Your message dated Sat, 10 Sep 2022 13:36:19 +0100
with message-id
<92fe43e7805e82e43100a6471ccbf91cd9a12944.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates in 11.5
has caused the Debian Bug report #1019052,
regarding bullseye-pu: package curl/7.74.0-1.3+deb11u3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1019052: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019052
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected],[email protected]
Hi SRM,
[ Reason ]
curl is affected by another CVE which does not warrant a DSA,
CVE-2022-35252.
[ Impact ]
Will have the CVE open until it is included in a future update.
Severity is low, that said.
[ Tests ]
Have run the testsuite without the fix, confirming the 0008 test will
fail and is succeeding after the fix.
[ Risks ]
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Code now rejects cookies with "control bytes".
[ Other info ]
None
Regards,
Salvatore
diff -Nru curl-7.74.0/debian/changelog curl-7.74.0/debian/changelog
--- curl-7.74.0/debian/changelog 2022-07-23 17:47:52.000000000 +0200
+++ curl-7.74.0/debian/changelog 2022-09-03 12:26:12.000000000 +0200
@@ -1,3 +1,11 @@
+curl (7.74.0-1.3+deb11u3) bullseye; urgency=medium
+
+ * cookie: reject cookies with "control bytes" (CVE-2022-35252)
+ (Closes: #1018831)
+ * test8: verify that "ctrl-byte cookies" are ignored
+
+ -- Salvatore Bonaccorso <[email protected]> Sat, 03 Sep 2022 12:26:12 +0200
+
curl (7.74.0-1.3+deb11u2) bullseye-security; urgency=high
* Non-maintainer upload.
diff -Nru
curl-7.74.0/debian/patches/cookie-reject-cookies-with-control-bytes.patch
curl-7.74.0/debian/patches/cookie-reject-cookies-with-control-bytes.patch
--- curl-7.74.0/debian/patches/cookie-reject-cookies-with-control-bytes.patch
1970-01-01 01:00:00.000000000 +0100
+++ curl-7.74.0/debian/patches/cookie-reject-cookies-with-control-bytes.patch
2022-09-03 12:26:12.000000000 +0200
@@ -0,0 +1,65 @@
+From: Daniel Stenberg <[email protected]>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: cookie: reject cookies with "control bytes"
+Origin:
https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb0ed786592c65c3
+Bug-Debian: https://bugs.debian.org/1018831
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-35252
+
+Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+Reported-by: Axel Chong
+
+Bug: https://curl.se/docs/CVE-2022-35252.html
+
+CVE-2022-35252
+
+Closes #9381
+---
+ lib/cookie.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -375,6 +375,30 @@ static void strstore(char **str, const c
+ }
+
+ /*
++ RFC 6265 section 4.1.1 says a server should accept this range:
++
++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
++
++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
++ fine. The prime reason for filtering out control bytes is that some HTTP
++ servers return 400 for requests that contain such.
++*/
++static int invalid_octets(const char *p)
++{
++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
++ static const char badoctets[] = {
++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
++ };
++ size_t vlen, len;
++ /* scan for all the octets that are *not* in cookie-octet */
++ len = strcspn(p, badoctets);
++ vlen = strlen(p);
++ return (len != vlen);
++}
++
++/*
+ * remove_expired() removes expired cookies.
+ */
+ static void remove_expired(struct CookieInfo *cookies)
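Review bot: the comment "scan for all the octets that are *not* in cookie-octet" inside invalid_octets() overstates what the function checks. badoctets lists only 0x01-0x1f (minus TAB) plus 0x7f, so space, comma, double quote, semicolon, backslash and every byte from 0x80 up still pass, although all of them fall outside the RFC 6265 cookie-octet range quoted in the block comment above. Reword it to something like "scan for control bytes" so nobody later treats this as a full cookie-octet validator. Separately, strcspn() followed by strlen() walks the string twice; `return p[strcspn(p, badoctets)] != '\0';` gives the same result in one pass.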
+@@ -562,6 +586,11 @@ Curl_cookie_add(struct Curl_easy *data,
+ badcookie = TRUE;
+ break;
+ }
++ if(invalid_octets(whatptr) || invalid_octets(name)) {
++ infof(data, "invalid octets in name/value, cookie dropped");
++ badcookie = TRUE;
++ break;
++ }
+ }
+ else if(!len) {
+ /* this was a "<name>=" with no content, and we must allow
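Review bot: the infof() format string in the added block, "invalid octets in name/value, cookie dropped", has no trailing newline. The patch is taken unchanged from a much newer upstream tree, so please confirm that infof() in 7.74.0 appends the newline itself; if it does not, the verbose output will run into the next message and the string needs a "\n" in this backport. The drop is also only reported through infof(), so it is invisible without verbose mode; the changelog entry is the one place users will learn that such cookies are now discarded.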
diff -Nru curl-7.74.0/debian/patches/series curl-7.74.0/debian/patches/series
--- curl-7.74.0/debian/patches/series 2022-07-23 17:47:52.000000000 +0200
+++ curl-7.74.0/debian/patches/series 2022-09-03 12:26:12.000000000 +0200
@@ -24,6 +24,8 @@
CVE-2022-32207.patch
CVE-2022-32208.patch
CVE-2022-27774.patch
+cookie-reject-cookies-with-control-bytes.patch
+test8-verify-that-ctrl-byte-cookies-are-ignored.patch
# Always add CVE patches before these two patches
90_gnutls.patch
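Review bot: the two added series entries are named after the upstream commit subjects, while the neighbouring entries use the CVE-<id>.patch form (CVE-2022-32207.patch, CVE-2022-32208.patch, CVE-2022-27774.patch). Putting CVE-2022-35252 into the file name of the fix would keep the series searchable by CVE id. Placement ahead of the "Always add CVE patches before these two patches" marker is correct.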
diff -Nru
curl-7.74.0/debian/patches/test8-verify-that-ctrl-byte-cookies-are-ignored.patch
curl-7.74.0/debian/patches/test8-verify-that-ctrl-byte-cookies-are-ignored.patch
---
curl-7.74.0/debian/patches/test8-verify-that-ctrl-byte-cookies-are-ignored.patch
1970-01-01 01:00:00.000000000 +0100
+++
curl-7.74.0/debian/patches/test8-verify-that-ctrl-byte-cookies-are-ignored.patch
2022-09-03 12:26:12.000000000 +0200
@@ -0,0 +1,62 @@
+From: Daniel Stenberg <[email protected]>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: test8: verify that "ctrl-byte cookies" are ignored
+Origin:
https://github.com/curl/curl/commit/2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
+
+---
+ tests/data/test8 | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/tests/data/test8 b/tests/data/test8
+index a8548e6c2ea5..858761159aa0 100644
+--- a/tests/data/test8
++++ b/tests/data/test8
+@@ -46,6 +46,36 @@ Set-Cookie: trailingspace = removed; path=/we/want;
+ Set-Cookie: nocookie=yes; path=/WE;
+ Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
+ Set-Cookie: partialip=nono; domain=.0.0.1;
++Set-Cookie: cookie1=%hex[%01-junk]hex%
++Set-Cookie: cookie2=%hex[%02-junk]hex%
++Set-Cookie: cookie3=%hex[%03-junk]hex%
++Set-Cookie: cookie4=%hex[%04-junk]hex%
++Set-Cookie: cookie5=%hex[%05-junk]hex%
++Set-Cookie: cookie6=%hex[%06-junk]hex%
++Set-Cookie: cookie7=%hex[%07-junk]hex%
++Set-Cookie: cookie8=%hex[%08-junk]hex%
++Set-Cookie: cookie9=%hex[junk-%09-]hex%
++Set-Cookie: cookie11=%hex[%0b-junk]hex%
++Set-Cookie: cookie12=%hex[%0c-junk]hex%
++Set-Cookie: cookie14=%hex[%0e-junk]hex%
++Set-Cookie: cookie15=%hex[%0f-junk]hex%
++Set-Cookie: cookie16=%hex[%10-junk]hex%
++Set-Cookie: cookie17=%hex[%11-junk]hex%
++Set-Cookie: cookie18=%hex[%12-junk]hex%
++Set-Cookie: cookie19=%hex[%13-junk]hex%
++Set-Cookie: cookie20=%hex[%14-junk]hex%
++Set-Cookie: cookie21=%hex[%15-junk]hex%
++Set-Cookie: cookie22=%hex[%16-junk]hex%
++Set-Cookie: cookie23=%hex[%17-junk]hex%
++Set-Cookie: cookie24=%hex[%18-junk]hex%
++Set-Cookie: cookie25=%hex[%19-junk]hex%
++Set-Cookie: cookie26=%hex[%1a-junk]hex%
++Set-Cookie: cookie27=%hex[%1b-junk]hex%
++Set-Cookie: cookie28=%hex[%1c-junk]hex%
++Set-Cookie: cookie29=%hex[%1d-junk]hex%
++Set-Cookie: cookie30=%hex[%1e-junk]hex%
++Set-Cookie: cookie31=%hex[%1f-junk]hex%
++Set-Cookie: cookie31=%hex[%7f-junk]hex%
+
+ </file>
+ <precheck>
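Review bot: the last added Set-Cookie line reuses the name cookie31 for the %7f case, the same name the %1f line just above it uses. Both are expected to be dropped, so the test passes, but if one of them were ever accepted the resulting Cookie header would not tell which byte got through; a distinct name such as cookie127 would fix that. The sequence also skips cookie10 and cookie13 (0x0a and 0x0d) even though badoctets rejects both; a one-line remark in the patch description on why LF and CR are not exercised here would save the next reader the question.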
+@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1
+ Host: %HOSTIP:%HTTPPORT
+ User-Agent: curl/%VERSION
+ Accept: */*
+-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps;
cookie=yes; foobar=name; blexp=yesyes
++Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps;
cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- -
+
+ </protocol>
+ </verify>
+--
+2.30.2
+
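Review bot: the updated expected Cookie line ends in "cookie9=junk- -", which only matches if the whitespace between the two dashes is the literal TAB byte produced by %hex[junk-%09-]hex% in the reply section. That byte is easy to lose to whitespace conversion in mail or an editor, and it cannot be told apart from a space in this debdiff as mailed, so please check the patch file as applied in the package still carries a TAB there. Rejection of the other thirty cookies is verified only by their absence from this line, which is sufficient but worth stating in the test description.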
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.5
Hi,
The updates referred to in each of these bugs were included in today's
11.5 point release.
Regards,
Adam
--- End Message ---