packages/curl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!337 [sync] PR-335: fix CVE-2024-9681

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
This commit is contained in:
openeuler-ci-bot 2024-11-14 06:24:50 +00:00 committed by Gitee
commit 98881b5acc
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 109 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
backport-CVE-2024-9681.patch Normal file
View File

@ -0,0 +1,101 @@
From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 9 Oct 2024 10:04:35 +0200
Subject: [PATCH] hsts: improve subdomain handling
- on load, only replace existing HSTS entries if there is a full host
match
- on matching, prefer a full host match and secondary the longest tail
subdomain match
Closes #15210
Conflict:Adaptation of community patches with reference to other vendors' modification
1.Context adaptation
2.strncasecompare(&hostname[offs], sts->host, ntail)=>Curl_strncasecompare(&hostname[offs], sts->host, ntail)
3.Added if((hlen == ntail) && Curl_strncasecompare(hostname, sts->host, hlen)) modification.
Reference:https://github.com/curl/curl/commit/a94973805df96269bf3f3bf0a20ccb9887313316
---
lib/hsts.c | 26 ++++++++++++++++----------
tests/data/test1660 | 2 +-
2 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/lib/hsts.c b/lib/hsts.c
index 6035995..32151bd 100644
--- a/lib/hsts.c
+++ b/lib/hsts.c
@@ -238,13 +238,16 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
bool subdomain)
{
+ struct stsentry *bestsub = NULL;
if(h) {
time_t now = time(NULL);
size_t hlen = strlen(hostname);
struct Curl_llist_element *e;
struct Curl_llist_element *n;
+ size_t blen = 0;
for(e = h->list.head; e; e = n) {
struct stsentry *sts = e->ptr;
+ size_t ntail;
n = e->next;
if(sts->expires <= now) {
/* remove expired entries */
@@ -252,20 +255,23 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
hsts_free(sts);
continue;
}
- if(subdomain && sts->includeSubDomains) {
- size_t ntail = strlen(sts->host);
- if(ntail < hlen) {
- size_t offs = hlen - ntail;
- if((hostname[offs-1] == '.') &&
- Curl_strncasecompare(&hostname[offs], sts->host, ntail))
- return sts;
+ ntail = strlen(sts->host);
+ if((subdomain && sts->includeSubDomains) && (ntail < hlen)) {
+ size_t offs = hlen - ntail;
+ if((hostname[offs-1] == '.') &&
+ Curl_strncasecompare(&hostname[offs], sts->host, ntail) &&
+ (ntail > blen)) {
+ /* save the tail match with the longest tail */
+ bestsub = sts;
+ blen = ntail;
}
}
- if(Curl_strcasecompare(hostname, sts->host))
+ /* avoid strcasecompare because the host name is not null terminated */
+ if((hlen == ntail) && Curl_strncasecompare(hostname, sts->host, hlen))
return sts;
}
}
- return NULL; /* no match */
+ return bestsub;
}
/*
@@ -417,7 +423,7 @@ static CURLcode hsts_add(struct hsts *h, char *line)
e = Curl_hsts(h, p, subdomain);
if(!e)
result = hsts_create(h, p, subdomain, expires);
- else {
+ else if(Curl_strcasecompare(p, e->host)) {
/* the same host name, use the largest expire time */
if(expires > e->expires)
e->expires = expires;
diff --git a/tests/data/test1660 b/tests/data/test1660
index cbbcf75..662026b 100644
--- a/tests/data/test1660
+++ b/tests/data/test1660
@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
Input 12: error 43
Input 13: error 43
Input 14: error 43
-3.example.com [example.com]: 1569905261 includeSubDomains
+3.example.com [3.example.com]: 1569905261 includeSubDomains
3.example.com [example.com]: 1569905261 includeSubDomains
foo.example.com [example.com]: 1569905261 includeSubDomains
'foo.xample.com' is not HSTS
--
2.33.0

9
curl.spec
View File

@ -6,7 +6,7 @@
Name: curl Name: curl
Version: 7.79.1 Version: 7.79.1
Release: 32 Release: 33
Summary: Curl is used in command lines or scripts to transfer data Summary: Curl is used in command lines or scripts to transfer data
License: MIT License: MIT
URL: https://curl.haxx.se/ URL: https://curl.haxx.se/
@ -107,6 +107,7 @@ Patch93: backport-CVE-2024-7264-x509asn1-clean-up-GTime2str.patch
Patch94: backport-CVE-2024-7264-x509asn1-unittests-and-fixes-fo.patch Patch94: backport-CVE-2024-7264-x509asn1-unittests-and-fixes-fo.patch
Patch95: backport-CVE-2024-8096-gtls-fix-OCSP-stapling-management.patch Patch95: backport-CVE-2024-8096-gtls-fix-OCSP-stapling-management.patch
Patch96: backport-url-allow-DoH-transfers-to-override-max-connection-limit.patch Patch96: backport-url-allow-DoH-transfers-to-override-max-connection-limit.patch
Patch97: backport-CVE-2024-9681.patch
BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
@ -275,6 +276,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Mon Nov 11 2024 yanglu <yanglu72@h-partners.com> - 7.79.1-33
- Type:CVE
- CVE:CVE-2024-9681
- SUG:NA
- DESC:fix CVE-2024-9681
* Fri Sep 20 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-32 * Fri Sep 20 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-32
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA