Re: libcurl not verifying proxy url against IP address present in subject alternate name

2017-11-29 Thread Hemant Kumar via curl-library
On Thu, Nov 30, 2017 at 2:57 AM, Ray Satiro via curl-library <
curl-library@cool.haxx.se> wrote:

>
> On 11/28/2017 2:12 PM, Hemant Kumar via curl-library wrote:
>
> I am using pycurl (python wrapper of libcurl) to connect to a remote
> server(HTTPS) via a proxy(HTTPS).
> While establishing SSL connection with the proxy, the certificate shared
> by proxy has both CN and SAN entries as below -
>
> Subject: C=IN, ST=KA, L=BGL, O=, OU=x, *CN=host.cust1.com 
> */emailAddress=em...@domain.com
>
> X509v3 Subject Alternative Name:
> DNS:host.cust1.com, *DNS:172.73.74.75*, 
> DNS:securepr.cust1.com 
>
> In my code when I use proxy's FQDN(host.cust1.com) as the proxy URL to access 
> then the ssl verification works fine but when I try using the IP Address I 
> get below error -
>
> "SSL: no alternative certificate subject name matches target host name 
> '172.73.74.75'"
>
> Should not libcurl verify the proxy URL against all the subject alternate
> names present in the received certificate or am I missing something here?
>
> Software versions used -  PycURL/7.43.0 libcurl/7.56.1
>
>
> In my opinion, no.
>
> Is the PycURL string supposed to include the libcurl version string? What
> SSL library is libcurl using? It should have shown you the SSL library in
> the version information. I will assume OpenSSL for this reply.
>
> libcurl w/ OpenSSL will only use iPAddress altname field for IP addresses
> and dNSName altname field for host names [1]. There's some anecdotal
> evidence of clients that accept IP address in dNSName [2]. I believe those
> clients are wrong. The original RFC 2818 is unambiguous [3]:
>
>    In some cases, the URI is specified as an IP address rather than a
>    hostname. In this case, the iPAddress subjectAltName must be present
>    in the certificate and must exactly match the IP in the URI.
>
>
> [1]: https://github.com/curl/curl/blob/curl-7_56_1/lib/vtls/openssl.c#L1389
> [2]: https://security.stackexchange.com/a/160809
> [3]: https://tools.ietf.org/html/rfc2818#page-5
>
>
> ---
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette:   https://curl.haxx.se/mail/etiquette.html
>

Thanks Ray for the reply. Actually it's a piece of software which generates
the CSR taking Subject Alt names as arguments.
And it does not seem to distinguish between hostname/IPAddress passed as
argument and keeps even the IPAddress in the dNSName field of Subject Alt
Names.

Regarding the version string, yes the PycURL version string contains
libcurl as well as SSL library version info -

>>> import pycurl

>>> pycurl.version
'PycURL/7.43.0 libcurl/7.56.1 OpenSSL/1.0.2l zlib/1.2.11 c-ares/1.13.0'

Re: AW: AW: Problem/Crash with libCurl Daily Snapshot and Option CURLSHOPT_SHARE and Parameter CURL_LOCK_DATA_CONNECT

2017-11-29 Thread Daniel Stenberg

On Wed, 29 Nov 2017, Dawson, Patrick wrote:

> Oops. I am sorry. You are right: I forgot to add this in the example
> project. I added them in my real project though. I still get sporadic
> crashes but now the callstacks are almost always the same and when the crash
> happens it seems to be early in the first 10 http calls. Here is the call
> stack:


Since the CURL_LOCK_DATA_CONNECT support is brand new, it is of course not 
unthinkable that there's a bug or two in there to fix. :-/


Feel free to file a bug about it so we don't forget about it: 
https://github.com/curl/curl/issues and I'll try to get around and see if I 
can reproduce it on my (Linux) machine.


--

 / daniel.haxx.se

Re: libcurl not verifying proxy url against IP address present in subject alternate name

2017-11-29 Thread Ray Satiro via curl-library
On 11/28/2017 2:12 PM, Hemant Kumar via curl-library wrote:
> I am using pycurl (python wrapper of libcurl) to connect to a remote
> server(HTTPS) via a proxy(HTTPS). 
> While establishing SSL connection with the proxy, the certificate
> shared by proxy has both CN and SAN entries as below -
>
> Subject: C=IN, ST=KA, L=BGL, O=, OU=x, *CN=host.cust1.com 
> */emailAddress=em...@domain.com 
> 
> X509v3 Subject Alternative Name: 
> DNS:host.cust1.com, *DNS:172.73.74.75*, DNS:securepr.cust1.com
>
> In my code when I use proxy's FQDN(host.cust1.com) as the proxy URL to
> access then the ssl verification works fine but when I try using the IP
> Address I get below error -
>
> "SSL: no alternative certificate subject name matches target host name
> '172.73.74.75'"
>
> Should not libcurl verify the proxy URL against all the subject
> alternate names present in the received certificate or am I missing
> something here?
> Software versions used - PycURL/7.43.0 libcurl/7.56.1

In my opinion, no.

Is the PycURL string supposed to include the libcurl version string?
What SSL library is libcurl using? It should have shown you the SSL
library in the version information. I will assume OpenSSL for this reply.

libcurl w/ OpenSSL will only use iPAddress altname field for IP
addresses and dNSName altname field for host names [1]. There's some
anecdotal evidence of clients that accept IP address in dNSName [2]. I
believe those clients are wrong. The original RFC 2818 is unambiguous [3]:

   In some cases, the URI is specified as an IP address rather than a
   hostname. In this case, the iPAddress subjectAltName must be present
   in the certificate and must exactly match the IP in the URI.


[1]: https://github.com/curl/curl/blob/curl-7_56_1/lib/vtls/openssl.c#L1389
[2]: https://security.stackexchange.com/a/160809
[3]: https://tools.ietf.org/html/rfc2818#page-5
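
The matching rule described in the reply above, as an added example (not libcurl's source and not part of the original mail): addresses are checked only against iPAddress entries and host names only against dNSName entries. The function names are hypothetical, the SAN text is assumed to be in the form `openssl x509 -text` prints, and the second list is constructed.

```c
/* Added example: RFC 2818 name matching as described in the reply above.
   Not libcurl's source; SAN text is in the form `openssl x509 -text` prints. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* SAN list quoted in the thread: the address sits in a dNSName entry. */
static const char PAGE_SAN[] =
  "DNS:host.cust1.com, DNS:172.73.74.75, DNS:securepr.cust1.com";
/* Constructed: the same list with the address in an iPAddress entry. */
static const char FIXED_SAN[] =
  "DNS:host.cust1.com, IP Address:172.73.74.75, DNS:securepr.cust1.com";

/* Parse an IPv4/IPv6 literal; returns 4, 6, or 0 if s is not an address. */
static int parse_ip(const char *s, unsigned char out[16])
{
  memset(out, 0, 16);
  if(inet_pton(AF_INET, s, out) == 1)
    return 4;
  if(inet_pton(AF_INET6, s, out) == 1)
    return 6;
  return 0;
}

/* Copy the next comma-separated SAN item into out, trimmed of spaces.
   Returns 0 at end of list. Over-long items are returned as "". */
static int next_item(const char **p, char *out, size_t outlen)
{
  const char *s = *p;
  size_t n;
  while(*s == ',' || *s == ' ')
    s++;
  if(!*s)
    return 0;
  n = strcspn(s, ",");
  *p = s + n;
  while(n && s[n - 1] == ' ')
    n--;
  if(n >= outlen)
    n = 0;
  memcpy(out, s, n);
  out[n] = '\0';
  return 1;
}

/* 1 if target is covered by the SAN list: addresses are compared only with
   iPAddress entries, host names only with dNSName entries (exact match,
   case-insensitive; wildcard names are not handled here). */
int san_matches(const char *san, const char *target)
{
  unsigned char want[16], have[16];
  char item[256];
  int fam = parse_ip(target, want);
  while(next_item(&san, item, sizeof(item))) {
    if(fam) {
      if(!strncmp(item, "IP Address:", 11) &&
         parse_ip(item + 11, have) == fam && !memcmp(want, have, 16))
        return 1;
    }
    else if(!strncmp(item, "DNS:", 4) && !strcasecmp(item + 4, target))
      return 1;
  }
  return 0;
}

/* Audit helper: count dNSName entries whose value is really an IP address. */
int dns_entries_holding_ip(const char *san)
{
  unsigned char tmp[16];
  char item[256];
  int count = 0;
  while(next_item(&san, item, sizeof(item)))
    if(!strncmp(item, "DNS:", 4) && parse_ip(item + 4, tmp))
      count++;
  return count;
}

int main(void)
{
  printf("page SAN,  host name: %d\n", san_matches(PAGE_SAN, "host.cust1.com"));
  printf("page SAN,  address:   %d\n", san_matches(PAGE_SAN, "172.73.74.75"));
  printf("fixed SAN, address:   %d\n", san_matches(FIXED_SAN, "172.73.74.75"));
  printf("dNSName entries holding an address: %d\n",
         dns_entries_holding_ip(PAGE_SAN));
  return 0;
}
```

In an OpenSSL request or extension file the address is written as `IP:172.73.74.75` in subjectAltName, which produces the iPAddress entry that the second list models.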


Re: [RELEASE] curl 7.57.0

2017-11-29 Thread Michael Felt
I got some initial issues resolved (see 
https://github.com/curl/curl/issues/2124) and now, in 32-bit mode:


Warning: dict server unexpectedly alive
TESTDONE: 883 tests out of 885 reported OK: 99%
TESTFAIL: These test cases failed: 1013 1140
TESTDONE: 1164 tests were considered

After the 64-bit build will have, finally, a new release available.


On 11/29/2017 10:33 AM, Daniel Stenberg wrote:

Hi friends!

I'm glad to once again present a brand new curl release. This time we 
introduce a few changes and three security advisories. The latter will 
be detailed in separate mails sent out in association with this.


As always, download the latest curl from https://curl.haxx.se/

Curl and libcurl 7.57.0

 Public curl releases: 171
 Command line options: 211
 curl_easy_setopt() options:   249
 Public functions in libcurl:  74
 Contributors: 1649

This release includes the following changes:

 o auth: add support for RFC7616 - HTTP Digest access authentication [12]
 o share: add support for sharing the connection cache [31]
 o HTTP: implement Brotli content encoding [28]

This release includes the following bugfixes:

 o CVE-2017-8816: NTLM buffer overflow via integer overflow [47]
 o CVE-2017-8817: FTP wildcard out of bounds read [48]
 o CVE-2017-8818: SSL out of buffer access [49]
 o curl_mime_filedata.3: fix typos [1]
 o libtest: Add required test libraries for lib1552 and lib1553 [2]
 o fix time diffs for systems using unsigned time_t [3]
 o ftplistparser: memory leak fix: free temporary memory always [4]
 o multi: allow table handle sizes to be overridden [5]
 o wildcards: don't use with non-supported protocols [6]
 o curl_fnmatch: return error on illegal wildcard pattern [7]
 o transfer: Fix chunked-encoding upload too early exit [8]
 o curl_setup: Improve detection of CURL_WINDOWS_APP [9]
 o resolvers: only include anything if needed [10]
 o setopt: fix CURLOPT_SSH_AUTH_TYPES option read
 o appveyor: add a win32 build
 o Curl_timeleft: change return type to timediff_t [11]
 o cmake: Export libcurl and curl targets to use by other cmake projects [13]
 o curl: in -F option arg, comma is a delimiter for files only [14]
 o curl: improved ";type=" handling in -F option arguments
 o timeval: use mach_absolute_time() on MacOS [15]
 o curlx: the timeval functions are no longer provided as curlx_* [16]
 o mkhelp.pl: do not generate comment with current date [17]
 o memdebug: use send/recv signature for curl_dosend/curl_dorecv [18]
 o cookie: avoid NULL dereference [19]
 o url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1 [20]
 o include: remove conncache.h inclusion from where it's not needed
 o CURLOPT_MAXREDIRS: allow -1 as a value [21]
 o tests: Fixed torture tests on tests 556 and 650
 o http2: Fixed OOM handling in upgrade request
 o url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
 o CURLOPT_INFILESIZE: accept -1 [22]
 o curl: pass through [] in URLs instead of calling globbing error [23]
 o curl: speed up handling of many URLs [24]
 o ntlm: avoid malloc(0) for zero length passwords [25]
 o url: remove faulty arg value check from CURLOPT_SSH_AUTH_TYPES [26]
 o HTTP: support multiple Content-Encodings [27]
 o travis: add a job with brotli enabled
 o url: remove unnecessary NULL-check
 o fnmatch: remove dead code
 o connect: store IPv6 connection status after valid connection [29]
 o imap: deal with commands case insensitively [30]
 o --interface: add support for Linux VRF [32]
 o content_encoding: fix inflate_stream for no bytes available [33]
 o cmake: Correctly include curl.rc in Windows builds [34]
 o cmake: Add missing setmode check [35]
 o connect.c: remove executable bit on file [36]
 o SMB: fix uninitialized local variable
 o zlib/brotli: only include header files in modules needing them [37]
 o URL: return error on malformed URLs with junk after IPv6 bracket [38]
 o openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY [39]
 o macOS: Fix missing connectx function with Xcode version older than 9.0 [40]
 o --resolve: allow IP address within [] brackets [41]
 o examples/curlx: Fix code style [42]
 o ntlm: remove unnecessary NULL-check to please scan-build [43]
 o Curl_llist_remove: fix potential NULL pointer deref [43]
 o mime: fix "Value stored to 'sz' is never read" scan-build error [43]
 o openssl: fix "Value stored to 'rc' is never read" scan-build error [43]
 o http2: fix "Value stored to 'hdbuf' is never read" scan-build error [43]
 o http2: fix "Value stored to 'end' is never read" scan-build error [43]
 o Curl_open: fix OOM return error correctly [43]
 o url: reject ASCII control characters and space in host names [44]
 o examples/rtsp: clear RANGE again after use [45]
 o connect: improve the bind error message [46]
 o make: fix "make distclean" [50]
 o connect: add support for new TCP Fast Open API on Linux [51]
 o metalink: fix memory-leak and NULL pointer dereference [52]
 o URL: update "file:" URL handling [53]
 o ssh: remove check for 

AW: AW: Problem/Crash with libCurl Daily Snapshot and Option CURLSHOPT_SHARE and Parameter CURL_LOCK_DATA_CONNECT

2017-11-29 Thread Dawson, Patrick
Note:
I switched to the official release version today (source code and build myself) 
and the mentioned errors still occur.


>>>> static void ShareLockFunc( CURL* pHandle, curl_lock_data Data, curl_lock_access Access, void* pUseptr )
>>>>
>>>> static void ShareUnlockFunc( CURL* pHandle, curl_lock_data Data, void* pUseptr )
>>>
>>> Vanem, Gisle wrote:
>>> What are these used for?
>> 
>> In my understanding they are used to lock the access to the shared handle. 
>
>Yes, I know. But you forgot to use those lock-options. I've made a
>patch for you:)

Oops. I am sorry. You are right: I forgot to add this in the example project. I 
added them in my real project though.
I still get sporadic crashes but now the callstacks are almost always the same 
and when the crash happens it seems to be early in the first 10 http calls.
Here is the call stack:

free(ca->ai_addr); // Read access violation, ca is 0x1

libcurl.dll!Curl_freeaddrinfo(Curl_addrinfo * cahead) Line 84  C
libcurl.dll!freednsentry(void * freethis) Line 744  C
libcurl.dll!hash_element_dtor(void * user, void * element) Line 41  C
libcurl.dll!Curl_llist_remove(curl_llist * list, curl_llist_element * e, void * user) Line 130  C
libcurl.dll!Curl_llist_destroy(curl_llist * list, void * user) Line 138  C
libcurl.dll!Curl_hash_destroy(curl_hash * h) Line 213  C
libcurl.dll!curl_multi_cleanup(Curl_multi * multi) Line 2237  C
libcurl.dll!Curl_close(Curl_easy * data) Line 327  C
HttpClientDirectTest2.exe!MyThreadFunction(void * lpParam) Line 134  C++


Other crashes still happen but less frequently.

Callstack:
diff = Curl_timediff(node->time, now); // node is 0

libcurl.dll!add_next_timeout(curltime now, Curl_multi * multi, Curl_easy * d) Line 2483  C
libcurl.dll!curl_multi_perform(Curl_multi * multi, int * running_handles) Line 2187  C
libcurl.dll!easy_transfer(Curl_multi * multi) Line 683  C
libcurl.dll!easy_perform(Curl_easy * data, bool events) Line 769  C
libcurl.dll!curl_easy_perform(Curl_easy * data) Line 788  C
HttpClientDirectTest2.exe!CurlPerformGet(void * pHandle) Line 49  C++
HttpClientDirectTest2.exe!MyThreadFunction(void * lpParam) Line 133  C++


>> Crash 2:
>> hash.c: 114
>> struct curl_llist *l = FETCH_LIST(h, key, key_len); // h is 0
>
>Looks very much like this issue:
>   https://github.com/curl/curl/pull/712
>
>Fixed last year though. Your subject says "libCurl Daily Snapshot".
>So I assume you're using libcurl from a few days ago (?)

I downloaded the sources from https://curl.haxx.se/snapshots:
* https://curl.haxx.se/snapshots/curl-7.57.0-20171128.zip and
* https://curl.haxx.se/snapshots/curl-7.57.0-20171127.zip and today the official
source
* https://curl.haxx.se/download/curl-7.57.0.zip

>Is this a 64-bit version? I also tried your sample on 64-bit;
>no problems there either.

I have built the target "DLL Release" with Visual Studio 2015 in 32 bit mode 
from the downloaded source code.

--
Best regards
Patrick Dawson


Re: AW: Problem/Crash with libCurl Daily Snapshot and Option CURLSHOPT_SHARE and Parameter CURL_LOCK_DATA_CONNECT

2017-11-29 Thread Gisle Vanem via curl-library

Patrick Dawson wrote:


static void ShareLockFunc( CURL* pHandle, curl_lock_data Data, curl_lock_access 
Access, void* pUseptr )
{
...
}

static void ShareUnlockFunc( CURL* pHandle, curl_lock_data Data, void* pUseptr )
{
...
}


Vanem, Gisle wrote:
What are these used for?


In my understanding they are used to lock the access to the shared handle. 


Yes, I know. But you forgot to use those lock-options. I've made a
patch for you:)

@@ -73,6 +73,8 @@

 CURLSH *pShare = curl_share_init();
 curl_share_setopt( pShare, CURLSHOPT_SHARE, CURL_LOCK_DATA_CONNECT );
+curl_share_setopt( pShare, CURLSHOPT_LOCKFUNC, ShareLockFunc);
+curl_share_setopt( pShare, CURLSHOPT_UNLOCKFUNC, ShareUnlockFunc);



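Review bot: the two added curl_share_setopt() calls discard their CURLSHcode return value, so if registering ShareLockFunc or ShareUnlockFunc fails the share object is still used from several threads without locking; check each call against CURLSHE_OK and stop before any easy handle is attached. Both callbacks also take a pUseptr argument, but nothing in the visible lines sets CURLSHOPT_USERDATA, so they will receive NULL there unless the lock they use is a global. Setting the lock and unlock functions before the CURLSHOPT_SHARE line would also make it obvious that no data is shared before locking is in place.
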
Crash 2:
hash.c: 114
struct curl_llist *l = FETCH_LIST(h, key, key_len); // h is 0


Looks very much like this issue:
  https://github.com/curl/curl/pull/712

Fixed last year though. Your subject says "libCurl Daily Snapshot".
So I assume you're using libcurl from a few days ago (?)

Is this a 64-bit version? I also tried your sample on 64-bit;
no problems there either.

--
--gv

Outlook/Office365 SMTP working?

2017-11-29 Thread Christian Schmitz
Hello,

Does someone of you have SMTP servers from Outlook.com/Office365.com working to 
send emails?

We got login problems although same login works for IMAP there.

Related to that, does someone know how to use XOAUTH2 with CURL for 
authentication to SMTP?
Server Reports that:

250-AUTH LOGIN XOAUTH2

Thanks in advance.

Sincerely
Christian

-- 
Read our blog about news on our plugins:

http://www.mbsplugins.de/




[SECURITY ADVISORY] curl: NTLM buffer overflow via integer overflow

2017-11-29 Thread Daniel Stenberg

NTLM buffer overflow via integer overflow
=========================================

Project curl Security Advisory, November 29th 2017 -
[Permalink](https://curl.haxx.se/docs/adv_2017-11e7.html)

VULNERABILITY
-

libcurl contains a buffer overrun flaw in the NTLM authentication code.

The internal function `Curl_ntlm_core_mk_ntlmv2_hash` sums up the lengths of
the user name + password (= SUM) and multiplies the sum by two (= SIZE) to
figure out how large storage to allocate from the heap.

The SUM value is subsequently used to iterate over the input and generate
output into the storage buffer. On systems with a 32 bit `size_t`, the math to
calculate SIZE triggers an integer overflow when the combined lengths of the
user name and password is larger than 2GB (2^31 bytes). This integer overflow
usually causes a very small buffer to actually get allocated instead of the
intended very huge one, making the use of that buffer end up in a buffer
overrun.

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in commit
[be285cde3f5](https://github.com/curl/curl/commit/be285cde3f5), April 2006.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-8816 to this issue.

AFFECTED VERSIONS
-

This is only an issue on 32 bit systems. It also requires the user and
password fields to use more than 2GB of memory combined, which in itself
should be rare.

- Affected versions: libcurl 7.15.4 to and including 7.56.1
- Not affected versions: libcurl < 7.15.4 and >= 7.57.0

curl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In libcurl version 7.57.0, the integer overflow is avoided.

A [patch for CVE-2017-8816](https://curl.haxx.se/CVE-2017-8816.patch) is
available.

RECOMMENDATIONS
---

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl to version 7.57.0

 B - Apply the patch to your version and rebuild

 C - Put length restrictions on the user name and passwords you can pass to
 libcurl

TIME LINE
-

It was reported to the curl project on November 6, 2017.  We contacted
distros@openwall on November 21.

curl 7.57.10 was released on November 29 2017, coordinated with the
publication of this advisory.

CREDITS
---

Reported by Alex Nichols. Patch by Daniel Stenberg.

Thanks a lot!

--

 / daniel.haxx.se
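
The size calculation described under VULNERABILITY in the advisory above, as an added example (not code from curl or from the advisory). It models the 32 bit `size_t` with `uint32_t` so the wrap-around shows on any host; the function names and `MAX_CRED_LEN` are hypothetical, and the input lengths are constructed.

```c
/* Added example: the SUM/SIZE arithmetic from the advisory, modelled with
   uint32_t so the 32 bit size_t behaviour is reproducible on any host. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical application limit for recommendation C (not a libcurl value). */
#define MAX_CRED_LEN 4096u

/* SIZE = (userlen + passlen) * 2 with no overflow check: wraps modulo 2^32. */
uint32_t ntlm_size_unchecked(uint32_t userlen, uint32_t passlen)
{
  uint32_t sum = userlen + passlen;
  return (uint32_t)(sum * 2u);
}

/* Same calculation, refusing any input whose SUM or SIZE does not fit.
   Returns 1 and stores SIZE in *size on success, 0 on overflow. */
int ntlm_size_checked(uint32_t userlen, uint32_t passlen, uint32_t *size)
{
  if(userlen > UINT32_MAX - passlen)
    return 0;                       /* SUM itself would wrap */
  if(userlen + passlen > UINT32_MAX / 2u)
    return 0;                       /* SUM * 2 would wrap */
  *size = (userlen + passlen) * 2u;
  return 1;
}

/* Recommendation C: cap both fields before they reach the library. */
int creds_within_limit(uint32_t userlen, uint32_t passlen)
{
  return userlen <= MAX_CRED_LEN && passlen <= MAX_CRED_LEN;
}

int main(void)
{
  uint32_t userlen = 0x80000000u;   /* constructed: 2^31 bytes */
  uint32_t passlen = 8;             /* constructed */
  uint32_t size = 0;

  /* The buffer would be SIZE bytes while the loop still runs SUM times. */
  printf("SUM            = %" PRIu32 "\n", (uint32_t)(userlen + passlen));
  printf("SIZE unchecked = %" PRIu32 "\n",
         ntlm_size_unchecked(userlen, passlen));
  printf("checked ok     = %d\n", ntlm_size_checked(userlen, passlen, &size));
  printf("within limit   = %d\n", creds_within_limit(userlen, passlen));
  return 0;
}
```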

[SECURITY ADVISORY] curl: SSL out of buffer access

2017-11-29 Thread Daniel Stenberg

SSL out of buffer access
========================

Project curl Security Advisory, November 29th 2017 -
[Permalink](https://curl.haxx.se/docs/adv_2017-af0a.html)

VULNERABILITY
-

libcurl contains an out boundary access flaw in SSL related code.

When allocating memory for a connection (the internal struct called
`connectdata`), a certain amount of memory is allocated at the end of the
struct to be used for SSL related structs. Those structs are used by the
particular SSL library libcurl is built to use. The application can also tell
libcurl which specific SSL library to use if it was built to support more than
one.

The math used to calculate the extra memory amount necessary for the SSL
library was wrong on 32 bit systems, which made the allocated memory too small
by 4 bytes. The last struct member of the last object within the memory area
could then be outside of what was allocated. Accessing that member could lead
to a crash or other undefined behaviors depending on what memory that is
present there and how the particular SSL library decides to act on that memory
content.

Specifically the vulnerability is present if libcurl was built so that
`sizeof(long long *) < sizeof(long long)` which as far as we are aware only
happens in 32-bit builds.

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in commit
[70f1db321a](https://github.com/curl/curl/commit/70f1db321a), July 2017.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-8818 to this issue.

AFFECTED VERSIONS
-

This is only an issue on systems with 32 bit pointers. (Technically, on
systems where `sizeof(long long *) < sizeof(long long)`.)

- Affected versions: libcurl 7.56.0 to and including 7.56.1
- Not affected versions: libcurl < 7.56.0 and >= 7.57.0

curl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In libcurl version 7.57.0, the allocation size is corrected.

A [patch for CVE-2017-8818](https://curl.haxx.se/CVE-2017-8818.patch) is
available.

RECOMMENDATIONS
---

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl to version 7.57.0

 B - Apply the patch to your version and rebuild

TIME LINE
-

It was reported to the curl project on November 18, 2017.  We contacted
distros@openwall on November 24.

curl 7.57.0 was released on November 29 2017, coordinated with the publication
of this advisory.

(The [original report](https://github.com/curl/curl/issues/2093) was made in 
public)

CREDITS
---

Reported by John Schoenick. Patch by Ray Satiro.

Thanks a lot!

--

 / daniel.haxx.se

[SECURITY ADVISORY] curl: FTP wildcard out of bounds read

2017-11-29 Thread Daniel Stenberg

FTP wildcard out of bounds read
===============================

Project curl Security Advisory, November 29th 2017 -
[Permalink](https://curl.haxx.se/docs/adv_2017-ae72.html)

VULNERABILITY
-

libcurl contains a read out of bounds flaw in the FTP wildcard function.

libcurl's FTP wildcard matching feature, which is enabled with the
`CURLOPT_WILDCARDMATCH` option can use a built-in wildcard function or a user
provided one. The built-in wildcard function has a flaw that makes it not
detect the end of the pattern string if it ends with an open bracket (`[`) but
instead it will continue reading the heap beyond the end of the URL buffer
that holds the wildcard.

For applications that use HTTP(S) URLs, allow libcurl to handle redirects and
have FTP wildcards enabled, this flaw can be triggered by malicious servers
that can redirect clients to a URL using such a wildcard pattern.

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in commit
[0825cd80a62c](https://github.com/curl/curl/commit/0825cd80a62c), May 2010.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-8817 to this issue.

AFFECTED VERSIONS
-

- Affected versions: libcurl 7.21.0 to and including 7.56.1
- Not affected versions: libcurl < 7.21.0 and >= 7.57.0

curl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In libcurl version 7.57.0, there's a better check for the end of the
string. Additionally, the wildcard feature is turned off if the URL passed to
libcurl is not using FTP(S), so a redirect to an FTP URL cannot trigger
wildcard functionality.

A [patch for CVE-2017-8817](https://curl.haxx.se/CVE-2017-8817.patch) is
available.

RECOMMENDATIONS
---

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl to version 7.57.0

 B - Apply the patch to your version and rebuild

 C - Do not use `CURLOPT_WILDCARDMATCH` without carefully verifying the
 patterns used.

TIME LINE
-

It was reported to the curl project on November 10, 2017.  We contacted
distros@openwall on November 21.

curl 7.57.10 was released on November 29 2017, coordinated with the
publication of this advisory.

CREDITS
---

Reported by OSS-Fuzz. Researched by Max Dymond. Patch by Daniel Stenberg.

Thanks a lot!

--

 / daniel.haxx.se
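
One way to carry out recommendation C from the advisory above, as an added example (not code from curl or from the advisory): a conservative pre-check that rejects a wildcard pattern whose bracket set is never closed before the end of the string. The function name is hypothetical, the bracket grammar assumed is the usual fnmatch one rather than anything taken from libcurl's source, and the sample patterns are constructed.

```c
/* Added example: reject wildcard patterns with an unterminated '[' set
   before they are handed to a transfer that has wildcard matching enabled. */
#include <stdio.h>

/* Returns 1 when every unescaped '[' opens a set that is closed by ']'
   before the terminating NUL and no backslash is left dangling; else 0. */
int wildcard_pattern_ok(const char *p)
{
  while(*p) {
    if(*p == '\\') {
      if(!p[1])
        return 0;                 /* escape with nothing after it */
      p += 2;
      continue;
    }
    if(*p == '[') {
      p++;
      if(*p == '!' || *p == '^')  /* negated set */
        p++;
      if(*p == ']')               /* a leading ']' is a literal member */
        p++;
      while(*p && *p != ']') {
        if(*p == '\\') {
          if(!p[1])
            return 0;
          p++;
        }
        p++;
      }
      if(!*p)
        return 0;                 /* reached the end with the set still open */
    }
    p++;
  }
  return 1;
}

int main(void)
{
  /* Constructed sample patterns. */
  const char *samples[] = { "file[0-9].txt", "photo_[!a-c]*.jpg", "file[" };
  size_t i;
  for(i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-20s %s\n", samples[i],
           wildcard_pattern_ok(samples[i]) ? "accepted" : "rejected");
  return 0;
}
```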

[RELEASE] curl 7.57.0

2017-11-29 Thread Daniel Stenberg

Hi friends!

I'm glad to once again present a brand new curl release. This time we 
introduce a few changes and three security advisories. The latter will be 
detailed in separate mails sent out in association with this.


As always, download the latest curl from https://curl.haxx.se/

Curl and libcurl 7.57.0

 Public curl releases: 171
 Command line options: 211
 curl_easy_setopt() options:   249
 Public functions in libcurl:  74
 Contributors: 1649

This release includes the following changes:

 o auth: add support for RFC7616 - HTTP Digest access authentication [12]
 o share: add support for sharing the connection cache [31]
 o HTTP: implement Brotli content encoding [28]

This release includes the following bugfixes:

 o CVE-2017-8816: NTLM buffer overflow via integer overflow [47]
 o CVE-2017-8817: FTP wildcard out of bounds read [48]
 o CVE-2017-8818: SSL out of buffer access [49]
 o curl_mime_filedata.3: fix typos [1]
 o libtest: Add required test libraries for lib1552 and lib1553 [2]
 o fix time diffs for systems using unsigned time_t [3]
 o ftplistparser: memory leak fix: free temporary memory always [4]
 o multi: allow table handle sizes to be overridden [5]
 o wildcards: don't use with non-supported protocols [6]
 o curl_fnmatch: return error on illegal wildcard pattern [7]
 o transfer: Fix chunked-encoding upload too early exit [8]
 o curl_setup: Improve detection of CURL_WINDOWS_APP [9]
 o resolvers: only include anything if needed [10]
 o setopt: fix CURLOPT_SSH_AUTH_TYPES option read
 o appveyor: add a win32 build
 o Curl_timeleft: change return type to timediff_t [11]
 o cmake: Export libcurl and curl targets to use by other cmake projects [13]
 o curl: in -F option arg, comma is a delimiter for files only [14]
 o curl: improved ";type=" handling in -F option arguments
 o timeval: use mach_absolute_time() on MacOS [15]
 o curlx: the timeval functions are no longer provided as curlx_* [16]
 o mkhelp.pl: do not generate comment with current date [17]
 o memdebug: use send/recv signature for curl_dosend/curl_dorecv [18]
 o cookie: avoid NULL dereference [19]
 o url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1 [20]
 o include: remove conncache.h inclusion from where it's not needed
 o CURLOPT_MAXREDIRS: allow -1 as a value [21]
 o tests: Fixed torture tests on tests 556 and 650
 o http2: Fixed OOM handling in upgrade request
 o url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
 o CURLOPT_INFILESIZE: accept -1 [22]
 o curl: pass through [] in URLs instead of calling globbing error [23]
 o curl: speed up handling of many URLs [24]
 o ntlm: avoid malloc(0) for zero length passwords [25]
 o url: remove faulty arg value check from CURLOPT_SSH_AUTH_TYPES [26]
 o HTTP: support multiple Content-Encodings [27]
 o travis: add a job with brotli enabled
 o url: remove unnecessary NULL-check
 o fnmatch: remove dead code
 o connect: store IPv6 connection status after valid connection [29]
 o imap: deal with commands case insensitively [30]
 o --interface: add support for Linux VRF [32]
 o content_encoding: fix inflate_stream for no bytes available [33]
 o cmake: Correctly include curl.rc in Windows builds [34]
 o cmake: Add missing setmode check [35]
 o connect.c: remove executable bit on file [36]
 o SMB: fix uninitialized local variable
 o zlib/brotli: only include header files in modules needing them [37]
 o URL: return error on malformed URLs with junk after IPv6 bracket [38]
 o openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY [39]
 o macOS: Fix missing connectx function with Xcode version older than 9.0 [40]
 o --resolve: allow IP address within [] brackets [41]
 o examples/curlx: Fix code style [42]
 o ntlm: remove unnecessary NULL-check to please scan-build [43]
 o Curl_llist_remove: fix potential NULL pointer deref [43]
 o mime: fix "Value stored to 'sz' is never read" scan-build error [43]
 o openssl: fix "Value stored to 'rc' is never read" scan-build error [43]
 o http2: fix "Value stored to 'hdbuf' is never read" scan-build error [43]
 o http2: fix "Value stored to 'end' is never read" scan-build error [43]
 o Curl_open: fix OOM return error correctly [43]
 o url: reject ASCII control characters and space in host names [44]
 o examples/rtsp: clear RANGE again after use [45]
 o connect: improve the bind error message [46]
 o make: fix "make distclean" [50]
 o connect: add support for new TCP Fast Open API on Linux [51]
 o metalink: fix memory-leak and NULL pointer dereference [52]
 o URL: update "file:" URL handling [53]
 o ssh: remove check for a NULL pointer [54]
 o global_init: ignore CURL_GLOBAL_SSL's absence [55]

This release includes the following known bugs:

 o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

  Alessandro Ghedini, Alex Malinovich, Alex Nichols, Alfonso Martone,
  Andrew Lambert, arainchik on 

libcurl not verifying proxy url against IP address present in subject alternate name

2017-11-29 Thread Hemant Kumar via curl-library
Hi All,

I am using pycurl (python wrapper of libcurl) to connect to a remote
server(HTTPS) via a proxy(HTTPS).
While establishing SSL connection with the proxy, the certificate shared by
proxy has both CN and SAN entries as below -

Subject: C=IN, ST=KA, L=BGL, O=, OU=x, *CN=host.cust1.com
*/emailAddress=em...@domain.com

X509v3 Subject Alternative Name:
DNS:host.cust1.com, *DNS:172.73.74.75*,
DNS:securepr.cust1.com 


In my code when I use proxy's FQDN(host.cust1.com) as the proxy URL to
access then the ssl verification works fine but when I try using the
IP Address I get below error -

"SSL: no alternative certificate subject name matches target host name
'172.73.74.75'"


Should not libcurl verify the proxy URL against all the subject alternate
names present in the received certificate or am I missing something here?

Software versions used -  PycURL/7.43.0 libcurl/7.56.1


Regards,

Hemant