Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
aports
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Model registry
Monitor
Service Desk
Analyze
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
alpine
aports
Commits
36e1df2d
Verified
Commit
36e1df2d
authored
2 years ago
by
alice
Browse files
Options
Downloads
Patches
Plain Diff
main/curl: patch CVE-2022-32252
parent
c6d78227
No related branches found
No related tags found
No related merge requests found
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
main/curl/APKBUILD
+5
-1
5 additions, 1 deletion
main/curl/APKBUILD
main/curl/CVE-2022-35252.patch
+66
-0
66 additions, 0 deletions
main/curl/CVE-2022-35252.patch
with
71 additions
and
1 deletion
main/curl/APKBUILD
+
5
−
1
View file @
36e1df2d
...
...
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname
=
curl
pkgver
=
7.79.1
pkgrel
=
2
pkgrel
=
3
pkgdesc
=
"URL retrival utility and library"
url
=
"https://curl.se/"
arch
=
"all"
...
...
@@ -28,10 +28,13 @@ source="https://curl.se/download/curl-$pkgver.tar.xz
CVE-2022-32206.patch
CVE-2022-32207.patch
CVE-2022-32208.patch
CVE-2022-35252.patch
"
options
=
"net"
# Required for running tests
# secfixes:
# 7.79.1-r3:
# - CVE-2022-32252
# 7.79.1-r2:
# - CVE-2022-27781
# - CVE-2022-27782
...
...
@@ -196,4 +199,5 @@ a8571c6b34eaa635fb333949cfde0a5c6ddb9f02ed3ece91501e43a3d1536969f47cfb8b3044c9ff
81e28def4632cb542b0268889e6fb7f9b0c2950564cdeab39e582a22ab2b1e5a9c3e11865afe5833b8e892c501ba1aed609b4abf3131ec8668f70fcea8375e7c CVE-2022-32206.patch
1eb22a9ec7dad02927a53b2c81b9288ed52a8f4f76db66958622de6bcbb8024eb034e83b70cd1e20ed265e9f5f1c453d1ee37b6bfe54c4aa18b6f4c6bccd5a5f CVE-2022-32207.patch
f8eedaaa7a994ff763ce96f7e7e74b36eb1ce49ee8809cfe25e1562276702f70f064ee2b858ef2f07157a502ba71fb4b39b395fc53c2f47e2547597cb11a6bfa CVE-2022-32208.patch
1a8b058a8738f2d3558aecfc45eec67218c0c38c560916400a6e9eec64c44ae9beae05e48c20441579027427f0ff9c943c5c2aff35de3e66083205e92bf1e0e7 CVE-2022-35252.patch
"
This diff is collapsed.
Click to expand it.
main/curl/CVE-2022-35252.patch
0 → 100644
+
66
−
0
View file @
36e1df2d
Patch-Source: https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb
From 8dfc93e573ca740544a2d79ebb0ed786592c65c3 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 29 Aug 2022 00:09:17 +0200
Subject: [PATCH] cookie: reject cookies with "control bytes"
Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-35252.html
CVE-2022-35252
Closes #9381
---
lib/cookie.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/lib/cookie.c b/lib/cookie.c
index 5a4d9e9725f62..ab790a1cdb0ce 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -441,6 +441,30 @@
static bool bad_domain(const char *domain)
return TRUE;
}
+/*
+ RFC 6265 section 4.1.1 says a server should accept this range:
+
+ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
+
+ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
+ fine. The prime reason for filtering out control bytes is that some HTTP
+ servers return 400 for requests that contain such.
+*/
+static int invalid_octets(const char *p)
+{
+ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
+ static const char badoctets[] = {
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
+ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
+ };
+ size_t vlen, len;
+ /* scan for all the octets that are *not* in cookie-octet */
+ len = strcspn(p, badoctets);
+ vlen = strlen(p);
+ return (len != vlen);
+}
+
/*
* Curl_cookie_add
*
@@ -595,6 +619,11 @@
Curl_cookie_add(struct Curl_easy *data,
badcookie = TRUE;
break;
}
+ if(invalid_octets(whatptr) || invalid_octets(name)) {
+ infof(data, "invalid octets in name/value, cookie dropped");
+ badcookie = TRUE;
+ break;
+ }
}
else if(!len) {
/*
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment