Bug#861446: unblock: curl/7.52.1-5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi
Please unblock package curl
The upload fixes a security issue, which regressed (is identical to
CVE-2016-5419 fixed earlier, but reintroduced in 7.52.0) and know as
CVE-2017-7468.
https://curl.haxx.se/docs/adv_20170419.html
The changelog reads as:
>curl (7.52.1-5) unstable; urgency=high
>
> * Fix TLS session resumption client cert bypass as per CVE-2017-7468
> https://curl.haxx.se/docs/adv_20170419.html
>
> -- Alessandro Ghedini <ghedo@debian.org> Wed, 19 Apr 2017 11:19:50 +0100
and attching the full debdiff.
unblock curl/7.52.1-5
Regards,
Salvatore
diff -Nru curl-7.52.1/debian/changelog curl-7.52.1/debian/changelog
--- curl-7.52.1/debian/changelog 2017-04-08 22:55:27.000000000 +0200
+++ curl-7.52.1/debian/changelog 2017-04-19 12:19:50.000000000 +0200
@@ -1,3 +1,10 @@
+curl (7.52.1-5) unstable; urgency=high
+
+ * Fix TLS session resumption client cert bypass as per CVE-2017-7468
+ https://curl.haxx.se/docs/adv_20170419.html
+
+ -- Alessandro Ghedini <ghedo@debian.org> Wed, 19 Apr 2017 11:19:50 +0100
+
curl (7.52.1-4) unstable; urgency=medium
* Fix regression in CONNECT response handling (Closes: #857613)
diff -Nru curl-7.52.1/debian/patches/16_CVE-2017-7468.patch curl-7.52.1/debian/patches/16_CVE-2017-7468.patch
--- curl-7.52.1/debian/patches/16_CVE-2017-7468.patch 1970-01-01 01:00:00.000000000 +0100
+++ curl-7.52.1/debian/patches/16_CVE-2017-7468.patch 2017-04-19 12:19:50.000000000 +0200
@@ -0,0 +1,264 @@
+From 8166b637bce299f4ac64d371c20cd5afea72c364 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Wed, 22 Mar 2017 01:59:49 -0400
+Subject: [PATCH] TLS: Fix switching off SSL session id when client cert is
+ used
+
+- Move the sessionid flag to ssl_primary_config so that ssl and
+ proxy_ssl will each have their own sessionid flag.
+
+Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
+this issue had been fixed in 247d890, CVE-2016-5419.
+
+Bug: https://github.com/curl/curl/issues/1341
+Reported-by: lijian996@users.noreply.github.com
+---
+ lib/url.c | 5 +++--
+ lib/urldata.h | 2 +-
+ lib/vtls/axtls.c | 4 ++--
+ lib/vtls/cyassl.c | 4 ++--
+ lib/vtls/darwinssl.c | 2 +-
+ lib/vtls/gtls.c | 4 ++--
+ lib/vtls/mbedtls.c | 4 ++--
+ lib/vtls/nss.c | 2 +-
+ lib/vtls/openssl.c | 4 ++--
+ lib/vtls/polarssl.c | 4 ++--
+ lib/vtls/schannel.c | 4 ++--
+ lib/vtls/vtls.c | 9 ++++++---
+ 12 files changed, 26 insertions(+), 22 deletions(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -548,7 +548,7 @@
+ #endif
+ set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
+ type */
+- set->general_ssl.sessionid = TRUE; /* session ID caching enabled by
++ set->ssl.primary.sessionid = TRUE; /* session ID caching enabled by
+ default */
+ set->proxy_ssl = set->ssl;
+
+@@ -2470,8 +2470,9 @@
+ break;
+
+ case CURLOPT_SSL_SESSIONID_CACHE:
+- data->set.general_ssl.sessionid = (0 != va_arg(param, long)) ?
++ data->set.ssl.primary.sessionid = (0 != va_arg(param, long)) ?
