[curl/f21] Resolves: CVE-2014-3620 - reject incoming cookies set for top level domains

Kamil Dudka kdudka at fedoraproject.org
Wed Sep 10 14:51:01 UTC 2014


commit 1f1f2968804934bb2abf11e02f714ce5d18194a9
Author: Kamil Dudka <kdudka at redhat.com>
Date:   Wed Sep 10 16:46:36 2014 +0200

    Resolves: CVE-2014-3620 - reject incoming cookies set for top level domains

 0004-curl-7.37.0-CVE-2014-3620.patch |   57 ++++++++++++++++++++++++++++++++++
 curl.spec                            |    5 +++
 2 files changed, 62 insertions(+), 0 deletions(-)
---
diff --git a/0004-curl-7.37.0-CVE-2014-3620.patch b/0004-curl-7.37.0-CVE-2014-3620.patch
new file mode 100644
index 0000000..472cb0a
--- /dev/null
+++ b/0004-curl-7.37.0-CVE-2014-3620.patch
@@ -0,0 +1,57 @@
+From 9448ce9fd474d68bea96ac54c86255ebaebe7dfc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Tue, 19 Aug 2014 21:11:20 +0200
+Subject: [PATCH 2/2] cookies: reject incoming cookies set for TLDs
+
+Test 61 was modified to verify this.
+
+CVE-2014-3620
+
+Reported-by: Tim Ruehsen
+URL: http://curl.haxx.se/docs/adv_20140910B.html
+Upstream-commit: a76825a5efa6b41d3a1d4f275dada2f017f6f566
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/cookie.c      | 6 ++++++
+ tests/data/test61 | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 46904ac..375485f 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -463,6 +463,7 @@ Curl_cookie_add(struct SessionHandle *data,
+         }
+         else if(Curl_raw_equal("domain", name)) {
+           bool is_ip;
++          const char *dotp;
+ 
+           /* Now, we make sure that our host is within the given domain,
+              or the given domain is not valid and thus cannot be set. */
+@@ -472,6 +473,11 @@ Curl_cookie_add(struct SessionHandle *data,
+ 
+           is_ip = isip(domain ? domain : whatptr);
+ 
++          /* check for more dots */
++          dotp = strchr(whatptr, '.');
++          if(!dotp)
++            domain=":";
++
+           if(!domain
+              || (is_ip && !strcmp(whatptr, domain))
+              || (!is_ip && tailmatch(whatptr, domain))) {
+diff --git a/tests/data/test61 b/tests/data/test61
+index d2de279..e6dbbb9 100644
+--- a/tests/data/test61
++++ b/tests/data/test61
+@@ -23,6 +23,7 @@ Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure
+ Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure
+ Set-Cookie: test5=name; domain=anything.com; path=/ ; secure
+ Set-Cookie: fake=fooledyou; domain=..com; path=/;
++Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M
+ Content-Length: 4
+ 
+ boo
+-- 
+2.1.0
+
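Review bot: The domain=":" assignment that follows the strchr(whatptr, '.') check in Curl_cookie_add uses an undocumented sentinel. The only comment is "check for more dots", which does not say that the value is there to make the host match in the condition just below fail. I suggest a comment stating that intent, or a dedicated reject flag instead of overloading domain, which also changes the outcome for callers that passed a NULL domain and previously took the !domain branch. The check only tests for the presence of a dot, so a public suffix that itself contains a dot is not rejected by these lines. The comment should state that limit so the check is not read as full TLD handling. In tests/data/test61 the added supercookie line ends in ^M while the neighbouring Set-Cookie lines shown in the context do not. Please confirm the carriage return is intentional in the test data.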
diff --git a/curl.spec b/curl.spec
index eda9205..e949f7a 100644
--- a/curl.spec
+++ b/curl.spec
@@ -16,6 +16,9 @@ Patch2: 0002-curl-7.37.0-gssapi.patch
 # use only full matches for hosts used as IP address in cookies (CVE-2014-3613)
 Patch3: 0003-curl-7.37.0-CVE-2014-3613.patch
 
+# reject incoming cookies set for top level domains (CVE-2014-3620)
+Patch4: 0004-curl-7.37.0-CVE-2014-3620.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -131,6 +134,7 @@ documentation of the library, too.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -256,6 +260,7 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Wed Sep 10 2014 Kamil Dudka <kdudka at redhat.com> 7.37.0-7
 - use only full matches for hosts used as IP address in cookies (CVE-2014-3613)
+- reject incoming cookies set for top level domains (CVE-2014-3620)
 
 * Sat Aug 16 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 7.37.0-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
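Review bot: The new changelog line is appended to the existing 7.37.0-7 stanza, and no hunk in this diff touches the Release tag. This is correct only if 7.37.0-7 has not been built yet. If a build with that release already exists, this fix needs its own release bump and a separate changelog stanza so that the package carrying the CVE-2014-3620 patch can be told apart from the one with only the CVE-2014-3613 patch.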

