curl is vulnerable to CVE-2021-22890 and CVE-2021-22876

DoneSubmitted by Léo Le Bouter.
Details
2 participants
  • Leo Famulari
  • Léo Le Bouter
Owner
unassigned
Severity
normal
L
L
Léo Le Bouter wrote on 2 Apr 2021 16:04
(address . bug-guix@gnu.org)
3f93f64c692d9e0604aa406a735d81084443b692.camel@zaclys.net
CVE-2021-22890 01.04.21 20:15
curl 7.63.0 to and including 7.75.0 includes vulnerability that allows
a malicious HTTPS proxy to MITM a connection due to bad handling of TLS
1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can
confuse session tickets arriving from the HTTPS proxy but work as if
they arrived from the remote server and then wrongly "short-cut" the
host handshake. When confusing the tickets, a HTTPS proxy can trick
libcurl to use the wrong session ticket resume for the host and thereby
circumvent the server TLS certificate check and make a MITM attack to
be possible to perform unnoticed. Note that such a malicious HTTPS
proxy needs to provide a certificate that curl will accept for the
MITMed server for an attack to work - unless curl has been told to
ignore the server certificate check.

CVE-2021-22876 01.04.21 20:15
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of
Private Personal Information to an Unauthorized Actor" by leaking
credentials in the HTTP Referer: header. libcurl does not strip off
user credentials from the URL when automatically populating the
Referer: HTTP request header field in outgoing HTTP requests, and
therefore risks leaking sensitive data to the server that is the target
of the second HTTP request.

A WIP patch will follow, please help finishing it (rebase curl-CVE-
2021-22890.patch on 7.74.0).
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBnJG8ACgkQRaix6GvN
EKav4w/+PCzpWxHBBYPmiJMIFWyKXCYkd9Bt+gEOmrqIDhugxWhOOnHMjLhQieHt
675f4YwieeObGpDBmFyzCzFqshquZle5/Um7ECmvo8wQlRJiEiwYzQFrnt2NLCTo
PLc0yQAUCkGv/X9XS2DROhwtibqJUmCXurQlxbnDiLQqcFruI1DedYHYVjRcUsOd
EBqzJT8WNmiklE1psVQDuc28Ui05eElhW9ZNLLZFVDyAnad1iWU+FoAfojTz/TDX
UavvHZ7ylvc800f1KJV97QSSBCLmqMER/3AktfKB3WiFDZT1BeL0fI1IlJLIcStk
eKW3nWqfs2RV6k/iwK3Cyzj+DUHfQtj3YV6vLAKiHWljhyGqQjsEyXcKor6K3oz0
G2dxru+tmyCDJ9Qxo1GmQpVbppmjgA+bTIK22D84f9/j1aicfRR81eSXG3fshUSV
7W7LK76kG/jW6UBx3RBW+GVRwnj/kfwGaP3MhpXzWqrFgkFYXzWgFt8qZi+sU5tC
JUODKSvFu30RlI7EOfiBI9KxA6Xv3dWrKV5S60xaLyRDd4EKUzz1MFLOk+NNKZSm
e3kQD7e60G0d68LqVKtUC3HHiY+cDdZFZbGrPeCRwcAntiNU2QLS667dQ62B7Yjl
atBEUgmU2pkfjJT+CnaM6q1PzWqB7NEsqlvoEnefYxfmS5/TcR4=
=5xPw
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 2 Apr 2021 16:05
(address . control@debbugs.gnu.org)
e31a401d6c6bb891a337b8b5116b7e088c9910b0.camel@zaclys.net
tags 47563 + security
quit
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBnJKMACgkQRaix6GvN
EKbZJw/+IGXuMV/sWrmsSYyrD7ChObvqxsL+4ppWLW0I9sG1W1UrxhoxipR3B30n
VTQS3xHCRURxQq8ikT3eql4JppA+2dYb0u4KUE1+At+6StMuTeER2rGMWGx/Uo0q
EqmXO9v+il4JHkd1/K6jr5wHocJLJVNgypk0VCQIOGV6EJ/RcRIstx7/GEUZTktl
mcjfscYjXlGYtEMhZMIJ2BXRUSvWoFUc8t71yiBG2eh/Epbt5ExrVRLWZQ/4nHxD
W3XHI2dT9Ot080YO6mVLo/QXEFlILTBCxQmk+WA9UmTRKM4Y+6zahXDyWjCpT2Sv
grXcZ6rzHYUwOCmF8lMP3UsTwYDAKZjDoe/zvHyJh16cmCHQYcCjwwO+Xpm96qDm
T+yRZMnquwhesWPgeVCHDDK/0MUzS8JSZTBX2sYEt1lHMPNcsdRcaBrCTlmrKHHv
ROHDjKUY50RzEzNIes3F+NSGKywIsbYkcHt/s3EQaTTTWXSGudP69xlyyuMa8qpn
XbqQ3X1VTXIjVe5jbfZVLLs3gXslUtYHznVvD8/E1urFxSeMZS496nqbpsJa6KjV
MXq1bSWf5m4O7SBSojRATGV/+U2p0vWnKzrRKR7s6xgBRz/xIm79XBKZugj0AG7j
C9vPxXd1x757TMgopBXym+n2szjZCZw+2w+wGwb67TlhOFt76Jc=
=dkTp
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 2 Apr 2021 16:09
(address . 47563@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210402140940.28300-1-lle-bout@zaclys.net
curl-CVE-2021-22876.patch was rebased onto 7.74.0, but curl-CVE-2021-22890.patch
does not apply and please I need help rebasing it, it looks quite complex.

I pushed an upgrade of curl to 7.76.0 which has been much much easier to
core-updates already as
but unfortunately since curl requires so many rebuilds it seems we can't use
such commit on master for now.

Léo Le Bouter (1):
gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.

gnu/local.mk | 2 +
gnu/packages/curl.scm | 4 +-
.../patches/curl-CVE-2021-22876.patch | 147 ++++++
.../patches/curl-CVE-2021-22890.patch | 499 ++++++++++++++++++
4 files changed, 651 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/curl-CVE-2021-22876.patch
create mode 100644 gnu/packages/patches/curl-CVE-2021-22890.patch

--
2.31.1
L
L
Léo Le Bouter wrote on 2 Apr 2021 16:09
[PATCH 1/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
(address . 47563@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210402140940.28300-2-lle-bout@zaclys.net
* gnu/packages/patches/curl-CVE-2021-22876.patch,
gnu/packages/patches/curl-CVE-2021-22890.patch: New patches.
* gnu/local.mk (dist_patch_DATA): Register them.
* gnu/packages/curl.scm (curl): Apply patches.
---
gnu/local.mk | 2 +
gnu/packages/curl.scm | 4 +-
.../patches/curl-CVE-2021-22876.patch | 147 ++++++
.../patches/curl-CVE-2021-22890.patch | 499 ++++++++++++++++++
4 files changed, 651 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/curl-CVE-2021-22876.patch
create mode 100644 gnu/packages/patches/curl-CVE-2021-22890.patch

Toggle diff (688 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index f2d595f2cc..cf6f35363f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -919,6 +919,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/crda-optional-gcrypt.patch		\
   %D%/packages/patches/clucene-contribs-lib.patch               \
   %D%/packages/patches/cube-nocheck.patch			\
+  %D%/packages/patches/curl-CVE-2021-22890.patch		\
+  %D%/packages/patches/curl-CVE-2021-22876.patch		\
   %D%/packages/patches/curl-use-ssl-cert-env.patch		\
   %D%/packages/patches/cursynth-wave-rand.patch			\
   %D%/packages/patches/cvs-CVE-2017-12836.patch		\
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 730676875c..fa02f281cf 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -61,7 +61,9 @@
              (sha256
               (base32
                "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
-             (patches (search-patches "curl-use-ssl-cert-env.patch"))))
+             (patches (search-patches "curl-use-ssl-cert-env.patch"
+                                      "curl-CVE-2021-22876.patch"
+                                      "curl-CVE-2021-22890.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
diff --git a/gnu/packages/patches/curl-CVE-2021-22876.patch b/gnu/packages/patches/curl-CVE-2021-22876.patch
new file mode 100644
index 0000000000..b67a1be16a
--- /dev/null
+++ b/gnu/packages/patches/curl-CVE-2021-22876.patch
@@ -0,0 +1,147 @@
+From 7214288898f5625a6cc196e22a74232eada7861c Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Tue, 23 Feb 2021 14:54:46 +0100
+Subject: [PATCH] transfer: strip credentials from the auto-referer header
+ field
+
+Added test 2081 to verify.
+
+CVE-2021-22876
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+---
+ lib/transfer.c          | 25 ++++++++++++++--
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test2081     | 66 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 90 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test2081
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 1976bc0338bc..a68c021c84d6 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1581,6 +1581,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+       data->state.followlocation++; /* count location-followers */
+ 
+       if(data->set.http_auto_referer) {
++        CURLU *u;
++        char *referer;
++
+         /* We are asked to automatically set the previous URL as the referer
+            when we get the next URL. We pick the ->url field, which may or may
+            not be 100% correct */
+@@ -1590,9 +1593,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
+           data->change.referer_alloc = FALSE;
+         }
+ 
+-        data->change.referer = strdup(data->change.url);
+-        if(!data->change.referer)
++        /* Make a copy of the URL without crenditals and fragment */
++        u = curl_url();
++        if(!u)
++          return CURLE_OUT_OF_MEMORY;
++
++        uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++        if(!uc)
++          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++        curl_url_cleanup(u);
++
++        if(uc || referer == NULL)
+           return CURLE_OUT_OF_MEMORY;
++
++        data->change.referer = referer;
+         data->change.referer_alloc = TRUE; /* yes, free this later */
+       }
+     }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 2c7a0ca89fd8..ea52683d2254 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -225,7 +225,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \
+ test2064 test2065 test2066 test2067 test2068 test2069 test2070 \
+          test2071 test2072 test2073 test2074 test2075 test2076 test2077 \
+ test2078 \
+-test2080 \
++test2080 test2081 \
+ test2100 \
+ \
+ test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \
+diff --git a/tests/data/test2081 b/tests/data/test2081
+new file mode 100644
+index 000000000000..a6733e737beb
+--- /dev/null
++++ b/tests/data/test2081
+@@ -0,0 +1,66 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++referer
++followlocation
++--write-out
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 301 This is a weirdo text message swsclose
++Location: data/%TESTNUMBER0002.txt?coolsite=yes
++Content-Length: 62
++Connection: close
++
++This server reply is for testing a simple Location: following
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Automatic referrer credential and anchor stripping check
++ </name>
++ <command>
++http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n'
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<errorcode>
++52
++</errorcode>
++<protocol>
++GET /we/want/our/%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic dXNlcjpwYXNz
++User-Agent: curl/%VERSION
++Accept: */*
++
++GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic dXNlcjpwYXNz
++User-Agent: curl/%VERSION
++Accept: */*
++Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
++
++</protocol>
++<stdout>
++HTTP/1.1 301 This is a weirdo text message swsclose
++Location: data/%TESTNUMBER0002.txt?coolsite=yes
++Content-Length: 62
++Connection: close
++
++http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
++</stdout>
++</verify>
++</testcase>
diff --git a/gnu/packages/patches/curl-CVE-2021-22890.patch b/gnu/packages/patches/curl-CVE-2021-22890.patch
new file mode 100644
index 0000000000..f01bc20530
--- /dev/null
+++ b/gnu/packages/patches/curl-CVE-2021-22890.patch
@@ -0,0 +1,499 @@
+From b09c8ee15771c614c4bf3ddac893cdb12187c844 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 19 Mar 2021 12:38:49 +0100
+Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+
+To make sure we set and extract the correct session.
+
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+
+CVE-2021-22890
+---
+ lib/vtls/bearssl.c   |  8 +++++--
+ lib/vtls/gtls.c      | 12 ++++++----
+ lib/vtls/mbedtls.c   | 12 ++++++----
+ lib/vtls/mesalink.c  | 14 ++++++++----
+ lib/vtls/openssl.c   | 54 +++++++++++++++++++++++++++++++++-----------
+ lib/vtls/schannel.c  | 10 ++++----
+ lib/vtls/sectransp.c | 10 ++++----
+ lib/vtls/vtls.c      | 12 +++++++---
+ lib/vtls/vtls.h      |  2 ++
+ lib/vtls/wolfssl.c   | 13 +++++++----
+ 10 files changed, 103 insertions(+), 44 deletions(-)
+
+diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
+index 36c32d8d55be..39fc1a29209c 100644
+--- a/lib/vtls/bearssl.c
++++ b/lib/vtls/bearssl.c
+@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data,
+     void *session;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &session, NULL, sockindex)) {
+       br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
+       infof(data, "BearSSL: re-using session ID\n");
+     }
+@@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data,
+     br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
+     Curl_ssl_sessionid_lock(data);
+     incache = !(Curl_ssl_getsessionid(data, conn,
++                                      SSL_IS_PROXY() ? TRUE : FALSE,
+                                       &oldsession, NULL, sockindex));
+     if(incache)
+       Curl_ssl_delsessionid(data, oldsession);
+-    ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex);
++    ret = Curl_ssl_addsessionid(data, conn,
++                                SSL_IS_PROXY() ? TRUE : FALSE,
++                                session, 0, sockindex);
+     Curl_ssl_sessionid_unlock(data);
+     if(ret) {
+       free(session);
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index a75937b4646c..3b0d940a60e1 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -727,6 +727,7 @@ gtls_connect_step1(struct Curl_easy *data,
+ 
+     Curl_ssl_sessionid_lock(data);
+     if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
+                               &ssl_sessionid, &ssl_idsize, sockindex)) {
+       /* we got a session id, use it! */
+       gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
+@@ -1286,8 +1287,9 @@ gtls_connect_step3(struct Curl_easy *data,
+       gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
+ 
+       Curl_ssl_sessionid_lock(data);
+-      incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL,
+-                                        sockindex));
++      incache = !(Curl_ssl_getsessionid(data, conn,
++                                        SSL_IS_PROXY() ? TRUE : FALSE,
++                                        &ssl_sessionid, NULL, sockindex));
+       if(incache) {
+         /* there was one before in the cache, so instead of risking that the
+            previous one was rejected, we just kill that and store the new */
+@@ -1295,8 +1297,10 @@ gtls_connect_step3(struct Curl_easy *data,
+       }
+ 
+       /* store this session id */
+-      result = Curl_ssl_addsessionid(data, conn, connect_sessionid,
+-                                     connect_idsize, sockindex);
++      result = Curl_ssl_addsessionid(data, conn,
++                                     SSL_IS_PROXY() ? TRUE : FALSE,
++                                     connect_sessionid, connect_idsize,
++                                     sockindex);
+       Curl_ssl_sessionid_unlock(data);
+       if(result) {
+         free(connect_sessionid);
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index 95cd4d99b665..93a7ac1fd87d 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+     void *old_session = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
++                              &old_session, NULL, sockindex)) {
+       ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
+       if(ret) {
+         Curl_ssl_sessionid_unlock(data);
+@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+     int ret;
+     mbedtls_ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+     if(!our_ssl_sessionid)
+@@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+ 
+     /* If there's already a matching session in the cache, delete it */
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex))
++    if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
++                              sockindex))
+       Curl_ssl_delsessionid(data, old_ssl_sessionid);
+ 
+-    retcode = Curl_ssl_addsessionid(data, conn,
+-                                    our_ssl_sessionid, 0, sockindex);
++    retcode = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
++                                    0, sockindex);
+     Curl_ssl_sessionid_unlock(data);
+     if(retcode) {
+       mbedtls_ssl_session_free(our_ssl_sessionid);
+diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
+index 4f1ab8627f49..5d6a1495d790 100644
+--- a/lib/vtls/mesalink.c
++++ b/lib/vtls/mesalink.c
+@@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data,
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+         Curl_ssl_sessionid_unlock(data);
+@@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     our_ssl_sessionid = SSL_get_session(BACKEND->handle);
+ 
+     Curl_ssl_sessionid_lock(data);
+     incache =
+-      !(Curl_ssl_getsessionid(data, conn,
+-                              &old_ssl_sessionid, NULL, sockindex));
++      !(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
++                              sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != our_ssl_sessionid) {
+         infof(data, "old SSL session ID is stale, removing\n");
+@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+     }
+ 
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(
+-        data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
++      result =
++        Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0,
++                              sockindex);
+       if(result) {
+         Curl_ssl_sessionid_unlock(data);
+         failf(data, "failed to store ssl session");
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 498f8b9d1d08..68b98984b460 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -393,12 +393,23 @@ static int ossl_get_ssl_conn_index(void)
+  */
+ static int ossl_get_ssl_sockindex_index(void)
+ {
+-  static int ssl_ex_data_sockindex_index = -1;
+-  if(ssl_ex_data_sockindex_index < 0) {
+-    ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+-        NULL);
++  static int sockindex_index = -1;
++  if(sockindex_index < 0) {
++    sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+   }
+-  return ssl_ex_data_sockindex_index;
++  return sockindex_index;
++}
++
++/* Return an extra data index for proxy boolean.
++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
++ */
++static int ossl_get_proxy_index(void)
++{
++  static int proxy_index = -1;
++  if(proxy_index < 0) {
++    proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
++  }
++  return proxy_index;
+ }
+ 
+ static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1174,7 +1185,7 @@ static int ossl_init(void)
+ 
+   /* Initialize the extra data indexes */
+   if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
+-     ossl_get_ssl_sockindex_index() < 0)
++     ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
+     return 0;
+ 
+   return 1;
+@@ -2432,8 +2443,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   int data_idx = ossl_get_ssl_data_index();
+   int connectdata_idx = ossl_get_ssl_conn_index();
+   int sockindex_idx = ossl_get_ssl_sockindex_index();
++  int proxy_idx = ossl_get_proxy_index();
++  bool isproxy;
+ 
+-  if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0)
++  if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+     return 0;
+ 
+   conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2446,13 +2459,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+   sockindex = (int)(sockindex_ptr - conn->sock);
+ 
++  isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
++
+   if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     void *old_ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
+-                                      sockindex));
++    if(isproxy)
++      incache = FALSE;
++    else
++      incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++                                        &old_ssl_sessionid, NULL, sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != ssl_sessionid) {
+         infof(data, "old SSL session ID is stale, removing\n");
+@@ -2462,8 +2480,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+     }
+ 
+     if(!incache) {
+-      if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid,
+-                                      0 /* unknown size */, sockindex)) {
++      if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
++                                0 /* unknown size */, sockindex)) {
+         /* the session has been put into the session cache */
+         res = 1;
+       }
+@@ -3193,17 +3211,27 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+     int data_idx = ossl_get_ssl_data_index();
+     int connectdata_idx = ossl_get_ssl_conn_index();
+     int sockindex_idx = ossl_get_ssl_sockindex_index();
++    int proxy_idx = ossl_get_proxy_index();
+ 
+-    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) {
++    if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
++       proxy_idx >= 0) {
+       /* Store the data needed for the "new session" callback.
+        * The sockindex is stored as a pointer to an array element. */
+       SSL_set_ex_data(backend->handle, data_idx, data);
+       SSL_set_ex_data(backend->handle, connectdata_idx, conn);
+       SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++      SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++                      NULL);
++#else
++      SSL_set_ex_data(backend->handle, proxy_idx, NULL);
++#endif
++
+     }
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+         Curl_ssl_sessionid_unlock(data);
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index d7b89d43f892..931bd853eb8e 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+   if(SSL_SET_OPTION(primary.sessionid)) {
+     Curl_ssl_sessionid_lock(data);
+     if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
+                               (void **)&old_cred, NULL, sockindex)) {
+       BACKEND->cred = old_cred;
+       DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
+@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+   SECURITY_STATUS sspi_status = SEC_E_OK;
+   CERT_CONTEXT *ccert_context = NULL;
++  bool isproxy = SSL_IS_PROXY();
+ #ifdef DEBUGBUILD
+-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++  const char * const hostname = isproxy ? conn->http_proxy.host.name :
+     conn->host.name;
+ #endif
+ #ifdef HAS_ALPN
+@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+     struct Curl_schannel_cred *old_cred = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL,
+-                                      sockindex));
++    incache = !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&old_cred,
++                                      NULL, sockindex));
+     if(incache) {
+       if(old_cred != BACKEND->cred) {
+         DEBUGF(infof(data,
+@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+       }
+     }
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred,
++      result = Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred,
+                                      sizeof(struct Curl_schannel_cred),
+                                      sockindex);
+       if(result) {
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 05b57dfaad91..e69b99b72cd6 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+ #ifndef CURL_DISABLE_PROXY
+-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++  bool isproxy = SSL_IS_PROXY();
++  const char * const hostname = isproxy ? conn->http_proxy.host.name :
+     conn->host.name;
+   const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+ #else
++  const isproxy = FALSE;
+   const char * const hostname = conn->host.name;
+   const long int port = conn->remote_port;
+ #endif
+@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+ #ifdef USE_NGHTTP2
+       if(data->state.httpversion >= CURL_HTTP_VERSION_2
+ #ifndef CURL_DISABLE_PROXY
+-         && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
++         && (!isproxy || !conn->bits.tunnel_proxy)
+ #endif
+         ) {
+         CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
+@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+     size_t ssl_sessionid_len;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid,
++    if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessionid,
+                               &ssl_sessionid_len, sockindex)) {
+       /* we got a session id, use it! */
+       err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+         return CURLE_SSL_CONNECT_ERROR;
+       }
+ 
+-      result = Curl_ssl_addsessionid(data, conn, ssl_sessionid,
++      result = Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
+                                      ssl_sessionid_len, sockindex);
+       Curl_ssl_sessionid_unlock(data);
+       if(result) {
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 6a0069237fdb..95fd6356285f 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
+  */
+ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+                            struct connectdata *conn,
++                           const bool isProxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex)
+@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+   bool no_match = TRUE;
+ 
+ #ifndef CURL_DISABLE_PROXY
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
+@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+   struct ssl_primary_config * const ssl_config = &conn->ssl_config;
+   const char * const name = conn->host.name;
+   int port = conn->remote_port;
+-  (void)sockindex;
+ #endif
++  (void)sockindex;
+   *ssl_sessionid = NULL;
+ 
++#ifdef CURL_DISABLE_PROXY
++  if(isProxy)
++    return TRUE;
++#endif
++
+   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   if(!SSL_SET_OPTION(primary.sessionid))
+@@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
+  */
+ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+                                struct connectdata *conn,
++                               bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex)
+@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+   int conn_to_port;
+   long *general_age;
+ #ifndef CURL_DISABLE_PROXY
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
+@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+   const char *hostname = conn->host.name;
+   (void)sockindex;
+ #endif
++  (void)sockindex;
+   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   clone_host = strdup(hostname);
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index 273184f1894a..2b43e7744b19 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -235,6 +235,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
+  */
+ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+                            struct connectdata *conn,
++                           const bool isproxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex);
+@@ -245,6 +246,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+  */
+ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+                                struct connectdata *conn,
++                               const bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex);
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index 7159ac9d5e64..8fb2ea7acf31 100644
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(data);
+-    if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(data, conn,
++                              SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+         char error_buffer[WOLFSSL_MAX_ERROR_SZ];
+@@ -772,11 +774,12 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+     bool incache;
+     void *old_ssl_sessionid = NULL;
+     SSL_SESSION *our_ssl_sessionid = SSL_get_session(backend->handle);
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     if(our_ssl_sessionid) {
+       Curl_ssl_sessionid_lock(data);
+-      incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
+-                                        sockindex));
++      incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++                                        &old_ssl_sessionid, NULL, sockindex));
+       if(incache) {
+         if(old_ssl_sessionid != our_ssl_sessionid) {
+           infof(data, "old SSL session ID is stale, removing\n");
+@@ -786,8 +789,8 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+       }
+ 
+       if(!incache) {
+-        result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid,
+-                                       0 /* unknown size */, sockindex);
++        result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
++                                       0, sockindex);
+         if(result) {
+           Curl_ssl_sessionid_unlock(data);
+           failf(data, "failed to store ssl session");
-- 
2.31.1
L
L
Leo Famulari wrote on 2 Apr 2021 20:22
Re: bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)
YGdgzne+guUD0JCT@jasmine.lan
On Fri, Apr 02, 2021 at 04:09:39PM +0200, L�o Le Bouter via Bug reports for GNU Guix wrote:
Toggle quote (9 lines)
> curl-CVE-2021-22876.patch was rebased onto 7.74.0, but curl-CVE-2021-22890.patch
> does not apply and please I need help rebasing it, it looks quite complex.
>
> I pushed an upgrade of curl to 7.76.0 which has been much much easier to
> core-updates already as
> https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=2e0b1b62e94b926041ca9af70537dd9b3ab64edf
> but unfortunately since curl requires so many rebuilds it seems we can't use
> such commit on master for now.

Can we try grafting an "upgrade" to 7.76.0? In my experience, most curl
upgrades are graftable.

Curl's developers are very careful with their ABI and even maintain
their own page on the subject: https://curl.se/libcurl/abi.html
L
L
Léo Le Bouter wrote on 2 Apr 2021 20:43
(address . 47563@debbugs.gnu.org)
6d54754e99e6dabb669e16b2036485fbaa64b318.camel@zaclys.net
On Fri, 2021-04-02 at 14:22 -0400, Leo Famulari wrote:
Toggle quote (8 lines)
>
> Can we try grafting an "upgrade" to 7.76.0? In my experience, most
> curl
> upgrades are graftable.
>
> Curl's developers are very careful with their ABI and even maintain
> their own page on the subject: <https://curl.se/libcurl/abi.html>

If you think that's OK, let's do it!

I see indeed from that page there should be no problem.

Will send a patch shortly.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBnZe8ACgkQRaix6GvN
EKZRpBAAu0jSyDC45KwphQc0YSZ21i6TpT6IbemgusCv2lCyfaf/uXMYzHWqoi2a
D5lh0ll5UnWnRDcElNMjdMpK4dmJ2s88g/7O2XuTiqn+At92u4spmw+KUVsaIngg
582DyP4ebkji47fK2S4BF3vBC73BWrrUPoOizFsZ145hPC1o19+qLm5f82G8bnS1
vPi+alC3Xob62TWZ1PthUX1VJr8rd4SC0mZXNBhM0iTCO2wmUwcJHBCSCnSfohxG
DAlAvBsRe849JDDCiOcYQK1Qx/If9EjIXRtafXgid+CzwgygvjUK343Bys1W1y6p
pebpd5VGRQNvNmqtOiix03Oxkjlt93FvImDsIIkxwjn5+iKLrBgikNAVlGSiDZr1
7wX4CtjfsFJwnOGdCuoL4/O/WWbet6rcJwxl2SvMPf0mKxJhSAhS4PgWVk5Dm4vm
lagmHnw4p7Mb0543VF6Mfc5/WcDg4/P/t0sFBI6CJQ01Kb3JE+9Zo3nnaNcXTXZf
AoMn/M1EnnOx8ZjyIA6HslcZJ51V0AmkfNZXeBvZJ8YXXCM/ORUeiHhwJPl+QQo4
qFg53Bsks8DR5ZBRN6OQmW6qHqzVh+0BvrwKOHG3gaOgt0dJ8oXI+6dwOxns7ye6
kiJNWZzo6Vtqup6w3xShmEuZVLHoqoURop6MLIJ//YoYIvVIAuo=
=akFM
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 2 Apr 2021 21:24
[PATCH] gnu: curl: Update to 7.76.0 [security fixes].
(address . 47563@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210402192409.22018-1-lle-bout@zaclys.net
Fixes CVE-2021-22876 and CVE-2021-22890.

* gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/curl.scm (curl/fixed): New variable. Apply patch.
(curl)[replacement]: Graft.
---
gnu/local.mk | 1 +
gnu/packages/curl.scm | 14 ++++
.../patches/curl-7.76-use-ssl-cert-env.patch | 64 +++++++++++++++++++
3 files changed, 79 insertions(+)
create mode 100644 gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch

Toggle diff (116 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 1a767a6c89..0d472072ae 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -920,6 +920,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/clucene-contribs-lib.patch               \
   %D%/packages/patches/cube-nocheck.patch			\
   %D%/packages/patches/curl-use-ssl-cert-env.patch		\
+  %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch	\
   %D%/packages/patches/cursynth-wave-rand.patch			\
   %D%/packages/patches/cvs-CVE-2017-12836.patch		\
   %D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch		\
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 730676875c..5608d556e7 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -62,6 +62,7 @@
               (base32
                "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
              (patches (search-patches "curl-use-ssl-cert-env.patch"))))
+   (replacement curl/fixed)
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -151,6 +152,19 @@ tunneling, and so on.")
     (name "curl-minimal")
     (inputs (alist-delete "openldap" (package-inputs curl))))))
 
+(define-public curl/fixed
+  (package
+    (inherit curl)
+    (version "7.76.0")
+    (source
+     (origin
+       (inherit (package-source curl))
+       (uri (string-append "https://curl.haxx.se/download/curl-"
+                           version ".tar.xz"))
+       (sha256
+        (base32
+         "1j2g04m6als6hmqzvddv84c31m0x90bfgyz3bjrwdkarbkby40k3"))))))
+
 (define-public kurly
   (package
     (name "kurly")
diff --git a/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
new file mode 100644
index 0000000000..24be6e31d9
--- /dev/null
+++ b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
@@ -0,0 +1,64 @@
+Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables
+are fetched during initialization to preserve thread-safety (curl_global_init(3)
+must be called when no other threads exist).
+
+This fixes network functionality in rust:cargo, and probably removes the need
+for other future workarounds.
+===================================================================
+--- curl-7.66.0.orig/lib/easy.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/easy.c	2020-01-02 16:18:54.691882797 +0100
+@@ -134,6 +134,9 @@
+ #  pragma warning(default:4232) /* MSVC extension, dllimport identity */
+ #endif
+ 
++char * Curl_ssl_cert_dir = NULL;
++char * Curl_ssl_cert_file = NULL;
++
+ /**
+  * curl_global_init() globally initializes curl given a bitwise set of the
+  * different features of what to initialize.
+@@ -155,6 +158,9 @@
+ #endif
+   }
+ 
++  Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
++  Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
++
+   if(!Curl_ssl_init()) {
+     DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
+     return CURLE_FAILED_INIT;
+@@ -260,6 +266,9 @@
+   Curl_ssl_cleanup();
+   Curl_resolver_global_cleanup();
+ 
++  free(Curl_ssl_cert_dir);
++  free(Curl_ssl_cert_file);
++
+ #ifdef WIN32
+   Curl_win32_cleanup(init_flags);
+ #endif
+diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
+--- curl-7.66.0.orig/lib/url.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/url.c	2020-01-02 16:21:11.563880346 +0100
+@@ -524,6 +524,21 @@
+     if(result)
+       return result;
+ #endif
++    extern char * Curl_ssl_cert_dir;
++    extern char * Curl_ssl_cert_file;
++    if(Curl_ssl_cert_dir) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++            return result;
++    }
++
++    if(Curl_ssl_cert_file) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++            return result;
++    }
+   }
+ 
+   set->wildcard_enabled = FALSE;
-- 
2.31.1
L
L
Léo Le Bouter wrote on 2 Apr 2021 21:33
[PATCH v2] gnu: curl: Update to 7.76.0 [security fixes].
(address . 47563@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210402193302.23602-1-lle-bout@zaclys.net
Fixes CVE-2021-22876 and CVE-2021-22890.

* gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/curl.scm (curl/fixed): New variable. Apply patch.
(curl)[replacement]: Graft.
---
gnu/local.mk | 1 +
gnu/packages/curl.scm | 15 +++++
.../patches/curl-7.76-use-ssl-cert-env.patch | 64 +++++++++++++++++++
3 files changed, 80 insertions(+)
create mode 100644 gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch

Toggle diff (117 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 1a767a6c89..0d472072ae 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -920,6 +920,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/clucene-contribs-lib.patch               \
   %D%/packages/patches/cube-nocheck.patch			\
   %D%/packages/patches/curl-use-ssl-cert-env.patch		\
+  %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch	\
   %D%/packages/patches/cursynth-wave-rand.patch			\
   %D%/packages/patches/cvs-CVE-2017-12836.patch		\
   %D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch		\
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 730676875c..94dc51cfc5 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -62,6 +62,7 @@
               (base32
                "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
              (patches (search-patches "curl-use-ssl-cert-env.patch"))))
+   (replacement curl/fixed)
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -151,6 +152,20 @@ tunneling, and so on.")
     (name "curl-minimal")
     (inputs (alist-delete "openldap" (package-inputs curl))))))
 
+(define-public curl/fixed
+  (package
+    (inherit curl)
+    (version "7.76.0")
+    (source
+     (origin
+       (inherit (package-source curl))
+       (uri (string-append "https://curl.haxx.se/download/curl-"
+                           version ".tar.xz"))
+       (patches (search-patches "curl-7.76-use-ssl-cert-env.patch"))
+       (sha256
+        (base32
+         "1j2g04m6als6hmqzvddv84c31m0x90bfgyz3bjrwdkarbkby40k3"))))))
+
 (define-public kurly
   (package
     (name "kurly")
diff --git a/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
new file mode 100644
index 0000000000..24be6e31d9
--- /dev/null
+++ b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
@@ -0,0 +1,64 @@
+Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables
+are fetched during initialization to preserve thread-safety (curl_global_init(3)
+must be called when no other threads exist).
+
+This fixes network functionality in rust:cargo, and probably removes the need
+for other future workarounds.
+===================================================================
+--- curl-7.66.0.orig/lib/easy.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/easy.c	2020-01-02 16:18:54.691882797 +0100
+@@ -134,6 +134,9 @@
+ #  pragma warning(default:4232) /* MSVC extension, dllimport identity */
+ #endif
+ 
++char * Curl_ssl_cert_dir = NULL;
++char * Curl_ssl_cert_file = NULL;
++
+ /**
+  * curl_global_init() globally initializes curl given a bitwise set of the
+  * different features of what to initialize.
+@@ -155,6 +158,9 @@
+ #endif
+   }
+ 
++  Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
++  Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
++
+   if(!Curl_ssl_init()) {
+     DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
+     return CURLE_FAILED_INIT;
+@@ -260,6 +266,9 @@
+   Curl_ssl_cleanup();
+   Curl_resolver_global_cleanup();
+ 
++  free(Curl_ssl_cert_dir);
++  free(Curl_ssl_cert_file);
++
+ #ifdef WIN32
+   Curl_win32_cleanup(init_flags);
+ #endif
+diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
+--- curl-7.66.0.orig/lib/url.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/url.c	2020-01-02 16:21:11.563880346 +0100
+@@ -524,6 +524,21 @@
+     if(result)
+       return result;
+ #endif
++    extern char * Curl_ssl_cert_dir;
++    extern char * Curl_ssl_cert_file;
++    if(Curl_ssl_cert_dir) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++            return result;
++    }
++
++    if(Curl_ssl_cert_file) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++            return result;
++    }
+   }
+ 
+   set->wildcard_enabled = FALSE;
-- 
2.31.1
L
L
Léo Le Bouter wrote on 2 Apr 2021 21:34
(address . 47563@debbugs.gnu.org)
71da0b112604e124d8227287345f519ca31850d6.camel@zaclys.net
To me, that last patch is ready to merge.

Please push if you feel that's OK too, don't wait for me!

