Re: [OE-core] [poky][zeus][PATCH] curl: Security fixes for CVE-2020-{8169/8177}
Hi,
Could you please review below patch for curl to be upstreamed
Thanks & Regards,
Sana Kazi
KPIT Technologies Limited
From: Sana Kazi
Sent: Thursday, January 7, 2021 5:26 PM
To: Openembedded-core@lists.openembedded.org
; raj.k...@gmail.com
Cc: Nisha Parrakat ; Aditya Tayade
; Harpritkaur Bhandari ;
Sana Kazi
Subject: [poky][zeus][PATCH] curl: Security fixes for CVE-2020-{8169/8177}
From: Armin Kuster
Source: https://curl.haxx.se/
MR: 104472, 104458
Type: Security Fix
Disposition: Backport from
https://github.com/curl/curl/commit/{600a8cded447cd/8236aba58542c5f}
ChangeID: 1300924f7a64b22375b4326daeef0b686481e30c
Description:
- Affected versions: curl 7.20.0 to and including 7.70.0
- Not affected versions: curl < 7.20.0 and curl >= 7.71.0
Fixes both CVE-2020-8169 and CVE-2020-8177
(From OE-Core rev: f42702baee57ab3d1b7ab7833e72c7d56ad4ee94)
Signed-off-by: Armin Kuster
Signed-off-by: Steve Sakoman
Signed-off-by: Richard Purdie
Signed-off-by: Sana Kazi
---
.../curl/curl/CVE-2020-8169.patch | 141 ++
.../curl/curl/CVE-2020-8177.patch | 67 +
meta/recipes-support/curl/curl_7.66.0.bb | 2 +
3 files changed, 210 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2020-8169.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2020-8177.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2020-8169.patch
b/meta/recipes-support/curl/curl/CVE-2020-8169.patch
new file mode 100644
index 00..774567c017
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8169.patch
@@ -0,0 +1,141 @@
+From 600a8cded447cd7118ed50142c576567c0cf5158 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 14 May 2020 14:37:12 +0200
+Subject: [PATCH] url: make the updated credentials URL-encoded in the URL
+
+Found-by: Gregory Jefferis
+Reported-by: Jeroen Ooms
+Added test 1168 to verify. Bug spotted when doing a redirect.
+Bug: https://github.com/jeroen/curl/issues/224
+Closes #5400
+
+Upstream-Status: Backport
+https://github.com/curl/curl/commit/600a8cded447cd
+
+CVE: CVE-2020-8169
+Signed-off-by: Armin Kuster
+
+---
+ lib/url.c | 6 ++--
+ tests/data/Makefile.inc | 1 +
+ tests/data/test1168 | 78 +
+ 3 files changed, 83 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1168
+
+Index: curl-7.69.1/lib/url.c
+===
+--- curl-7.69.1.orig/lib/url.c
curl-7.69.1/lib/url.c
+@@ -2776,12 +2776,14 @@ static CURLcode override_login(struct Cu
+
+ /* for updated strings, we update them in the URL */
+ if(user_changed) {
+-uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0);
++uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp,
++ CURLU_URLENCODE);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
+ }
+ if(passwd_changed) {
+-uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0);
++uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp,
++ CURLU_URLENCODE);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
+ }
+Index: curl-7.69.1/tests/data/Makefile.inc
+===
+--- curl-7.69.1.orig/tests/data/Makefile.inc
curl-7.69.1/tests/data/Makefile.inc
+@@ -129,7 +129,7 @@
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
+ test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \
+-test1160 test1161 test1162 test1163 test1164 test1165 \
++test1160 test1161 test1162 test1163 test1164 test1165 test1168 \
+ test1170 test1171 test1172 test1173 test1174 \
+ \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+Index: curl-7.69.1/tests/data/test1168
+===
+--- /dev/null
curl-7.69.1/tests/data/test1168
+@@ -0,0 +1,78 @@
++
++
++
++HTTP
++HTTP GET
++followlocation
++
++
++# Server-side
++
++
++HTTP/1.1 301 This is a weirdo text message swsclose
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Location: /data/11680002.txt
++Connection: close
++
++This server reply is for testing a simple Location: following
++
++
++
++HTTP/1.1 200 Followed here fine swsclose
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 52
++
++If this is received, the location following worked
++
++
++
++HTTP/1.1 301 This is a weirdo text message swsclose
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Location: /data/11680002.txt
++Connection: close
++
++HTTP/1.1 200 Followed here fine swsclose
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 52
++
++If this is received, the location following worked
++
++
