diff -u curl-7.19.7/debian/changelog curl-7.19.7/debian/changelog
--- curl-7.19.7/debian/changelog
+++ curl-7.19.7/debian/changelog
@@ -1,3 +1,24 @@
+curl (7.19.7-1ubuntu1.7) lucid-security; urgency=medium
+
+ * SECURITY UPDATE: wrong re-use of connections
+ - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
+ HTTP logic, and extend new connection logic to other protocols in
+ lib/http.c, lib/url.c, lib/urldata.h, add new tests to
+ tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
+ - CVE-2014-0138
+ * SECURITY UPDATE: incorrect wildcard SSL certificate validation with
+ literal IP addresses
+ - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
+ lib/ssluse.c.
+ - CVE-2014-0139
+ * debian/patches/fix_test172.path: fix expired cookie causing test to
+ fail.
+ * debian/patches/disable_test519.path: disable test 519 as security
+ update causes it to hang. Fixing this would require backporting new
+ logic into tests/server/sws.c.
+
+ -- Marc Deslauriers Mon, 14 Apr 2014 09:43:35 -0400
+
 curl (7.19.7-1ubuntu1.6) lucid-security; urgency=medium
 
 * SECURITY UPDATE: information disclosure via incorrect NTLM credential
diff -u curl-7.19.7/debian/patches/series curl-7.19.7/debian/patches/series
--- curl-7.19.7/debian/patches/series
+++ curl-7.19.7/debian/patches/series
@@ -9,7 +9,10 @@
 CVE-2014-0015.patch
-
-# this must be the last
 curl-tailmatch.patch
 libcurl-contentencoding.patch -p0
 0001-Curl_input_negotiate-do-not-delegate-credentials.patch
+CVE-2014-0138.patch
+CVE-2014-0139.patch
+fix_test172.patch
+
+# this must be the last
 gnutls
only in patch2: unchanged:
--- curl-7.19.7.orig/debian/patches/CVE-2014-0138.patch
+++ curl-7.19.7/debian/patches/CVE-2014-0138.patch
@@ -0,0 +1,251 @@ +Description: fix wrong re-use of connections +Origin: backport, https://github.com/bagder/curl/commit/378af08c99299683eb728fd8f9d3d3ab05f73ec0 +Origin: backport, https://github.com/bagder/curl/commit/d765099813f58153cb859279c743e6494d179341 +Origin: backport, https://github.com/bagder/curl/commit/517b06d657aceb11a234b05cc891170c367ab80d +Origin: also based on patch by Steve Holme in Debian's 7.21.0-2.1+squeeze8 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742728 + +WARNING: this patch contains weird line endings, editing it may +break tests. + +Index: curl-7.19.7/lib/url.c +=================================================================== +--- curl-7.19.7.orig/lib/url.c 2014-04-14 09:42:28.938301164 -0400 ++++ curl-7.19.7/lib/url.c 2014-04-14 09:42:28.934301164 -0400 +@@ -2729,11 +2729,11 @@ + continue; + } + } +- if((needle->protocol & PROT_FTP) || ++ if((!(needle->protocol & PROTOPT_CREDSPERREQUEST)) || + ((needle->protocol & PROT_HTTP) && + (data->state.authhost.want & CURLAUTH_NTLM))) { +- /* This is FTP or HTTP+NTLM, verify that we're using the same name +- and password as well */ ++ /* This protocol requires credentials per connection or is HTTP+NTLM, ++ so verify that we're using the same name and password as well */ + if(!strequal(needle->user, check->user) || + !strequal(needle->passwd, check->passwd)) { + /* one of them was different */ +Index: curl-7.19.7/lib/urldata.h +=================================================================== +--- curl-7.19.7.orig/lib/urldata.h 2014-04-14 09:42:28.938301164 -0400 ++++ curl-7.19.7/lib/urldata.h 2014-04-14 09:42:28.934301164 -0400 +@@ -931,6 +931,8 @@ + + #define PROT_SSL (1<<22) /* protocol requires SSL */ + #define PROT_MISSING (1<<23) ++#define PROTOPT_CREDSPERREQUEST (1<<24) /* requires login creditials per request ++ as opposed to per connection */ + + #define PROT_CLOSEACTION PROT_FTP /* these ones need action before socket + close */ +Index: 
curl-7.19.7/tests/data/Makefile.am +=================================================================== +--- curl-7.19.7.orig/tests/data/Makefile.am 2014-04-14 09:42:28.938301164 -0400 ++++ curl-7.19.7/tests/data/Makefile.am 2014-04-14 09:42:28.934301164 -0400 +@@ -63,6 +63,7 @@ + test1089 test1090 test1091 test1092 test1093 test1094 test1095 test1096 \ + test1097 test560 test561 test1098 test1099 test562 test563 test1100 \ + test564 test1101 test1102 test1103 test1104 test299 test310 test311 \ ++ test1418 test1419 \ + test312 test1105 test565 + + filecheck: +Index: curl-7.19.7/tests/data/test1418 +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ curl-7.19.7/tests/data/test1418 2014-04-14 09:42:28.934301164 -0400 +@@ -0,0 +1,106 @@ ++ ++ ++ ++HTTP ++HTTP GET ++HTTP NTLM auth ++connection re-use ++ ++ ++# Server-side ++ ++ ++connection-monitor ++ ++ ++ ++HTTP/1.1 401 Authentication please! ++Content-Length: 20 ++WWW-Authenticate: Digest realm="loonie", nonce="314156592" ++WWW-Authenticate: Basic ++ ++Please auth with me ++ ++ ++# This is supposed to be returned when the server gets the second ++# Authorization: NTLM line passed-in from the client ++ ++HTTP/1.1 200 Things are fine in server land ++Server: Microsoft-IIS/5.0 ++Content-Length: 4 ++ ++moo ++ ++ ++ ++HTTP/1.1 200 OK ++Server: Another one/1.0 ++Content-Length: 4 ++ ++boo ++ ++ ++# This is the first reply after the redirection ++ ++HTTP/1.1 200 OK ++Server: Microsoft-IIS/5.0 ++Content-Type: text/html; charset=iso-8859-1 ++Content-Length: 34 ++ ++This is not the real page either! ++ ++ ++ ++HTTP/1.1 401 Authentication please! 
++Content-Length: 20 ++WWW-Authenticate: Digest realm="loonie", nonce="314156592" ++WWW-Authenticate: Basic ++ ++HTTP/1.1 200 Things are fine in server land ++Server: Microsoft-IIS/5.0 ++Content-Length: 4 ++ ++moo ++ ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++crypto ++ ++ ++HTTP with --anyauth and connection re-use ++ ++ ++http://%HOSTIP:%HTTPPORT/1418 -u testuser:testpass --anyauth http://%HOSTIP:%HTTPPORT/14180003 ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++GET /1418 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++ ++GET /1418 HTTP/1.1 ++Authorization: Digest username="testuser", realm="loonie", nonce="314156592", uri="/1418", response="986238b7e0077754944c966f56d9bc77" ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++ ++GET /14180003 HTTP/1.1 ++Authorization: Digest username="testuser", realm="loonie", nonce="314156592", uri="/14180003", response="1c6390a67bac3283a9b023402f3b3540" ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++ ++ ++ ++ +Index: curl-7.19.7/tests/data/test1419 +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ curl-7.19.7/tests/data/test1419 2014-04-14 09:42:28.934301164 -0400 +@@ -0,0 +1,68 @@ ++ ++ ++ ++HTTP ++HTTP GET ++HTTP NTLM auth ++connection re-use ++ ++ ++# Server-side ++ ++ ++connection-monitor ++ ++ ++ ++HTTP/1.1 200 fine! ++Content-Length: 20 ++ ++Feel free to get it ++ ++ ++ ++HTTP/1.1 200 OK ++Server: Another one/1.0 ++Content-Length: 4 ++ ++boo ++ ++ ++ ++HTTP/1.1 200 fine! ++Content-Length: 20 ++ ++Feel free to get it ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++HTTP with --anyauth (but no auth!) 
and connection re-use ++ ++ ++http://%HOSTIP:%HTTPPORT/1419 --anyauth http://%HOSTIP:%HTTPPORT/14190003 ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++GET /1419 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++ ++GET /14190003 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++ ++ ++ ++ +Index: curl-7.19.7/lib/http.c +=================================================================== +--- curl-7.19.7.orig/lib/http.c 2014-04-14 09:42:22.530300925 -0400 ++++ curl-7.19.7/lib/http.c 2014-04-14 09:42:48.798301906 -0400 +@@ -162,7 +162,7 @@ + ZERO_NULL, /* perform_getsock */ + ZERO_NULL, /* disconnect */ + PORT_HTTPS, /* defport */ +- PROT_HTTP | PROT_HTTPS | PROT_SSL /* protocol */ ++ PROT_HTTP | PROT_HTTPS | PROT_SSL | PROTOPT_CREDSPERREQUEST /* protocol */ + }; + #endif + only in patch2: unchanged: --- curl-7.19.7.orig/debian/patches/CVE-2014-0139.patch +++ curl-7.19.7/debian/patches/CVE-2014-0139.patch 
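Review bot: PROTOPT_CREDSPERREQUEST is OR-ed into only the HTTPS handler in the lib/http.c hunk (the struct with `PORT_HTTPS, /* defport */` closed by `#endif`), while the plain-HTTP handler is not touched anywhere in this patch, so under the new lib/url.c test `!(needle->protocol & PROTOPT_CREDSPERREQUEST)` every http:// connection is treated as carrying per-connection credentials and is re-used only when user and password match. That errs on the safe side, but it is a behaviour change for Basic/Digest over plain HTTP that the changelog does not mention, and tests 1418/1419 would not catch it because both requests in each test use identical credentials; if it is intended, a short comment on the HTTPS handler should say so, otherwise `| PROTOPT_CREDSPERREQUEST` belongs on the http handler as well. The new bit is defined at `(1<<24)` in the same `protocol` word as the PROT_* identity bits, so any code that compares `protocol` for equality or masks it against a protocol list would need checking — only this urldata.h hunk is visible, so treat that as a question rather than a finding. The new urldata.h comment also spells `creditials`; `credentials`.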
@@ -0,0 +1,153 @@
+Description: fix incorrect wildcard SSL certificate validation with
+ literal IP addresses
+Origin: backport, https://github.com/bagder/curl/commit/5019c780958c3a8dbe64123aa90e6eaff1b84cfa
+Origin: backport, https://github.com/bagder/curl/commit/965690f67e190b5069cb0b16eef6917cb0d8ae18
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742728
+
+Index: curl-7.19.7/lib/ssluse.c
+===================================================================
+--- curl-7.19.7.orig/lib/ssluse.c 2014-04-02 08:23:31.979862702 -0400
++++ curl-7.19.7/lib/ssluse.c 2014-04-02 08:27:00.391868283 -0400
+@@ -981,55 +981,108 @@
+ * E.g.
+ * "foo.host.com" matches "*.host.com".
+ *
+- * We are a bit more liberal than RFC2818 describes in that we
+- * accept multiple "*" in pattern (similar to what some other browsers do).
+- * E.g.
+- * "abc.def.domain.com" should strickly not match "*.domain.com", but we
+- * don't consider "." to be important in CERT checking.
++ * We use the matching rule described in RFC6125, section 6.4.3.
++ * http://tools.ietf.org/html/rfc6125#section-6.4.3
++ *
++ * In addition: ignore trailing dots in the host names and wildcards, so that
++ * the names are used normalized. This is what the browsers do.
++ *
++ * Do not allow wildcard matching on IP numbers. There are apparently
++ * certificates being used with an IP address in the CN field, thus making no
++ * apparent distinction between a name and an IP. We need to detect the use of
++ * an IP address and not wildcard match on such names.
++ *
++ * NOTE: hostmatch() gets called with copied buffers so that it can modify the
++ * contents at will.
+ */
+ #define HOST_NOMATCH 0
+ #define HOST_MATCH 1
+
+-static int hostmatch(const char *hostname, const char *pattern)
++static int hostmatch(char *hostname, char *pattern)
+ {
+- while(1) {
+- char c = *pattern++;
+-
+- if(c == '\0')
+- return (*hostname ? HOST_NOMATCH : HOST_MATCH);
+-
+- if(c == '*') {
+- c = *pattern;
+- if(c == '\0') /* "*\0" matches anything remaining */
+- return HOST_MATCH;
+-
+- while(*hostname) {
+- /* The only recursive function in libcurl! */
+- if(hostmatch(hostname++,pattern) == HOST_MATCH)
+- return HOST_MATCH;
+- }
+- break;
+- }
++ const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
++ int wildcard_enabled;
++ size_t prefixlen, suffixlen;
++ struct in_addr ignored;
++#ifdef ENABLE_IPV6
++ struct sockaddr_in6 si6;
++#endif
++
++ /* normalize pattern and hostname by stripping off trailing dots */
++ size_t len = strlen(hostname);
++ if(hostname[len-1]=='.')
++ hostname[len-1]=0;
++ len = strlen(pattern);
++ if(pattern[len-1]=='.')
++ pattern[len-1]=0;
++
++ pattern_wildcard = strchr(pattern, '*');
++ if(pattern_wildcard == NULL) {
++ return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH;
++ }
+
+- if(Curl_raw_toupper(c) != Curl_raw_toupper(*hostname++))
+- break;
++ /* detect IP address as hostname and fail the match if so */
++ if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
++ return HOST_NOMATCH;
++#ifdef ENABLE_IPV6
++ else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
++ return HOST_NOMATCH;
++#endif
++
++ /* We require at least 2 dots in pattern to avoid too wide wildcard
++ match. */
++ wildcard_enabled = 1;
++ pattern_label_end = strchr(pattern, '.');
++ if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL ||
++ pattern_wildcard > pattern_label_end ||
++ Curl_raw_nequal(pattern, "xn--", 4)) {
++ wildcard_enabled = 0;
++ }
++ if(!wildcard_enabled) {
++ return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH;
++ }
++ hostname_label_end = strchr(hostname, '.');
++ if(hostname_label_end == NULL ||
++ !Curl_raw_equal(pattern_label_end, hostname_label_end)) {
++ return HOST_NOMATCH;
++ }
++ /* The wildcard must match at least one character, so the left-most
++ label of the hostname is at least as large as the left-most label
++ of the pattern. */
++ if(hostname_label_end - hostname < pattern_label_end - pattern) {
++ return HOST_NOMATCH;
+ }
+- return HOST_NOMATCH;
++ prefixlen = pattern_wildcard - pattern;
++ suffixlen = pattern_label_end - (pattern_wildcard+1);
++ return Curl_raw_nequal(pattern, hostname, prefixlen) &&
++ Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen,
++ suffixlen) ?
++ HOST_MATCH : HOST_NOMATCH;
+ }
+
+ static int
+ cert_hostcheck(const char *match_pattern, const char *hostname)
+ {
++ char *matchp;
++ char *hostp;
++ int res = 0;
+ if(!match_pattern || !*match_pattern ||
+ !hostname || !*hostname) /* sanity check */
+- return 0;
+-
+- if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */
+- return 1;
++ ;
++ else {
++ matchp = strdup(match_pattern);
++ if(matchp) {
++ hostp = strdup(hostname);
++ if(hostp) {
++ if(hostmatch(hostp, matchp) == HOST_MATCH)
++ res= 1;
++ free(hostp);
++ }
++ free(matchp);
++ }
++ }
+
+- if(hostmatch(hostname,match_pattern) == HOST_MATCH)
+- return 1;
+- return 0;
++ return res;
+ }
+
+ /* Quote from RFC2818 section 3.1 "Server Identity"
only in patch2: unchanged:
--- curl-7.19.7.orig/debian/patches/fix_test172.patch
+++ curl-7.19.7/debian/patches/fix_test172.patch
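Review bot: In the new hostmatch(), `size_t len = strlen(hostname); if(hostname[len-1]=='.')` (and the matching pair for pattern) indexes at `len-1`, which wraps to SIZE_MAX and reads out of bounds for an empty string; today that is prevented only by cert_hostcheck()'s `!*match_pattern || !hostname || !*hostname` sanity check further down the hunk, so the guard belongs in hostmatch itself: `if(len && hostname[len-1]=='.')` and `if(len && pattern[len-1]=='.')`. A pattern of just `.` passes the caller's check and becomes empty after normalisation, which the later `strchr`/`Curl_raw_equal` path tolerates, but any second caller of hostmatch would not get that protection. The IP-literal rejection runs only on the wildcard path, which is the right behaviour (a certificate carrying the literal address still matches exactly through the `pattern_wildcard == NULL` return above it), and a one-line comment saying exactly that would save the next reader from asking why the inet_pton calls come after the first return. In cert_hostcheck() the empty `;` then-branch with all the work in `else` reads oddly; keeping the early `return 0;` the old code had and letting the strdup/free ladder follow it preserves behaviour and is easier to scan.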
@@ -0,0 +1,32 @@
+From ffb8a21d85bde8b626e5dc52ce25f0447ee49f89 Mon Sep 17 00:00:00 2001
+From: Steve Holme
+Date: Sun, 2 Feb 2014 11:01:10 +0000
+Subject: [PATCH] tests: Fixed test172 cookie expiry
+
+The test contains a cookie jar file where one of the cookies has an
+expiry date of 1391252187 -- Sat, 1 Feb 2014 10:56:27 GMT which has
+now expired. Updated to Wed, 14 Oct 2037 16:36:33 GMT as per test
+179.
+
+Reported-by: Adam Sampson
+Bug: http://curl.haxx.se/bug/view.cgi?id=1330
+---
+ tests/data/test172 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/data/test172 b/tests/data/test172
+index b3efae9..3d53418 100644
+--- a/tests/data/test172
++++ b/tests/data/test172
+@@ -36,7 +36,7 @@ http://%HOSTIP:%HTTPPORT/we/want/172 -b log/jar172.txt -b "tool=curl; name=fool"
+
+ .%HOSTIP TRUE /silly/ FALSE 0 ismatch this
+ .%HOSTIP TRUE / FALSE 0 partmatch present
+-%HOSTIP FALSE /we/want/ FALSE 1391252187 nodomain value
++%HOSTIP FALSE /we/want/ FALSE 2139150993 nodomain value
+
+
+
+--
+1.9.1
+