[curl/f21] Resolves: CVE-2014-3613 - use only full matches for hosts used as IP address in cookies
Kamil Dudka
kdudka at fedoraproject.org
Wed Sep 10 14:50:56 UTC 2014
commit 1b9436a9b0ddfad131fdfb1af6432b97cf666294
Author: Kamil Dudka <kdudka at redhat.com>
Date: Wed Sep 10 16:42:44 2014 +0200
Resolves: CVE-2014-3613 - use only full matches for hosts used as IP address in cookies
0003-curl-7.37.0-CVE-2014-3613.patch | 235 ++++++++++++++++++++++++++++++++++
curl.spec | 11 ++-
2 files changed, 244 insertions(+), 2 deletions(-)
---
diff --git a/0003-curl-7.37.0-CVE-2014-3613.patch b/0003-curl-7.37.0-CVE-2014-3613.patch
new file mode 100644
index 0000000..28fd2e7
--- /dev/null
+++ b/0003-curl-7.37.0-CVE-2014-3613.patch
@@ -0,0 +1,235 @@
+From a4557ae3b4bc25c6317de9e21942ade67519c1e4 Mon Sep 17 00:00:00 2001
+From: Tim Ruehsen <tim.ruehsen at gmx.de>
+Date: Tue, 19 Aug 2014 21:01:28 +0200
+Subject: [PATCH 1/2] cookies: only use full host matches for hosts used as IP
+ address
+
+By not detecting and rejecting domain names for partial literal IP
+addresses properly when parsing received HTTP cookies, libcurl can be
+fooled to both send cookies to wrong sites and to allow arbitrary sites
+to set cookies for others.
+
+CVE-2014-3613
+
+Bug: http://curl.haxx.se/docs/adv_20140910A.html
+Upstream-commit: 8a75dbeb2305297640453029b7905ef51b87e8dd
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/cookie.c | 50 ++++++++++++++++++++++++++++++++++++++----------
+ tests/data/test1105 | 3 +--
+ tests/data/test31 | 55 +++++++++++++++++++++++++++--------------------------
+ tests/data/test8 | 3 ++-
+ 4 files changed, 71 insertions(+), 40 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0590643..46904ac 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -95,6 +95,7 @@ Example set of cookies:
+ #include "strtoofft.h"
+ #include "rawstr.h"
+ #include "curl_memrchr.h"
++#include "inet_pton.h"
+
+ /* The last #include file should be: */
+ #include "memdebug.h"
+@@ -319,6 +320,28 @@ static void remove_expired(struct CookieInfo *cookies)
+ }
+ }
+
++/*
++ * Return true if the given string is an IP(v4|v6) address.
++ */
++static bool isip(const char *domain)
++{
++ struct in_addr addr;
++#ifdef ENABLE_IPV6
++ struct in6_addr addr6;
++#endif
++
++ if(Curl_inet_pton(AF_INET, domain, &addr)
++#ifdef ENABLE_IPV6
++ || Curl_inet_pton(AF_INET6, domain, &addr6)
++#endif
++ ) {
++ /* domain name given as IP address */
++ return TRUE;
++ }
++
++ return FALSE;
++}
++
+ /****************************************************************************
+ *
+ * Curl_cookie_add()
+@@ -439,24 +462,27 @@ Curl_cookie_add(struct SessionHandle *data,
+ }
+ }
+ else if(Curl_raw_equal("domain", name)) {
++ bool is_ip;
++
+ /* Now, we make sure that our host is within the given domain,
+ or the given domain is not valid and thus cannot be set. */
+
+ if('.' == whatptr[0])
+ whatptr++; /* ignore preceding dot */
+
+- if(!domain || tailmatch(whatptr, domain)) {
+- const char *tailptr=whatptr;
+- if(tailptr[0] == '.')
+- tailptr++;
+- strstore(&co->domain, tailptr); /* don't prefix w/dots
+- internally */
++ is_ip = isip(domain ? domain : whatptr);
++
++ if(!domain
++ || (is_ip && !strcmp(whatptr, domain))
++ || (!is_ip && tailmatch(whatptr, domain))) {
++ strstore(&co->domain, whatptr);
+ if(!co->domain) {
+ badcookie = TRUE;
+ break;
+ }
+- co->tailmatch=TRUE; /* we always do that if the domain name was
+- given */
++ if(!is_ip)
++ co->tailmatch=TRUE; /* we always do that if the domain name was
++ given */
+ }
+ else {
+ /* we did not get a tailmatch and then the attempted set domain
+@@ -968,6 +994,7 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+ time_t now = time(NULL);
+ struct Cookie *mainco=NULL;
+ size_t matches = 0;
++ bool is_ip;
+
+ if(!c || !c->cookies)
+ return NULL; /* no cookie struct or no cookies in the struct */
+@@ -975,6 +1002,9 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+ /* at first, remove expired cookies */
+ remove_expired(c);
+
++ /* check if host is an IP(v4|v6) address */
++ is_ip = isip(host);
++
+ co = c->cookies;
+
+ while(co) {
+@@ -986,8 +1016,8 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+
+ /* now check if the domain is correct */
+ if(!co->domain ||
+- (co->tailmatch && tailmatch(co->domain, host)) ||
+- (!co->tailmatch && Curl_raw_equal(host, co->domain)) ) {
++ (co->tailmatch && !is_ip && tailmatch(co->domain, host)) ||
++ ((!co->tailmatch || is_ip) && Curl_raw_equal(host, co->domain)) ) {
+ /* the right part of the host matches the domain stuff in the
+ cookie data */
+
+diff --git a/tests/data/test1105 b/tests/data/test1105
+index 25f194c..9564775 100644
+--- a/tests/data/test1105
++++ b/tests/data/test1105
+@@ -59,8 +59,7 @@ userid=myname&password=mypassword
+ # This file was generated by libcurl! Edit at your own risk.
+
+ 127.0.0.1 FALSE /we/want/ FALSE 0 foobar name
+-.127.0.0.1 TRUE "/silly/" FALSE 0 mismatch this
+-.0.0.1 TRUE / FALSE 0 partmatch present
++127.0.0.1 FALSE "/silly/" FALSE 0 mismatch this
+ </file>
+ </verify>
+ </testcase>
+diff --git a/tests/data/test31 b/tests/data/test31
+index 38af83b..dfcac04 100644
+--- a/tests/data/test31
++++ b/tests/data/test31
+@@ -51,7 +51,8 @@ Set-Cookie: novalue; domain=reallysilly
+ Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030
+ Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030
+ Set-Cookie: magic=yessir; path=/silly/; HttpOnly
+-Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad;
++Set-Cookie: blexp=yesyes; domain=127.0.0.1; domain=127.0.0.1; expiry=totally bad;
++Set-Cookie: partialip=nono; domain=.0.0.1;
+
+ boo
+ </data>
+@@ -95,34 +96,34 @@ Accept: */*
+ # http://curl.haxx.se/docs/http-cookies.html
+ # This file was generated by libcurl! Edit at your own risk.
+
+-.127.0.0.1 TRUE /silly/ FALSE 0 ismatch this
+-.127.0.0.1 TRUE /overwrite FALSE 0 overwrite this2
+-.127.0.0.1 TRUE /secure1/ TRUE 0 sec1value secure1
+-.127.0.0.1 TRUE /secure2/ TRUE 0 sec2value secure2
+-.127.0.0.1 TRUE /secure3/ TRUE 0 sec3value secure3
+-.127.0.0.1 TRUE /secure4/ TRUE 0 sec4value secure4
+-.127.0.0.1 TRUE /secure5/ TRUE 0 sec5value secure5
+-.127.0.0.1 TRUE /secure6/ TRUE 0 sec6value secure6
+-.127.0.0.1 TRUE /secure7/ TRUE 0 sec7value secure7
+-.127.0.0.1 TRUE /secure8/ TRUE 0 sec8value secure8
+-.127.0.0.1 TRUE /secure9/ TRUE 0 secure very1
+-#HttpOnly_.127.0.0.1 TRUE /p1/ FALSE 0 httpo1 value1
+-#HttpOnly_.127.0.0.1 TRUE /p2/ FALSE 0 httpo2 value2
+-#HttpOnly_.127.0.0.1 TRUE /p3/ FALSE 0 httpo3 value3
+-#HttpOnly_.127.0.0.1 TRUE /p4/ FALSE 0 httpo4 value4
+-#HttpOnly_.127.0.0.1 TRUE /p4/ FALSE 0 httponly myvalue1
+-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec myvalue2
+-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec2 myvalue3
+-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec3 myvalue4
+-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec4 myvalue5
+-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec5 myvalue6
+-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec6 myvalue7
+-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec7 myvalue8
+-#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec8 myvalue9
+-.127.0.0.1 TRUE / FALSE 0 partmatch present
++127.0.0.1 FALSE /silly/ FALSE 0 ismatch this
++127.0.0.1 FALSE /overwrite FALSE 0 overwrite this2
++127.0.0.1 FALSE /secure1/ TRUE 0 sec1value secure1
++127.0.0.1 FALSE /secure2/ TRUE 0 sec2value secure2
++127.0.0.1 FALSE /secure3/ TRUE 0 sec3value secure3
++127.0.0.1 FALSE /secure4/ TRUE 0 sec4value secure4
++127.0.0.1 FALSE /secure5/ TRUE 0 sec5value secure5
++127.0.0.1 FALSE /secure6/ TRUE 0 sec6value secure6
++127.0.0.1 FALSE /secure7/ TRUE 0 sec7value secure7
++127.0.0.1 FALSE /secure8/ TRUE 0 sec8value secure8
++127.0.0.1 FALSE /secure9/ TRUE 0 secure very1
++#HttpOnly_127.0.0.1 FALSE /p1/ FALSE 0 httpo1 value1
++#HttpOnly_127.0.0.1 FALSE /p2/ FALSE 0 httpo2 value2
++#HttpOnly_127.0.0.1 FALSE /p3/ FALSE 0 httpo3 value3
++#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httpo4 value4
++#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httponly myvalue1
++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec myvalue2
++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec2 myvalue3
++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec3 myvalue4
++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec4 myvalue5
++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec5 myvalue6
++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec6 myvalue7
++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec7 myvalue8
++#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec8 myvalue9
++127.0.0.1 FALSE / FALSE 0 partmatch present
+ 127.0.0.1 FALSE /we/want/ FALSE 2054030187 nodomain value
+ #HttpOnly_127.0.0.1 FALSE /silly/ FALSE 0 magic yessir
+-.0.0.1 TRUE /we/want/ FALSE 0 blexp yesyes
++127.0.0.1 FALSE /we/want/ FALSE 0 blexp yesyes
+ </file>
+ </verify>
+ </testcase>
+diff --git a/tests/data/test8 b/tests/data/test8
+index 4d54541..030fd55 100644
+--- a/tests/data/test8
++++ b/tests/data/test8
+@@ -42,7 +42,8 @@ Set-Cookie: duplicate=test; domain=.0.0.1; domain=.0.0.1; path=/donkey;
+ Set-Cookie: cookie=yes; path=/we;
+ Set-Cookie: cookie=perhaps; path=/we/want;
+ Set-Cookie: nocookie=yes; path=/WE;
+-Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad;
++Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
++Set-Cookie: partialip=nono; domain=.0.0.1;
+
+ </file>
+ <precheck>
+--
+2.1.0
+
diff --git a/curl.spec b/curl.spec
index 962474c..eda9205 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.37.0
-Release: 6%{?dist}
+Release: 7%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -11,7 +11,10 @@ Source2: curlbuild.h
Patch1: 0001-curl-7.37.0-7c215585.patch
# fix endless loop with GSSAPI proxy auth (patches by David Woodhouse, #1118751)
-Patch2: 0002-curl-7.37.0-gssapi.patch
+Patch2: 0002-curl-7.37.0-gssapi.patch
+
+# use only full matches for hosts used as IP address in cookies (CVE-2014-3613)
+Patch3: 0003-curl-7.37.0-CVE-2014-3613.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@@ -127,6 +130,7 @@ documentation of the library, too.
# upstream patches
%patch1 -p1
%patch2 -p1
+%patch3 -p1
# Fedora patches
%patch101 -p1
@@ -250,6 +254,9 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
+* Wed Sep 10 2014 Kamil Dudka <kdudka at redhat.com> 7.37.0-7
+- use only full matches for hosts used as IP address in cookies (CVE-2014-3613)
+
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 7.37.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
More information about the scm-commits
mailing list