++
++
[OE-core] [poky][zeus][PATCH] curl: Security fixes for CVE-2020-{8169/8177}
From: Armin Kuster
Source: https://curl.haxx.se/
MR: 104472, 104458
Type: Security Fix
Disposition: Backport from
https://github.com/curl/curl/commit/{600a8cded447cd/8236aba58542c5f}
ChangeID: 1300924f7a64b22375b4326daeef0b686481e30c
Description:
- Affected versions: curl 7.20.0 to and including 7.70.0
- Not affected versions: curl < 7.20.0 and curl >= 7.71.0
Fixes both CVE-2020-8169 and CVE-2020-8177
(From OE-Core rev: f42702baee57ab3d1b7ab7833e72c7d56ad4ee94)
Signed-off-by: Armin Kuster
Signed-off-by: Steve Sakoman
Signed-off-by: Richard Purdie
Signed-off-by: Sana Kazi
---
.../curl/curl/CVE-2020-8169.patch | 141 ++
.../curl/curl/CVE-2020-8177.patch | 67 +
meta/recipes-support/curl/curl_7.66.0.bb | 2 +
3 files changed, 210 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2020-8169.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2020-8177.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2020-8169.patch
b/meta/recipes-support/curl/curl/CVE-2020-8169.patch
new file mode 100644
index 00..774567c017
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8169.patch
@@ -0,0 +1,141 @@
+From 600a8cded447cd7118ed50142c576567c0cf5158 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 14 May 2020 14:37:12 +0200
+Subject: [PATCH] url: make the updated credentials URL-encoded in the URL
+
+Found-by: Gregory Jefferis
+Reported-by: Jeroen Ooms
+Added test 1168 to verify. Bug spotted when doing a redirect.
+Bug: https://github.com/jeroen/curl/issues/224
+Closes #5400
+
+Upstream-Status: Backport
+https://github.com/curl/curl/commit/600a8cded447cd
+
+CVE: CVE-2020-8169
+Signed-off-by: Armin Kuster
+
+---
+ lib/url.c | 6 ++--
+ tests/data/Makefile.inc | 1 +
+ tests/data/test1168 | 78 +
+ 3 files changed, 83 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1168
+
+Index: curl-7.69.1/lib/url.c
+===
+--- curl-7.69.1.orig/lib/url.c
curl-7.69.1/lib/url.c
+@@ -2776,12 +2776,14 @@ static CURLcode override_login(struct Cu
+
+ /* for updated strings, we update them in the URL */
+ if(user_changed) {
+-uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0);
++uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp,
++ CURLU_URLENCODE);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
+ }
+ if(passwd_changed) {
+-uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0);
++uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp,
++ CURLU_URLENCODE);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
+ }
+Index: curl-7.69.1/tests/data/Makefile.inc
+===
+--- curl-7.69.1.orig/tests/data/Makefile.inc
curl-7.69.1/tests/data/Makefile.inc
+@@ -129,7 +129,7 @@
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
+ test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \
+-test1160 test1161 test1162 test1163 test1164 test1165 \
++test1160 test1161 test1162 test1163 test1164 test1165 test1168 \
+ test1170 test1171 test1172 test1173 test1174 \
+ \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+Index: curl-7.69.1/tests/data/test1168
+===
+--- /dev/null
curl-7.69.1/tests/data/test1168
+@@ -0,0 +1,78 @@
++
++
++
++HTTP
++HTTP GET
++followlocation
++
++
++# Server-side
++
++
++HTTP/1.1 301 This is a weirdo text message swsclose
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Location: /data/11680002.txt
++Connection: close
++
++This server reply is for testing a simple Location: following
++
++
++
++HTTP/1.1 200 Followed here fine swsclose
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 52
++
++If this is received, the location following worked
++
++
++
++HTTP/1.1 301 This is a weirdo text message swsclose
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Location: /data/11680002.txt
++Connection: close
++
++HTTP/1.1 200 Followed here fine swsclose
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 52
++
++If this is received, the location following worked
++
++
++
++
++# Client-side
++
++
++http
++
++
++HTTP redirect with credentials using # in user and password
++
++
++http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY"
++
++
++
++# Verify data after the test has been "shot"
++
++
++^User-Agent:.*
++
++
++GET /want/1168 HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
++Accept: */*
++
++GET /data/11680002.txt HTTP/1.1
++Host:
