Blame SOURCES/0032-curl-7.29.0-CVE-2015-3148.patch

92baa4
From 55689681595d76ee53d76d6698f5a99e18395857 Mon Sep 17 00:00:00 2001
92baa4
From: David Woodhouse <David.Woodhouse@intel.com>
92baa4
Date: Fri, 11 Jul 2014 11:09:34 +0100
92baa4
Subject: [PATCH 1/2] Don't clear GSSAPI state between each exchange in the
92baa4
 negotiation
92baa4
92baa4
GSSAPI doesn't work very well if we forget everything ever time.
92baa4
92baa4
XX: Is Curl_http_done() the right place to do the final cleanup?
92baa4
92baa4
Upstream-commit: f78ae415d24b9bd89d6c121c556e411fdb21c6aa
92baa4
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
92baa4
---
92baa4
 lib/http.c                | 6 ++++++
92baa4
 lib/http_negotiate.c      | 1 -
92baa4
 lib/http_negotiate_sspi.c | 1 -
92baa4
 3 files changed, 6 insertions(+), 2 deletions(-)
92baa4
92baa4
diff --git a/lib/http.c b/lib/http.c
92baa4
index e2448bc..c32eae0 100644
92baa4
--- a/lib/http.c
92baa4
+++ b/lib/http.c
92baa4
@@ -1404,6 +1404,12 @@ CURLcode Curl_http_done(struct connectdata *conn,
92baa4
 
92baa4
   Curl_unencode_cleanup(conn);
92baa4
 
92baa4
+#ifdef USE_HTTP_NEGOTIATE
92baa4
+  if(data->state.proxyneg.state == GSS_AUTHSENT ||
92baa4
+      data->state.negotiate.state == GSS_AUTHSENT)
92baa4
+    Curl_cleanup_negotiate(data);
92baa4
+#endif
92baa4
+
92baa4
   /* set the proper values (possibly modified on POST) */
92baa4
   conn->fread_func = data->set.fread_func; /* restore */
92baa4
   conn->fread_in = data->set.in; /* restore */
92baa4
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
92baa4
index 535a427..b56e7d0 100644
92baa4
--- a/lib/http_negotiate.c
92baa4
+++ b/lib/http_negotiate.c
92baa4
@@ -343,7 +343,6 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
92baa4
   else
92baa4
     conn->allocptr.userpwd = userp;
92baa4
   free(encoded);
92baa4
-  Curl_cleanup_negotiate (conn->data);
92baa4
   return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
92baa4
 }
92baa4
 
92baa4
diff --git a/lib/http_negotiate_sspi.c b/lib/http_negotiate_sspi.c
92baa4
index 1381d52..678e605 100644
92baa4
--- a/lib/http_negotiate_sspi.c
92baa4
+++ b/lib/http_negotiate_sspi.c
92baa4
@@ -271,7 +271,6 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
92baa4
   else
92baa4
     conn->allocptr.userpwd = userp;
92baa4
   free(encoded);
92baa4
-  Curl_cleanup_negotiate (conn->data);
92baa4
   return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
92baa4
 }
92baa4
 
92baa4
-- 
92baa4
2.3.6
92baa4
92baa4
92baa4
From 28e84254779c0d4b31844d928e5dae8941128f05 Mon Sep 17 00:00:00 2001
92baa4
From: Daniel Stenberg <daniel@haxx.se>
92baa4
Date: Sat, 18 Apr 2015 23:50:16 +0200
92baa4
Subject: [PATCH 2/2] http_done: close Negotiate connections when done
92baa4
92baa4
When doing HTTP requests Negotiate authenticated, the entire connnection
92baa4
may become authenticated and not just the specific HTTP request which is
92baa4
otherwise how HTTP works, as Negotiate can basically use NTLM under the
92baa4
hood. curl was not adhering to this fact but would assume that such
92baa4
requests would also be authenticated per request.
92baa4
92baa4
CVE-2015-3148
92baa4
92baa4
Bug: http://curl.haxx.se/docs/adv_20150422B.html
92baa4
Reported-by: Isaac Boukris
92baa4
92baa4
Upstream-commit: 79b9d5f1a42578f807a6c94914bc65cbaa304b6d
92baa4
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
92baa4
---
92baa4
 lib/http.c | 8 +++++++-
92baa4
 1 file changed, 7 insertions(+), 1 deletion(-)
92baa4
92baa4
diff --git a/lib/http.c b/lib/http.c
92baa4
index c32eae0..04beeb1 100644
92baa4
--- a/lib/http.c
92baa4
+++ b/lib/http.c
92baa4
@@ -1406,8 +1406,14 @@ CURLcode Curl_http_done(struct connectdata *conn,
92baa4
 
92baa4
 #ifdef USE_HTTP_NEGOTIATE
92baa4
   if(data->state.proxyneg.state == GSS_AUTHSENT ||
92baa4
-      data->state.negotiate.state == GSS_AUTHSENT)
92baa4
+     data->state.negotiate.state == GSS_AUTHSENT) {
92baa4
+    /* add forbid re-use if http-code != 401/407 as a WA only needed for
92baa4
+     * 401/407 that signal auth failure (empty) otherwise state will be RECV
92baa4
+     * with current code */
92baa4
+    if((data->req.httpcode != 401) && (data->req.httpcode != 407))
92baa4
+      conn->bits.close = TRUE; /* Negotiate transfer completed */
92baa4
     Curl_cleanup_negotiate(data);
92baa4
+  }
92baa4
 #endif
92baa4
 
92baa4
   /* set the proper values (possibly modified on POST) */
92baa4
-- 
92baa4
2.3.6
92baa4