Version in base suite: 7.88.1-10+deb12u8 Base version: curl_7.88.1-10+deb12u8 Target version: curl_7.88.1-10+deb12u9 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/curl/curl_7.88.1-10+deb12u8.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/curl/curl_7.88.1-10+deb12u9.dsc changelog | 18 + patches/CVE-2024-9681-0.patch | 88 +++++ patches/CVE-2024-9681-1.patch | 405 +++++++++++++++++++++++++++ patches/dont-stop-stunnel-before-retry.patch | 45 +++ patches/large-time-testable-feature.patch | 60 ++++ patches/series | 6 6 files changed, 622 insertions(+)
diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog
--- curl-7.88.1/debian/changelog 2024-09-17 19:29:24.000000000 +0000
+++ curl-7.88.1/debian/changelog 2025-01-03 00:11:56.000000000 +0000
@@ -1,3 +1,21 @@
+curl (7.88.1-10+deb12u9) bookworm; urgency=medium
+
+ * Team upload.
+ * Import patches for CVE-2024-9681
+ - A vulnerability in curl's HSTS handling allows a subdomain’s expiry time
+ to overwrite its parent domain’s cache entry. This can lead to unintended
+ HTTPS upgrades or premature reversion to HTTP when both subdomains and
+ parent domains are used. Affects applications with HSTS enabled,
+ potentially disrupting access when a domain stops supporting HTTPS.
+ * d/patches:
+ - CVE-2024-9681-*.patch: Backport patches.
+ - CVE-2024-9681-1: fix backport inconsistencies
+ - large-time-testable-feature.patch: Import 'large-time' feature for tests
+ - dont-stop-stunnel-before-retry.patch: Import patch to avoid stopping
+ stunnel before retrying
+
+ -- Aquila Macedo Costa Thu, 02 Jan 2025 21:11:56 -0300
+
 curl (7.88.1-10+deb12u8) bookworm; urgency=medium
 * Team upload.
diff -Nru curl-7.88.1/debian/patches/CVE-2024-9681-0.patch curl-7.88.1/debian/patches/CVE-2024-9681-0.patch
--- curl-7.88.1/debian/patches/CVE-2024-9681-0.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.88.1/debian/patches/CVE-2024-9681-0.patch 2025-01-03 00:11:56.000000000 +0000
@@ -0,0 +1,88 @@
+From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 9 Oct 2024 10:04:35 +0200
+Subject: [PATCH] hsts: improve subdomain handling
+
+- on load, only replace existing HSTS entries if there is a full host
+ match
+
+- on matching, prefer a full host match and secondary the longest tail
+ subdomain match
+
+Closes #15210
+
+Backported by: Aquila Macedo Costa .
+
+Changes:
+- Refresh patch context.
+---
+ lib/hsts.c | 16 +++++++++++-----
+ tests/data/test1660 | 2 +-
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index 64cbae1..7701703 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -248,12 +248,14 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ bool subdomain)
+ {
++ struct stsentry *bestsub = NULL;
+ if(h) {
+ char buffer[MAX_HSTS_HOSTLEN + 1];
+ time_t now = time(NULL);
+ size_t hlen = strlen(hostname);
+ struct Curl_llist_element *e;
+ struct Curl_llist_element *n;
++ size_t blen = 0;
+
+ if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+ return NULL;
+@@ -278,15 +280,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ if(ntail < hlen) {
+ size_t offs = hlen - ntail;
+ if((hostname[offs-1] == '.') &&
+- strncasecompare(&hostname[offs], sts->host, ntail))
+- return sts;
++ strncasecompare(&hostname[offs], sts->host, ntail) &&
++ (ntail > blen)) {
++ /* save the tail match with the longest tail */
++ bestsub = sts;
++ blen = ntail;
++ }
+ }
+ }
+ if(strcasecompare(hostname, sts->host))
+ return sts;
+ }
+ }
+- return NULL; /* no match */
++ return bestsub;
+ }
+
+ /*
+@@ -438,8 +444,8 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+ e = Curl_hsts(h, p, subdomain);
+ if(!e)
+ result = hsts_create(h, p, subdomain, expires);
+- else {
+- /* the same host name, use the largest expire time */
++ else if(strcasecompare(p, e->host)) {
++ /* the same 
hostname, use the largest expire time */
+ if(expires > e->expires)
+ e->expires = expires;
+ }
+diff --git a/tests/data/test1660 b/tests/data/test1660
+index cbbcf75..662026b 100644
+--- a/tests/data/test1660
++++ b/tests/data/test1660
+@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
+ Input 12: error 43
+ Input 13: error 43
+ Input 14: error 43
+-3.example.com [example.com]: 1569905261 includeSubDomains
++3.example.com [3.example.com]: 1569905261 includeSubDomains
+ 3.example.com [example.com]: 1569905261 includeSubDomains
+ foo.example.com [example.com]: 1569905261 includeSubDomains
+ 'foo.xample.com' is not HSTS
diff -Nru curl-7.88.1/debian/patches/CVE-2024-9681-1.patch curl-7.88.1/debian/patches/CVE-2024-9681-1.patch
--- curl-7.88.1/debian/patches/CVE-2024-9681-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.88.1/debian/patches/CVE-2024-9681-1.patch 2025-01-03 00:11:56.000000000 +0000
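Review bot: In the `hsts_add` hunk a loaded line is silently dropped when `Curl_hsts(h, p, subdomain)` returns a tail match: the `if(!e)` branch creates, the new `else if(strcasecompare(p, e->host))` branch merges, and a parent includeSubDomains match takes neither path, so the file's own entry for that subdomain is not stored. If that is intended, say so in place, e.g. `/* a parent includeSubDomains entry matched: never merge a subdomain's expiry into it */`; if not, an `else` that creates the entry is needed. The changed `Curl_hsts` contract — exact host first, otherwise the includeSubDomains entry with the longest host tail — is only recorded by the inline comment on `bestsub`; a function-level comment stating that the returned entry may belong to a parent domain would warn other callers that write to it (`Curl_hsts_parse` is outside this hunk, so whether it applies the same full-host check before updating `expires` cannot be confirmed here). Both `Curl_hsts` and `hsts_add` extend beyond the lines shown.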
@@ -0,0 +1,405 @@
+From 5ee43bb82e1a5259c5dea482e9921419aee887bb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 9 Oct 2024 11:27:29 +0200
+Subject: [PATCH] tests: 780 - 783, new HSTS tests
+
+test780: verify updated HSTS data in response header
+
+test781: HSTS update expiry, with parent includeSubDomains domain
+present
+
+test782: HSTS update expiry, with two includeSubDomains domains present
+
+test783: HSTS update expiry, removing includesubdomains in update
+
+Backported by: Aquila Macedo Costa .
+
+Changes:
+- Adjust `tests/data/Makefile.inc` to include new HSTS tests (780 - 783).
+- Updates 'Debug' to 'debug' in test data files (`test780`, `test781`,
+ `test782`, `test783`) to align with curl conventions in bookworm and
+ ensure consistency in feature definitions.
+- Additionally, `%LOGDIR` is replaced with log in the test files due to
+ its absence in curl bookworm.
+---
+ tests/data/Makefile.inc | 2 ++
+ tests/data/test780 | 81 +++++++++++++++++++++++++++++++++++++++++++++++
+ tests/data/test781 | 84 +++++++++++++++++++++++++++++++++++++++++++++++++
+ tests/data/test782 | 84 +++++++++++++++++++++++++++++++++++++++++++++++++
+ tests/data/test783 | 84 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 335 insertions(+)
+ create mode 100644 tests/data/test780
+ create mode 100644 tests/data/test781
+ create mode 100644 tests/data/test782
+ create mode 100644 tests/data/test783
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 85b2e8c..379e6e0 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -102,6 +102,8 @@ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+ test718 test719 test720 test721 test728\
+ \
++test780 test781 test782 test783 \
++\
+ test800 test801 test802 test803 test804 test805 test806 test807 test808 \
+ test809 test810 test811 test812 test813 test814 test815 test816 
test817 \
+ test818 test819 test820 test821 test822 test823 test824 test825 test826 \
+diff --git a/tests/data/test780 b/tests/data/test780
+new file mode 100644
+index 0000000..7bd362a
+--- /dev/null
++++ b/tests/data/test780
+@@ -0,0 +1,81 @@
++
++
++
++HTTP
++HTTP proxy
++HSTS
++
++
++
++
++
++# we use this as response to a CONNECT
++
++HTTP/1.1 200 OK
++Server: fake
++
++
++
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000
++
++
++
++
++
++
++http
++http-proxy
++https
++
++
++HSTS
++proxy
++https
++debug
++
++
++CURL_HSTS_HTTP=yes
++CURL_TIME=1728465947
++
++
++this.hsts.example "99991001 04:47:41"
++
++
++HSTS with updated expiry in response
++
++
++-x http://%HOSTIP:%PROXYPORT http://this.hsts.example:%HTTPSPORT/%TESTNUMBER --hsts log/input%TESTNUMBER -k
++
++
++
++
++
++HTTP/1.1 200 OK
++Server: fake
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000
++
++
++
++# Your HSTS cache. https://curl.se/docs/hsts.html
++# This file was generated by libcurl! Edit at your own risk. 
++this.hsts.example "20241009 09:42:27"
++
++
++
+diff --git a/tests/data/test781 b/tests/data/test781
+new file mode 100644
+index 0000000..e9a023a
+--- /dev/null
++++ b/tests/data/test781
+@@ -0,0 +1,84 @@
++
++
++
++HTTP
++HTTP proxy
++HSTS
++
++
++
++
++
++# we use this as response to a CONNECT
++
++HTTP/1.1 200 OK
++Server: fake
++
++
++
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000
++
++
++
++
++
++
++http
++http-proxy
++https
++
++
++HSTS
++proxy
++https
++debug
++large-time
++
++
++CURL_HSTS_HTTP=yes
++CURL_TIME=1728465947
++
++
++.hsts.example "20991001 04:47:41"
++this.hsts.example "99991001 04:47:41"
++
++
++HSTS update expiry, with parent includeSubDomains domain present
++
++
++-x http://%HOSTIP:%PROXYPORT http://this.hsts.example:%HTTPSPORT/%TESTNUMBER --hsts log/input%TESTNUMBER -k
++
++
++
++
++
++HTTP/1.1 200 OK
++Server: fake
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000
++
++
++
++# Your HSTS cache. https://curl.se/docs/hsts.html
++# This file was generated by libcurl! Edit at your own risk. 
++.hsts.example "20991001 04:47:41"
++this.hsts.example "20241009 09:42:27"
++
++
++
+diff --git a/tests/data/test782 b/tests/data/test782
+new file mode 100644
+index 0000000..8f12658
+--- /dev/null
++++ b/tests/data/test782
+@@ -0,0 +1,84 @@
++
++
++
++HTTP
++HTTP proxy
++HSTS
++
++
++
++
++
++# we use this as response to a CONNECT
++
++HTTP/1.1 200 OK
++Server: fake
++
++
++
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000; includesubdomains
++
++
++
++
++
++
++http
++http-proxy
++https
++
++
++HSTS
++proxy
++https
++debug
++large-time
++
++
++CURL_HSTS_HTTP=yes
++CURL_TIME=1728465947
++
++
++.hsts.example "20991001 04:47:41"
++.this.hsts.example "99991001 04:47:41"
++
++
++HSTS update expiry, with two includeSubDomains domains present
++
++
++-x http://%HOSTIP:%PROXYPORT http://this.hsts.example:%HTTPSPORT/%TESTNUMBER --hsts log/input%TESTNUMBER -k
++
++
++
++
++
++HTTP/1.1 200 OK
++Server: fake
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000; includesubdomains
++
++
++
++# Your HSTS cache. https://curl.se/docs/hsts.html
++# This file was generated by libcurl! Edit at your own risk. 
++.hsts.example "20991001 04:47:41"
++.this.hsts.example "20241009 09:42:27"
++
++
++
+diff --git a/tests/data/test783 b/tests/data/test783
+new file mode 100644
+index 0000000..59313d3
+--- /dev/null
++++ b/tests/data/test783
+@@ -0,0 +1,84 @@
++
++
++
++HTTP
++HTTP proxy
++HSTS
++
++
++
++
++
++# we use this as response to a CONNECT
++
++HTTP/1.1 200 OK
++Server: fake
++
++
++
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000;
++
++
++
++
++
++
++http
++http-proxy
++https
++
++
++HSTS
++proxy
++https
++debug
++large-time
++
++
++CURL_HSTS_HTTP=yes
++CURL_TIME=1728465947
++
++
++.hsts.example "20991001 04:47:41"
++.this.hsts.example "99991001 04:47:41"
++
++
++HSTS update expiry, removing includesubdomains in update
++
++
++-x http://%HOSTIP:%PROXYPORT http://this.hsts.example:%HTTPSPORT/%TESTNUMBER --hsts log/input%TESTNUMBER -k
++
++
++
++
++
++HTTP/1.1 200 OK
++Server: fake
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000;
++
++
++
++# Your HSTS cache. https://curl.se/docs/hsts.html
++# This file was generated by libcurl! Edit at your own risk.
++.hsts.example "20991001 04:47:41"
++this.hsts.example "20241009 09:42:27"
++
++
++
diff -Nru curl-7.88.1/debian/patches/dont-stop-stunnel-before-retry.patch curl-7.88.1/debian/patches/dont-stop-stunnel-before-retry.patch
--- curl-7.88.1/debian/patches/dont-stop-stunnel-before-retry.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.88.1/debian/patches/dont-stop-stunnel-before-retry.patch 2025-01-03 00:11:56.000000000 +0000
@@ -0,0 +1,45 @@
+From f9e8c5f5781c85a16f1da1c55af02e0bdd688af6 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich
+Date: Mon, 17 Apr 2023 16:57:17 -0700
+Subject: [PATCH] runtests: don't try to stop stunnel before trying again
+
+Calling stopserver() before retrying stunnel due to an error would stop
+the dependent server (such as HTTP) meaning stunnel would have nothing
+to talk to when it came up. Don't try to force a stop when it didn't
+actually start. Also, don't mark the server as bad for future use when
+it starts up on a retry.
+
+Reported-by: eaglegai at github
+Tested-by: eaglegai at github
+Fixes #10976
+
+Backported by: Aquila Macedo Costa .
+
+Changes:
+- Apply the changes to `runtests.pl` instead of `servers.pm`, as
+ `servers.pm` does not exist in this version of bookworm.
+---
+ tests/runtests.pl | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index c4c7717..7ac9de2 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -1837,12 +1837,15 @@ sub runhttpsserver {
+
+ if($httpspid <= 0 || !pidexists($httpspid)) {
+ # it is NOT alive
+- stopserver($server, "$pid2");
++ # don't call stopserver since that will also kill the dependent
++ # server that has already been started properly
+ displaylogs($testnumcheck);
+ $doesntrun{$pidfile} = 1;
+ $httpspid = $pid2 = 0;
+ next;
+ }
++
++ $doesntrun{$pidfile} = 0;
+ # we have a server!
+ if($verbose) {
+ logmsg "RUN: $srvrname server is PID $httpspid port $port\n";
diff -Nru curl-7.88.1/debian/patches/large-time-testable-feature.patch curl-7.88.1/debian/patches/large-time-testable-feature.patch
--- curl-7.88.1/debian/patches/large-time-testable-feature.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.88.1/debian/patches/large-time-testable-feature.patch 2025-01-03 00:11:56.000000000 +0000
@@ -0,0 +1,60 @@
+From 1c3fcbdaa99a2859ea008061782223f4d1b40cce Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 19 Aug 2023 21:20:03 +0200
+Subject: [PATCH] tests: add 'large-time' as a testable feature
+
+This allows test cases to require this feature to run and to be used in
+%if conditions.
+
+Large here means larger than 32 bits. Ie does not suffer from y2038.
+
+Closes #11696
+
+Backported by: Aquila Macedo Costa .
+
+Changes:
+- Refresh patch context
+---
+ tests/FILEFORMAT.md | 1 +
+ tests/runtests.pl | 1 +
+ tests/server/disabled.c | 3 +++
+ 3 files changed, 5 insertions(+)
+
+diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md
+index aff0e2d..65df41c 100644
+--- a/tests/FILEFORMAT.md
++++ b/tests/FILEFORMAT.md
+@@ -417,6 +417,7 @@ Features testable here are:
+ - `ipv6`
+ - `Kerberos`
+ - `large_file`
++- `large-time` (time_t is larger than 32 bit)
+ - `ld_preload`
+ - `libssh2`
+ - `libssh`
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 1510527..c4c7717 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -3064,6 +3064,7 @@ sub setupfeatures {
+ $feature{"wakeup"} = 1;
+ $feature{"headers-api"} = 1;
+ $feature{"xattr"} = 1;
++ $feature{"large-time"} = 1;
+ $feature{"nghttpx"} = !!$ENV{'NGHTTPX'};
+ $feature{"nghttpx-h3"} = !!$nghttpx_h3;
+ }
+diff --git a/tests/server/disabled.c b/tests/server/disabled.c
+index 7ce2903..48cf878 100644
+--- a/tests/server/disabled.c
++++ b/tests/server/disabled.c
+@@ -78,6 +78,9 @@ static const char *disabled[]={
+ #endif
+ #ifndef USE_XATTR
+ "xattr",
++#endif
++#if (SIZEOF_TIME_T < 5)
++ "large-time",
+ #endif
+ NULL
+ };
diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series
--- curl-7.88.1/debian/patches/series 2024-09-17 19:29:24.000000000 +0000
+++ curl-7.88.1/debian/patches/series 2025-01-03 00:11:56.000000000 +0000
@@ -8,6 +8,8 @@
 fix-unix-domain-socket.patch
 openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch
+large-time-testable-feature.patch
+dont-stop-stunnel-before-retry.patch
 # CVE fixes.
 # Patches from 8.0.1.
@@ -51,6 +53,10 @@
 # Patches from 8.10.0.
 CVE-2024-8096.patch
+# Patches from 8.11.0.
+CVE-2024-9681-0.patch
+CVE-2024-9681-1.patch
+
 # Do not add patches below.
 # Used to generate packages for the other crypto libraries.
 90_gnutls.patch