From 773b3cce8cf0ef9f65aa00ac6985aaba3f582b2c Mon Sep 17 00:00:00 2001
From: Leonardo Arena <rnalrd@alpinelinux.org>
Date: Fri, 12 Aug 2016 09:56:17 +0000
Subject: [PATCH] main/curl: security fixes (CVE-2016-5419, CVE-2016-5420, CVE-2016-5421)
Fixes #6005
---
 main/curl/APKBUILD | 29 +++++++++---
 main/curl/CVE-2016-5419.patch | 85 +++++++++++++++++++++++++++++++++++
 main/curl/CVE-2016-5420.patch | 30 +++++++++++++
 main/curl/CVE-2016-5421.patch | 35 +++++++++++++++
 4 files changed, 174 insertions(+), 5 deletions(-)
 create mode 100644 main/curl/CVE-2016-5419.patch
 create mode 100644 main/curl/CVE-2016-5420.patch
 create mode 100644 main/curl/CVE-2016-5421.patch
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 95c68b6f0a65..9435802dcb71 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=curl
 pkgver=7.49.1
-pkgrel=0
+pkgrel=1
 pkgdesc="An URL retrival utility and library"
 url="http://curl.haxx.se"
 arch="all"
@@ -10,11 +10,21 @@ license="MIT"
 depends="ca-certificates"
 depends_dev="zlib-dev openssl-dev libssh2-dev"
 makedepends="groff $depends_dev perl"
-source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2"
 subpackages="$pkgname-doc $pkgname-dev"
+source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2
+ CVE-2016-5419.patch
+ CVE-2016-5420.patch
+ CVE-2016-5421.patch
+ "
 _builddir="$srcdir/$pkgname-$pkgver"
+# security fixes:
+# 7.49.1-r1:
+# - CVE-2016-5419
+# - CVE-2016-5420
+# - CVE-2016-5421
+
 prepare() {
 local i
 cd "$_builddir"
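Review bot: The rewritten `source=` entry in main/curl/APKBUILD still fetches the release tarball over plain `http://`, so the only protection against a tampered download is the checksum list at the bottom of the file. The `Bug:` links inside the patches added by this same commit already use `https://curl.haxx.se`, so the first entry could read `source="https://curl.haxx.se/download/curl-$pkgver.tar.bz2`. With the sha512 pin in place this is defence in depth rather than a correctness fix.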
@@ -44,6 +54,15 @@ package() {
 make DESTDIR="$pkgdir" install || return 1
 }
-md5sums="6bb1f7af5b58b30e4e6414b8c1abccab curl-7.49.1.tar.bz2"
-sha256sums="eb63cec4bef692eab9db459033f409533e6d10e20942f4b060b32819e81885f1 curl-7.49.1.tar.bz2"
-sha512sums="665ef178c282c14f429498547b3711ef79faf85f6db7f4ec24259e2c6247f6ee234dda158ebc207d03f08b5198c5844480e054f24f054b2de6c6a15d4f1ce6e6 curl-7.49.1.tar.bz2"
+md5sums="6bb1f7af5b58b30e4e6414b8c1abccab curl-7.49.1.tar.bz2
+290f6b37d95c9731849fc805a2ece53b CVE-2016-5419.patch
+150e3c110d6eb85187e109d04317b9e3 CVE-2016-5420.patch
+0524664bc926374f6a7b057046924bd2 CVE-2016-5421.patch"
+sha256sums="eb63cec4bef692eab9db459033f409533e6d10e20942f4b060b32819e81885f1 curl-7.49.1.tar.bz2
+d3499aaf331fca2303749bdffbedf5677a555a37ada187c1a734926c7cb718e5 CVE-2016-5419.patch
+23e1fbd27860c6f46bec094c06b5618da2ab71b091945f587c0d7e8d143472f7 CVE-2016-5420.patch
+bca78667ac9110920c5ce31c8d82a784fe327eb184460c1b87fab4de004e6692 CVE-2016-5421.patch"
+sha512sums="665ef178c282c14f429498547b3711ef79faf85f6db7f4ec24259e2c6247f6ee234dda158ebc207d03f08b5198c5844480e054f24f054b2de6c6a15d4f1ce6e6 curl-7.49.1.tar.bz2
+a596e489b0b566d9dcc8292ccec4d90dfbeae7cb11e250871217ff90d1c9525d602f40e112eb0d47a0a597e5768c105423d1cb0cb2825c39a319ea9d582269d0 CVE-2016-5419.patch
+9578f13c5d8e5a5d184b5b08dd7d59de596644084f2de04c025ad8cd78e11dadcff45bf4fab02b8942d7ed19977dec4d220893f675d64ed13b27284d63dfa5f1 CVE-2016-5420.patch
+2b5e77dda11dbb77cbfe760da5377c94a1664b04f254c9fa642f49da119d93123ef6ee27e4c08d0ba9094240791ac09273c8be23fa8ca5982f8ed14d6b29ad7e CVE-2016-5421.patch"
diff --git a/main/curl/CVE-2016-5419.patch b/main/curl/CVE-2016-5419.patch
new file mode 100644
index 000000000000..4eb74dde138a
--- /dev/null
+++ b/main/curl/CVE-2016-5419.patch
@@ -0,0 +1,85 @@
+From 416ad90afc50d9cbcb50ba4ab28f88d260774f6d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 1 Jul 2016 13:32:31 +0200
+Subject: [PATCH] TLS: switch off SSL session id when client cert is used
+
+CVE-2016-5419
+Bug: https://curl.haxx.se/docs/adv_20160803A.html
+Reported-by: Bru Rom
+Contributions-by: Eric Rescorla and Ray Satiro
+---
+ lib/url.c | 1 +
+ lib/urldata.h | 1 +
+ lib/vtls/vtls.c | 10 ++++++++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index 258a286..e547e5c 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -6121,10 +6121,11 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+ data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
+ data->set.ssl.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+ data->set.ssl.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+ data->set.ssl.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
++ data->set.ssl.clientcert = data->set.str[STRING_CERT];
+ #ifdef USE_TLS_SRP
+ data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
+ data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+ #endif
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 611c5a7..3cf7ed9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -349,10 +349,11 @@ struct ssl_config_data {
+ bool verifystatus; /* set TRUE if certificate status must be checked */
+ char *CApath; /* certificate dir (doesn't work on windows) */
+ char *CAfile; /* certificate to verify peer against */
+ const char *CRLfile; /* CRL to check certificate revocation */
+ const char *issuercert;/* optional issuer certificate filename */
++ char *clientcert;
+ char *random_file; /* path to file containing "random" data */
+ char *egdsocket; /* path to file containing the EGD daemon socket */
+ char *cipher_list; /* list of ciphers to use */
+ size_t max_ssl_sessions; /* SSL session id cache size */
+ curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index d3e41cd..33e209d 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -154,20 +154,30 @@ Curl_clone_ssl_config(struct ssl_config_data *source,
+ return FALSE;
+ }
+ else
+ dest->random_file = NULL;
+
++ if(source->clientcert) {
++ dest->clientcert = strdup(source->clientcert);
++ if(!dest->clientcert)
++ return FALSE;
++ dest->sessionid = FALSE;
++ }
++ else
++ dest->clientcert = NULL;
++
+ return TRUE;
+ }
+
+ void Curl_free_ssl_config(struct ssl_config_data* sslc)
+ {
+ Curl_safefree(sslc->CAfile);
+ Curl_safefree(sslc->CApath);
+ Curl_safefree(sslc->cipher_list);
+ Curl_safefree(sslc->egdsocket);
+ Curl_safefree(sslc->random_file);
++ Curl_safefree(sslc->clientcert);
+ }
+
+
+ /*
+ * Curl_rand() returns a random unsigned integer, 32bit.
+--
+2.8.1
+
diff --git a/main/curl/CVE-2016-5420.patch b/main/curl/CVE-2016-5420.patch
new file mode 100644
index 000000000000..e91b9c708fe4
--- /dev/null
+++ b/main/curl/CVE-2016-5420.patch
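Review bot: In the lib/vtls/vtls.c part of CVE-2016-5419.patch, `dest->sessionid = FALSE;` is the line that carries the fix, yet it sits uncommented inside the `clientcert` copy branch of `Curl_clone_ssl_config()`, where it reads like an incidental side effect of cloning. A comment such as `/* client cert in use: do not reuse a cached SSL session id (CVE-2016-5419) */` would keep a later refactor from dropping it. The new `char *clientcert;` member in lib/urldata.h is also the only field in the visible part of `struct ssl_config_data` without a trailing comment; `/* client certificate, taken from STRING_CERT */` would match its neighbours. Because the switch is applied only in the clone helper, any path that fills an `ssl_config_data` without calling it would presumably keep session reuse on; that cannot be checked here, since `Curl_clone_ssl_config()` and `create_conn()` both start outside the hunk.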
@@ -0,0 +1,30 @@
+From f6474ff3bfb38c28b70b5ba01048edc41f654376 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 31 Jul 2016 00:51:48 +0200
+Subject: [PATCH] TLS: only reuse connections with the same client cert
+
+CVE-2016-5420
+Bug: https://curl.haxx.se/docs/adv_20160803B.html
+---
+ lib/vtls/vtls.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 33e209d..3863777 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -97,10 +97,11 @@ Curl_ssl_config_matches(struct ssl_config_data* data,
+ if((data->version == needle->version) &&
+ (data->verifypeer == needle->verifypeer) &&
+ (data->verifyhost == needle->verifyhost) &&
+ safe_strequal(data->CApath, needle->CApath) &&
+ safe_strequal(data->CAfile, needle->CAfile) &&
++ safe_strequal(data->clientcert, needle->clientcert) &&
+ safe_strequal(data->random_file, needle->random_file) &&
+ safe_strequal(data->egdsocket, needle->egdsocket) &&
+ safe_strequal(data->cipher_list, needle->cipher_list))
+ return TRUE;
+
+--
+2.8.1
+
diff --git a/main/curl/CVE-2016-5421.patch b/main/curl/CVE-2016-5421.patch
new file mode 100644
index 000000000000..4f59495f73c9
--- /dev/null
+++ b/main/curl/CVE-2016-5421.patch
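Review bot: The added `safe_strequal(data->clientcert, needle->clientcert)` term in `Curl_ssl_config_matches()` decides connection reuse from the certificate's path string alone. `safe_strequal()` is defined outside this hunk; if it compares case-insensitively, two paths that differ only in case and name different files on a case-sensitive filesystem would be treated as the same client identity. A byte-exact, NULL-tolerant comparison built on `strcmp()` would be the safer choice for path-valued fields. The visible condition also leaves out `CRLfile` and `issuercert`, which the struct excerpt in CVE-2016-5419.patch shows, and any private-key setting, so handles that differ only in those still match. The function begins before the hunk, so earlier checks cannot be ruled out.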
@@ -0,0 +1,35 @@
+From ccb7d79b62c8b15a6be446f9c9fd3767c01eb5b6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 31 Jul 2016 01:09:04 +0200
+Subject: [PATCH] curl_multi_cleanup: clear connection pointer for easy handles
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2016-5421
+Bug: https://curl.haxx.se/docs/adv_20160803C.html
+Reported-by: Marcelo Echeverria and Fernando Muñoz
+---
+ lib/multi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/multi.c b/lib/multi.c
+index 9ee3523..8bb9366 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -2155,10 +2155,12 @@ static void close_all_connections(struct Curl_multi *multi)
+ while(conn) {
+ SIGPIPE_VARIABLE(pipe_st);
+ conn->data = multi->closure_handle;
+
+ sigpipe_ignore(conn->data, &pipe_st);
++ conn->data->easy_conn = NULL; /* clear the easy handle's connection
++ pointer */
+ /* This will remove the connection from the cache */
+ (void)Curl_disconnect(conn, FALSE);
+ sigpipe_restore(&pipe_st);
+
+ conn = Curl_conncache_find_first_connection(&multi->conn_cache);
+--
+2.8.1
+
-- GitLab
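Review bot: The comment on the added line in `close_all_connections()` says it clears "the easy handle's connection pointer", but `conn->data` was assigned `multi->closure_handle` two lines earlier, so the pointer being reset belongs to the multi handle's closure handle. The comment also records what is done rather than why. Something like `/* conn is torn down by Curl_disconnect() below; do not leave closure_handle->easy_conn pointing at it */` would state the purpose, assuming that is the dangling reference the advisory describes. The store dereferences `conn->data` without a NULL check, which matches the `sigpipe_ignore(conn->data, &pipe_st)` call just above and so adds no new assumption. The function begins and ends outside the hunk.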