rpms / curl

Clone
Source Code
GIT

Blame SOURCES/0041-curl-7.61.1-CVE-2022-32206.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c8-beta
  2.   SOURCES
  3.   0041-curl-7.61.1-CVE-2022-32206.patch
Blob History Raw
0fa833 
From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001
0fa833 
From: Daniel Stenberg <daniel@haxx.se>
0fa833 
Date: Mon, 16 May 2022 16:28:13 +0200
0fa833 
Subject: [PATCH 1/2] content_encoding: return error on too many compression
0fa833 
 steps
0fa833
0fa833 
The max allowed steps is arbitrarily set to 5.
0fa833
0fa833 
Bug: https://curl.se/docs/CVE-2022-32206.html
0fa833 
CVE-2022-32206
0fa833 
Reported-by: Harry Sintonen
0fa833 
Closes #9049
0fa833
0fa833 
Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2
0fa833 
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
0fa833 
---
0fa833 
 lib/content_encoding.c | 9 +++++++++
0fa833 
 1 file changed, 9 insertions(+)
0fa833
0fa833 
diff --git a/lib/content_encoding.c b/lib/content_encoding.c
0fa833 
index c03637a..6f994b3 100644
0fa833 
--- a/lib/content_encoding.c
0fa833 
+++ b/lib/content_encoding.c
0fa833 
@@ -934,6 +934,9 @@ static const content_encoding *find_encoding(const char *name, size_t len)
0fa833 
   return NULL;
0fa833 
 }
0fa833
0fa833 
+/* allow no more than 5 "chained" compression steps */
0fa833 
+#define MAX_ENCODE_STACK 5
0fa833 
+
0fa833 
 /* Set-up the unencoding stack from the Content-Encoding header value.
0fa833 
  * See RFC 7231 section 3.1.2.2. */
0fa833 
 CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
0fa833 
@@ -941,6 +944,7 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
0fa833 
 {
0fa833 
   struct Curl_easy *data = conn->data;
0fa833 
   struct SingleRequest *k = &data->req;
0fa833 
+  int counter = 0;
0fa833
0fa833 
   do {
0fa833 
     const char *name;
0fa833 
@@ -975,6 +979,11 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
0fa833 
       if(!encoding)
0fa833 
         encoding = &error_encoding;  /* Defer error at stack use. */
0fa833
0fa833 
+      if(++counter >= MAX_ENCODE_STACK) {
0fa833 
+        failf(data, "Reject response due to %u content encodings",
0fa833 
+              counter);
0fa833 
+        return CURLE_BAD_CONTENT_ENCODING;
0fa833 
+      }
0fa833 
       /* Stack the unencoding stage. */
0fa833 
       writer = new_unencoding_writer(conn, encoding, k->writer_stack);
0fa833 
       if(!writer)
0fa833 
--
0fa833 
2.35.3
0fa833
0fa833
0fa833 
From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001
0fa833 
From: Daniel Stenberg <daniel@haxx.se>
0fa833 
Date: Mon, 16 May 2022 16:29:07 +0200
0fa833 
Subject: [PATCH 2/2] test387: verify rejection of compression chain attack
0fa833
0fa833 
Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a
0fa833 
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
0fa833 
---
0fa833 
 tests/data/Makefile.inc |  1 +
0fa833 
 tests/data/test387      | 53 +++++++++++++++++++++++++++++++++++++++++
0fa833 
 2 files changed, 54 insertions(+)
0fa833 
 create mode 100644 tests/data/test387
0fa833
0fa833 
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
0fa833 
index 98d5516..9b5f4fb 100644
0fa833 
--- a/tests/data/Makefile.inc
0fa833 
+++ b/tests/data/Makefile.inc
0fa833 
@@ -61,6 +61,7 @@ test325 test326 test330 \
0fa833 
 test340 \
0fa833 
 \
0fa833 
 test350 test351 test352 test353 test354 \
0fa833 
+test387 \
0fa833 
 test393 test394 test395 \
0fa833 
 \
0fa833 
 test400 test401 test402 test403 test404 test405 test406 test407 test408 \
0fa833 
diff --git a/tests/data/test387 b/tests/data/test387
0fa833 
new file mode 100644
0fa833 
index 0000000..015ec25
0fa833 
--- /dev/null
0fa833 
+++ b/tests/data/test387
0fa833 
@@ -0,0 +1,53 @@
0fa833 
+<testcase>
0fa833 
+<info>
0fa833 
+<keywords>
0fa833 
+HTTP
0fa833 
+gzip
0fa833 
+</keywords>
0fa833 
+</info>
0fa833 
+
0fa833 
+#
0fa833 
+# Server-side
0fa833 
+<reply>
0fa833 
+<data nocheck="yes">
0fa833 
+HTTP/1.1 200 OK
0fa833 
+Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip
0fa833 
+
0fa833 
+-foo-
0fa833 
+</data>
0fa833 
+</reply>
0fa833 
+
0fa833 
+#
0fa833 
+# Client-side
0fa833 
+<client>
0fa833 
+<server>
0fa833 
+http
0fa833 
+</server>
0fa833 
+ <name>
0fa833 
+Response with overly long compression chain
0fa833 
+ </name>
0fa833 
+ <command>
0fa833 
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
0fa833 
+</command>
0fa833 
+</client>
0fa833 
+
0fa833 
+#
0fa833 
+# Verify data after the test has been "shot"
0fa833 
+<verify>
0fa833 
+<protocol>
0fa833 
+GET /%TESTNUMBER HTTP/1.1
0fa833 
+Host: %HOSTIP:%HTTPPORT
0fa833 
+User-Agent: curl/7.61.1
0fa833 
+Accept: */*
0fa833 
+
0fa833 
+</protocol>
0fa833 
+
0fa833 
+# CURLE_BAD_CONTENT_ENCODING is 61
0fa833 
+<errorcode>
0fa833 
+61
0fa833 
+</errorcode>
0fa833 
+<stderr mode="text">
0fa833 
+curl: (61) Reject response due to 5 content encodings
0fa833 
+</stderr>
0fa833 
+</verify>
0fa833 
+</testcase>
0fa833 
--
0fa833 
2.35.3
0fa833

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation