From 9bc43f3e65bc8e0bb3d0c5ea8ff906111197afb9 Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Fri, 10 Aug 2018 21:39:06 +0200 Subject: curl: fix some security problems This fixes the following security problems: * CVE-2017-1000254: FTP PWD response parser out of bounds read * CVE-2017-1000257: IMAP FETCH response out of bounds read * CVE-2018-1000005: HTTP/2 trailer out-of-bounds read * CVE-2018-1000007: HTTP authentication leak in redirects * CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write * CVE-2018-1000121: LDAP NULL pointer dereference * CVE-2018-1000122: RTSP RTP buffer over-read * CVE-2018-1000301: RTSP bad headers buffer over-read Signed-off-by: Hauke Mehrtens --- .../utils/curl/patches/110-CVE-2018-1000007.patch | 102 +++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 package/network/utils/curl/patches/110-CVE-2018-1000007.patch (limited to 'package/network/utils/curl/patches/110-CVE-2018-1000007.patch') diff --git a/package/network/utils/curl/patches/110-CVE-2018-1000007.patch b/package/network/utils/curl/patches/110-CVE-2018-1000007.patch new file mode 100644 index 0000000000..5387a5966b --- /dev/null +++ b/package/network/utils/curl/patches/110-CVE-2018-1000007.patch @@ -0,0 +1,102 @@ +From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 19 Jan 2018 13:19:25 +0100 +Subject: [PATCH] http: prevent custom Authorization headers in redirects + +... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how +curl already handles Authorization headers created internally. + +Note: this changes behavior slightly, for the sake of reducing mistakes. + +Added test 317 and 318 to verify. + +Reported-by: Craig de Stigter +Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html +--- + docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 +++- + lib/http.c | 10 ++- + lib/setopt.c | 2 +- + lib/urldata.h | 2 +- + tests/data/Makefile.inc | 2 +- + tests/data/test317 | 94 +++++++++++++++++++++++++ + tests/data/test318 | 95 ++++++++++++++++++++++++++ + 7 files changed, 212 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test317 + create mode 100644 tests/data/test318 + +--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 ++++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 +@@ -5,7 +5,7 @@ + .\" * | (__| |_| | _ <| |___ + .\" * \___|\___/|_| \_\_____| + .\" * +-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. ++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. + .\" * + .\" * This software is licensed as described in the file COPYING, which + .\" * you should have received as part of this distribution. The terms +@@ -77,6 +77,16 @@ the headers. They may be private or othe + + Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you + intend them to get sent. ++ ++Custom headers are sent in all requests done by the easy handles, which ++implies that if you tell libcurl to follow redirects ++(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent ++in the subsequent request. Redirects can of course go to other hosts and thus ++those servers will get all the contents of your custom headers too. ++ ++Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers ++from being sent to other hosts than the first used one, unless specifically ++permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option. + .SH DEFAULT + NULL + .SH PROTOCOLS +--- a/lib/http.c ++++ b/lib/http.c +@@ -725,7 +725,7 @@ Curl_http_output_auth(struct connectdata + if(!data->state.this_is_a_follow || + conn->bits.netrc || + !data->state.first_host || +- data->set.http_disable_hostname_check_before_authentication || ++ data->set.allow_auth_to_other_hosts || + strcasecompare(data->state.first_host, conn->host.name)) { + result = output_auth_headers(conn, authhost, request, path, FALSE); + } +@@ -1624,6 +1624,14 @@ CURLcode Curl_add_custom_headers(struct + checkprefix("Transfer-Encoding:", headers->data)) + /* HTTP/2 doesn't support chunked requests */ + ; ++ else if(checkprefix("Authorization:", headers->data) && ++ /* be careful of sending this potentially sensitive header to ++ other hosts */ ++ (data->state.this_is_a_follow && ++ data->state.first_host && ++ !data->set.allow_auth_to_other_hosts && ++ !strcasecompare(data->state.first_host, conn->host.name))) ++ ; + else { + CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n", + headers->data); +--- a/lib/url.c ++++ b/lib/url.c +@@ -972,7 +972,7 @@ CURLcode Curl_setopt(struct Curl_easy *d + * Send authentication (user+password) when following locations, even when + * hostname changed. + */ +- data->set.http_disable_hostname_check_before_authentication = ++ data->set.allow_auth_to_other_hosts = + (0 != va_arg(param, long)) ? TRUE : FALSE; + break; + +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1675,7 +1675,7 @@ struct UserDefined { + bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */ + bool http_follow_location; /* follow HTTP redirects */ + bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */ +- bool http_disable_hostname_check_before_authentication; ++ bool allow_auth_to_other_hosts; + bool include_header; /* include received protocol headers in data output */ + bool http_set_referer; /* is a custom referer used */ + bool http_auto_referer; /* set "correct" referer when following location: */ -- cgit v1.2.3