Hi, I have prepared an update for curl in Wheezy.
Please see the diff to previous version attached.

Changes:
 curl (7.26.0-1+wheezy15) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2016-7141: Incorrect reuse of client certificates

The binary packages for amd64 are also available for testing here:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

The build-time tests did not show any regression and the fix is very simple, thus I believe it can be used without reproducing the actual issue. I'm not aware of any available exploit.

Cheers,
Balint

diff -Nru curl-7.26.0/debian/changelog curl-7.26.0/debian/changelog --- curl-7.26.0/debian/changelog 2016-08-04 13:40:13.000000000 +0200 +++ curl-7.26.0/debian/changelog 2016-09-07 20:31:51.000000000 +0200 @@ -1,3 +1,10 @@ +curl (7.26.0-1+wheezy15) wheezy-security; urgency=medium + + * Non-maintainer upload by the LTS team. + * Fix CVE-2016-7141: Incorrect reuse of client certificates + + -- Balint Reczey <[email protected]> Wed, 07 Sep 2016 20:28:07 +0200 + curl (7.26.0-1+wheezy14) wheezy-security; urgency=high * Non-maintainer upload by the LTS team. diff -Nru curl-7.26.0/debian/patches/CVE-2016-7141.patch curl-7.26.0/debian/patches/CVE-2016-7141.patch --- curl-7.26.0/debian/patches/CVE-2016-7141.patch 1970-01-01 01:00:00.000000000 +0100 +++ curl-7.26.0/debian/patches/CVE-2016-7141.patch 2016-09-07 20:27:28.000000000 +0200 
@@ -0,0 +1,37 @@ +From 7700fcba64bf5806de28f6c1c7da3b4f0b38567d Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <[email protected]> +Date: Mon, 22 Aug 2016 10:24:35 +0200 +Subject: [PATCH] nss: refuse previously loaded certificate from file + +... when we are not asked to use a certificate from file + +Origin: upstream +Reviewed-by: Balint Reczey <[email protected]> + +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -779,10 +779,10 @@ + struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg; + struct SessionHandle *data = connssl->data; + const char *nickname = connssl->client_nickname; ++ static const char pem_slotname[] = "PEM Token #1"; + + if(connssl->obj_clicert) { + /* use the cert/key provided by PEM reader */ +- static const char pem_slotname[] = "PEM Token #1"; + SECItem cert_der = { 0, NULL, 0 }; + void *proto_win = SSL_RevealPinArg(sock); + +@@ -839,6 +839,12 @@ + if(NULL == nickname) + nickname = "[unknown]"; + ++ if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) { ++ failf(data, "NSS: refusing previously loaded certificate from file: %s", ++ nickname); ++ return SECFailure; ++ } ++ + if(NULL == *pRetKey) { + failf(data, "NSS: private key not found for certificate: %s", nickname); + return SECFailure; diff -Nru curl-7.26.0/debian/patches/series curl-7.26.0/debian/patches/series --- curl-7.26.0/debian/patches/series 2016-08-04 13:40:13.000000000 +0200 +++ curl-7.26.0/debian/patches/series 2016-09-07 20:22:24.000000000 +0200 @@ -22,6 +22,7 @@ 22_CVE-2015-3148-2.patch CVE-2016-5419.patch CVE-2016-5420.patch +CVE-2016-7141.patch # Add new patches before the ones below this line 90_gnutls.patch
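
Review bot: The header of debian/patches/CVE-2016-7141.patch says only "Origin: upstream", with no link. Please add the upstream commit URL for 7700fcba64bf5806de28f6c1c7da3b4f0b38567d to the Origin field and state whether the lib/nss.c hunks were applied unchanged or adjusted for 7.26.0, so a later reviewer can compare the backport against upstream without searching for it.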
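
Review bot: In the lib/nss.c hunk at -839, the added strncmp() compares only the first sizeof(pem_slotname) - 1U characters, so it is a prefix match: any nickname that merely begins with "PEM Token #1" is refused, not only one whose token name is exactly that string. If an exact token-name match is intended, also check the character that follows the prefix. A one-line comment above the check explaining why a certificate from the PEM slot must be rejected on this path would help too, since the reason currently lives only in the patch subject.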
