Package: libcurl4 Version: 7.64.0-4+deb10u2 Severity: normal Tags: patch CVE-2021-22946 has not been fixed for buster. https://security-tracker.debian.org/tracker/CVE-2021-22946
So, I ported upstream patch to 7.64.0-4+deb10u2. https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca For testing, I applied the attached patch in two ways: * Apply all hunks of the patch * Apply hunks except for ftp.c, imap.,c pop3.c Then, I built the source and ran test984-986 for these case. ``` $ env PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig ./configure --with-ssl --prefix=`pwd`/install $ make $ make test ``` I confirmed that test 984-986 has passed only for former case. *** ftp-imap-pop3-do-not-ignore-ssl-reqd.patch
Index: curl-7.64.0/lib/ftp.c
===================================================================
--- curl-7.64.0.orig/lib/ftp.c
+++ curl-7.64.0/lib/ftp.c
@@ -2622,9 +2622,12 @@ static CURLcode ftp_statemach_act(struct
 /* we have now received a full FTP server response */
 switch(ftpc->state) {
 case FTP_WAIT220:
- if(ftpcode == 230)
- /* 230 User logged in - already! */
- return ftp_state_user_resp(conn, ftpcode, ftpc->state);
+ if(ftpcode == 230) {
+ /* 230 User logged in - already! Take as 220 if TLS required. */
+ if(data->set.use_ssl <= CURLUSESSL_TRY ||
+ conn->ssl[FIRSTSOCKET].use)
+ return ftp_state_user_resp(conn, ftpcode, ftpc->state);
+ }
 else if(ftpcode != 220) {
 failf(data, "Got a %03d ftp-server response when 220 was expected",
 ftpcode);
Index: curl-7.64.0/lib/imap.c
===================================================================
--- curl-7.64.0.orig/lib/imap.c
+++ curl-7.64.0/lib/imap.c
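Review bot: The fall-through path of the new `if(ftpcode == 230) { ... }` block is the whole point of the change but is never stated where it happens: when TLS is required (`use_ssl` above `CURLUSESSL_TRY`) and `conn->ssl[FIRSTSOCKET].use` is false, nothing returns, the `else if(ftpcode != 220)` branch is skipped, and the 230 is presumably handled by the 220 code further down so that AUTH TLS/SSL is still negotiated instead of accepting a pre-authenticated cleartext session. I would close the block with `} /* else: treat the 230 as a 220 so the AUTH TLS negotiation below still runs */`. It is also worth noting in that comment that at `CURLUSESSL_TRY` a 230 greeting is still accepted as a logged-in cleartext session, which is the opportunistic meaning of that level. ftp_statemach_act continues outside the hunk, so the 220 handling itself is not visible here.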
@@ -922,22 +922,18 @@ static CURLcode imap_state_capability_re
 line += wordlen;
 }
 }
- else if(imapcode == IMAP_RESP_OK) {
- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
- if(imapc->tls_supported)
- /* Switch to TLS connection now */
- result = imap_perform_starttls(conn);
- else if(data->set.use_ssl == CURLUSESSL_TRY)
- /* Fallback and carry on with authentication */
- result = imap_perform_authentication(conn);
- else {
- failf(data, "STARTTLS not supported.");
- result = CURLE_USE_SSL_FAILED;
- }
+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+ /* PREAUTH is not compatible with STARTTLS. */
+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
+ /* Switch to TLS connection now */
+ result = imap_perform_starttls(conn);
 }
- else
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
 result = imap_perform_authentication(conn);
+ else {
+ failf(data, "STARTTLS not available.");
+ result = CURLE_USE_SSL_FAILED;
+ }
 }
 else
 result = imap_perform_authentication(conn);
Index: curl-7.64.0/lib/pop3.c
===================================================================
--- curl-7.64.0.orig/lib/pop3.c
+++ curl-7.64.0/lib/pop3.c
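Review bot: The single `failf(data, "STARTTLS not available.");` in the new final `else` now covers three distinct refusals — the CAPABILITY command itself failed (`imapcode != IMAP_RESP_OK`), STARTTLS is not advertised (`!imapc->tls_supported`), and the server greeted with PREAUTH — which makes an `--ssl-reqd` failure harder to diagnose from the transfer log. A comment on that branch, `/* failed CAPABILITY, no STARTTLS capability, or PREAUTH: all fatal when TLS is required */`, or a PREAUTH-specific message there, would make the outcome self-explaining. The `!imapc->preauth` guard is the right call: a PREAUTH greeting means the session is already authenticated, so a STARTTLS upgrade is not possible and the only safe outcome under a required-TLS setting is to fail. imap_state_capability_resp continues outside the hunk.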
@@ -726,28 +726,23 @@ static CURLcode pop3_state_capa_resp(str
 }
 }
 }
- else if(pop3code == '+') {
- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
- if(pop3c->tls_supported)
- /* Switch to TLS connection now */
- result = pop3_perform_starttls(conn);
- else if(data->set.use_ssl == CURLUSESSL_TRY)
- /* Fallback and carry on with authentication */
- result = pop3_perform_authentication(conn);
- else {
- failf(data, "STLS not supported.");
- result = CURLE_USE_SSL_FAILED;
- }
- }
- else
- result = pop3_perform_authentication(conn);
- }
 else {
 /* Clear text is supported when CAPA isn't recognised */
- pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
+ if(pop3code != '+')
+ pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
 
- result = pop3_perform_authentication(conn);
+ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
+ result = pop3_perform_authentication(conn);
+ else if(pop3code == '+' && pop3c->tls_supported)
+ /* Switch to TLS connection now */
+ result = pop3_perform_starttls(conn);
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
+ /* Fallback and carry on with authentication */
+ result = pop3_perform_authentication(conn);
+ else {
+ failf(data, "STLS not supported.");
+ result = CURLE_USE_SSL_FAILED;
+ }
 }
 
 return result;
Index: curl-7.64.0/tests/data/Makefile.inc
===================================================================
--- curl-7.64.0.orig/tests/data/Makefile.inc
+++ curl-7.64.0/tests/data/Makefile.inc
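Review bot: The error string in the new final `else` is still `"STLS not supported."`, but that branch is now also reached when CAPA itself failed (`pop3code != '+'`), so "not supported" no longer describes every case, and the equivalent branch in the imap.c hunk of this same patch says "not available". For consistency across the two protocols and to cover the failed-CAPA path, change it to `failf(data, "STLS not available.");`. The ordering of the new chain also carries meaning that deserves a comment: the first test `if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)` routes every case where TLS is not wanted, or is already established, straight to authentication before the CAPA result is consulted, e.g. `/* no TLS wanted, or already on TLS: the CAPA outcome does not gate authentication */`. pop3_state_capa_resp continues outside the hunk.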
@@ -108,6 +108,8 @@ test927 test928 test929 test930 test931
 test936 test937 test938 test939 test940 test941 test942 test943 test944 \
 test945 test946 test947 test948 test949 test950 test951 test952 \
 \
+test984 test985 test986 \
+\
 test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
 test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
 test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
Index: curl-7.64.0/tests/data/test984
===================================================================
--- /dev/null
+++ curl-7.64.0/tests/data/test984
@@ -0,0 +1,56 @@
+<testcase>
+<info>
+<keywords>
+IMAP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY CAPABILITY A001 BAD Not implemented
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+imap
+</server>
+ <name>
+IMAP require STARTTLS with failing capabilities
+ </name>
+ <command>
+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
+</command>
+<file name="log/upload%TESTNUMBER">
+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
+From: Fred Foobar <foo...@example.com>
+Subject: afternoon meeting
+To: j...@example.com
+Message-Id: <b27397-0100...@example.com>
+MIME-Version: 1.0
+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
+
+Hello Joe, do you think we can meet at 3:30 tomorrow?
+</file>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+A001 CAPABILITY
+</protocol>
+</verify>
+</testcase>
Index: curl-7.64.0/tests/data/test985
===================================================================
--- /dev/null
+++ curl-7.64.0/tests/data/test985
@@ -0,0 +1,54 @@
+<testcase>
+<info>
+<keywords>
+POP3
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY CAPA -ERR Not implemented
+</servercmd>
+<data nocheck="yes">
+From: me@somewhere
+To: fake@nowhere
+
+body
+
+--
+ yours sincerely
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+pop3
+</server>
+ <name>
+POP3 require STARTTLS with failing capabilities
+ </name>
+ <command>
+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
+ </command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+CAPA
+</protocol>
+</verify>
+</testcase>
Index: curl-7.64.0/tests/data/test986
===================================================================
--- /dev/null
+++ curl-7.64.0/tests/data/test986
@@ -0,0 +1,53 @@
+<testcase>
+<info>
+<keywords>
+FTP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY welcome 230 Welcome
+REPLY AUTH 500 unknown command
+</servercmd>
+</reply>
+
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+ftp
+</server>
+ <name>
+FTP require STARTTLS while preauthenticated
+ </name>
+<file name="log/test%TESTNUMBER.txt">
+data
+ to
+ see
+that FTPS
+works
+ so does it?
+</file>
+ <command>
+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+AUTH SSL
+AUTH TLS
+</protocol>
+</verify>
+</testcase>
-- System Information: Debian Release: 10.12 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-21-amd64 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages libcurl4 depends on: ii libc6 2.28-10+deb10u1 ii libcom-err2 1.44.5-1+deb10u3 ii libgssapi-krb5-2 1.17-3+deb10u3 ii libidn2-0 2.0.5-1+deb10u1 ii libk5crypto3 1.17-3+deb10u3 ii libkrb5-3 1.17-3+deb10u3 ii libldap-2.4-2 2.4.47+dfsg-3+deb10u7 ii libnghttp2-14 1.36.0-2+deb10u1 ii libpsl5 0.20.2-2 ii librtmp1 2.4+20151223.gitfa8646d.1-2 ii libssh2-1 1.8.0-2.1 ii libssl1.1 1.1.1n-0+deb10u3 ii zlib1g 1:1.2.11.dfsg-1+deb10u1 Versions of packages libcurl4 recommends: ii ca-certificates 20200601~deb10u2 libcurl4 suggests no packages. -- no debconf information