
curl security update for Wheezy LTS



Hi,

I have prepared an update for curl in Wheezy.

Please see the diff to previous version attached.

Changes:
 curl (7.26.0-1+wheezy15) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2016-7141: Incorrect reuse of client certificates

The binary packages for amd64 are also available for testing here:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

The build-time tests did not show any regression and the fix is very
simple, thus I believe it can be used without reproducing the actual
issue. I'm not aware of any available exploit.

Cheers,
Balint


diff -Nru curl-7.26.0/debian/changelog curl-7.26.0/debian/changelog
--- curl-7.26.0/debian/changelog	2016-08-04 13:40:13.000000000 +0200
+++ curl-7.26.0/debian/changelog	2016-09-07 20:31:51.000000000 +0200
@@ -1,3 +1,10 @@
+curl (7.26.0-1+wheezy15) wheezy-security; urgency=medium
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2016-7141: Incorrect reuse of client certificates
+
+ -- Balint Reczey <balint@balintreczey.hu>  Wed, 07 Sep 2016 20:28:07 +0200
+
 curl (7.26.0-1+wheezy14) wheezy-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
diff -Nru curl-7.26.0/debian/patches/CVE-2016-7141.patch curl-7.26.0/debian/patches/CVE-2016-7141.patch
--- curl-7.26.0/debian/patches/CVE-2016-7141.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.26.0/debian/patches/CVE-2016-7141.patch	2016-09-07 20:27:28.000000000 +0200
@@ -0,0 +1,37 @@
+From 7700fcba64bf5806de28f6c1c7da3b4f0b38567d Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 22 Aug 2016 10:24:35 +0200
+Subject: [PATCH] nss: refuse previously loaded certificate from file
+
+... when we are not asked to use a certificate from file
+
+Origin: upstream
+Reviewed-by: Balint Reczey <balint@balintreczey.hu>
+
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -779,10 +779,10 @@
+   struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg;
+   struct SessionHandle *data = connssl->data;
+   const char *nickname = connssl->client_nickname;
++  static const char pem_slotname[] = "PEM Token #1";
+ 
+   if(connssl->obj_clicert) {
+     /* use the cert/key provided by PEM reader */
+-    static const char pem_slotname[] = "PEM Token #1";
+     SECItem cert_der = { 0, NULL, 0 };
+     void *proto_win = SSL_RevealPinArg(sock);
+ 
+@@ -839,6 +839,12 @@
+   if(NULL == nickname)
+     nickname = "[unknown]";
+ 
++  if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) {
++    failf(data, "NSS: refusing previously loaded certificate from file: %s",
++          nickname);
++    return SECFailure;
++  }
++
+   if(NULL == *pRetKey) {
+     failf(data, "NSS: private key not found for certificate: %s", nickname);
+     return SECFailure;
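Review bot: the patch header in this hunk carries Origin and Reviewed-by but no reference to the CVE it addresses or to the upstream advisory; only the file name says CVE-2016-7141, so a line such as `Bug: CVE-2016-7141` (DEP-3 style, reference to be filled from the advisory) in the header would make the patch self-describing. On the logic: the new `strncmp` check is placed after `nickname = "[unknown]"`, so a NULL nickname cannot reach it, and `sizeof(pem_slotname) - 1U` excludes the terminating NUL, making this a prefix match that refuses any nickname starting with "PEM Token #1", which is the intent when no file certificate was requested. Since the first hunk hoists `pem_slotname` from the `if(connssl->obj_clicert)` block to function scope, it is worth confirming in the build log that no new unused-variable or shadowing warning appears for that function.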
diff -Nru curl-7.26.0/debian/patches/series curl-7.26.0/debian/patches/series
--- curl-7.26.0/debian/patches/series	2016-08-04 13:40:13.000000000 +0200
+++ curl-7.26.0/debian/patches/series	2016-09-07 20:22:24.000000000 +0200
@@ -22,6 +22,7 @@
 22_CVE-2015-3148-2.patch
 CVE-2016-5419.patch
 CVE-2016-5420.patch
+CVE-2016-7141.patch
 # Add new patches before the ones below this line
 
 90_gnutls.patch