Thanks!
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBncccACgkQRaix6GvN
EKZ/thAAlgYzzj5As+dTync+rqInsGTSIc/0xxVA7Zf7poX6cUb5j3BnrcLtbwgW
vvuNGfW0t3I6WN3wzVi8lzRfBHJN+80TuaX5nDAy0ep4yEsPOsSMz76LiM8qxPOT
B7c3VsBJRcZ5XcDhat7SAbnWcxZO2C/V5ET6UCwrcv1wjj/MYw6jv95ExHd5uLgy
DqTUlNr+4wGPyaODtbnBUwQ0pMZADWhEgK8fAPmr9pyk2mSJQ/XbMOeve95dSHg4
USxGwt8Y+7J6mOUGXSXxqTaRc3I4h/AUcKmVNqr9oqvzYfJbD0e7EIBxYt9vYIAL
IK6UXJKAtXfPY0H36XVbtNiqw8iDHN3oL8CDkLC/LSZB1ej3NriubQHuIc9xvNRJ
4Suabynx9cvuxoIO082RpXC/LEgmqotV8u/qCQ3rL9GatkyR7du0OQMUFE+iIRE8
vkG8MRPl8DK9/M//uxIBKPI0ywB0y2ijzSjmFZ6X3C+6Ja4okXawq23eE/aLHrVT
XdFFhYuFc3JQHLmGw9OUGhR5o7hOan0YqjX1///x/nR/Jqh6AB6gWtDaTu2wpzvV
voNR0DYyTlhzCUFZ01GZ9rrWYb0i1J+xIcYAPXCAR7Wik/eXpYGp6Aj/5m6JPCUi
RcF7SMOerxvkrNfUwV8uvuDwpH15M8Yl5qTKrRsrCPeBFMawNTY=
=lOck
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 2 Apr 2021 22:36
Re: bug#47563: [PATCH v2] gnu: curl: Update to 7.76.0 [security fixes].
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 47563@debbugs.gnu.org)
YGeANoLM0VKd+uJU@jasmine.lan
On Fri, Apr 02, 2021 at 09:34:31PM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
Toggle quote (4 lines)
> To me, that last patch is ready to merge.
>
> Please push if you feel that's OK too, don't wait for me!

Building now to test...
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmBngCwACgkQJkb6MLrK
fwhv0hAAu4Lqux+wt6iVWQcIQj+v4ZwXbebbR7tAMja0QisAJmuPSWLDNQRs2p4S
4C7a0Vezgu5EIfL80AwQikvuTGzYyjePS83WIM7jEk4FE48p5Gi/YkV8/WPu+8Oc
LByb/jIeUR3U1iNHscpICSMsOV5lbjILxP8GRpXc6IGdJONc6mXZmix9o2/Gg53V
e50U7xZLcRiixaCXN3Of5/C0535BDQLJ50gm5Iyyi56MMOq1i8vVAYpUqydCF20L
m2ClhX+jVOgb0d8BYlt3+iECOJfzqO7BgLPX8y6V6DrKzwls0hGRbL3DUso55U5q
eLV4WynS1BDDlGJVqH9V2DXmHB/pfD+nOt/hxDehsWq1h5Ue/mdfuw/fHKbMNV0g
JGIs3NH2r2tK4u25k5xc7ycyMA6pyt5OD1YmE6kjyU2HHrLKpcrM4HOM1dukWr5m
3fn6TMfCENk/yvZpr4dinCNCdvKWr3IVz0u55hR+XVW+iOrXdthagztciplcF9+q
qVOS0wIc3P/JCD/Rh4n7um3VU8TtMY+jUIspRNkTeJ70yqBf63qwDY81PXFYVAwq
H6IkrNE0YQF+fU6jr1yxAI3AXPC1p6o9Mo28U545DsdzYe0EIR++X+w5z3ZewAUp
OJr37Eabx8axnZ8IAAgho91Wf6NumGX6h5X00cyLqqIEN/G7mRc=
=0huP
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 2 Apr 2021 22:46
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)
YGeCm2KXl4mgQdt4@jasmine.lan
On Fri, Apr 02, 2021 at 09:33:02PM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
Toggle quote (7 lines)
> Fixes CVE-2021-22876 and CVE-2021-22890.
>
> * gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New patch.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/curl.scm (curl/fixed): New variable. Apply patch.
> (curl)[replacement]: Graft.

I tweaked the commit message — committer's preference ;) — and pushed
as f4dc8ac6dfa036d98aa0990ae22268a9650899d0.

Thanks!
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmBngpsACgkQJkb6MLrK
fwi3lg//Ri3IqNBCTb3S4L1t8RUW/glmXCUiYhb1TdlYPg5Em5U8M9JiWUFi76ZS
fBTVhgcx7pPZdi6OEMsn0GWcxVnXLz6sP1XGSROpWtU2up9JCVqVAk/VFa0g6Ftk
mxjWJuuRwNk/iuxYi5NNoNGDW0/AWxHqUl6cJjLbQUCJ/d5vyjB9adQNClR+ce6q
HjYA+eLCj4iC5dZE2nIRH+HrcKedWQXby5+S2eTcmp5fqeU9FCDxfr3lmAgwyJqC
I+otdlDBloGkybl5eqQypYKRNIkvUfKMys+NDTecElj4YS0+9LDk1HZitKOxbyMo
F62mo7Zhg/xRtCSM/p43AnQFSZGepyHhcyvzH7iNusxLwugeoynGVDkvviUot/ap
hC9sNvQCZIXqXGE2dUNGt0ufopmUA20RhWyDKvFdQTFIjrHLHhnevOjQmK1QGZ7x
gCp93/KH29SZ0pKzIrTfFPsmEfidKLD0piDDyBxowHXwoBOdGVaF2fVYvPv7tcJ9
YvxAY2pHfOaCWyeuR9f/vC09Pd92fKtxWwve9QqKUfF5QVBkXPEUNbQ6qGSselar
hgjE3uI86zkhUffxpbJbbrrN8ybEAelvWu+HswdOE0UV+yjsiP217Z127FfZlzno
FmfvBt+XA754fmeCZ6oCLCDr01y0jId34Iex/aE3RyRjfo6AP6Y=
=OS1S
-----END PGP SIGNATURE-----


?
Your comment

This issue is archived.

To comment on this conversation send email to 47563@debbugs.gnu.org