microsoft
/
CBL-Mariner
зеркало из https://github.com/microsoft/CBL-Mariner.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

curl: address CVE-2024-8096 (#10731) 

Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
This commit is contained in:
Muhammad Falak R Wani 2024-10-23 11:40:11 +05:30 коммит произвёл GitHub
Родитель 60d78f8b22
Коммит b958bee0c4
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
6 изменённых файлов: 219 добавлений и 15 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

200
SPECS/curl/CVE-2024-8096.patch Normal file
Просмотреть файл

@ -0,0 +1,200 @@
From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 20 Aug 2024 16:14:39 +0200
Subject: [PATCH] gtls: fix OCSP stapling management
Reported-by: Hiroki Kurosawa
Closes #14642
---
lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
1 file changed, 73 insertions(+), 73 deletions(-)
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 03d6fcc038aac3..c7589d9d39bc81 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
init_flags |= GNUTLS_NO_TICKETS;
#endif
+#if defined(GNUTLS_NO_STATUS_REQUEST)
+ if(!config->verifystatus)
+ /* Disable the "status_request" TLS extension, enabled by default since
+ GnuTLS 3.8.0. */
+ init_flags |= GNUTLS_NO_STATUS_REQUEST;
+#endif
+
rc = gnutls_init(&gtls->session, init_flags);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_init() failed: %d", rc);
@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
infof(data, " server certificate verification SKIPPED");
if(config->verifystatus) {
- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
- gnutls_datum_t status_request;
- gnutls_ocsp_resp_t ocsp_resp;
+ gnutls_datum_t status_request;
+ gnutls_ocsp_resp_t ocsp_resp;
+ gnutls_ocsp_cert_status_t status;
+ gnutls_x509_crl_reason_t reason;
- gnutls_ocsp_cert_status_t status;
- gnutls_x509_crl_reason_t reason;
+ rc = gnutls_ocsp_status_request_get(session, &status_request);
- rc = gnutls_ocsp_status_request_get(session, &status_request);
+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ failf(data, "No OCSP response received");
+ return CURLE_SSL_INVALIDCERTSTATUS;
+ }
- infof(data, " server certificate status verification FAILED");
+ if(rc < 0) {
+ failf(data, "Invalid OCSP response received");
+ return CURLE_SSL_INVALIDCERTSTATUS;
+ }
- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
- failf(data, "No OCSP response received");
- return CURLE_SSL_INVALIDCERTSTATUS;
- }
+ gnutls_ocsp_resp_init(&ocsp_resp);
- if(rc < 0) {
- failf(data, "Invalid OCSP response received");
- return CURLE_SSL_INVALIDCERTSTATUS;
- }
+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
+ if(rc < 0) {
+ failf(data, "Invalid OCSP response received");
+ return CURLE_SSL_INVALIDCERTSTATUS;
+ }
- gnutls_ocsp_resp_init(&ocsp_resp);
+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+ &status, NULL, NULL, NULL, &reason);
- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
- if(rc < 0) {
- failf(data, "Invalid OCSP response received");
- return CURLE_SSL_INVALIDCERTSTATUS;
- }
+ switch(status) {
+ case GNUTLS_OCSP_CERT_GOOD:
+ break;
- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
- &status, NULL, NULL, NULL, &reason);
+ case GNUTLS_OCSP_CERT_REVOKED: {
+ const char *crl_reason;
- switch(status) {
- case GNUTLS_OCSP_CERT_GOOD:
+ switch(reason) {
+ default:
+ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
+ crl_reason = "unspecified reason";
break;
- case GNUTLS_OCSP_CERT_REVOKED: {
- const char *crl_reason;
-
- switch(reason) {
- default:
- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
- crl_reason = "unspecified reason";
- break;
-
- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
- crl_reason = "private key compromised";
- break;
-
- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
- crl_reason = "CA compromised";
- break;
-
- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
- crl_reason = "affiliation has changed";
- break;
+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
+ crl_reason = "private key compromised";
+ break;
- case GNUTLS_X509_CRLREASON_SUPERSEDED:
- crl_reason = "certificate superseded";
- break;
+ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
+ crl_reason = "CA compromised";
+ break;
- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
- crl_reason = "operation has ceased";
- break;
+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
+ crl_reason = "affiliation has changed";
+ break;
- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
- crl_reason = "certificate is on hold";
- break;
+ case GNUTLS_X509_CRLREASON_SUPERSEDED:
+ crl_reason = "certificate superseded";
+ break;
- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
- crl_reason = "will be removed from delta CRL";
- break;
+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
+ crl_reason = "operation has ceased";
+ break;
- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
- crl_reason = "privilege withdrawn";
- break;
+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
+ crl_reason = "certificate is on hold";
+ break;
- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
- crl_reason = "AA compromised";
- break;
- }
+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
+ crl_reason = "will be removed from delta CRL";
+ break;
- failf(data, "Server certificate was revoked: %s", crl_reason);
+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
+ crl_reason = "privilege withdrawn";
break;
- }
- default:
- case GNUTLS_OCSP_CERT_UNKNOWN:
- failf(data, "Server certificate status is unknown");
+ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
+ crl_reason = "AA compromised";
break;
}
- gnutls_ocsp_resp_deinit(ocsp_resp);
+ failf(data, "Server certificate was revoked: %s", crl_reason);
+ break;
+ }
- return CURLE_SSL_INVALIDCERTSTATUS;
+ default:
+ case GNUTLS_OCSP_CERT_UNKNOWN:
+ failf(data, "Server certificate status is unknown");
+ break;
}
- else
- infof(data, " server certificate status verification OK");
+
+ gnutls_ocsp_resp_deinit(ocsp_resp);
+ if(status != GNUTLS_OCSP_CERT_GOOD)
+ return CURLE_SSL_INVALIDCERTSTATUS;
}
else
infof(data, " server certificate status verification SKIPPED");

6
SPECS/curl/curl.spec
Просмотреть файл

@ -1,7 +1,7 @@
Summary: An URL retrieval utility and library
Name: curl
Version: 8.8.0
Release: 2%{?dist}
Release: 3%{?dist}
License: curl
Vendor: Microsoft Corporation
Distribution: Mariner
@ -9,6 +9,7 @@ Group: System Environment/NetworkingLibraries
URL: https://curl.haxx.se
Source0: https://curl.haxx.se/download/%{name}-%{version}.tar.gz
Patch0: CVE-2024-6197.patch
Patch1: CVE-2024-8096.patch
BuildRequires: krb5-devel
BuildRequires: libssh2-devel
BuildRequires: nghttp2-devel
@ -86,6 +87,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
%{_libdir}/libcurl.so.*
%changelog
* Tue Oct 15 2024 Muhammad Falak <mwani@microsoft.com> - 8.8.0-3
- Address CVE-2024-8096
* Wed Sep 4 2024 Aadhar Agarwal <aadagarwal@microsoft.com> - 8.8.0-2
- Patch CVE-2024-6197

6
toolkit/resources/manifests/package/pkggen_core_aarch64.txt
Просмотреть файл

@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.aarch64.rpm
libssh2-devel-1.9.0-4.cm2.aarch64.rpm
krb5-1.19.4-3.cm2.aarch64.rpm
nghttp2-1.57.0-2.cm2.aarch64.rpm
curl-8.8.0-2.cm2.aarch64.rpm
curl-devel-8.8.0-2.cm2.aarch64.rpm
curl-libs-8.8.0-2.cm2.aarch64.rpm
curl-8.8.0-3.cm2.aarch64.rpm
curl-devel-8.8.0-3.cm2.aarch64.rpm
curl-libs-8.8.0-3.cm2.aarch64.rpm
createrepo_c-0.17.5-1.cm2.aarch64.rpm
libxml2-2.10.4-4.cm2.aarch64.rpm
libxml2-devel-2.10.4-4.cm2.aarch64.rpm

6
toolkit/resources/manifests/package/pkggen_core_x86_64.txt
Просмотреть файл

@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.x86_64.rpm
libssh2-devel-1.9.0-4.cm2.x86_64.rpm
krb5-1.19.4-3.cm2.x86_64.rpm
nghttp2-1.57.0-2.cm2.x86_64.rpm
curl-8.8.0-2.cm2.x86_64.rpm
curl-devel-8.8.0-2.cm2.x86_64.rpm
curl-libs-8.8.0-2.cm2.x86_64.rpm
curl-8.8.0-3.cm2.x86_64.rpm
curl-devel-8.8.0-3.cm2.x86_64.rpm
curl-libs-8.8.0-3.cm2.x86_64.rpm
createrepo_c-0.17.5-1.cm2.x86_64.rpm
libxml2-2.10.4-4.cm2.x86_64.rpm
libxml2-devel-2.10.4-4.cm2.x86_64.rpm

8
toolkit/resources/manifests/package/toolchain_aarch64.txt
Просмотреть файл

@ -46,10 +46,10 @@ cracklib-lang-2.9.7-5.cm2.aarch64.rpm
createrepo_c-0.17.5-1.cm2.aarch64.rpm
createrepo_c-debuginfo-0.17.5-1.cm2.aarch64.rpm
createrepo_c-devel-0.17.5-1.cm2.aarch64.rpm
curl-8.8.0-2.cm2.aarch64.rpm
curl-debuginfo-8.8.0-2.cm2.aarch64.rpm
curl-devel-8.8.0-2.cm2.aarch64.rpm
curl-libs-8.8.0-2.cm2.aarch64.rpm
curl-8.8.0-3.cm2.aarch64.rpm
curl-debuginfo-8.8.0-3.cm2.aarch64.rpm
curl-devel-8.8.0-3.cm2.aarch64.rpm
curl-libs-8.8.0-3.cm2.aarch64.rpm
Cython-debuginfo-0.29.33-2.cm2.aarch64.rpm
debugedit-5.0-2.cm2.aarch64.rpm
debugedit-debuginfo-5.0-2.cm2.aarch64.rpm

8
toolkit/resources/manifests/package/toolchain_x86_64.txt
Просмотреть файл

@ -49,10 +49,10 @@ createrepo_c-debuginfo-0.17.5-1.cm2.x86_64.rpm
createrepo_c-devel-0.17.5-1.cm2.x86_64.rpm
cross-binutils-common-2.37-8.cm2.noarch.rpm
cross-gcc-common-11.2.0-8.cm2.noarch.rpm
curl-8.8.0-2.cm2.x86_64.rpm
curl-debuginfo-8.8.0-2.cm2.x86_64.rpm
curl-devel-8.8.0-2.cm2.x86_64.rpm
curl-libs-8.8.0-2.cm2.x86_64.rpm
curl-8.8.0-3.cm2.x86_64.rpm
curl-debuginfo-8.8.0-3.cm2.x86_64.rpm
curl-devel-8.8.0-3.cm2.x86_64.rpm
curl-libs-8.8.0-3.cm2.x86_64.rpm
Cython-debuginfo-0.29.33-2.cm2.x86_64.rpm
debugedit-5.0-2.cm2.x86_64.rpm
debugedit-debuginfo-5.0-2.cm2.x86_64.rpm