aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-02-05 08:58:42 -0800
committerJoshua Lock <joshua.g.lock@intel.com>2016-02-29 15:05:16 +0000
commite479ec9e6cbd34f3a7a56a170aaabcc4229f1959 (patch)
tree580c56326d8fbe235fe541ba3b4571fc3484f2b5
parentb8df558ece47e51653e1fc0fb0637ec2cdf2907b (diff)
downloadopenembedded-core-e479ec9e6cbd34f3a7a56a170aaabcc4229f1959.tar.gz
openembedded-core-e479ec9e6cbd34f3a7a56a170aaabcc4229f1959.tar.bz2
openembedded-core-e479ec9e6cbd34f3a7a56a170aaabcc4229f1959.zip
curl: Secuirty fix CVE-2016-0755
CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use (From OE-Core master rev: 8322814c7f657f572d5c986652e708d6bd774378) hand applied changed to url.c Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
-rw-r--r--meta/recipes-support/curl/curl/CVE-2016-0755.patch133
-rw-r--r--meta/recipes-support/curl/curl_7.40.0.bb3
2 files changed, 135 insertions, 1 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-0755.patch b/meta/recipes-support/curl/curl/CVE-2016-0755.patch
new file mode 100644
index 0000000000..f67b9fc661
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-0755.patch
@@ -0,0 +1,133 @@
+From d41dcba4e9b69d6b761e3460cc6ae7e8fd8f621f Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 13 Jan 2016 11:05:51 +0200
+Subject: [PATCH] NTLM: Fix ConnectionExists to compare Proxy credentials
+
+Proxy NTLM authentication should compare credentials when
+re-using a connection similar to host authentication, as it
+authenticate the connection.
+
+Example:
+curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
+ --proxy-ntlm --next -x http://proxy:port http://host/
+ [-U fake_user:fake_pwd --proxy-ntlm]
+
+CVE-2016-0755
+
+Bug: http://curl.haxx.se/docs/adv_20160127A.html
+
+Upstream-Status: Backport
+http://curl.haxx.se/CVE-2016-0755.patch
+
+CVE: CVE-2016-0755
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ lib/url.c | 62 ++++++++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 40 insertions(+), 22 deletions(-)
+
+Index: curl-7.40.0/lib/url.c
+===================================================================
+--- curl-7.40.0.orig/lib/url.c
++++ curl-7.40.0/lib/url.c
+@@ -3043,11 +3043,16 @@ ConnectionExists(struct SessionHandle *d
+ struct connectdata *check;
+ struct connectdata *chosen = 0;
+ bool canPipeline = IsPipeliningPossible(data, needle);
+- bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
+- (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
+- (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
+ struct connectbundle *bundle;
+
++ bool wantNTLMhttp = ((data->state.authhost.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP));
++ bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
++ ((data->state.authproxy.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP)));
++
+ *force_reuse = FALSE;
+
+ /* We can't pipe if the site is blacklisted */
+@@ -3076,9 +3081,6 @@ ConnectionExists(struct SessionHandle *d
+ curr = bundle->conn_list->head;
+ while(curr) {
+ bool match = FALSE;
+-#if defined(USE_NTLM)
+- bool credentialsMatch = FALSE;
+-#endif
+ size_t pipeLen;
+
+ /*
+@@ -3183,18 +3185,14 @@ ConnectionExists(struct SessionHandle *d
+ continue;
+ }
+
+- if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+- (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
+- /* This protocol requires credentials per connection or is HTTP+NTLM,
++ if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
++ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+ if(!strequal(needle->user, check->user) ||
+ !strequal(needle->passwd, check->passwd)) {
+ /* one of them was different */
+ continue;
+ }
+-#if defined(USE_NTLM)
+- credentialsMatch = TRUE;
+-#endif
+ }
+
+ if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
+@@ -3253,20 +3251,43 @@ ConnectionExists(struct SessionHandle *d
+ possible. (Especially we must not reuse the same connection if
+ partway through a handshake!) */
+ if(wantNTLMhttp) {
+- if(credentialsMatch && check->ntlm.state != NTLMSTATE_NONE) {
+- chosen = check;
++ if(!strequal(needle->user, check->user) ||
++ !strequal(needle->passwd, check->passwd))
++ continue;
++ }
++ else if(check->ntlm.state != NTLMSTATE_NONE) {
++ /* Connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
+
++ /* Same for Proxy NTLM authentication */
++ if(wantProxyNTLMhttp) {
++ if(!strequal(needle->proxyuser, check->proxyuser) ||
++ !strequal(needle->proxypasswd, check->proxypasswd))
++ continue;
++ }
++ else if(check->proxyntlm.state != NTLMSTATE_NONE) {
++ /* Proxy connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
++
++ if(wantNTLMhttp || wantProxyNTLMhttp) {
++ /* Credentials are already checked, we can use this connection */
++ chosen = check;
++
++ if((wantNTLMhttp &&
++ (check->ntlm.state != NTLMSTATE_NONE)) ||
++ (wantProxyNTLMhttp &&
++ (check->proxyntlm.state != NTLMSTATE_NONE))) {
+ /* We must use this connection, no other */
+ *force_reuse = TRUE;
+ break;
+ }
+- else if(credentialsMatch)
+- /* this is a backup choice */
+- chosen = check;
++
++ /* Continue look up for a better connection */
+ continue;
+ }
+ #endif
+-
+ if(canPipeline) {
+ /* We can pipeline if we want to. Let's continue looking for
+ the optimal connection to use, i.e the shortest pipe that is not
diff --git a/meta/recipes-support/curl/curl_7.40.0.bb b/meta/recipes-support/curl/curl_7.40.0.bb
index 01c201e18a..7fa3274091 100644
--- a/meta/recipes-support/curl/curl_7.40.0.bb
+++ b/meta/recipes-support/curl/curl_7.40.0.bb
@@ -17,7 +17,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
# from mucking around with debug options
#
SRC_URI += " file://configure_ac.patch \
- file://CVE-2016-0754.patch"
+ file://CVE-2016-0754.patch \
+ file://CVE-2016-0755.patch"
SRC_URI[md5sum] = "8d30594212e65657a5c32030f0998fa9"
SRC_URI[sha256sum] = "899109eb3900fa6b8a2f995df7f449964292776a04763e94fae640700f883fba"