Control: reassign -1 curl
Control: found -1 curl/7.21.0-2.1+squeeze5
Control: found -1 curl/7.26.0-1+wheezy5
Control: tags -1 confirmed
On Tue, Nov 19, 2013 at 09:51:35 -0600, Brian Kroth wrote:
> Package: libcurl3
> Version: 7.21.0-2.1+squeeze5
> Severity: important
>
>
> Hi, I believe I've found a regression in the recent libcurl3 DSA update.
> Basically, it doesn't seem to be respecting the --insecure option in all
> cases.
Yes, it seems that the libcurl3 patch exposed a latent bug in the curl tool
that was fixed in a later version (7.28.1 AFAICT). Wheezy is affected too.
For the security team, I prepared new uploads that fix the regression (see
attached debdiffs), could you please have a look?
Cheers
--
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
diff -Nru curl-7.21.0/debian/changelog curl-7.21.0/debian/changelog --- curl-7.21.0/debian/changelog 2013-11-16 13:16:01.000000000 +0100 +++ curl-7.21.0/debian/changelog 2013-11-19 17:40:46.000000000 +0100 @@ -1,3 +1,10 @@ +curl (7.21.0-2.1+squeeze6) oldstable-security; urgency=low + + * Disable host verification too when using the --insecure option + (Closes: #729965) + + -- Alessandro Ghedini <[email protected]> Tue, 19 Nov 2013 17:29:46 +0100 + curl (7.21.0-2.1+squeeze5) oldstable-security; urgency=high * Fix OpenSSL checking of a certificate CN or SAN name field when the diff -Nru curl-7.21.0/debian/patches/disable-verifyhost-with-insecure.patch curl-7.21.0/debian/patches/disable-verifyhost-with-insecure.patch --- curl-7.21.0/debian/patches/disable-verifyhost-with-insecure.patch 1970-01-01 01:00:00.000000000 +0100 +++ curl-7.21.0/debian/patches/disable-verifyhost-with-insecure.patch 2013-11-19 17:40:46.000000000 +0100 @@ -0,0 +1,18 @@ +Description: Disable host verification too when the --insecure option is used +Origin: vendor +Bug-Debian: http://bug.debian.org/729965 +Forwarded: not-needed +Author: Alessandro Ghedini <[email protected]> +Last-Update: 2013-11-19 + +--- a/src/main.c ++++ b/src/main.c +@@ -5106,7 +5106,7 @@ + if(config->insecure_ok) { + /* new stuff needed for libcurl 7.10 */ + my_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); +- my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1); ++ my_setopt(curl, CURLOPT_SSL_VERIFYHOST, FALSE); + } + else { + char *home = homedir(); diff -Nru curl-7.21.0/debian/patches/series curl-7.21.0/debian/patches/series --- curl-7.21.0/debian/patches/series 2013-11-16 13:16:01.000000000 +0100 +++ curl-7.21.0/debian/patches/series 2013-11-19 17:40:46.000000000 +0100 @@ -12,6 +12,7 @@ test1218-another-cookie-tailmatch-test CVE-2013-2174.patch CVE-2013-4545.patch +disable-verifyhost-with-insecure.patch # this must be the last curl_links_with_rt
diff -Nru curl-7.26.0/debian/changelog curl-7.26.0/debian/changelog --- curl-7.26.0/debian/changelog 2013-11-16 13:12:02.000000000 +0100 +++ curl-7.26.0/debian/changelog 2013-11-19 17:41:19.000000000 +0100 @@ -1,3 +1,10 @@ +curl (7.26.0-1+wheezy6) stable-security; urgency=low + + * Disable host verification too when using the --insecure option + (Closes: #729965) + + -- Alessandro Ghedini <[email protected]> Tue, 19 Nov 2013 17:15:32 +0100 + curl (7.26.0-1+wheezy5) stable-security; urgency=high * Fix OpenSSL checking of a certificate CN or SAN name field when the diff -Nru curl-7.26.0/debian/patches/11_disable-verifyhost-with-insecure.patch curl-7.26.0/debian/patches/11_disable-verifyhost-with-insecure.patch --- curl-7.26.0/debian/patches/11_disable-verifyhost-with-insecure.patch 1970-01-01 01:00:00.000000000 +0100 +++ curl-7.26.0/debian/patches/11_disable-verifyhost-with-insecure.patch 2013-11-19 17:41:19.000000000 +0100 @@ -0,0 +1,21 @@ +From a1be8e7f9be2feff103f314cd8ea8a50a560e79e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <[email protected]> +Date: Tue, 6 Nov 2012 22:27:25 +0100 +Subject: [PATCH] curl: set CURLOPT_SSL_VERIFYHOST to 0 to disable +Bug-Debian: http://bugs.debian.org/729965 + +--- + src/tool_operate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -982,7 +982,7 @@ + if(curlinfo->features & CURL_VERSION_SSL) { + if(config->insecure_ok) { + my_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); +- my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L); ++ my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); + } + else { + my_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L); diff -Nru curl-7.26.0/debian/patches/series curl-7.26.0/debian/patches/series --- curl-7.26.0/debian/patches/series 2013-11-16 13:12:02.000000000 +0100 +++ curl-7.26.0/debian/patches/series 2013-11-19 17:41:19.000000000 +0100 
@@ -8,6 +8,7 @@ 08_CVE-2013-2174.patch 09_reset-timecond.patch 10_CVE-2013-4545.patch +11_disable-verifyhost-with-insecure.patch 90_gnutls.patch 99_nss.patch
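Review bot: both new changelog stanzas (7.21.0-2.1+squeeze6 and 7.26.0-1+wheezy6) use `urgency=low` for uploads to oldstable-security/stable-security that repair a regression introduced by the `urgency=high` +squeeze5/+wheezy5 uploads; an update that restores the behaviour of `--insecure` broken by a DSA is itself security-relevant and should go out with `urgency=high` unless the security team asks otherwise. The entry text "Disable host verification too when using the --insecure option (Closes: #729965)" is accurate but does not say that this is a regression from the previous upload; adding something like "regression introduced by the CVE-2013-4545 fix in +squeeze5" (respectively +wheezy5) tells users reading the changelog why a second security upload follows the first.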
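Review bot: the comment `/* new stuff needed for libcurl 7.10 */` directly above the changed line in src/main.c (squeeze patch disable-verifyhost-with-insecure.patch) is left stale by this hunk; now that the `insecure_ok` branch sets both `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` to `FALSE`, replace it with a one-line comment stating that `--insecure` must switch the hostname check off explicitly, so that nobody restores the `1` later. The DEP-3 header also says `Origin: vendor` and `Forwarded: not-needed`, while the wheezy debdiff carries the same one-line change as upstream commit a1be8e7f9be2feff103f314cd8ea8a50a560e79e (Daniel Stenberg, 2012-11-06); since the squeeze change is a backport of that commit to the older src/main.c, `Origin: backport, <upstream commit>` would document the provenance consistently across both branches.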
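Review bot: in 11_disable-verifyhost-with-insecure.patch the `Bug-Debian:` line is placed inside the git commit header, between `Subject:` and the blank line, so the commit body is empty and the DEP-3 field is mixed into the mail headers; move `Bug-Debian:` (and an `Origin: upstream, https://...a1be8e7f...` line, since the From/Date/Subject lines show this is the upstream commit) below the `Subject:` block as a separate paragraph so both `git am` and DEP-3 tools parse it cleanly. The code change itself is right and matches the upstream subject "set CURLOPT_SSL_VERIFYHOST to 0 to disable": only 0 turns the hostname check off, and `1L` was never an off value, which is why the CVE-2013-4545 fix in +wheezy5 (10_CVE-2013-4545.patch in the series) made `--insecure` start failing on name mismatches.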