Version in base suite: 7.74.0-1.3+deb11u3 Base version: curl_7.74.0-1.3+deb11u3 Target version: curl_7.74.0-1.3+deb11u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/curl/curl_7.74.0-1.3+deb11u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/curl/curl_7.74.0-1.3+deb11u5.dsc changelog | 40 +++ patches/CVE-2021-22946.patch | 63 ++--- patches/CVE-2022-27774.patch | 167 -------------- patches/CVE-2022-27774_1_of_4.patch | 48 ++++ patches/CVE-2022-27774_2_of_4.patch | 143 ++++++++++++ patches/CVE-2022-27774_3_of_4.patch | 406 ++++++++++++++++++++++++++++++++++++ patches/CVE-2022-27774_4_of_4.patch | 86 +++++++ patches/CVE-2022-32221.patch | 21 + patches/CVE-2022-43552.patch | 69 ++++++ patches/series | 7 10 files changed, 849 insertions(+), 201 deletions(-) diff -Nru curl-7.74.0/debian/changelog curl-7.74.0/debian/changelog --- curl-7.74.0/debian/changelog 2022-09-03 10:26:12.000000000 +0000 +++ curl-7.74.0/debian/changelog 2022-12-31 14:35:15.000000000 +0000 
@@ -1,3 +1,43 @@
+curl (7.74.0-1.3+deb11u5) bullseye-security; urgency=high
+
+ * Follow up to CVE-2022-27774:
+ The patch included to address this CVE in 7.74.0-1.3+deb11u2 was not
+ effective and the vulnerability was still present. The patch is corrected
+ and the vulberability addressed in this version. Thanks to Kamil Dudka
+ for providing the patches used in CentOS 8 and 9 and upon which the
+ corrected patch is based.
+
+ -- Roberto C. Sánchez Sat, 31 Dec 2022 09:35:15 -0500
+
+curl (7.74.0-1.3+deb11u4) bullseye-security; urgency=high
+
+ * Fix backport of patch for CVE-2021-22946, which was passing a wrong first
+ argument to ftp_state_user_resp, this was likely causing a regression when
+ using ftp.
+ * Backport two patches from upstream to solve 2 CVEs:
+ CVE-2022-32221.patch, CVE-2022-43552.patch.
+ - CVE-2022-32221
+ POST following PUT confusion When doing HTTP(S) transfers, libcurl might
+ erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data
+ to send, even when the CURLOPT_POSTFIELDS option has been set, if the
+ same handle previously was used to issue a PUT request which used that
+ callback.
+ .
+ This flaw may surprise the application and cause it to misbehave and
+ either send off the wrong data or use memory after free or similar in the
+ subsequent POST request.
+ - CVE-2022-43552
+ HTTP Proxy deny use-after-free curl can be asked to tunnel virtually all
+ protocols it supports through an HTTP proxy. HTTP proxies can (and often
+ do) deny such tunnel operations using an appropriate HTTP error response
+ code.
+ .
+ When getting denied to tunnel the specific protocols SMB or TELNET, curl
+ would use a heap-allocated struct after it had been freed, in its
+ transfer shutdown code path.
+ + -- Samuel Henrique Tue, 27 Dec 2022 00:05:50 +0000 + curl (7.74.0-1.3+deb11u3) bullseye; urgency=medium * cookie: reject cookies with "control bytes" (CVE-2022-35252) diff -Nru curl-7.74.0/debian/patches/CVE-2021-22946.patch curl-7.74.0/debian/patches/CVE-2021-22946.patch --- curl-7.74.0/debian/patches/CVE-2021-22946.patch 2022-09-03 10:26:12.000000000 +0000 +++ curl-7.74.0/debian/patches/CVE-2021-22946.patch 2022-12-31 14:35:15.000000000 +0000 @@ -16,11 +16,11 @@ create mode 100644 tests/data/test985 create mode 100644 tests/data/test986 -diff --git a/lib/ftp.c b/lib/ftp.c -index bc35574..481a07a 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -2642,9 +2642,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) +Index: curl/lib/ftp.c +=================================================================== +--- curl.orig/lib/ftp.c ++++ curl/lib/ftp.c +@@ -2642,9 +2642,12 @@ static CURLcode ftp_statemach_act(struct /* we have now received a full FTP server response */ switch(ftpc->state) { case FTP_WAIT220: @@ -31,16 +31,16 @@ + /* 230 User logged in - already! Take as 220 if TLS required. */ + if(data->set.use_ssl <= CURLUSESSL_TRY || + conn->bits.ftp_use_control_ssl) -+ return ftp_state_user_resp(data, ftpcode, ftpc->state); ++ return ftp_state_user_resp(conn, ftpcode, ftpc->state); + } else if(ftpcode != 220) { failf(data, "Got a %03d ftp-server response when 220 was expected", ftpcode); -diff --git a/lib/imap.c b/lib/imap.c -index c6dd7a2..c37da83 100644 ---- a/lib/imap.c -+++ b/lib/imap.c -@@ -919,22 +919,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn, +Index: curl/lib/imap.c +=================================================================== +--- curl.orig/lib/imap.c ++++ curl/lib/imap.c +@@ -919,22 +919,18 @@ static CURLcode imap_state_capability_re line += wordlen; } } 
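Review bot: The corrected call now passes `conn` to ftp_state_user_resp on the 230-response path, which matches the connectdata-based signature that function still has in 7.74.0 as far as I recall, whereas the upstream commit this patch was taken from passes `data` because the function had since been converted to struct Curl_easy; nothing in the patch preamble records that deviation, so a future rebase against upstream can silently reintroduce the wrong argument. I would add a line to the patch header such as `Backport note: ftp_state_user_resp() takes struct connectdata * in 7.74.0, so the 230 handling passes conn, not data as upstream does.` The original mismatch was an incompatible-pointer-type conversion that C compilers accept with a warning, which is presumably how the broken version built; enabling -Werror=incompatible-pointer-types for the package build would turn this class of backport slip into a build failure. ftp_statemach_act() continues outside this hunk.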
@@ -73,11 +73,11 @@ } else result = imap_perform_authentication(conn); -diff --git a/lib/pop3.c b/lib/pop3.c -index e71860e..c90e929 100644 ---- a/lib/pop3.c -+++ b/lib/pop3.c -@@ -723,28 +723,22 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code, +Index: curl/lib/pop3.c +=================================================================== +--- curl.orig/lib/pop3.c ++++ curl/lib/pop3.c +@@ -723,28 +723,22 @@ static CURLcode pop3_state_capa_resp(str } } } @@ -120,11 +120,11 @@ } return result; -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index aac8bc7..df3485a 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -115,6 +115,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ +Index: curl/tests/data/Makefile.inc +=================================================================== +--- curl.orig/tests/data/Makefile.inc ++++ curl/tests/data/Makefile.inc +@@ -115,6 +115,8 @@ test945 test946 test947 test948 test949 test954 test955 test956 test957 test958 test959 test960 test961 test962 \ test963 test964 test965 test966 test967 test968 test969 test970 test971 \ \ @@ -133,11 +133,10 @@ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ -diff --git a/tests/data/test984 b/tests/data/test984 -new file mode 100644 -index 0000000..e573f23 +Index: curl/tests/data/test984 +=================================================================== --- /dev/null -+++ b/tests/data/test984 ++++ curl/tests/data/test984 @@ -0,0 +1,56 @@ + + @@ -195,11 +194,10 @@ + + + -diff --git a/tests/data/test985 b/tests/data/test985 -new file mode 100644 -index 0000000..d0db4aa +Index: curl/tests/data/test985 +=================================================================== --- /dev/null -+++ b/tests/data/test985 ++++ curl/tests/data/test985 
@@ -0,0 +1,54 @@ + + @@ -255,11 +253,10 @@ + + + -diff --git a/tests/data/test986 b/tests/data/test986 -new file mode 100644 -index 0000000..a709437 +Index: curl/tests/data/test986 +=================================================================== --- /dev/null -+++ b/tests/data/test986 ++++ curl/tests/data/test986 @@ -0,0 +1,53 @@ + + diff -Nru curl-7.74.0/debian/patches/CVE-2022-27774.patch curl-7.74.0/debian/patches/CVE-2022-27774.patch --- curl-7.74.0/debian/patches/CVE-2022-27774.patch 2022-09-03 10:26:12.000000000 +0000 +++ curl-7.74.0/debian/patches/CVE-2022-27774.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,167 +0,0 @@ -From: Markus Koschany -Date: Thu, 28 Jul 2022 14:17:33 +0200 -Subject: CVE-2022-27774 - -Bug-Debian: https://bugs.debian.org/1010254 -Origin: https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79 -Origin: https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 ---- - lib/connect.c | 1 + - lib/http.c | 10 +++++----- - lib/http.h | 6 ++++++ - lib/transfer.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++- - lib/urldata.h | 1 + - lib/vtls/openssl.c | 3 ++- - 6 files changed, 62 insertions(+), 7 deletions(-) - -diff --git a/lib/connect.c b/lib/connect.c -index e65d24d..0f122ce 100644 ---- a/lib/connect.c -+++ b/lib/connect.c -@@ -611,6 +611,7 @@ void Curl_persistconninfo(struct connectdata *conn) - conn->data->info.conn_scheme = conn->handler->scheme; - conn->data->info.conn_protocol = conn->handler->protocol; - conn->data->info.conn_primary_port = conn->primary_port; -+ conn->data->info.conn_remote_port = conn->remote_port; - conn->data->info.conn_local_port = conn->local_port; - } - -diff --git a/lib/http.c b/lib/http.c -index bf78eb2..35ec7c5 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -752,10 +752,10 @@ output_auth_headers(struct connectdata *conn, - } - - /* -- * allow_auth_to_host() tells if autentication, cookies or other "sensitive -- * data" can (still) be sent to this host. -+ * Curl_allow_auth_to_host() tells if authentication, cookies or other -+ * "sensitive data" can (still) be sent to this host. 
- */ --static bool allow_auth_to_host(struct Curl_easy *data) -+bool Curl_allow_auth_to_host(struct Curl_easy *data) - { - struct connectdata *conn = data->conn; - return (!data->state.this_is_a_follow || -@@ -839,7 +839,7 @@ Curl_http_output_auth(struct connectdata *conn, - - /* To prevent the user+password to get sent to other than the original host - due to a location-follow */ -- if(allow_auth_to_host(data) -+ if(Curl_allow_auth_to_host(data) - || conn->bits.netrc - ) - result = output_auth_headers(conn, authhost, request, path, FALSE); -@@ -1814,7 +1814,7 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, - checkprefix("Cookie:", compare)) && - /* be careful of sending this potentially sensitive header to - other hosts */ -- !allow_auth_to_host(data)) -+ !Curl_allow_auth_to_host(data)) - ; - else { - result = Curl_dyn_addf(req, "%s\r\n", compare); -diff --git a/lib/http.h b/lib/http.h -index 1aaec22..49fcb3d 100644 ---- a/lib/http.h -+++ b/lib/http.h -@@ -252,4 +252,10 @@ Curl_http_output_auth(struct connectdata *conn, - bool proxytunnel); /* TRUE if this is the request setting - up the proxy tunnel */ - -+/* -+ * Curl_allow_auth_to_host() tells if authentication, cookies or other -+ * "sensitive data" can (still) be sent to this host. 
-+ */ -+bool Curl_allow_auth_to_host(struct Curl_easy *data); -+ - #endif /* HEADER_CURL_HTTP_H */ -diff --git a/lib/transfer.c b/lib/transfer.c -index b8c3bcb..3f21c76 100644 ---- a/lib/transfer.c -+++ b/lib/transfer.c -@@ -1645,10 +1645,56 @@ CURLcode Curl_follow(struct Curl_easy *data, - return CURLE_OUT_OF_MEMORY; - } - else { -- - uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); - if(uc) - return Curl_uc_to_curlcode(uc); -+ -+ /* Clear auth if this redirects to a different port number or protocol, -+ unless permitted */ -+ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { -+ char *portnum; -+ int port; -+ bool clear = FALSE; -+ -+ if(data->set.use_port && data->state.allow_port) -+ /* a custom port is used */ -+ port = (int)data->set.use_port; -+ else { -+ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, -+ CURLU_DEFAULT_PORT); -+ if(uc) { -+ free(newurl); -+ return Curl_uc_to_curlcode(uc); -+ } -+ port = atoi(portnum); -+ free(portnum); -+ } -+ if(port != data->info.conn_remote_port) { -+ infof(data, "Clear auth, redirects to port from %u to %u", -+ data->info.conn_remote_port, port); -+ clear = TRUE; -+ } -+ else { -+ char *scheme; -+ const struct Curl_handler *p; -+ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); -+ if(uc) { -+ free(newurl); -+ return Curl_uc_to_curlcode(uc); -+ } -+ -+ p = Curl_builtin_scheme(scheme); -+ if(p && (p->protocol != data->info.conn_protocol)) { -+ infof(data, "Clear auth, redirects scheme from %s to %s", -+ data->info.conn_scheme, scheme); -+ clear = TRUE; -+ } -+ free(scheme); -+ } -+ if(clear) { -+ Curl_safefree(data->state.aptr.userpwd); -+ } -+ } - } - - if(type == FOLLOW_FAKE) { -diff --git a/lib/urldata.h b/lib/urldata.h -index d9d441e..044c840 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1148,6 +1148,7 @@ struct PureInfo { - - char conn_primary_ip[MAX_IPADR_LEN]; - long conn_primary_port; -+ long conn_remote_port; - char conn_local_ip[MAX_IPADR_LEN]; - 
long conn_local_port; - const char *conn_scheme; -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 794e297..31c7386 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -2857,7 +2857,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) - #endif - - #ifdef USE_OPENSSL_SRP -- if(ssl_authtype == CURL_TLSAUTH_SRP) { -+ if((ssl_authtype == CURL_TLSAUTH_SRP) && -+ Curl_allow_auth_to_host(data)) { - char * const ssl_username = SSL_SET_OPTION(primary.username); - char * const ssl_password = SSL_SET_OPTION(primary.password); - diff -Nru curl-7.74.0/debian/patches/CVE-2022-27774_1_of_4.patch curl-7.74.0/debian/patches/CVE-2022-27774_1_of_4.patch --- curl-7.74.0/debian/patches/CVE-2022-27774_1_of_4.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.74.0/debian/patches/CVE-2022-27774_1_of_4.patch 2022-12-31 14:35:15.000000000 +0000 
@@ -0,0 +1,48 @@ +The following sequence of patches is based on these upstream commits: +https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839 +https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79 +https://github.com/curl/curl/commit/5295e8d64ac6949ecb3f9e564317a608f51b90d8 +https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 + +It is further based on work by Kamil Dudka for +CentOS 8 and CentOS 9: +https://gitlab.com/redhat/centos-stream/rpms/curl/-/blob/c9s/0013-curl-7.76.1-CVE-2022-27774.patch +https://gitlab.com/redhat/centos-stream/rpms/curl/-/blob/c8s/0038-curl-7.61.1-CVE-2022-27774.patch + + +From 08b8ef4e726ba10f45081ecda5b3cea788d3c839 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] connect: store "conn_remote_port" in the info struct + +To make it available after the connection ended. +--- + lib/connect.c | 1 + + lib/urldata.h | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -611,6 +611,7 @@ + conn->data->info.conn_scheme = conn->handler->scheme; + conn->data->info.conn_protocol = conn->handler->protocol; + conn->data->info.conn_primary_port = conn->primary_port; ++ conn->data->info.conn_remote_port = conn->remote_port; + conn->data->info.conn_local_port = conn->local_port; + } + +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1147,7 +1147,11 @@ + reused, in the connection cache. 
*/ + + char conn_primary_ip[MAX_IPADR_LEN]; +- long conn_primary_port; ++ long conn_primary_port; /* this is the destination port to the connection, ++ which might have been a proxy */ ++ int conn_remote_port; /* this is the "remote port", which is the port ++ number of the used URL, independent of proxy or ++ not */ + char conn_local_ip[MAX_IPADR_LEN]; + long conn_local_port; + const char *conn_scheme; diff -Nru curl-7.74.0/debian/patches/CVE-2022-27774_2_of_4.patch curl-7.74.0/debian/patches/CVE-2022-27774_2_of_4.patch --- curl-7.74.0/debian/patches/CVE-2022-27774_2_of_4.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.74.0/debian/patches/CVE-2022-27774_2_of_4.patch 2022-12-31 14:35:15.000000000 +0000 
@@ -0,0 +1,143 @@ +The following sequence of patches is based on these upstream commits: +https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839 +https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79 +https://github.com/curl/curl/commit/5295e8d64ac6949ecb3f9e564317a608f51b90d8 +https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 + +It is further based on work by Kamil Dudka for +CentOS 8 and CentOS 9: +https://gitlab.com/redhat/centos-stream/rpms/curl/-/blob/c9s/0013-curl-7.76.1-CVE-2022-27774.patch +https://gitlab.com/redhat/centos-stream/rpms/curl/-/blob/c8s/0038-curl-7.61.1-CVE-2022-27774.patch + + +From 620ea21410030a9977396b4661806bc187231b79 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] transfer: redirects to other protocols or ports clear auth + +... unless explicitly permitted. + +Bug: https://curl.se/docs/CVE-2022-27774.html +Reported-by: Harry Sintonen +Closes #8748 +--- + lib/transfer.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++- + lib/url.c | 35 +++++++++++++++++++++-------------- + lib/urldata.h | 1 + + 3 files changed, 68 insertions(+), 15 deletions(-) + +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1645,10 +1645,55 @@ + return CURLE_OUT_OF_MEMORY; + } + else { +- + uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); + if(uc) + return Curl_uc_to_curlcode(uc); ++ ++ /* Clear auth if this redirects to a different port number or protocol, ++ unless permitted */ ++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { ++ char *portnum; ++ int port; ++ bool clear = FALSE; ++ ++ if(data->set.use_port && data->state.allow_port) ++ /* a custom port is used */ ++ port = (int)data->set.use_port; ++ else { ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, ++ CURLU_DEFAULT_PORT); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ port = atoi(portnum); ++ 
free(portnum); ++ } ++ if(port != data->info.conn_remote_port) { ++ infof(data, "Clear auth, redirects to port from %u to %u", ++ data->info.conn_remote_port, port); ++ clear = TRUE; ++ } ++ else { ++ char *scheme; ++ const struct Curl_handler *p; ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ ++ p = Curl_builtin_scheme(scheme); ++ if(p && (p->protocol != data->info.conn_protocol)) { ++ infof(data, "Clear auth, redirects scheme from %s to %s", ++ data->info.conn_scheme, scheme); ++ clear = TRUE; ++ } ++ free(scheme); ++ } ++ if(clear) ++ data->state.this_is_a_follow_without_auth = TRUE; ++ } + } + + if(type == FOLLOW_FAKE) { +--- a/lib/url.c ++++ b/lib/url.c +@@ -2819,22 +2819,29 @@ + conn->bits.user_passwd = FALSE; /* disable user+password */ + } + +- if(data->set.str[STRING_USERNAME]) { +- free(*userp); +- *userp = strdup(data->set.str[STRING_USERNAME]); +- if(!*userp) +- return CURLE_OUT_OF_MEMORY; +- conn->bits.user_passwd = TRUE; /* enable user+password */ +- user_changed = TRUE; ++ if(data->state.this_is_a_follow ++ && data->state.this_is_a_follow_without_auth) ++ { ++ conn->bits.user_passwd = FALSE; + } ++ else { ++ if(data->set.str[STRING_USERNAME]) { ++ free(*userp); ++ *userp = strdup(data->set.str[STRING_USERNAME]); ++ if(!*userp) ++ return CURLE_OUT_OF_MEMORY; ++ conn->bits.user_passwd = TRUE; /* enable user+password */ ++ user_changed = TRUE; ++ } + +- if(data->set.str[STRING_PASSWORD]) { +- free(*passwdp); +- *passwdp = strdup(data->set.str[STRING_PASSWORD]); +- if(!*passwdp) +- return CURLE_OUT_OF_MEMORY; +- conn->bits.user_passwd = TRUE; /* enable user+password */ +- passwd_changed = TRUE; ++ if(data->set.str[STRING_PASSWORD]) { ++ free(*passwdp); ++ *passwdp = strdup(data->set.str[STRING_PASSWORD]); ++ if(!*passwdp) ++ return CURLE_OUT_OF_MEMORY; ++ conn->bits.user_passwd = TRUE; /* enable user+password */ ++ passwd_changed = TRUE; ++ } + } + + 
if(data->set.str[STRING_OPTIONS]) { +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1440,6 +1440,7 @@ + BIT(multi_owned_by_easy); + + BIT(this_is_a_follow); /* this is a followed Location: request */ ++ BIT(this_is_a_follow_without_auth); + BIT(refused_stream); /* this was refused, try again */ + BIT(errorbuf); /* Set to TRUE if the error buffer is already filled in. + This must be set to FALSE every time _easy_perform() is diff -Nru curl-7.74.0/debian/patches/CVE-2022-27774_3_of_4.patch curl-7.74.0/debian/patches/CVE-2022-27774_3_of_4.patch --- curl-7.74.0/debian/patches/CVE-2022-27774_3_of_4.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.74.0/debian/patches/CVE-2022-27774_3_of_4.patch 2022-12-31 14:35:15.000000000 +0000 
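Review bot: The new `this_is_a_follow_without_auth` bit is set in Curl_follow() but nothing in this patch clears it, and the url.c guard only requires it together with `this_is_a_follow`; unless the same place that resets this_is_a_follow at the start of a transfer (Curl_pretransfer(), if I have the right function) also resets this bit, a handle that once cleared auth on a cross-port or cross-scheme redirect will withhold STRING_USERNAME/STRING_PASSWORD on every later follow for the life of the handle, including same-origin ones where `clear` stays FALSE. That fails closed, which is the right direction for this CVE, but it differs from the removed CVE-2022-27774.patch, which freed `data->state.aptr.userpwd` per redirect, and it deserves either a reset next to `data->state.this_is_a_follow = FALSE` or a comment on the BIT() declaration stating the intended lifetime, e.g. `BIT(this_is_a_follow_without_auth); /* set by Curl_follow() when a redirect changed port or scheme; sticky until reset with this_is_a_follow */`. Separately, `infof(data, "Clear auth, redirects to port from %u to %u", data->info.conn_remote_port, port);` prints two `int` values with `%u`; `%d` matches the declared types. Curl_follow() and the url.c credential-setup function both continue outside this hunk.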
@@ -0,0 +1,406 @@ +The following sequence of patches is based on these upstream commits: +https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839 +https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79 +https://github.com/curl/curl/commit/5295e8d64ac6949ecb3f9e564317a608f51b90d8 +https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 + +It is further based on work by Kamil Dudka for +CentOS 8 and CentOS 9: +https://gitlab.com/redhat/centos-stream/rpms/curl/-/blob/c9s/0013-curl-7.76.1-CVE-2022-27774.patch +https://gitlab.com/redhat/centos-stream/rpms/curl/-/blob/c8s/0038-curl-7.61.1-CVE-2022-27774.patch + + +From 5295e8d64ac6949ecb3f9e564317a608f51b90d8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] tests: verify the fix for CVE-2022-27774 + + - Test 973 redirects from HTTP to FTP, clear auth + - Test 974 redirects from HTTP to HTTP different port, clear auth + - Test 975 redirects from HTTP to FTP, permitted to keep auth + - Test 976 redirects from HTTP to HTTP different port, permitted to keep + auth +--- + tests/data/test973 | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + tests/data/test974 | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + tests/data/test975 | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + tests/data/test976 | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 351 insertions(+) + create mode 100644 tests/data/test973 + create mode 100644 tests/data/test974 + create mode 100644 tests/data/test975 + create mode 100644 tests/data/test976 + +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -114,6 +114,7 @@ + test945 test946 test947 test948 test949 test950 test951 test952 test953 \ + test954 test955 test956 test957 test958 test959 test960 test961 test962 \ + test963 test964 test965 test966 test967 test968 test969 test970 test971 \ ++test973 test974 test975 
test976 \ + \ + test980 test981 test982 test983 test984 test985 test986 \ + \ +--- /dev/null ++++ b/tests/data/test973 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++FTP ++--location ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/9730002 ++ ++ ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/9730002 ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ftp ++ ++ ++HTTP with auth redirected to FTP w/o auth ++ ++ ++http://%HOSTIP:%HTTPPORT/973 -L -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /973 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++CWD a ++CWD path ++EPSV ++TYPE I ++SIZE 9730002 ++RETR 9730002 ++QUIT ++ ++ ++ +--- /dev/null ++++ b/tests/data/test974 +@@ -0,0 +1,87 @@ ++ ++ ++ ++HTTP ++--location ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/9740002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/9740002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT 
++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with auth redirected to HTTP on a diff port w/o auth ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.com/ HTTP/1.1 ++Host: firsthost.com ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://firsthost.com:9999/a/path/9740002 HTTP/1.1 ++Host: firsthost.com:9999 ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +--- /dev/null ++++ b/tests/data/test975 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++FTP ++--location-trusted ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/9750002 ++ ++ ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/9750002 ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? 
++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ftp ++ ++ ++HTTP with auth redirected to FTP allowing auth to continue ++ ++ ++http://%HOSTIP:%HTTPPORT/975 --location-trusted -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /975 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++ ++USER joe ++PASS secret ++PWD ++CWD a ++CWD path ++EPSV ++TYPE I ++SIZE 9750002 ++RETR 9750002 ++QUIT ++ ++ ++ +--- /dev/null ++++ b/tests/data/test976 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++--location-trusted ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/9760002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/9760002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with auth redirected to HTTP on a diff port --location-trusted ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.com/ HTTP/1.1 ++Host: firsthost.com ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://firsthost.com:9999/a/path/9760002 HTTP/1.1 ++Host: firsthost.com:9999 ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* 
++Proxy-Connection: Keep-Alive ++ ++ ++ ++ diff -Nru curl-7.74.0/debian/patches/CVE-2022-27774_4_of_4.patch curl-7.74.0/debian/patches/CVE-2022-27774_4_of_4.patch --- curl-7.74.0/debian/patches/CVE-2022-27774_4_of_4.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.74.0/debian/patches/CVE-2022-27774_4_of_4.patch 2022-12-31 14:35:15.000000000 +0000 
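Review bot: The stat block in this patch header lists four new test files and 351 insertions, but the body also carries a hunk for tests/data/Makefile.inc (`+test973 test974 test975 test976 \`), so the header no longer describes the patch and a reader using it to check completeness would miss the Makefile change. I would regenerate the stat or add a line to the header such as `Debian: additionally registers test973-test976 in tests/data/Makefile.inc so runtests picks them up.` Since these four tests are exactly what would have caught the earlier ineffective backport, it is also worth confirming that the package build actually runs the test suite with these numbers included rather than only shipping them in the source; I cannot tell that from this diff.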
@@ -0,0 +1,86 @@ +The following sequence of patches is based on these upstream commits: +https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839 +https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79 +https://github.com/curl/curl/commit/5295e8d64ac6949ecb3f9e564317a608f51b90d8 +https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 + +It is further based on work by Kamil Dudka for +CentOS 8 and CentOS 9: +https://gitlab.com/redhat/centos-stream/rpms/curl/-/blob/c9s/0013-curl-7.76.1-CVE-2022-27774.patch +https://gitlab.com/redhat/centos-stream/rpms/curl/-/blob/c8s/0038-curl-7.61.1-CVE-2022-27774.patch + + +From 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 17:59:15 +0200 +Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either + +Follow-up to 620ea21410030 + +Reported-by: Harry Sintonen +Closes #8751 +--- + lib/http.c | 10 +++++----- + lib/http.h | 6 ++++++ + lib/vtls/openssl.c | 3 ++- + 3 files changed, 13 insertions(+), 6 deletions(-) + +--- a/lib/http.c ++++ b/lib/http.c +@@ -752,10 +752,10 @@ + } + + /* +- * allow_auth_to_host() tells if autentication, cookies or other "sensitive +- * data" can (still) be sent to this host. ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. 
+ */ +-static bool allow_auth_to_host(struct Curl_easy *data) ++bool Curl_allow_auth_to_host(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; + return (!data->state.this_is_a_follow || +@@ -839,7 +839,7 @@ + + /* To prevent the user+password to get sent to other than the original host + due to a location-follow */ +- if(allow_auth_to_host(data) ++ if(Curl_allow_auth_to_host(data) + || conn->bits.netrc + ) + result = output_auth_headers(conn, authhost, request, path, FALSE); +@@ -1814,7 +1814,7 @@ + checkprefix("Cookie:", compare)) && + /* be careful of sending this potentially sensitive header to + other hosts */ +- !allow_auth_to_host(data)) ++ !Curl_allow_auth_to_host(data)) + ; + else { + result = Curl_dyn_addf(req, "%s\r\n", compare); +--- a/lib/http.h ++++ b/lib/http.h +@@ -252,4 +252,10 @@ + bool proxytunnel); /* TRUE if this is the request setting + up the proxy tunnel */ + ++/* ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. ++ */ ++bool Curl_allow_auth_to_host(struct Curl_easy *data); ++ + #endif /* HEADER_CURL_HTTP_H */ +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2857,7 +2857,8 @@ + #endif + + #ifdef USE_OPENSSL_SRP +- if(ssl_authtype == CURL_TLSAUTH_SRP) { ++ if((ssl_authtype == CURL_TLSAUTH_SRP) && ++ Curl_allow_auth_to_host(data)) { + char * const ssl_username = SSL_SET_OPTION(primary.username); + char * const ssl_password = SSL_SET_OPTION(primary.password); + diff -Nru curl-7.74.0/debian/patches/CVE-2022-32221.patch curl-7.74.0/debian/patches/CVE-2022-32221.patch --- curl-7.74.0/debian/patches/CVE-2022-32221.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.74.0/debian/patches/CVE-2022-32221.patch 2022-12-31 14:35:15.000000000 +0000 
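Review bot: `Curl_allow_auth_to_host()` now gates the TLS-SRP username and password by the same host-name test it applies to Authorization and Cookie headers, and nothing in the visible part of its body consults the new `this_is_a_follow_without_auth` state, so a redirect to the same host on a different port or scheme would, as far as I can see, still offer the SRP credentials while the url.c path withholds the HTTP ones. That matches upstream commit 139a54ed, which this patch is based on, so it may be accepted scope, but a sentence in the patch header such as `Note: SRP gating is by host name only, as in upstream 139a54ed; same-host port or scheme changes are not covered by this check.` would stop a reader from assuming the four-patch series closes the SRP case completely. The body of Curl_allow_auth_to_host() continues outside the hunk.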
@@ -0,0 +1,21 @@ +From: Samuel Henrique +Date: Tue, 27 Dec 2022 00:05:50 +0000 +Subject: setopt: when POST is set, reset the 'upload' field (CVE-2022-32221) + +Origin: https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9 +--- + lib/setopt.c | 1 + + 1 file changed, 1 insertion(+) + +Index: curl/lib/setopt.c +=================================================================== +--- curl.orig/lib/setopt.c ++++ curl/lib/setopt.c +@@ -626,6 +626,7 @@ CURLcode Curl_vsetopt(struct Curl_easy * + } + else + data->set.method = HTTPREQ_GET; ++ data->set.upload = FALSE; + break; + + case CURLOPT_HTTPPOST: diff -Nru curl-7.74.0/debian/patches/CVE-2022-43552.patch curl-7.74.0/debian/patches/CVE-2022-43552.patch --- curl-7.74.0/debian/patches/CVE-2022-43552.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.74.0/debian/patches/CVE-2022-43552.patch 2022-12-31 14:35:15.000000000 +0000 
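Review bot: Only the CURLOPT_POST case resets `data->set.upload`, so the fix relies on the application passing through CURLOPT_POST (or CURLOPT_UPLOAD=0) between the PUT and the POST. If 7.74.0's Curl_http() still promotes the request to PUT whenever `data->set.upload` is set, which is how the read callback gets chosen over CURLOPT_POSTFIELDS, then a handle that moves from CURLOPT_UPLOAD=1 directly to CURLOPT_POSTFIELDS or CURLOPT_HTTPPOST keeps `upload` TRUE and stays on the path the changelog describes; please check lib/http.c before closing this out, since the one-line upstream change may be narrower than the advisory text suggests. If the other setters need the same treatment, the minimal change is `data->set.upload = FALSE;` in each of those cases as well. Curl_vsetopt() continues outside this hunk.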
@@ -0,0 +1,69 @@ +From: Samuel Henrique +Date: Tue, 27 Dec 2022 00:05:50 +0000 +Subject: smb/telnet: do not free the protocol struct in *_done() (CVE-2022-43552) + +Origin: https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2 +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +Index: curl/lib/smb.c +=================================================================== +--- curl.orig/lib/smb.c ++++ curl/lib/smb.c +@@ -59,8 +59,6 @@ static CURLcode smb_connect(struct conne + static CURLcode smb_connection_state(struct connectdata *conn, bool *done); + static CURLcode smb_do(struct connectdata *conn, bool *done); + static CURLcode smb_request_state(struct connectdata *conn, bool *done); +-static CURLcode smb_done(struct connectdata *conn, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct connectdata *conn, bool dead); + static int smb_getsock(struct connectdata *conn, curl_socket_t *socks); + static CURLcode smb_parse_url_path(struct connectdata *conn); +@@ -72,7 +70,7 @@ const struct Curl_handler Curl_handler_s + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -98,7 +96,7 @@ const struct Curl_handler Curl_handler_s + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -919,14 +917,6 @@ static CURLcode smb_request_state(struct + return CURLE_OK; + } + +-static CURLcode smb_done(struct connectdata *conn, CURLcode status, +- bool premature) +-{ +- (void) premature; +- Curl_safefree(conn->data->req.p.smb); +- return status; +-} +- + static CURLcode smb_disconnect(struct connectdata 
*conn, bool dead) + { + struct smb_conn *smbc = &conn->proto.smbc; +Index: curl/lib/telnet.c +=================================================================== +--- curl.orig/lib/telnet.c ++++ curl/lib/telnet.c +@@ -1250,8 +1250,6 @@ static CURLcode telnet_done(struct conne + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; + +- Curl_safefree(conn->data->req.p.telnet); +- + return CURLE_OK; + } + diff -Nru curl-7.74.0/debian/patches/series curl-7.74.0/debian/patches/series --- curl-7.74.0/debian/patches/series 2022-09-03 10:26:12.000000000 +0000 +++ curl-7.74.0/debian/patches/series 2022-12-31 14:35:15.000000000 +0000 @@ -23,9 +23,14 @@ CVE-2022-32206.patch CVE-2022-32207.patch CVE-2022-32208.patch -CVE-2022-27774.patch +CVE-2022-27774_1_of_4.patch +CVE-2022-27774_2_of_4.patch +CVE-2022-27774_3_of_4.patch +CVE-2022-27774_4_of_4.patch cookie-reject-cookies-with-control-bytes.patch test8-verify-that-ctrl-byte-cookies-are-ignored.patch +CVE-2022-32221.patch +CVE-2022-43552.patch # Always add CVE patches before these two patches 90_gnutls.patch
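Review bot: Dropping smb_done() and the `Curl_safefree(conn->data->req.p.telnet)` in telnet_done() is only correct because `req.p` is released elsewhere at the end of the transfer, and nothing in the patch says where; the next person to read `ZERO_NULL, /* done */` on Curl_handler_smb may see a leak and put the free back, reintroducing the double free. I would add to the patch header: `req.p is a union over the per-protocol request structs and is freed once by the generic per-request cleanup in the transfer teardown; protocol done() callbacks must not free it themselves.` I cannot confirm from this diff which 7.74.0 function performs that generic free, so verify the name before quoting it in the comment. telnet_done() begins outside this hunk.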