curl security update for Wheezy LTS
Hi,
I have prepared an update for curl in Wheezy.
Please see the diff to previous version attached.
Changes:
curl (7.26.0-1+wheezy15) wheezy-security; urgency=medium
.
* Non-maintainer upload by the LTS team.
* Fix CVE-2016-7141: Incorrect reuse of client certificates
The binary packages for amd64 are also available for testing here:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/
The build-time tests did not show any regression, and the fix is very
simple, thus I believe it can be used without reproducing the actual
issue. I'm not aware of any available exploit.
Cheers,
Balint
diff -Nru curl-7.26.0/debian/changelog curl-7.26.0/debian/changelog
--- curl-7.26.0/debian/changelog 2016-08-04 13:40:13.000000000 +0200
+++ curl-7.26.0/debian/changelog 2016-09-07 20:31:51.000000000 +0200
@@ -1,3 +1,10 @@
+curl (7.26.0-1+wheezy15) wheezy-security; urgency=medium
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2016-7141: Incorrect reuse of client certificates
+
+ -- Balint Reczey <balint@balintreczey.hu> Wed, 07 Sep 2016 20:28:07 +0200
+
curl (7.26.0-1+wheezy14) wheezy-security; urgency=high
* Non-maintainer upload by the LTS team.
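Review bot: the changelog entry names the CVE but gives no pointer to the upstream fix; since the patch header below records the upstream commit 7700fcba64bf5806de28f6c1c7da3b4f0b38567d ("nss: refuse previously loaded certificate from file"), consider adding a second line under the CVE bullet naming that commit so the DLA text can be cross-checked against the applied patch. Also note the urgency drops from high in wheezy14 to medium here; confirm that is intended.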
diff -Nru curl-7.26.0/debian/patches/CVE-2016-7141.patch curl-7.26.0/debian/patches/CVE-2016-7141.patch
--- curl-7.26.0/debian/patches/CVE-2016-7141.patch 1970-01-01 01:00:00.000000000 +0100
+++ curl-7.26.0/debian/patches/CVE-2016-7141.patch 2016-09-07 20:27:28.000000000 +0200
@@ -0,0 +1,37 @@
+From 7700fcba64bf5806de28f6c1c7da3b4f0b38567d Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 22 Aug 2016 10:24:35 +0200
+Subject: [PATCH] nss: refuse previously loaded certificate from file
+
+... when we are not asked to use a certificate from file
+
+Origin: upstream
+Reviewed-by: Balint Reczey <balint@balintreczey.hu>
+
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -779,10 +779,10 @@
+ struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg;
+ struct SessionHandle *data = connssl->data;
+ const char *nickname = connssl->client_nickname;
++ static const char pem_slotname[] = "PEM Token #1";
+
+ if(connssl->obj_clicert) {
+ /* use the cert/key provided by PEM reader */
+- static const char pem_slotname[] = "PEM Token #1";
+ SECItem cert_der = { 0, NULL, 0 };
+ void *proto_win = SSL_RevealPinArg(sock);
+
+@@ -839,6 +839,12 @@
+ if(NULL == nickname)
+ nickname = "[unknown]";
+
++ if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) {
++ failf(data, "NSS: refusing previously loaded certificate from file: %s",
++ nickname);
++ return SECFailure;
++ }
++
+ if(NULL == *pRetKey) {
+ failf(data, "NSS: private key not found for certificate: %s", nickname);
+ return SECFailure;
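Review bot: the new block in the second inner hunk (after the `nickname = "[unknown]"` fallback) has no comment explaining its intent, which matters for a backport: `strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)` is a 12-byte prefix match on "PEM Token #1", so it rejects any nickname beginning with that slot name, and it only runs in the default NSS lookup path because a certificate explicitly requested from file is handled earlier in the `if(connssl->obj_clicert)` block (which is also why the first inner hunk hoists `pem_slotname` to function scope). A one-line comment such as `/* a cert loaded from file must only be used when explicitly requested */` above the check would make that reasoning auditable. On the DEP-3 header, `Origin: upstream` would be more useful with the commit reference already present in the From line, e.g. `Origin: upstream, 7700fcba64bf5806de28f6c1c7da3b4f0b38567d`, plus a line naming CVE-2016-7141 so the patch file is self-describing.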
diff -Nru curl-7.26.0/debian/patches/series curl-7.26.0/debian/patches/series
--- curl-7.26.0/debian/patches/series 2016-08-04 13:40:13.000000000 +0200
+++ curl-7.26.0/debian/patches/series 2016-09-07 20:22:24.000000000 +0200
@@ -22,6 +22,7 @@
22_CVE-2015-3148-2.patch
CVE-2016-5419.patch
CVE-2016-5420.patch
+CVE-2016-7141.patch
# Add new patches before the ones below this line
90_gnutls.patch