[v2] curl: Fix CVE-2023-38545
Commit Message
https://curl.se/docs/CVE-2023-38545.html
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
lfs/curl | 1 +
...15d8aee6c1045be932a34fe6107c2f5ed147.patch | 38 +++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 src/patches/curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch
Comments
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
On 11/10/2023 09:48, Michael Tremer wrote:
> https://curl.se/docs/CVE-2023-38545.html
>
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
> lfs/curl | 1 +
> ...15d8aee6c1045be932a34fe6107c2f5ed147.patch | 38 +++++++++++++++++++
> 2 files changed, 39 insertions(+)
> create mode 100644 src/patches/curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch
>
> diff --git a/lfs/curl b/lfs/curl
> index fb98b21af..a4fa21b1c 100644
> --- a/lfs/curl
> +++ b/lfs/curl
> @@ -70,6 +70,7 @@ $(subst %,%_BLAKE2,$(objects)) :
> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> @$(PREBUILD)
> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xf $(DIR_DL)/$(DL_FILE)
> + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch
> cd $(DIR_APP) && ./configure \
> --prefix=/usr \
> --disable-ipv6 \
> diff --git a/src/patches/curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch b/src/patches/curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch
> new file mode 100644
> index 000000000..0de35055f
> --- /dev/null
> +++ b/src/patches/curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch
> @@ -0,0 +1,38 @@
> +From fb4415d8aee6c1045be932a34fe6107c2f5ed147 Mon Sep 17 00:00:00 2001
> +From: Jay Satiro <raysatiro@yahoo.com>
> +Date: Wed, 11 Oct 2023 07:34:19 +0200
> +Subject: [PATCH] socks: return error if hostname too long for remote resolve
> +
> +Prior to this change the state machine attempted to change the remote
> +resolve to a local resolve if the hostname was longer than 255
> +characters. Unfortunately that did not work as intended and caused a
> +security issue.
> +
> +Bug: https://curl.se/docs/CVE-2023-38545.html
> +
> +diff --git a/lib/socks.c b/lib/socks.c
> +index c492d663c4738..a7b5ab07e47d0 100644
> +--- a/lib/socks.c
> ++++ b/lib/socks.c
> +@@ -587,9 +587,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
> +
> + /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
> + if(!socks5_resolve_local && hostname_len > 255) {
> +- infof(data, "SOCKS5: server resolving disabled for hostnames of "
> +- "length > 255 [actual len=%zu]", hostname_len);
> +- socks5_resolve_local = TRUE;
> ++ failf(data, "SOCKS5: the destination hostname is too long to be "
> ++ "resolved remotely by the proxy.");
> ++ return CURLPX_LONG_HOSTNAME;
> + }
> +
> + if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
> +@@ -903,7 +903,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
> + }
> + else {
> + socksreq[len++] = 3;
> +- socksreq[len++] = (char) hostname_len; /* one byte address length */
> ++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
> + memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
> + len += hostname_len;
> + }
@@ -70,6 +70,7 @@ $(subst %,%_BLAKE2,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch
cd $(DIR_APP) && ./configure \
--prefix=/usr \
--disable-ipv6 \
new file mode 100644
@@ -0,0 +1,38 @@
+From fb4415d8aee6c1045be932a34fe6107c2f5ed147 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Wed, 11 Oct 2023 07:34:19 +0200
+Subject: [PATCH] socks: return error if hostname too long for remote resolve
+
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+
+Bug: https://curl.se/docs/CVE-2023-38545.html
+
+diff --git a/lib/socks.c b/lib/socks.c
+index c492d663c4738..a7b5ab07e47d0 100644
+--- a/lib/socks.c
++++ b/lib/socks.c
+@@ -587,9 +587,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
+
+ /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
+ if(!socks5_resolve_local && hostname_len > 255) {
+- infof(data, "SOCKS5: server resolving disabled for hostnames of "
+- "length > 255 [actual len=%zu]", hostname_len);
+- socks5_resolve_local = TRUE;
++ failf(data, "SOCKS5: the destination hostname is too long to be "
++ "resolved remotely by the proxy.");
++ return CURLPX_LONG_HOSTNAME;
+ }
+
+ if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -903,7 +903,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
+ }
+ else {
+ socksreq[len++] = 3;
+- socksreq[len++] = (char) hostname_len; /* one byte address length */
++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+ memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
+ len += hostname_len;
+ }