CVE-2021-22890 01.04.21 20:15

curl 7.63.0 to and including 7.75.0 includes a vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

CVE-2021-22876 01.04.21 20:15

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

A WIP patch will follow, please help finishing it (rebase curl-CVE-2021-22890.patch on 7.74.0).
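The Referer leak in CVE-2021-22876 comes down to copying the request URL, userinfo included, into the next request's Referer header. The following is an added illustration, not curl's code or the patch in this report: a function mirroring the leaky behaviour next to one that strips the userinfo (and fragment, as RFC 7231 requires), plus a small detector that flags Referer headers carrying credentials in constructed sample log lines. All function names and the log format are assumptions.

```python
"""Added example (not part of the bug report): Referer construction with
and without credential stripping, and a detector for leaked credentials."""
from urllib.parse import urlsplit, urlunsplit


def leaky_referer(url: str) -> str:
    """Mimic the pre-fix behaviour: copy the URL into Referer, keeping userinfo."""
    p = urlsplit(url)
    # Only the fragment is dropped; user:password@ survives in the netloc.
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def safe_referer(url: str) -> str:
    """Build a Referer value with userinfo and fragment removed (RFC 7231 5.5.2)."""
    p = urlsplit(url)
    # rpartition on the last '@' keeps the host text verbatim (brackets, port,
    # case) and also copes with passwords that themselves contain '@'.
    host = p.netloc.rpartition("@")[2]
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def referer_leaks_credentials(value: str) -> bool:
    """True if a Referer header value still carries a userinfo component."""
    return "@" in urlsplit(value).netloc


def find_leaking_referers(log_lines):
    """Scan 'Referer: <url>' header lines (constructed format) and return
    the line numbers whose Referer value contains credentials."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referer":
            if referer_leaks_credentials(value.strip()):
                hits.append(lineno)
    return hits


if __name__ == "__main__":
    # Constructed sample: a redirect from a URL that embeds credentials.
    origin = "https://deploy:hunter2@example.com/api/v1/items?page=2#top"
    print("leaky:", leaky_referer(origin))
    print("safe: ", safe_referer(origin))
    sample = ["Referer: " + leaky_referer(origin), "Referer: " + safe_referer(origin)]
    print("leaking lines:", find_leaking_referers(sample))
```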
Léo Le Bouter <email@example.com>, <firstname.lastname@example.org>
curl-CVE-2021-22876.patch was rebased onto 7.74.0, but curl-CVE-2021-22890.patch does not apply and please I need help rebasing it, it looks quite complex.

I pushed an upgrade of curl to 7.76.0, which has been much much easier, to core-updates already as https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=2e0b1b62e94b926041ca9af70537dd9b3ab64edf but unfortunately since curl requires so many rebuilds it seems we can't use such commit on master for now.

Léo Le Bouter (1):
  gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.

 gnu/local.mk                          |   2 +
 gnu/packages/curl.scm                 |   4 +-
 .../patches/curl-CVE-2021-22876.patch | 147 ++++++
 .../patches/curl-CVE-2021-22890.patch | 499 ++++++++++++++++++
 4 files changed, 651 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/curl-CVE-2021-22876.patch
 create mode 100644 gnu/packages/patches/curl-CVE-2021-22890.patch

-- 
2.31.1
Re: bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
Léo Le Bouter via Bug reports for GNU Guix <email@example.com>
On Fri, Apr 02, 2021 at 04:09:39PM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> curl-CVE-2021-22876.patch was rebased onto 7.74.0, but curl-CVE-2021-22890.patch
> does not apply and please I need help rebasing it, it looks quite complex.
>
> I pushed an upgrade of curl to 7.76.0 which has been much much easier to
> core-updates already as
> https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=2e0b1b62e94b926041ca9af70537dd9b3ab64edf
> but unfortunately since curl requires so many rebuilds it seems we can't use
> such commit on master for now.
Can we try grafting an "upgrade" to 7.76.0? In my experience, most curl upgrades are graftable.

Curl's developers are very careful with their ABI and even maintain their own page on the subject: https://curl.se/libcurl/abi.html
On Fri, 2021-04-02 at 14:22 -0400, Leo Famulari wrote:
> Can we try grafting an "upgrade" to 7.76.0? In my experience, most curl
> upgrades are graftable.
>
> Curl's developers are very careful with their ABI and even maintain
> their own page on the subject: <https://curl.se/libcurl/abi.html>
If you think that's OK, let's do it! I see indeed from that page there should be no problem. Will send a patch shortly.