MIRRORS/poky
1
0
Fork 0
mirror of git://git.yoctoproject.org/poky.git synced 2025-07-19 21:09:03 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

curl: Secuirty fix CVE-2016-0755

Browse Source 
CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use

(From OE-Core master rev: 8322814c7f657f572d5c986652e708d6bd774378)

hand applied changed to url.c

(From OE-Core rev: e479ec9e6cbd34f3a7a56a170aaabcc4229f1959)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster 2016-02-05 08:58:42 -08:00 committed by Richard Purdie
parent 8ca73f8fa4
commit 854c2e724d
2 changed files with 135 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
meta/recipes-support/curl/curl/CVE-2016-0755.patch Normal file
View File

@ -0,0 +1,133 @@
From d41dcba4e9b69d6b761e3460cc6ae7e8fd8f621f Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 13 Jan 2016 11:05:51 +0200
Subject: [PATCH] NTLM: Fix ConnectionExists to compare Proxy credentials
Proxy NTLM authentication should compare credentials when
re-using a connection similar to host authentication, as it
authenticate the connection.
Example:
curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
--proxy-ntlm --next -x http://proxy:port http://host/
[-U fake_user:fake_pwd --proxy-ntlm]
CVE-2016-0755
Bug: http://curl.haxx.se/docs/adv_20160127A.html
Upstream-Status: Backport
http://curl.haxx.se/CVE-2016-0755.patch
CVE: CVE-2016-0755
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
lib/url.c | 62 ++++++++++++++++++++++++++++++++++++++++----------------------
1 file changed, 40 insertions(+), 22 deletions(-)
Index: curl-7.40.0/lib/url.c
===================================================================
--- curl-7.40.0.orig/lib/url.c
+++ curl-7.40.0/lib/url.c
@@ -3043,11 +3043,16 @@ ConnectionExists(struct SessionHandle *d
struct connectdata *check;
struct connectdata *chosen = 0;
bool canPipeline = IsPipeliningPossible(data, needle);
- bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
- (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
- (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
struct connectbundle *bundle;
+ bool wantNTLMhttp = ((data->state.authhost.want &
+ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
+ (needle->handler->protocol & PROTO_FAMILY_HTTP));
+ bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
+ ((data->state.authproxy.want &
+ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
+ (needle->handler->protocol & PROTO_FAMILY_HTTP)));
+
*force_reuse = FALSE;
/* We can't pipe if the site is blacklisted */
@@ -3076,9 +3081,6 @@ ConnectionExists(struct SessionHandle *d
curr = bundle->conn_list->head;
while(curr) {
bool match = FALSE;
-#if defined(USE_NTLM)
- bool credentialsMatch = FALSE;
-#endif
size_t pipeLen;
/*
@@ -3183,18 +3185,14 @@ ConnectionExists(struct SessionHandle *d
continue;
}
- if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
- (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
- /* This protocol requires credentials per connection or is HTTP+NTLM,
+ if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
+ /* This protocol requires credentials per connection,
so verify that we're using the same name and password as well */
if(!strequal(needle->user, check->user) ||
!strequal(needle->passwd, check->passwd)) {
/* one of them was different */
continue;
}
-#if defined(USE_NTLM)
- credentialsMatch = TRUE;
-#endif
}
if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
@@ -3253,20 +3251,43 @@ ConnectionExists(struct SessionHandle *d
possible. (Especially we must not reuse the same connection if
partway through a handshake!) */
if(wantNTLMhttp) {
- if(credentialsMatch && check->ntlm.state != NTLMSTATE_NONE) {
- chosen = check;
+ if(!strequal(needle->user, check->user) ||
+ !strequal(needle->passwd, check->passwd))
+ continue;
+ }
+ else if(check->ntlm.state != NTLMSTATE_NONE) {
+ /* Connection is using NTLM auth but we don't want NTLM */
+ continue;
+ }
+ /* Same for Proxy NTLM authentication */
+ if(wantProxyNTLMhttp) {
+ if(!strequal(needle->proxyuser, check->proxyuser) ||
+ !strequal(needle->proxypasswd, check->proxypasswd))
+ continue;
+ }
+ else if(check->proxyntlm.state != NTLMSTATE_NONE) {
+ /* Proxy connection is using NTLM auth but we don't want NTLM */
+ continue;
+ }
+
+ if(wantNTLMhttp || wantProxyNTLMhttp) {
+ /* Credentials are already checked, we can use this connection */
+ chosen = check;
+
+ if((wantNTLMhttp &&
+ (check->ntlm.state != NTLMSTATE_NONE)) ||
+ (wantProxyNTLMhttp &&
+ (check->proxyntlm.state != NTLMSTATE_NONE))) {
/* We must use this connection, no other */
*force_reuse = TRUE;
break;
}
- else if(credentialsMatch)
- /* this is a backup choice */
- chosen = check;
+
+ /* Continue look up for a better connection */
continue;
}
#endif
-
if(canPipeline) {
/* We can pipeline if we want to. Let's continue looking for
the optimal connection to use, i.e the shortest pipe that is not

3
meta/recipes-support/curl/curl_7.40.0.bb
View File

@ -17,7 +17,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
# from mucking around with debug options
#
SRC_URI += " file://configure_ac.patch \
file://CVE-2016-0754.patch"
file://CVE-2016-0754.patch \
file://CVE-2016-0755.patch"
SRC_URI[md5sum] = "8d30594212e65657a5c32030f0998fa9"
SRC_URI[sha256sum] = "899109eb3900fa6b8a2f995df7f449964292776a04763e94fae640700f883fba"