + case 'i': ++ if(config->content_disposition) { ++ warnf(global, ++ "--include and --remote-header-name cannot be combined.\n"); ++ return PARAM_BAD_USE; ++ } + config->show_headers = toggle; /* show the headers as well in the + general output stream */ + break; +-- +1.8.3.1 + diff --git a/0002-url-make-the-updated-credentials-URL-encoded-in-the-.patch b/0002-url-make-the-updated-credentials-URL-encoded-in-the-.patch new file mode 100644 index 0000000..b3162d9 --- /dev/null +++ b/0002-url-make-the-updated-credentials-URL-encoded-in-the-.patch @@ -0,0 +1,137 @@ +From 0f3072ed6f40daa9d059b6c553979d42b6b566e2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 14 May 2020 14:37:12 +0200 +Subject: [PATCH 2/2] url: make the updated credentials URL-encoded in the URL + +Found-by: Gregory Jefferis +Reported-by: Jeroen Ooms +Added test 1168 to verify. Bug spotted when doing a redirect. +Bug: https://github.com/jeroen/curl/issues/224 +Closes #5400 +--- + lib/url.c | 6 ++-- + tests/data/Makefile.inc | 1 + + tests/data/test1168 | 78 +++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 83 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1168 + +diff --git a/lib/url.c b/lib/url.c +index 47fc66a..a826f8a 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2776,12 +2776,14 @@ static CURLcode override_login(struct Curl_easy *data, + + /* for updated strings, we update them in the URL */ + if(user_changed) { +- uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0); ++ uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, ++ CURLU_URLENCODE); + if(uc) + return Curl_uc_to_curlcode(uc); + } + if(passwd_changed) { +- uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0); ++ uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, ++ CURLU_URLENCODE); + if(uc) + return Curl_uc_to_curlcode(uc); + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 3d8565c..f9535a6 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -133,6 +133,7 @@ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \ + test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \ + test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \ + test1160 test1161 test1162 test1163 test1164 test1165 test1166 test1167 \ ++test1168 \ + \ + test1170 test1171 test1172 test1173 test1174 test1175 test1176 \ + \ +diff --git a/tests/data/test1168 b/tests/data/test1168 +new file mode 100644 +index 0000000..eb121ba +--- /dev/null ++++ b/tests/data/test1168 +@@ -0,0 +1,78 @@ ++ ++ ++ ++HTTP ++HTTP GET ++followlocation ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 301 This is a weirdo text message swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Location: /data/11680002.txt ++Connection: close ++ ++This server reply is for testing a simple Location: following ++ ++ ++ ++HTTP/1.1 200 Followed here fine swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 52 ++ ++If this is received, the location following worked ++ ++ ++ ++HTTP/1.1 301 This is a weirdo text message swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Location: /data/11680002.txt ++Connection: close ++ ++HTTP/1.1 200 Followed here fine swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 52 ++ ++If this is received, the location following worked ++ ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++HTTP redirect with credentials using # in user and password ++ ++ ++http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY" ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++GET /want/1168 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ== ++Accept: */* ++ ++GET /data/11680002.txt HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ== ++Accept: */* ++ ++ ++ ++ +-- +1.8.3.1 + diff --git a/curl.spec b/curl.spec index 30d60c6..ad40515 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Name: curl Version: 7.69.1 -Release: 1 +Release: 2 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/ @@ -17,6 +17,8 @@ Patch6001: 0102-curl-7.36.0-debug.patch Patch6002: 0103-curl-7.59.0-python3.patch Patch6003: 0104-curl-7.19.7-localhost6.patch Patch6004: 0105-curl-7.63.0-lib1560-valgrind.patch +Patch6005: 0001-tool_getparam-i-is-not-OK-if-J-is-used.patch +Patch6006: 0002-url-make-the-updated-credentials-URL-encoded-in-the-.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libmetalink-devel libnghttp2-devel libpsl-devel @@ -156,6 +158,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Tue Aug 4 2020 hanzhijun - 7.69.1-2 +- Type:cves +- ID:NA +- SUG:NA +- DESC:fix CVE-2020-8177 CVE-2020-8169 + * Fri Apr 17 2020 songnannan - 7.69.1-1 - Type:bugfix - ID:NA -- Gitee