diff -Nru curl-7.47.0/debian/changelog curl-7.47.0/debian/changelog --- curl-7.47.0/debian/changelog 2017-11-28 13:03:58.000000000 +0000 +++ curl-7.47.0/debian/changelog 2018-01-29 19:06:26.000000000 +0000 @@ -1,3 +1,18 @@ +curl (7.47.0-1ubuntu2.6) xenial-security; urgency=medium + + * SECURITY UPDATE: Out of bounds read in code handling HTTP/2 + - debian/patches/CVE-2018-1000005.patch: fix incorrect + trailer buffer size in lib/http2.c. + - CVE-2018-1000005 + * SECURITY UPDATE: leak authentication data + - debian/patches/CVE-2018-1000007.patch: prevent custom + authorization headers in redirects in lib/http.c, + lib/url.c, lib/urldata.h, tests/data/Makefile.in, + tests/data/test317, tests/data/test318. + - CVE-2018-1000007 + + -- Leonidas S. Barbosa Mon, 29 Jan 2018 16:06:08 -0300 + curl (7.47.0-1ubuntu2.5) xenial-security; urgency=medium * SECURITY UPDATE: NTLM buffer overflow via integer overflow diff -Nru curl-7.47.0/debian/patches/CVE-2018-1000005.patch curl-7.47.0/debian/patches/CVE-2018-1000005.patch --- curl-7.47.0/debian/patches/CVE-2018-1000005.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.47.0/debian/patches/CVE-2018-1000005.patch 2018-01-29 19:05:15.000000000 +0000 @@ -0,0 +1,36 @@ +From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001 +From: Zhouyihai Ding +Date: Wed, 10 Jan 2018 10:12:18 -0800 +Subject: [PATCH] http2: fix incorrect trailer buffer size + +Prior to this change the stored byte count of each trailer was +miscalculated and 1 less than required. It appears any trailer +after the first that was passed to Curl_client_write would be truncated +or corrupted as well as the size. Potentially the size of some +subsequent trailer could be erroneously extracted from the contents of +that trailer, and since that size is used by client write an +out-of-bounds read could occur and cause a crash or be otherwise +processed by client write. + +The bug appears to have been born in 0761a51 (precedes 7.49.0). + +Closes https://github.com/curl/curl/pull/2231 +--- + lib/http2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: curl-7.47.0/lib/http2.c +=================================================================== +--- curl-7.47.0.orig/lib/http2.c ++++ curl-7.47.0/lib/http2.c +@@ -799,8 +799,8 @@ static int on_header(nghttp2_session *se + + if(stream->bodystarted) { + /* This is trailer fields. */ +- /* 3 is for ":" and "\r\n". */ +- uint32_t n = (uint32_t)(namelen + valuelen + 3); ++ /* 4 is for ": " and "\r\n". */ ++ uint32_t n = (uint32_t)(namelen + valuelen + 4); + + DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen, + value)); diff -Nru curl-7.47.0/debian/patches/CVE-2018-1000007.patch curl-7.47.0/debian/patches/CVE-2018-1000007.patch --- curl-7.47.0/debian/patches/CVE-2018-1000007.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.47.0/debian/patches/CVE-2018-1000007.patch 2018-01-29 19:05:25.000000000 +0000 @@ -0,0 +1,320 @@ +Backported of: +From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 19 Jan 2018 13:19:25 +0100 +Subject: [PATCH] http: prevent custom Authorization headers in redirects + +... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how +curl already handles Authorization headers created internally. + +Note: this changes behavior slightly, for the sake of reducing mistakes. + +Added test 317 and 318 to verify. + +Reported-by: Craig de Stigter +Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html +--- + docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 10 ++++ + lib/http.c | 10 +++- + lib/url.c | 2 +- + lib/urldata.h | 2 +- + tests/data/Makefile.inc | 2 +- + tests/data/test317 | 95 ++++++++++++++++++++++++++++++++++ + tests/data/test318 | 95 ++++++++++++++++++++++++++++++++++ + 7 files changed, 212 insertions(+), 4 deletions(-) + create mode 100644 tests/data/test317 + create mode 100644 tests/data/test318 + +diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 +index cd50431..c467f1b 100644 +--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 ++++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 +@@ -68,6 +68,16 @@ The most commonly replaced headers have "shortcuts" in the options + There's an alternative option that sets or replaces headers only for requests + that are sent with CONNECT to a proxy: \fICURLOPT_PROXYHEADER(3)\fP. Use + \fICURLOPT_HEADEROPT(3)\fP to control the behavior. ++ ++Custom headers are sent in all requests done by the easy handles, which ++implies that if you tell libcurl to follow redirects ++(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent ++in the subsequent request. Redirects can of course go to other hosts and thus ++those servers will get all the contents of your custom headers too. ++ ++Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers ++from being sent to other hosts than the first used one, unless specifically ++permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option. + .SH SECURITY CONCERNS + By default, this option makes libcurl send the given headers in all HTTP + requests done by this handle. You should therefore use this option with +diff --git a/lib/http.c b/lib/http.c +index 70d2be0..cb4b4c3 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -723,7 +723,7 @@ Curl_http_output_auth(struct connectdata *conn, + if(!data->state.this_is_a_follow || + conn->bits.netrc || + !data->state.first_host || +- data->set.http_disable_hostname_check_before_authentication || ++ data->set.allow_auth_to_other_hosts || + Curl_raw_equal(data->state.first_host, conn->host.name)) { + result = output_auth_headers(conn, authhost, request, path, FALSE); + } +@@ -1658,6 +1658,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, + Connection: */ + checkprefix("Connection", headers->data)) + ; ++ else if(checkprefix("Authorization:", headers->data) && ++ /* be careful of sending this potentially sensitive header to ++ other hosts */ ++ (data->state.this_is_a_follow && ++ data->state.first_host && ++ !data->set.allow_auth_to_other_hosts && ++ !Curl_raw_equal(data->state.first_host, conn->host.name))) ++ ; + else { + CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n", + headers->data); +diff --git a/lib/url.c b/lib/url.c +index 8280122..4342b05 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -956,7 +956,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, + * Send authentication (user+password) when following locations, even when + * hostname changed. + */ +- data->set.http_disable_hostname_check_before_authentication = ++ data->set.allow_auth_to_other_hosts = + (0 != va_arg(param, long))?TRUE:FALSE; + break; + +diff --git a/lib/urldata.h b/lib/urldata.h +index 84207fc..ed06ad5 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1582,7 +1582,7 @@ struct UserDefined { + bool http_fail_on_error; /* fail on HTTP error codes >= 400 */ + bool http_follow_location; /* follow HTTP redirects */ + bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */ +- bool http_disable_hostname_check_before_authentication; ++ bool allow_auth_to_other_hosts; + bool include_header; /* include received protocol headers in data output */ + bool http_set_referer; /* is a custom referer used */ + bool http_auto_referer; /* set "correct" referer when following location: */ +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index cafa2dc..b28fac0 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -55,7 +55,7 @@ test280 test281 test282 test283 test284 test285 test286 test287 test288 \ + test289 test290 test291 test292 test293 test294 test295 test296 test297 \ + test298 test299 test300 test301 test302 test303 test304 test305 test306 \ + test307 test308 test309 test310 test311 test312 test313 \ +- test320 test321 test322 test323 test324 \ ++ test317 test318 test320 test321 test322 test323 test324 \ + test325 \ + test350 test351 test352 test353 test354 \ + \ +diff --git a/tests/data/test317 b/tests/data/test317 +new file mode 100644 +index 0000000..57c7187 +--- /dev/null ++++ b/tests/data/test317 +@@ -0,0 +1,95 @@ ++ ++ ++ ++HTTP ++HTTP proxy ++HTTP Basic auth ++HTTP proxy Basic auth ++followlocation ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 302 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Location: http://goto.second.host.now/3170002 ++Content-Length: 8 ++Connection: close ++ ++contents ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Content-Length: 9 ++ ++contents ++ ++ ++ ++HTTP/1.1 302 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Location: http://goto.second.host.now/3170002 ++Content-Length: 8 ++Connection: close ++ ++HTTP/1.1 200 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Content-Length: 9 ++ ++contents ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with custom Authorization: and redirect to new host ++ ++ ++http://first.host.it.is/we/want/that/page/317 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++GET http://first.host.it.is/we/want/that/page/317 HTTP/1.1 ++Host: first.host.it.is ++Proxy-Authorization: Basic dGVzdGluZzp0aGlz ++Accept: */* ++Proxy-Connection: Keep-Alive ++Authorization: s3cr3t ++ ++GET http://goto.second.host.now/3170002 HTTP/1.1 ++Host: goto.second.host.now ++Proxy-Authorization: Basic dGVzdGluZzp0aGlz ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ ++ +diff --git a/tests/data/test318 b/tests/data/test318 +new file mode 100644 +index 0000000..838d1ba +--- /dev/null ++++ b/tests/data/test318 +@@ -0,0 +1,95 @@ ++ ++ ++ ++HTTP ++HTTP proxy ++HTTP Basic auth ++HTTP proxy Basic auth ++followlocation ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 302 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Location: http://goto.second.host.now/3180002 ++Content-Length: 8 ++Connection: close ++ ++contents ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Content-Length: 9 ++ ++contents ++ ++ ++ ++HTTP/1.1 302 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Location: http://goto.second.host.now/3180002 ++Content-Length: 8 ++Connection: close ++ ++HTTP/1.1 200 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake swsclose ++Content-Type: text/html ++Funny-head: yesyes ++Content-Length: 9 ++ ++contents ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with custom Authorization: and redirect to new host ++ ++ ++http://first.host.it.is/we/want/that/page/318 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location-trusted ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++GET http://first.host.it.is/we/want/that/page/318 HTTP/1.1 ++Host: first.host.it.is ++Proxy-Authorization: Basic dGVzdGluZzp0aGlz ++Accept: */* ++Proxy-Connection: Keep-Alive ++Authorization: s3cr3t ++ ++GET http://goto.second.host.now/3180002 HTTP/1.1 ++Host: goto.second.host.now ++Proxy-Authorization: Basic dGVzdGluZzp0aGlz ++Accept: */* ++Proxy-Connection: Keep-Alive ++Authorization: s3cr3t ++ ++ ++ ++ +-- +2.7.4 + diff -Nru curl-7.47.0/debian/patches/series curl-7.47.0/debian/patches/series --- curl-7.47.0/debian/patches/series 2017-11-28 13:04:18.000000000 +0000 +++ curl-7.47.0/debian/patches/series 2018-01-29 19:05:58.000000000 +0000 @@ -28,6 +28,8 @@ CVE-2017-1000257.patch CVE-2017-8816.patch CVE-2017-8817.patch +CVE-2018-1000005.patch +CVE-2018-1000007.patch # do not add patches below 90_gnutls.patch