diff -Nru curl-7.35.0/debian/changelog curl-7.35.0/debian/changelog
--- curl-7.35.0/debian/changelog 2016-01-26 17:10:58.000000000 +0000
+++ curl-7.35.0/debian/changelog 2016-08-05 15:23:05.000000000 +0000
@@ -1,3 +1,28 @@
+curl (7.35.0-1ubuntu2.8) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: TLS session resumption client cert bypass
+ - debian/patches/CVE-2016-5419.patch: switch off SSL session id when
+ client cert is used in lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
+ - CVE-2016-5419
+ * SECURITY UPDATE: re-using connections with wrong client cert
+ - debian/patches/CVE-2016-5420.patch: only reuse connections with the
+ same client cert in lib/vtls/vtls.c.
+ - CVE-2016-5420
+ * SECURITY UPDATE: use of connection struct after free
+ - debian/patches/CVE-2016-5421.patch: clear connection pointer for easy
+ handles in lib/multi.c.
+ - CVE-2016-5421
+
+ -- Marc Deslauriers Fri, 05 Aug 2016 11:23:04 -0400
+
+curl (7.35.0-1ubuntu2.7) trusty; urgency=medium
+
+ [ Matthew Hall ]
+ * debian/patches/libcurl_broken_pkcs12.patch:
+ - fix p12 client certificates (LP: #1556330)
+
+ -- Gianfranco Costamagna Sat, 12 Mar 2016 17:22:33 +0100
+
 curl (7.35.0-1ubuntu2.6) trusty-security; urgency=medium
 * SECURITY UPDATE: NTLM credentials not-checked for proxy connection
diff -Nru curl-7.35.0/debian/patches/CVE-2016-5419.patch curl-7.35.0/debian/patches/CVE-2016-5419.patch
--- curl-7.35.0/debian/patches/CVE-2016-5419.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.35.0/debian/patches/CVE-2016-5419.patch 2016-08-05 15:21:17.000000000 +0000
@@ -0,0 +1,67 @@
+From 416ad90afc50d9cbcb50ba4ab28f88d260774f6d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 1 Jul 2016 13:32:31 +0200
+Subject: [PATCH] TLS: switch off SSL session id when client cert is used
+
+CVE-2016-5419
+Bug: https://curl.haxx.se/docs/adv_20160803A.html
+Reported-by: Bru Rom
+Contributions-by: Eric Rescorla and Ray Satiro
+---
+ lib/url.c | 1 +
+ lib/urldata.h | 1 +
+ lib/vtls/vtls.c | 10 ++++++++++
+ 3 files changed, 12 insertions(+)
+
+Index: curl-7.35.0/lib/url.c
+===================================================================
+--- curl-7.35.0.orig/lib/url.c 2016-08-05 11:21:14.124206286 -0400
++++ curl-7.35.0/lib/url.c 2016-08-05 11:21:14.120206237 -0400
+@@ -5404,6 +5404,7 @@
+ data->set.ssl.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+ data->set.ssl.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+ data->set.ssl.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
++ data->set.ssl.clientcert = data->set.str[STRING_CERT];
+ #ifdef USE_TLS_SRP
+ data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
+ data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+Index: curl-7.35.0/lib/urldata.h
+===================================================================
+--- curl-7.35.0.orig/lib/urldata.h 2016-08-05 11:21:14.124206286 -0400
++++ curl-7.35.0/lib/urldata.h 2016-08-05 11:21:14.120206237 -0400
+@@ -366,6 +366,7 @@
+ char *CAfile; /* certificate to verify peer against */
+ const char *CRLfile; /* CRL to check certificate revocation */
+ const char *issuercert;/* optional issuer certificate filename */
++ char *clientcert;
+ char *random_file; /* path to file containing "random" data */
+ char *egdsocket; /* path to file containing the EGD daemon socket */
+ char *cipher_list; /* list of ciphers to use */
+Index: curl-7.35.0/lib/vtls/vtls.c
+===================================================================
+--- curl-7.35.0.orig/lib/vtls/vtls.c 2016-08-05 11:21:14.124206286 -0400
++++ curl-7.35.0/lib/vtls/vtls.c 2016-08-05 11:21:14.120206237 -0400
+@@ -166,6 +166,15 @@
+ else
+ dest->random_file = NULL;
+
++ if(source->clientcert) {
++ dest->clientcert = strdup(source->clientcert);
++ if(!dest->clientcert)
++ return FALSE;
++ dest->sessionid = FALSE;
++ }
++ else
++ dest->clientcert = NULL;
++
+ return TRUE;
+ }
+
+@@ -176,6 +185,7 @@
+ Curl_safefree(sslc->cipher_list);
+ Curl_safefree(sslc->egdsocket);
+ Curl_safefree(sslc->random_file);
++ Curl_safefree(sslc->clientcert);
+ }
+
+
diff -Nru curl-7.35.0/debian/patches/CVE-2016-5420.patch curl-7.35.0/debian/patches/CVE-2016-5420.patch
--- curl-7.35.0/debian/patches/CVE-2016-5420.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.35.0/debian/patches/CVE-2016-5420.patch 2016-08-05 15:21:22.000000000 +0000
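Review bot: In the lib/vtls/vtls.c section of CVE-2016-5419.patch, the line that carries the fix, `dest->sessionid = FALSE;`, sits uncommented inside a config-copy routine, where it reads like a stray side effect and is easy to lose in a later refactor or backport. I would add `/* never resume a TLS session when a client cert is set (CVE-2016-5419) */` above it, and give the new `char *clientcert;` member in lib/urldata.h a comment like its neighbours, e.g. `/* client certificate file name */`. The flag is cleared only on the destination of the copy, so the protection depends on every connection's SSL config being produced through this function; its start and its callers are outside the hunk, so that is worth confirming. Deployments that use client certificates should also expect a full handshake on every new connection after this update.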
@@ -0,0 +1,23 @@
+From f6474ff3bfb38c28b70b5ba01048edc41f654376 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 31 Jul 2016 00:51:48 +0200
+Subject: [PATCH] TLS: only reuse connections with the same client cert
+
+CVE-2016-5420
+Bug: https://curl.haxx.se/docs/adv_20160803B.html
+---
+ lib/vtls/vtls.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: curl-7.35.0/lib/vtls/vtls.c
+===================================================================
+--- curl-7.35.0.orig/lib/vtls/vtls.c 2016-08-05 11:21:21.068292257 -0400
++++ curl-7.35.0/lib/vtls/vtls.c 2016-08-05 11:21:21.068292257 -0400
+@@ -109,6 +109,7 @@
+ (data->verifyhost == needle->verifyhost) &&
+ safe_strequal(data->CApath, needle->CApath) &&
+ safe_strequal(data->CAfile, needle->CAfile) &&
++ safe_strequal(data->clientcert, needle->clientcert) &&
+ safe_strequal(data->random_file, needle->random_file) &&
+ safe_strequal(data->egdsocket, needle->egdsocket) &&
+ safe_strequal(data->cipher_list, needle->cipher_list))
diff -Nru curl-7.35.0/debian/patches/CVE-2016-5421.patch curl-7.35.0/debian/patches/CVE-2016-5421.patch
--- curl-7.35.0/debian/patches/CVE-2016-5421.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.35.0/debian/patches/CVE-2016-5421.patch 2016-08-05 15:22:41.000000000 +0000
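Review bot: The added `safe_strequal(data->clientcert, needle->clientcert)` compares the configured certificate string, not the certificate or key behind it, so two transfers that name the same path but use a different private key or key passphrase would still count as the same identity for connection reuse; whether those settings are compared elsewhere is not visible in this hunk. It is also worth confirming that safe_strequal, which is defined outside the hunk, is a case-sensitive comparison, because a case-insensitive match would treat two certificate paths that differ only in letter case as the same file on a case-sensitive filesystem. A comment on the new line such as `/* file name match only; key and passphrase are not compared here */` would make the limit explicit. The condition starts above the hunk, so the full list of compared fields cannot be checked from here.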
@@ -0,0 +1,30 @@
+Backport of:
+
+From ccb7d79b62c8b15a6be446f9c9fd3767c01eb5b6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 31 Jul 2016 01:09:04 +0200
+Subject: [PATCH] curl_multi_cleanup: clear connection pointer for easy handles
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2016-5421
+Bug: https://curl.haxx.se/docs/adv_20160803C.html
+Reported-by: Marcelo Echeverria and Fernando Muñoz
+---
+ lib/multi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: curl-7.35.0/lib/multi.c
+===================================================================
+--- curl-7.35.0.orig/lib/multi.c 2016-08-05 11:21:29.356394772 -0400
++++ curl-7.35.0/lib/multi.c 2016-08-05 11:22:22.945055280 -0400
+@@ -1798,6 +1798,8 @@
+ while(conn) {
+ conn->data = multi->closure_handle;
+
++ conn->data->easy_conn = NULL; /* clear the easy handle's connection
++ pointer */
+ /* This will remove the connection from the cache */
+ (void)Curl_disconnect(conn, FALSE);
+
diff -Nru curl-7.35.0/debian/patches/libcurl_broken_pkcs12.patch curl-7.35.0/debian/patches/libcurl_broken_pkcs12.patch
--- curl-7.35.0/debian/patches/libcurl_broken_pkcs12.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.35.0/debian/patches/libcurl_broken_pkcs12.patch 2016-04-12 12:18:20.000000000 +0000
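Review bot: The comment on the added line in lib/multi.c says it clears "the easy handle's connection pointer", but `conn->data` was assigned `multi->closure_handle` one line earlier, so the pointer being reset belongs to the multi handle's internal closure handle, not to an application easy handle. I would reword it to `/* closure_handle may still reference an already freed connection; reset it before Curl_disconnect() */`, with the caveat that this reason is inferred from the changelog's "use of connection struct after free" and is not shown in the hunk. The new statement also dereferences `conn->data` directly, so it relies on `closure_handle` being non-NULL whenever the connection cache is non-empty. The enclosing function begins and ends outside the hunk, and the patch is marked as a backport, so that invariant should be confirmed against the 7.35.0 source it was applied to.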
@@ -0,0 +1,23 @@
+commit 52d16c84d21ceb670914b56275b579535b271550
+Author: Daniel Stenberg
+Date: Mon May 12 13:04:27 2014 +0200
+
+ openssl: unbreak PKCS12 support
+
+ Regression introduced in ce362e8eb9c (7.31.0)
+
+ Bug: http://curl.haxx.se/bug/view.cgi?id=1371
+ Reported-by: Dmitry
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 5a66566..d13436d 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -538,6 +538,7 @@ int cert_stuff(struct connectdata *conn,
+
+ if(!cert_done)
+ return 0; /* failure! */
++ break;
+ #else
+ failf(data, "file type P12 for certificate not supported");
+ return 0;
diff -Nru curl-7.35.0/debian/patches/series curl-7.35.0/debian/patches/series
--- curl-7.35.0/debian/patches/series 2016-01-26 17:10:52.000000000 +0000
+++ curl-7.35.0/debian/patches/series 2016-08-05 15:22:59.000000000 +0000
@@ -15,6 +15,10 @@
 CVE-2015-3145.patch
 CVE-2015-3148.patch
 CVE-2016-0755.patch
+libcurl_broken_pkcs12.patch
+CVE-2016-5419.patch
+CVE-2016-5420.patch
+CVE-2016-5421.patch
 # the following two patches are reverted during build
 # any new patches must be added before them