+ TRUE : FALSE;
++ data->set.proxy_ssl.primary.sessionid = data->set.ssl.primary.sessionid;
+ break;
+
+ #ifdef USE_LIBSSH2
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -354,6 +354,7 @@
+ char *random_file; /* path to file containing "random" data */
+ char *egdsocket; /* path to file containing the EGD daemon socket */
+ char *cipher_list; /* list of ciphers to use */
++ bool sessionid; /* cache session IDs or not */
+ };
+
+ struct ssl_config_data {
+@@ -383,7 +384,6 @@
+ };
+
+ struct ssl_general_config {
+- bool sessionid; /* cache session IDs or not */
+ size_t max_ssl_sessions; /* SSL session id cache size */
+ };
+
+--- a/lib/vtls/axtls.c
++++ b/lib/vtls/axtls.c
+@@ -256,7 +256,7 @@
+ * 2) setting up callbacks. these seem gnutls specific
+ */
+
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ const uint8_t *ssl_sessionid;
+ size_t ssl_idsize;
+
+@@ -386,7 +386,7 @@
+ conn->send[sockindex] = axtls_send;
+
+ /* Put our freshly minted SSL session in cache */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ const uint8_t *ssl_sessionid = ssl_get_session_id_size(ssl);
+ size_t ssl_idsize = ssl_get_session_id(ssl);
+ Curl_ssl_sessionid_lock(conn);
+--- a/lib/vtls/cyassl.c
++++ b/lib/vtls/cyassl.c
+@@ -383,7 +383,7 @@
+ #endif /* HAVE_ALPN */
+
+ /* Check if there's a cached ID we can/should use here! */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ void *ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+@@ -597,7 +597,7 @@
+
+ DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ bool incache;
+ SSL_SESSION *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/darwinssl.c
++++ b/lib/vtls/darwinssl.c
+@@ -1541,7 +1541,7 @@
+ #endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
+
+ /* Check if there's a cached ID we can/should use here! */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ char *ssl_sessionid;
+ size_t ssl_sessionid_len;
+
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -782,7 +782,7 @@
+
+ /* This might be a reconnect, so we check for a session ID in the cache
+ to speed up things */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ void *ssl_sessionid;
+ size_t ssl_idsize;
+
+@@ -1311,7 +1311,7 @@
+ conn->recv[sockindex] = gtls_recv;
+ conn->send[sockindex] = gtls_send;
+
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ /* we always unconditionally get the session id here, as even if we
+ already got it from the cache and asked to use it in the connection, it
+ might've been rejected and then a new one is in use now and we need to
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -374,7 +374,7 @@
+ mbedtls_ssl_list_ciphersuites());
+
+ /* Check if there's a cached ID we can/should use here! */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ void *old_session = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+@@ -618,7 +618,7 @@
+
+ DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ int ret;
+ mbedtls_ssl_session *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1696,7 +1696,7 @@
+ goto error;
+
+ /* do not use SSL cache if disabled or we are not going to verify peer */
+- ssl_no_cache = (data->set.general_ssl.sessionid
++ ssl_no_cache = (SSL_SET_OPTION(primary.sessionid)
+ && SSL_CONN_CONFIG(verifypeer)) ? PR_FALSE : PR_TRUE;
+ if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
+ goto error;
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2161,7 +2161,7 @@
+ #endif
+
+ /* Check if there's a cached ID we can/should use here! */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ void *ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+@@ -2915,7 +2915,7 @@
+
+ DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ bool incache;
+ SSL_SESSION *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/polarssl.c
++++ b/lib/vtls/polarssl.c
+@@ -327,7 +327,7 @@
+ ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
+
+ /* Check if there's a cached ID we can/should use here! */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ void *old_session = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+@@ -555,7 +555,7 @@
+
+ DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ int ret;
+ ssl_session *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -145,7 +145,7 @@
+ connssl->cred = NULL;
+
+ /* check for an existing re-usable credential handle */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ Curl_ssl_sessionid_lock(conn);
+ if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
+ connssl->cred = old_cred;
+@@ -714,7 +714,7 @@
+ #endif
+
+ /* save the current session data for possible re-use */
+- if(data->set.general_ssl.sessionid) {
++ if(SSL_SET_OPTION(primary.sessionid)) {
+ bool incache;
+ struct curl_schannel_cred *old_cred = NULL;
+
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -120,6 +120,9 @@
+ CLONE_STRING(egdsocket);
+ CLONE_STRING(random_file);
+ CLONE_STRING(clientcert);
++
++ /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */
++ dest->sessionid = (dest->clientcert ? false : source->sessionid);
+ return TRUE;
+ }
+
+@@ -293,9 +296,9 @@
+ int port = isProxy ? (int)conn->port : conn->remote_port;
+ *ssl_sessionid = NULL;
+
+- DEBUGASSERT(data->set.general_ssl.sessionid);
++ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+- if(!data->set.general_ssl.sessionid)
++ if(!SSL_SET_OPTION(primary.sessionid))
+ /* session ID re-use is disabled */
+ return TRUE;
+
+@@ -397,7 +400,7 @@
+ &conn->proxy_ssl_config :
+ &conn->ssl_config;
+
+- DEBUGASSERT(data->set.general_ssl.sessionid);
++ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+ clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name);
+ if(!clone_host)
diff -Nru curl-7.52.1/debian/patches/series curl-7.52.1/debian/patches/series
--- curl-7.52.1/debian/patches/series 2017-04-08 22:55:27.000000000 +0200
+++ curl-7.52.1/debian/patches/series 2017-04-19 12:19:50.000000000 +0200
@@ -10,6 +10,7 @@
13_CVE-2017-2629.patch
14_fix-connect-regression.patch
15_CVE-2017-7407.patch
+16_CVE-2017-7468.patch
# do not add patches below
90_gnutls.patch
Reply to: