diff -Nru curl-7.43.0/debian/changelog curl-7.43.0/debian/changelog
--- curl-7.43.0/debian/changelog 2015-08-10 23:42:18.000000000 +0000
+++ curl-7.43.0/debian/changelog 2016-01-26 14:50:28.000000000 +0000
@@ -1,3 +1,13 @@
+curl (7.43.0-1ubuntu2.1) wily-security; urgency=medium
+
+ * SECURITY UPDATE: NTLM credentials not-checked for proxy connection
+ re-use
+ - debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
+ Proxy credentials in lib/url.c.
+ - CVE-2016-0755
+
+ -- Marc Deslauriers Tue, 26 Jan 2016 09:50:28 -0500
+
 curl (7.43.0-1ubuntu2) wily; urgency=medium
+ * debian/control:
diff -Nru curl-7.43.0/debian/patches/CVE-2016-0755.patch curl-7.43.0/debian/patches/CVE-2016-0755.patch
--- curl-7.43.0/debian/patches/CVE-2016-0755.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.43.0/debian/patches/CVE-2016-0755.patch 2016-01-26 14:50:09.000000000 +0000
@@ -0,0 +1,129 @@
+Backport of:
+
+From 54b2c806edc3bbd2dada86055f2be41c4cbed762 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Wed, 13 Jan 2016 11:05:51 +0200
+Subject: [PATCH] NTLM: Fix ConnectionExists to compare Proxy credentials
+
+Proxy NTLM authentication should compare credentials when
+re-using a connection similar to host authentication, as it
+authenticate the connection.
+
+Example:
+curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
+ --proxy-ntlm --next -x http://proxy:port http://host/
+ [-U fake_user:fake_pwd --proxy-ntlm]
+---
+ lib/url.c | 62 ++++++++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 40 insertions(+), 22 deletions(-)
+
+Index: curl-7.43.0/lib/url.c
+===================================================================
+--- curl-7.43.0.orig/lib/url.c 2016-01-26 09:50:07.246333970 -0500
++++ curl-7.43.0/lib/url.c 2016-01-26 09:50:07.242333932 -0500
+@@ -3107,12 +3107,17 @@
+ struct connectdata *check;
+ struct connectdata *chosen = 0;
+ bool canPipeline = IsPipeliningPossible(data, needle);
++ struct connectbundle *bundle;
++
+ #ifdef USE_NTLM
+- bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
+- (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
+- (needle->handler->protocol & PROTO_FAMILY_HTTP) ?
TRUE : FALSE;
++ bool wantNTLMhttp = ((data->state.authhost.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP));
++ bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
++ ((data->state.authproxy.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP)));
+ #endif
+- struct connectbundle *bundle;
+
+ *force_reuse = FALSE;
+ *waitpipe = FALSE;
+@@ -3152,9 +3157,6 @@
+ curr = bundle->conn_list->head;
+ while(curr) {
+ bool match = FALSE;
+-#if defined(USE_NTLM)
+- bool credentialsMatch = FALSE;
+-#endif
+ size_t pipeLen;
+
+ /*
+@@ -3262,21 +3264,14 @@
+ continue;
+ }
+
+- if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))
+-#ifdef USE_NTLM
+- || (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)
+-#endif
+- ) {
+- /* This protocol requires credentials per connection or is HTTP+NTLM,
++ if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
++ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+ if(!strequal(needle->user, check->user) ||
+ !strequal(needle->passwd, check->passwd)) {
+ /* one of them was different */
+ continue;
+ }
+-#if defined(USE_NTLM)
+- credentialsMatch = TRUE;
+-#endif
+ }
+
+ if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
+@@ -3335,20 +3330,43 @@
+ possible. (Especially we must not reuse the same connection if
+ partway through a handshake!)
*/
+ if(wantNTLMhttp) {
+- if(credentialsMatch && check->ntlm.state != NTLMSTATE_NONE) {
+- chosen = check;
++ if(!strequal(needle->user, check->user) ||
++ !strequal(needle->passwd, check->passwd))
++ continue;
++ }
++ else if(check->ntlm.state != NTLMSTATE_NONE) {
++ /* Connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
++
++ /* Same for Proxy NTLM authentication */
++ if(wantProxyNTLMhttp) {
++ if(!strequal(needle->proxyuser, check->proxyuser) ||
++ !strequal(needle->proxypasswd, check->proxypasswd))
++ continue;
++ }
++ else if(check->proxyntlm.state != NTLMSTATE_NONE) {
++ /* Proxy connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
+
++ if(wantNTLMhttp || wantProxyNTLMhttp) {
++ /* Credentials are already checked, we can use this connection */
++ chosen = check;
++
++ if((wantNTLMhttp &&
++ (check->ntlm.state != NTLMSTATE_NONE)) ||
++ (wantProxyNTLMhttp &&
++ (check->proxyntlm.state != NTLMSTATE_NONE))) {
+ /* We must use this connection, no other */
+ *force_reuse = TRUE;
+ break;
+ }
+- else if(credentialsMatch)
+- /* this is a backup choice */
+- chosen = check;
++
++ /* Continue look up for a better connection */
+ continue;
+ }
+ #endif
+-
+ if(canPipeline) {
+ /* We can pipeline if we want to. Let's continue looking for
+ the optimal connection to use, i.e the shortest pipe that is not
diff -Nru curl-7.43.0/debian/patches/series curl-7.43.0/debian/patches/series
--- curl-7.43.0/debian/patches/series 2015-06-17 08:21:41.000000000 +0000
+++ curl-7.43.0/debian/patches/series 2016-01-26 14:50:22.000000000 +0000
@@ -4,6 +4,7 @@
 04_workaround_as_needed_bug.patch
 06_always-disable-valgrind.patch
 07_do-not-disable-debug-symbols.patch
+CVE-2016-0755.patch
 # do not add patches below
 90_gnutls.patch
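Review bot: In the added `wantProxyNTLMhttp` branch of the `@@ -3335,20 +3330,43 @@` hunk, `strequal(needle->proxyuser, check->proxyuser)` and the `proxypasswd` compare run against every pooled `check`, but the `needle->bits.proxy_user_passwd` guard in the new `wantProxyNTLMhttp` definition only establishes that the needle's fields are populated — nothing in the hunk shows that `check->proxyuser`/`check->proxypasswd` are non-NULL for a connection that was set up without proxy credentials. If `strequal` dereferences its arguments unconditionally (its definition is outside this hunk), the failure mode is a client crash on connection reuse, so I would either confirm in the connection-setup code that those fields are always allocated, or make the compare defensive: `if(!check->bits.proxy_user_passwd || !strequal(needle->proxyuser, check->proxyuser) || !strequal(needle->proxypasswd, check->proxypasswd)) continue;`. The same question applies by symmetry to `wantNTLMhttp`, which unlike the proxy variant carries no `user_passwd` guard before comparing `needle->user`/`needle->passwd`; if the invariant is that host credentials are always populated, a one-line comment saying so next to the definition would save the next reader the check. ConnectionExists starts and ends outside the hunk.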