fix CVE-2024-9681

(cherry picked from commit 11d16568b92f5e4bdacfa119917a3551958d2502)
2024-11-11 10:38:30 +00:00 · 2024-11-11 10:38:30 +00:00 · 3596054e95
commit 3596054e95
parent b1ffd44a2d
2 changed files with 109 additions and 1 deletions
--- a/backport-CVE-2024-9681.patch
+++ b/backport-CVE-2024-9681.patch
@ -0,0 +1,101 @@
+From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 9 Oct 2024 10:04:35 +0200
+Subject: [PATCH] hsts: improve subdomain handling
+
+- on load, only replace existing HSTS entries if there is a full host
+  match
+
+- on matching, prefer a full host match and secondary the longest tail
+  subdomain match
+
+Closes #15210
+Conflict:Adaptation of community patches with reference to other vendors' modification
+         1.Context adaptation 
+         2.strncasecompare(&hostname[offs], sts->host, ntail)=>Curl_strncasecompare(&hostname[offs], sts->host, ntail)
+         3.Added if((hlen == ntail) && Curl_strncasecompare(hostname, sts->host, hlen)) modification.
+Reference:https://github.com/curl/curl/commit/a94973805df96269bf3f3bf0a20ccb9887313316
+---
+ lib/hsts.c          | 26 ++++++++++++++++----------
+ tests/data/test1660 |  2 +-
+ 2 files changed, 17 insertions(+), 11 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index 6035995..32151bd 100644
+--- a/lib/hsts.c
+++ b/lib/hsts.c
+@@ -238,13 +238,16 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+                            bool subdomain)
+ {
+  struct stsentry *bestsub = NULL;	
+   if(h) {
+     time_t now = time(NULL);
+     size_t hlen = strlen(hostname);
+     struct Curl_llist_element *e;
+     struct Curl_llist_element *n;
+    size_t blen = 0;
+     for(e = h->list.head; e; e = n) {
+       struct stsentry *sts = e->ptr;
+      size_t ntail;
+       n = e->next;
+       if(sts->expires <= now) {
+         /* remove expired entries */
+@@ -252,20 +255,23 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+         hsts_free(sts);
+         continue;
+       }
+-      if(subdomain && sts->includeSubDomains) {
+-        size_t ntail = strlen(sts->host);
+-        if(ntail < hlen) {
+-          size_t offs = hlen - ntail;
+-          if((hostname[offs-1] == '.') &&
+-             Curl_strncasecompare(&hostname[offs], sts->host, ntail))
+-            return sts;
+      ntail = strlen(sts->host);
+      if((subdomain && sts->includeSubDomains) && (ntail < hlen)) {
+        size_t offs = hlen - ntail;
+        if((hostname[offs-1] == '.') &&
+           Curl_strncasecompare(&hostname[offs], sts->host, ntail) &&
+           (ntail > blen)) {
+          /* save the tail match with the longest tail */
+          bestsub = sts;
+          blen = ntail;
+         }
+       }
+-      if(Curl_strcasecompare(hostname, sts->host))
+      /* avoid strcasecompare because the host name is not null terminated */
+      if((hlen == ntail) && Curl_strncasecompare(hostname, sts->host, hlen))
+         return sts;
+     }
+   }
+-  return NULL; /* no match */
+  return bestsub;
+ }
+ 
+ /*
+@@ -417,7 +423,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+     e = Curl_hsts(h, p, subdomain);
+     if(!e)
+       result = hsts_create(h, p, subdomain, expires);
+-    else {
+    else if(Curl_strcasecompare(p, e->host)) {	    
+       /* the same host name, use the largest expire time */
+       if(expires > e->expires)
+         e->expires = expires;
+diff --git a/tests/data/test1660 b/tests/data/test1660
+index cbbcf75..662026b 100644
+--- a/tests/data/test1660
+++ b/tests/data/test1660
+@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
+ Input 12: error 43
+ Input 13: error 43
+ Input 14: error 43
+-3.example.com [example.com]: 1569905261 includeSubDomains
+3.example.com [3.example.com]: 1569905261 includeSubDomains
+ 3.example.com [example.com]: 1569905261 includeSubDomains
+ foo.example.com [example.com]: 1569905261 includeSubDomains
+ 'foo.xample.com' is not HSTS
+-- 
+2.33.0
+
--- a/curl.spec
+++ b/curl.spec
@ -6,7 +6,7 @@

 Name:           curl
 Version:        7.79.1
-Release:        32
+Release:        33
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@ -107,6 +107,7 @@ Patch93:        backport-CVE-2024-7264-x509asn1-clean-up-GTime2str.patch
 Patch94:        backport-CVE-2024-7264-x509asn1-unittests-and-fixes-fo.patch
 Patch95:        backport-CVE-2024-8096-gtls-fix-OCSP-stapling-management.patch
 Patch96:        backport-url-allow-DoH-transfers-to-override-max-connection-limit.patch
+Patch97:        backport-CVE-2024-9681.patch 

 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@ -275,6 +276,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*

 %changelog
+* Mon Nov 11 2024 yanglu <yanglu72@h-partners.com> - 7.79.1-33
+- Type:CVE
+- CVE:CVE-2024-9681
+- SUG:NA
+- DESC:fix CVE-2024-9681
+
 * Fri Sep 20 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-32
 - Type:bugfix
 - CVE:NA