diff options
Diffstat (limited to 'meta/recipes-support/curl/curl/cve-2021-22946.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/cve-2021-22946.patch | 332 |
1 files changed, 0 insertions, 332 deletions
diff --git a/meta/recipes-support/curl/curl/cve-2021-22946.patch b/meta/recipes-support/curl/curl/cve-2021-22946.patch deleted file mode 100644 index 1a4b3e1144..0000000000 --- a/meta/recipes-support/curl/curl/cve-2021-22946.patch +++ /dev/null @@ -1,332 +0,0 @@ -CVE: CVE-2021-22946 -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -From 089e18aefcee9b5093a96e9e1aa92751dde1f991 Mon Sep 17 00:00:00 2001 -From: Patrick Monnerat <patrick@monnerat.net> -Date: Wed, 8 Sep 2021 11:56:22 +0200 -Subject: [PATCH 2/3] ftp,imap,pop3: do not ignore --ssl-reqd - -In imap and pop3, check if TLS is required even when capabilities -request has failed. - -In ftp, ignore preauthentication (230 status of server greeting) if TLS -is required. - -Bug: https://curl.se/docs/CVE-2021-22946.html - -CVE-2021-22946 ---- - lib/ftp.c | 9 ++++--- - lib/imap.c | 24 ++++++++---------- - lib/pop3.c | 33 +++++++++++------------- - tests/data/Makefile.inc | 2 ++ - tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++ - tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++ - tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++ - 7 files changed, 195 insertions(+), 36 deletions(-) - create mode 100644 tests/data/test984 - create mode 100644 tests/data/test985 - create mode 100644 tests/data/test986 - -diff --git a/lib/ftp.c b/lib/ftp.c -index 1a699de59..08d18ca74 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -2681,9 +2681,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data, - /* we have now received a full FTP server response */ - switch(ftpc->state) { - case FTP_WAIT220: -- if(ftpcode == 230) -- /* 230 User logged in - already! */ -- return ftp_state_user_resp(data, ftpcode, ftpc->state); -+ if(ftpcode == 230) { -+ /* 230 User logged in - already! Take as 220 if TLS required. */ -+ if(data->set.use_ssl <= CURLUSESSL_TRY || -+ conn->bits.ftp_use_control_ssl) -+ return ftp_state_user_resp(data, ftpcode, ftpc->state); -+ } - else if(ftpcode != 220) { - failf(data, "Got a %03d ftp-server response when 220 was expected", - ftpcode); -diff --git a/lib/imap.c b/lib/imap.c -index ab4d412ee..efc0420ce 100644 ---- a/lib/imap.c -+++ b/lib/imap.c -@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data, - line += wordlen; - } - } -- else if(imapcode == IMAP_RESP_OK) { -- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { -- /* We don't have a SSL/TLS connection yet, but SSL is requested */ -- if(imapc->tls_supported) -- /* Switch to TLS connection now */ -- result = imap_perform_starttls(data, conn); -- else if(data->set.use_ssl == CURLUSESSL_TRY) -- /* Fallback and carry on with authentication */ -- result = imap_perform_authentication(data, conn); -- else { -- failf(data, "STARTTLS not supported."); -- result = CURLE_USE_SSL_FAILED; -- } -+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { -+ /* PREAUTH is not compatible with STARTTLS. */ -+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) { -+ /* Switch to TLS connection now */ -+ result = imap_perform_starttls(data, conn); - } -- else -+ else if(data->set.use_ssl <= CURLUSESSL_TRY) - result = imap_perform_authentication(data, conn); -+ else { -+ failf(data, "STARTTLS not available."); -+ result = CURLE_USE_SSL_FAILED; -+ } - } - else - result = imap_perform_authentication(data, conn); -diff --git a/lib/pop3.c b/lib/pop3.c -index 5fdd6f3e0..f97e10eab 100644 ---- a/lib/pop3.c -+++ b/lib/pop3.c -@@ -741,28 +741,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code, - } - } - } -- else if(pop3code == '+') { -- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { -- /* We don't have a SSL/TLS connection yet, but SSL is requested */ -- if(pop3c->tls_supported) -- /* Switch to TLS connection now */ -- result = pop3_perform_starttls(data, conn); -- else if(data->set.use_ssl == CURLUSESSL_TRY) -- /* Fallback and carry on with authentication */ -- result = pop3_perform_authentication(data, conn); -- else { -- failf(data, "STLS not supported."); -- result = CURLE_USE_SSL_FAILED; -- } -- } -- else -- result = pop3_perform_authentication(data, conn); -- } - else { - /* Clear text is supported when CAPA isn't recognised */ -- pop3c->authtypes |= POP3_TYPE_CLEARTEXT; -+ if(pop3code != '+') -+ pop3c->authtypes |= POP3_TYPE_CLEARTEXT; - -- result = pop3_perform_authentication(data, conn); -+ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use) -+ result = pop3_perform_authentication(data, conn); -+ else if(pop3code == '+' && pop3c->tls_supported) -+ /* Switch to TLS connection now */ -+ result = pop3_perform_starttls(data, conn); -+ else if(data->set.use_ssl <= CURLUSESSL_TRY) -+ /* Fallback and carry on with authentication */ -+ result = pop3_perform_authentication(data, conn); -+ else { -+ failf(data, "STLS not supported."); -+ result = CURLE_USE_SSL_FAILED; -+ } - } - - return result; -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 163696962..5cd092192 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -118,6 +118,8 @@ test954 test955 test956 test957 test958 test959 test960 test961 test962 \ - test963 test964 test965 test966 test967 test968 test969 test970 test971 \ - test972 \ - \ -+test984 test985 test986 \ -+\ - test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ - test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ - test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ -diff --git a/tests/data/test984 b/tests/data/test984 -new file mode 100644 -index 000000000..e573f23c1 ---- /dev/null -+++ b/tests/data/test984 -@@ -0,0 +1,56 @@ -+<testcase> -+<info> -+<keywords> -+IMAP -+STARTTLS -+</keywords> -+</info> -+ -+# -+# Server-side -+<reply> -+<servercmd> -+REPLY CAPABILITY A001 BAD Not implemented -+</servercmd> -+</reply> -+ -+# -+# Client-side -+<client> -+<features> -+SSL -+</features> -+<server> -+imap -+</server> -+ <name> -+IMAP require STARTTLS with failing capabilities -+ </name> -+ <command> -+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd -+</command> -+<file name="log/upload%TESTNUMBER"> -+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) -+From: Fred Foobar <foobar@example.COM> -+Subject: afternoon meeting -+To: joe@example.com -+Message-Id: <B27397-0100000@example.COM> -+MIME-Version: 1.0 -+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII -+ -+Hello Joe, do you think we can meet at 3:30 tomorrow? -+</file> -+</client> -+ -+# -+# Verify data after the test has been "shot" -+<verify> -+# 64 is CURLE_USE_SSL_FAILED -+<errorcode> -+64 -+</errorcode> -+<protocol> -+A001 CAPABILITY -+</protocol> -+</verify> -+</testcase> -diff --git a/tests/data/test985 b/tests/data/test985 -new file mode 100644 -index 000000000..d0db4aadf ---- /dev/null -+++ b/tests/data/test985 -@@ -0,0 +1,54 @@ -+<testcase> -+<info> -+<keywords> -+POP3 -+STARTTLS -+</keywords> -+</info> -+ -+# -+# Server-side -+<reply> -+<servercmd> -+REPLY CAPA -ERR Not implemented -+</servercmd> -+<data nocheck="yes"> -+From: me@somewhere -+To: fake@nowhere -+ -+body -+ -+-- -+ yours sincerely -+</data> -+</reply> -+ -+# -+# Client-side -+<client> -+<features> -+SSL -+</features> -+<server> -+pop3 -+</server> -+ <name> -+POP3 require STARTTLS with failing capabilities -+ </name> -+ <command> -+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd -+ </command> -+</client> -+ -+# -+# Verify data after the test has been "shot" -+<verify> -+# 64 is CURLE_USE_SSL_FAILED -+<errorcode> -+64 -+</errorcode> -+<protocol> -+CAPA -+</protocol> -+</verify> -+</testcase> -diff --git a/tests/data/test986 b/tests/data/test986 -new file mode 100644 -index 000000000..a709437a4 ---- /dev/null -+++ b/tests/data/test986 -@@ -0,0 +1,53 @@ -+<testcase> -+<info> -+<keywords> -+FTP -+STARTTLS -+</keywords> -+</info> -+ -+# -+# Server-side -+<reply> -+<servercmd> -+REPLY welcome 230 Welcome -+REPLY AUTH 500 unknown command -+</servercmd> -+</reply> -+ -+# Client-side -+<client> -+<features> -+SSL -+</features> -+<server> -+ftp -+</server> -+ <name> -+FTP require STARTTLS while preauthenticated -+ </name> -+<file name="log/test%TESTNUMBER.txt"> -+data -+ to -+ see -+that FTPS -+works -+ so does it? -+</file> -+ <command> -+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -+</command> -+</client> -+ -+# Verify data after the test has been "shot" -+<verify> -+# 64 is CURLE_USE_SSL_FAILED -+<errorcode> -+64 -+</errorcode> -+<protocol> -+AUTH SSL -+AUTH TLS -+</protocol> -+</verify> -+</testcase> --- -2.25.1 - |