[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1019052: bullseye-pu: package curl/7.74.0-1.3+deb11u3

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: carnil@debian.org,curl@packages.debian.org

Hi SRM,

[ Reason ]

curl is affected by another CVE which does not warrant a DSA,
CVE-2022-35252.

[ Impact ]

Will have the CVE open until it will be included in a future update.
Severity is low that said.

[ Tests ]

Have run the testsuite without the fix, confirming the 0008 test will
fail and is succeding after the fix.

[ Risks ]

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Code rejects now cookies with "control bytes".

[ Other info ]

None

Regards,
Salvatore

diff -Nru curl-7.74.0/debian/changelog curl-7.74.0/debian/changelog
--- curl-7.74.0/debian/changelog	2022-07-23 17:47:52.000000000 +0200
+++ curl-7.74.0/debian/changelog	2022-09-03 12:26:12.000000000 +0200
@@ -1,3 +1,11 @@
+curl (7.74.0-1.3+deb11u3) bullseye; urgency=medium
+
+  * cookie: reject cookies with "control bytes" (CVE-2022-35252)
+    (Closes: #1018831)
+  * test8: verify that "ctrl-byte cookies" are ignored
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 03 Sep 2022 12:26:12 +0200
+
 curl (7.74.0-1.3+deb11u2) bullseye-security; urgency=high
 
   * Non-maintainer upload.
diff -Nru curl-7.74.0/debian/patches/cookie-reject-cookies-with-control-bytes.patch curl-7.74.0/debian/patches/cookie-reject-cookies-with-control-bytes.patch
--- curl-7.74.0/debian/patches/cookie-reject-cookies-with-control-bytes.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.74.0/debian/patches/cookie-reject-cookies-with-control-bytes.patch	2022-09-03 12:26:12.000000000 +0200
@@ -0,0 +1,65 @@
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: cookie: reject cookies with "control bytes"
+Origin: https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb0ed786592c65c3
+Bug-Debian: https://bugs.debian.org/1018831
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-35252
+
+Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+Reported-by: Axel Chong
+
+Bug: https://curl.se/docs/CVE-2022-35252.html
+
+CVE-2022-35252
+
+Closes #9381
+---
+ lib/cookie.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -375,6 +375,30 @@ static void strstore(char **str, const c
+ }
+ 
+ /*
++  RFC 6265 section 4.1.1 says a server should accept this range:
++
++  cookie-octet    = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
++
++  But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
++  fine. The prime reason for filtering out control bytes is that some HTTP
++  servers return 400 for requests that contain such.
++*/
++static int invalid_octets(const char *p)
++{
++  /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
++  static const char badoctets[] = {
++    "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
++    "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
++    "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
++  };
++  size_t vlen, len;
++  /* scan for all the octets that are *not* in cookie-octet */
++  len = strcspn(p, badoctets);
++  vlen = strlen(p);
++  return (len != vlen);
++}
++
++/*
+  * remove_expired() removes expired cookies.
+  */
+ static void remove_expired(struct CookieInfo *cookies)
+@@ -562,6 +586,11 @@ Curl_cookie_add(struct Curl_easy *data,
+             badcookie = TRUE;
+             break;
+           }
++          if(invalid_octets(whatptr) || invalid_octets(name)) {
++            infof(data, "invalid octets in name/value, cookie dropped");
++            badcookie = TRUE;
++            break;
++          }
+         }
+         else if(!len) {
+           /* this was a "<name>=" with no content, and we must allow
diff -Nru curl-7.74.0/debian/patches/series curl-7.74.0/debian/patches/series
--- curl-7.74.0/debian/patches/series	2022-07-23 17:47:52.000000000 +0200
+++ curl-7.74.0/debian/patches/series	2022-09-03 12:26:12.000000000 +0200
@@ -24,6 +24,8 @@
 CVE-2022-32207.patch
 CVE-2022-32208.patch
 CVE-2022-27774.patch
+cookie-reject-cookies-with-control-bytes.patch
+test8-verify-that-ctrl-byte-cookies-are-ignored.patch
 
 # Always add CVE patches before these two patches
 90_gnutls.patch
diff -Nru curl-7.74.0/debian/patches/test8-verify-that-ctrl-byte-cookies-are-ignored.patch curl-7.74.0/debian/patches/test8-verify-that-ctrl-byte-cookies-are-ignored.patch
--- curl-7.74.0/debian/patches/test8-verify-that-ctrl-byte-cookies-are-ignored.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.74.0/debian/patches/test8-verify-that-ctrl-byte-cookies-are-ignored.patch	2022-09-03 12:26:12.000000000 +0200
@@ -0,0 +1,62 @@
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: test8: verify that "ctrl-byte cookies" are ignored
+Origin: https://github.com/curl/curl/commit/2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
+
+---
+ tests/data/test8 | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/tests/data/test8 b/tests/data/test8
+index a8548e6c2ea5..858761159aa0 100644
+--- a/tests/data/test8
++++ b/tests/data/test8
+@@ -46,6 +46,36 @@ Set-Cookie: trailingspace    = removed; path=/we/want;
+ Set-Cookie: nocookie=yes; path=/WE;
+ Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
+ Set-Cookie: partialip=nono; domain=.0.0.1;
++Set-Cookie: cookie1=%hex[%01-junk]hex%
++Set-Cookie: cookie2=%hex[%02-junk]hex%
++Set-Cookie: cookie3=%hex[%03-junk]hex%
++Set-Cookie: cookie4=%hex[%04-junk]hex%
++Set-Cookie: cookie5=%hex[%05-junk]hex%
++Set-Cookie: cookie6=%hex[%06-junk]hex%
++Set-Cookie: cookie7=%hex[%07-junk]hex%
++Set-Cookie: cookie8=%hex[%08-junk]hex%
++Set-Cookie: cookie9=%hex[junk-%09-]hex%
++Set-Cookie: cookie11=%hex[%0b-junk]hex%
++Set-Cookie: cookie12=%hex[%0c-junk]hex%
++Set-Cookie: cookie14=%hex[%0e-junk]hex%
++Set-Cookie: cookie15=%hex[%0f-junk]hex%
++Set-Cookie: cookie16=%hex[%10-junk]hex%
++Set-Cookie: cookie17=%hex[%11-junk]hex%
++Set-Cookie: cookie18=%hex[%12-junk]hex%
++Set-Cookie: cookie19=%hex[%13-junk]hex%
++Set-Cookie: cookie20=%hex[%14-junk]hex%
++Set-Cookie: cookie21=%hex[%15-junk]hex%
++Set-Cookie: cookie22=%hex[%16-junk]hex%
++Set-Cookie: cookie23=%hex[%17-junk]hex%
++Set-Cookie: cookie24=%hex[%18-junk]hex%
++Set-Cookie: cookie25=%hex[%19-junk]hex%
++Set-Cookie: cookie26=%hex[%1a-junk]hex%
++Set-Cookie: cookie27=%hex[%1b-junk]hex%
++Set-Cookie: cookie28=%hex[%1c-junk]hex%
++Set-Cookie: cookie29=%hex[%1d-junk]hex%
++Set-Cookie: cookie30=%hex[%1e-junk]hex%
++Set-Cookie: cookie31=%hex[%1f-junk]hex%
++Set-Cookie: cookie31=%hex[%7f-junk]hex%
+ 
+ </file>
+ <precheck>
+@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1
+ Host: %HOSTIP:%HTTPPORT
+ User-Agent: curl/%VERSION
+ Accept: */*
+-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
++Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk-	-
+ 
+ </protocol>
+ </verify>
+-- 
+2.30.2
+
Reply to: