Blame SOURCES/0008-curl-7.76.1-CVE-2021-22946.patch

From 64f8bdbf7da9e6b65716ce0d020c6c01d0aba77d Mon Sep 17 00:00:00 2001
From: Patrick Monnerat <patrick@monnerat.net>
Date: Wed, 8 Sep 2021 11:56:22 +0200
Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
In imap and pop3, check if TLS is required even when capabilities
request has failed.
In ftp, ignore preauthentication (230 status of server greeting) if TLS
is required.
Bug: https://curl.se/docs/CVE-2021-22946.html
CVE-2021-22946
Upstream-commit: 364f174724ef115c63d5e5dc1d3342c8a43b1cca
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/ftp.c               |  9 ++++---
 lib/imap.c              | 24 ++++++++----------
 lib/pop3.c              | 33 +++++++++++-------------
 tests/data/Makefile.inc |  2 ++
 tests/data/test984      | 56 +++++++++++++++++++++++++++++++++++++++++
 tests/data/test985      | 54 +++++++++++++++++++++++++++++++++++++++
 tests/data/test986      | 53 ++++++++++++++++++++++++++++++++++++++
 7 files changed, 195 insertions(+), 36 deletions(-)
 create mode 100644 tests/data/test984
 create mode 100644 tests/data/test985
 create mode 100644 tests/data/test986
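--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2678,9 +2678,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
     /* we have now received a full FTP server response */
     switch(ftpc->state) {
     case FTP_WAIT220:
-      if(ftpcode == 230)
-        /* 230 User logged in - already! */
-        return ftp_state_user_resp(data, ftpcode, ftpc->state);
+      if(ftpcode == 230) {
+        /* 230 User logged in - already! Take as 220 if TLS required. */
+        if(data->set.use_ssl <= CURLUSESSL_TRY ||
+           conn->bits.ftp_use_control_ssl)
+          return ftp_state_user_resp(data, ftpcode, ftpc->state);
+      }
       else if(ftpcode != 220) {
         failf(data, "Got a %03d ftp-server response when 220 was expected",
               ftpcode);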
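Review bot: When the greeting is 230 and TLS is mandatory, the new inner `if` neither returns nor logs, so control silently leaves the `if(ftpcode == 230)` block, skips the `else if(ftpcode != 220)` branch and continues in code that lies outside this hunk; nothing on the page tells a reader that this is the intended "treat as 220" path. I would add a comment after the inner `if`, for example `/* TLS required and control channel still cleartext: ignore the preauthentication and continue as after a 220 */`, and possibly an `infof()` so the ignored 230 is visible in verbose output. The test `data->set.use_ssl <= CURLUSESSL_TRY` also relies on the ordering of the `CURLUSESSL_*` values (the same comparison is added in lib/imap.c and lib/pop3.c), so a short comment stating that it means "TLS is not mandatory" would make the security decision explicit.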
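--- a/lib/imap.c
+++ b/lib/imap.c
@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
       line += wordlen;
     }
   }
-  else if(imapcode == IMAP_RESP_OK) {
-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
-      if(imapc->tls_supported)
-        /* Switch to TLS connection now */
-        result = imap_perform_starttls(data, conn);
-      else if(data->set.use_ssl == CURLUSESSL_TRY)
-        /* Fallback and carry on with authentication */
-        result = imap_perform_authentication(data, conn);
-      else {
-        failf(data, "STARTTLS not supported.");
-        result = CURLE_USE_SSL_FAILED;
-      }
+  else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+    /* PREAUTH is not compatible with STARTTLS. */
+    if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
+      /* Switch to TLS connection now */
+      result = imap_perform_starttls(data, conn);
     }
-    else
+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
       result = imap_perform_authentication(data, conn);
+    else {
+      failf(data, "STARTTLS not available.");
+      result = CURLE_USE_SSL_FAILED;
+    }
   }
   else
     result = imap_perform_authentication(data, conn);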
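Review bot: `failf(data, "STARTTLS not available.")` now covers three different situations (the CAPABILITY request was rejected, the server did not advertise STARTTLS, or the connection was pre-authenticated), and the single message does not tell them apart, which makes a stripped-capability downgrade hard to distinguish from a server that simply lacks STARTTLS when reading logs. Consider a distinct message at least for the PREAUTH case, and an `infof()` on the `<= CURLUSESSL_TRY` branch so that a fallback to cleartext authentication shows up in verbose output. The added test984 exercises only the failed-CAPABILITY path; as far as this patch shows, no test covers `--ssl-reqd` against a PREAUTH greeting, which is what the new `!imapc->preauth` term guards. The function body starts and ends outside the hunk.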
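--- a/lib/pop3.c
+++ b/lib/pop3.c
@@ -740,28 +740,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code,
       }
     }
   }
-  else if(pop3code == '+') {
-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
-      if(pop3c->tls_supported)
-        /* Switch to TLS connection now */
-        result = pop3_perform_starttls(data, conn);
-      else if(data->set.use_ssl == CURLUSESSL_TRY)
-        /* Fallback and carry on with authentication */
-        result = pop3_perform_authentication(data, conn);
-      else {
-        failf(data, "STLS not supported.");
-        result = CURLE_USE_SSL_FAILED;
-      }
-    }
-    else
-      result = pop3_perform_authentication(data, conn);
-  }
   else {
     /* Clear text is supported when CAPA isn't recognised */
-    pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
+    if(pop3code != '+')
+      pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
 
-    result = pop3_perform_authentication(data, conn);
+    if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
+      result = pop3_perform_authentication(data, conn);
+    else if(pop3code == '+' && pop3c->tls_supported)
+      /* Switch to TLS connection now */
+      result = pop3_perform_starttls(data, conn);
+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
+      /* Fallback and carry on with authentication */
+      result = pop3_perform_authentication(data, conn);
+    else {
+      failf(data, "STLS not supported.");
+      result = CURLE_USE_SSL_FAILED;
+    }
   }
 
   return result;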
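Review bot: The kept comment `/* Clear text is supported when CAPA isn't recognised */` now heads an `else` block that also handles a successful `+` reply, so it no longer describes the branch it sits on; it belongs directly above `if(pop3code != '+')`, with a separate comment such as `/* Decide between STLS, cleartext fallback and failure */` introducing the chain that follows. `POP3_TYPE_CLEARTEXT` is also set before the TLS requirement is evaluated, which looks harmless on the failure path but reads as if cleartext had been accepted; a one-line comment that the flag only matters once authentication proceeds would avoid that impression. The message `"STLS not supported."` is kept although it is now also reached when CAPA failed and support is simply unknown, whereas the lib/imap.c hunk switched to "not available"; `failf(data, "STLS not available.");` would be consistent.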
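--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -117,6 +117,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
 test954 test955 test956 test957 test958 test959 test960 test961 test962 \
 test963 test964 test965 test966 test967 test968 test969 test970 test971 \
 \
+test984 test985 test986 \
+\
 test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
 test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
 test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \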
diff --git a/tests/data/test984 b/tests/data/test984
d889a8
new file mode 100644
d889a8
index 0000000..e573f23
d889a8
--- /dev/null
d889a8
+++ b/tests/data/test984
d889a8
@@ -0,0 +1,56 @@
d889a8
+<testcase>
d889a8
+<info>
d889a8
+<keywords>
d889a8
+IMAP
d889a8
+STARTTLS
d889a8
+</keywords>
d889a8
+</info>
d889a8
+
d889a8
+#
d889a8
+# Server-side
d889a8
+<reply>
d889a8
+<servercmd>
d889a8
+REPLY CAPABILITY A001 BAD Not implemented
d889a8
+</servercmd>
d889a8
+</reply>
d889a8
+
d889a8
+#
d889a8
+# Client-side
d889a8
+<client>
d889a8
+<features>
d889a8
+SSL
d889a8
+</features>
d889a8
+<server>
d889a8
+imap
d889a8
+</server>
d889a8
+ <name>
d889a8
+IMAP require STARTTLS with failing capabilities
d889a8
+ </name>
d889a8
+ <command>
d889a8
+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
d889a8
+</command>
d889a8
+<file name="log/upload%TESTNUMBER">
d889a8
+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
d889a8
+From: Fred Foobar <foobar@example.COM>
d889a8
+Subject: afternoon meeting
d889a8
+To: joe@example.com
d889a8
+Message-Id: <B27397-0100000@example.COM>
d889a8
+MIME-Version: 1.0
d889a8
+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
d889a8
+
d889a8
+Hello Joe, do you think we can meet at 3:30 tomorrow?
d889a8
+</file>
d889a8
+</client>
d889a8
+
d889a8
+#
d889a8
+# Verify data after the test has been "shot"
d889a8
+<verify>
d889a8
+# 64 is CURLE_USE_SSL_FAILED
d889a8
+<errorcode>
d889a8
+64
d889a8
+</errorcode>
d889a8
+<protocol>
d889a8
+A001 CAPABILITY
d889a8
+</protocol>
d889a8
+</verify>
d889a8
+</testcase>
d889a8
diff --git a/tests/data/test985 b/tests/data/test985
d889a8
new file mode 100644
d889a8
index 0000000..d0db4aa
d889a8
--- /dev/null
d889a8
+++ b/tests/data/test985
d889a8
@@ -0,0 +1,54 @@
d889a8
+<testcase>
d889a8
+<info>
d889a8
+<keywords>
d889a8
+POP3
d889a8
+STARTTLS
d889a8
+</keywords>
d889a8
+</info>
d889a8
+
d889a8
+#
d889a8
+# Server-side
d889a8
+<reply>
d889a8
+<servercmd>
d889a8
+REPLY CAPA -ERR Not implemented
d889a8
+</servercmd>
d889a8
+<data nocheck="yes">
d889a8
+From: me@somewhere
d889a8
+To: fake@nowhere
d889a8
+
d889a8
+body
d889a8
+
d889a8
+--
d889a8
+  yours sincerely
d889a8
+</data>
d889a8
+</reply>
d889a8
+
d889a8
+#
d889a8
+# Client-side
d889a8
+<client>
d889a8
+<features>
d889a8
+SSL
d889a8
+</features>
d889a8
+<server>
d889a8
+pop3
d889a8
+</server>
d889a8
+ <name>
d889a8
+POP3 require STARTTLS with failing capabilities
d889a8
+ </name>
d889a8
+ <command>
d889a8
+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
d889a8
+ </command>
d889a8
+</client>
d889a8
+
d889a8
+#
d889a8
+# Verify data after the test has been "shot"
d889a8
+<verify>
d889a8
+# 64 is CURLE_USE_SSL_FAILED
d889a8
+<errorcode>
d889a8
+64
d889a8
+</errorcode>
d889a8
+<protocol>
d889a8
+CAPA
d889a8
+</protocol>
d889a8
+</verify>
d889a8
+</testcase>
d889a8
diff --git a/tests/data/test986 b/tests/data/test986
d889a8
new file mode 100644
d889a8
index 0000000..a709437
d889a8
--- /dev/null
d889a8
+++ b/tests/data/test986
d889a8
@@ -0,0 +1,53 @@
d889a8
+<testcase>
d889a8
+<info>
d889a8
+<keywords>
d889a8
+FTP
d889a8
+STARTTLS
d889a8
+</keywords>
d889a8
+</info>
d889a8
+
d889a8
+#
d889a8
+# Server-side
d889a8
+<reply>
d889a8
+<servercmd>
d889a8
+REPLY welcome 230 Welcome
d889a8
+REPLY AUTH 500 unknown command
d889a8
+</servercmd>
d889a8
+</reply>
d889a8
+
d889a8
+# Client-side
d889a8
+<client>
d889a8
+<features>
d889a8
+SSL
d889a8
+</features>
d889a8
+<server>
d889a8
+ftp
d889a8
+</server>
d889a8
+ <name>
d889a8
+FTP require STARTTLS while preauthenticated
d889a8
+ </name>
d889a8
+<file name="log/test%TESTNUMBER.txt">
d889a8
+data
d889a8
+    to
d889a8
+      see
d889a8
+that FTPS
d889a8
+works
d889a8
+  so does it?
d889a8
+</file>
d889a8
+ <command>
d889a8
+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
d889a8
+</command>
d889a8
+</client>
d889a8
+
d889a8
+# Verify data after the test has been "shot"
d889a8
+<verify>
d889a8
+# 64 is CURLE_USE_SSL_FAILED
d889a8
+<errorcode>
d889a8
+64
d889a8
+</errorcode>
d889a8
+<protocol>
d889a8
+AUTH SSL
d889a8
+AUTH TLS
d889a8
+</protocol>
d889a8
+</verify>
d889a8
+</testcase>
-- 
2.31.1