On 4/18/23 00:42, Steve Sakoman wrote:
CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know
the content is safe.
There is also a patch submitted today that fixes this CVE as well as
two others: https://lists.openembedded.org/g/openembedded-core/message/180143
I'm fine with the patch as
https://lists.openembedded.org/g/openembedded-core/message/180143.
Thanks,
Could you review the above patch and ack if you approve. It would be
nice to fix all three patches in a single commit if possible.
Thanks!
Steve
On Sun, Apr 16, 2023 at 8:22 PM Yu, Mingli <[email protected]> wrote:
From: Mingli Yu <[email protected]>
Backport patch [1] to fix CVE-2023-27536.
[1] https://github.com/curl/curl/commit/cb49e67303dba
Signed-off-by: Mingli Yu <[email protected]>
---
.../curl/curl/CVE-2023-27536.patch | 57 +++++++++++++++++++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
2 files changed, 58 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch
b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
new file mode 100644
index 0000000000..842c70785a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
@@ -0,0 +1,57 @@
+From 6b1ef6d5ebbfd5e68dea1eea2dc0c6cc4dc2e394 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Mon, 17 Apr 2023 05:36:18 +0000
+Subject: [PATCH] url: only reuse connections with same GSS delegation
+
+Reported-by: Harry Sintonen
+Closes #10731
+
+CVE: CVE-2023-27536
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dba]
+
+Signed-off-by: Mingli Yu <[email protected]>
+---
+ lib/url.c | 6 ++++++
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index df4377d..8c43c3b 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1350,6 +1350,11 @@ ConnectionExists(struct Curl_easy *data,
+ }
+ }
+
++ /* GSS delegation differences do not actually affect every connection
++ and auth method, but this check takes precaution before efficiency */
++ if(needle->gssapi_delegation != check->gssapi_delegation)
++ continue;
++
+ /* If multiplexing isn't enabled on the h2 connection and h1 is
+ explicitly requested, handle it: */
+ if((needle->handler->protocol & PROTO_FAMILY_HTTP) &&
+@@ -1807,6 +1812,7 @@ static struct connectdata *allocate_conn(struct
Curl_easy *data)
+ conn->fclosesocket = data->set.fclosesocket;
+ conn->closesocket_client = data->set.closesocket_client;
+ conn->lastused = Curl_now(); /* used now */
++ conn->gssapi_delegation = data->set.gssapi_delegation;
+
+ return conn;
+ error:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 69eb2ee..c2a7e6c 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1131,6 +1131,7 @@ struct connectdata {
+ int socks5_gssapi_enctype;
+ #endif
+ unsigned short localport;
++ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
+ };
+
+ /* The end of connectdata. */
+--
+2.23.0
+
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb
b/meta/recipes-support/curl/curl_7.82.0.bb
index 945745cdde..888527857a 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -40,6 +40,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2023-23914_5-4.patch \
file://CVE-2023-23914_5-5.patch \
file://CVE-2023-23916.patch \
+ file://CVE-2023-27536.patch \
"
SRC_URI[sha256sum] =
"0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180208):
https://lists.openembedded.org/g/openembedded-core/message/180208
Mute This Topic: https://lists.openembedded.org/mt/98313621/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
