[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#861446: marked as done (unblock: curl/7.52.1-5)

Your message dated Sat, 29 Apr 2017 13:49:46 +0000
with message-id <E1d4Sks-0003ko-PD@respighi.debian.org>
and subject line unblock curl
has caused the Debian Bug report #861446,
regarding unblock: curl/7.52.1-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
861446: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861446
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package curl

The upload fixes a security issue, which regressed (is identical to
CVE-2016-5419 fixed earlier, but reintroduced in 7.52.0) and know as
CVE-2017-7468.

https://curl.haxx.se/docs/adv_20170419.html

The changelog reads as:

>curl (7.52.1-5) unstable; urgency=high
>
>  * Fix TLS session resumption client cert bypass as per CVE-2017-7468
>    https://curl.haxx.se/docs/adv_20170419.html
>
> -- Alessandro Ghedini <ghedo@debian.org>  Wed, 19 Apr 2017 11:19:50 +0100

and attching the full debdiff.

unblock curl/7.52.1-5

Regards,
Salvatore

diff -Nru curl-7.52.1/debian/changelog curl-7.52.1/debian/changelog
--- curl-7.52.1/debian/changelog	2017-04-08 22:55:27.000000000 +0200
+++ curl-7.52.1/debian/changelog	2017-04-19 12:19:50.000000000 +0200
@@ -1,3 +1,10 @@
+curl (7.52.1-5) unstable; urgency=high
+
+  * Fix TLS session resumption client cert bypass as per CVE-2017-7468
+    https://curl.haxx.se/docs/adv_20170419.html
+
+ -- Alessandro Ghedini <ghedo@debian.org>  Wed, 19 Apr 2017 11:19:50 +0100
+
 curl (7.52.1-4) unstable; urgency=medium
 
   * Fix regression in CONNECT response handling (Closes: #857613)
diff -Nru curl-7.52.1/debian/patches/16_CVE-2017-7468.patch curl-7.52.1/debian/patches/16_CVE-2017-7468.patch
--- curl-7.52.1/debian/patches/16_CVE-2017-7468.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.52.1/debian/patches/16_CVE-2017-7468.patch	2017-04-19 12:19:50.000000000 +0200
@@ -0,0 +1,264 @@
+From 8166b637bce299f4ac64d371c20cd5afea72c364 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Wed, 22 Mar 2017 01:59:49 -0400
+Subject: [PATCH] TLS: Fix switching off SSL session id when client cert is
+ used
+
+- Move the sessionid flag to ssl_primary_config so that ssl and
+  proxy_ssl will each have their own sessionid flag.
+
+Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
+this issue had been fixed in 247d890, CVE-2016-5419.
+
+Bug: https://github.com/curl/curl/issues/1341
+Reported-by: lijian996@users.noreply.github.com
+---
+ lib/url.c            | 5 +++--
+ lib/urldata.h        | 2 +-
+ lib/vtls/axtls.c     | 4 ++--
+ lib/vtls/cyassl.c    | 4 ++--
+ lib/vtls/darwinssl.c | 2 +-
+ lib/vtls/gtls.c      | 4 ++--
+ lib/vtls/mbedtls.c   | 4 ++--
+ lib/vtls/nss.c       | 2 +-
+ lib/vtls/openssl.c   | 4 ++--
+ lib/vtls/polarssl.c  | 4 ++--
+ lib/vtls/schannel.c  | 4 ++--
+ lib/vtls/vtls.c      | 9 ++++++---
+ 12 files changed, 26 insertions(+), 22 deletions(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -548,7 +548,7 @@
+ #endif
+   set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
+                                                       type */
+-  set->general_ssl.sessionid = TRUE; /* session ID caching enabled by
++  set->ssl.primary.sessionid = TRUE; /* session ID caching enabled by
+                                         default */
+   set->proxy_ssl = set->ssl;
+ 
+@@ -2470,8 +2470,9 @@
+     break;
+ 
+   case CURLOPT_SSL_SESSIONID_CACHE:
+-    data->set.general_ssl.sessionid = (0 != va_arg(param, long)) ?
++    data->set.ssl.primary.sessionid = (0 != va_arg(param, long)) ?
+                                       TRUE : FALSE;
++    data->set.proxy_ssl.primary.sessionid = data->set.ssl.primary.sessionid;
+     break;
+ 
+ #ifdef USE_LIBSSH2
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -354,6 +354,7 @@
+   char *random_file;     /* path to file containing "random" data */
+   char *egdsocket;       /* path to file containing the EGD daemon socket */
+   char *cipher_list;     /* list of ciphers to use */
++  bool sessionid;        /* cache session IDs or not */
+ };
+ 
+ struct ssl_config_data {
+@@ -383,7 +384,6 @@
+ };
+ 
+ struct ssl_general_config {
+-  bool sessionid; /* cache session IDs or not */
+   size_t max_ssl_sessions; /* SSL session id cache size */
+ };
+ 
+--- a/lib/vtls/axtls.c
++++ b/lib/vtls/axtls.c
+@@ -256,7 +256,7 @@
+    * 2) setting up callbacks.  these seem gnutls specific
+    */
+ 
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     const uint8_t *ssl_sessionid;
+     size_t ssl_idsize;
+ 
+@@ -386,7 +386,7 @@
+   conn->send[sockindex] = axtls_send;
+ 
+   /* Put our freshly minted SSL session in cache */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     const uint8_t *ssl_sessionid = ssl_get_session_id_size(ssl);
+     size_t ssl_idsize = ssl_get_session_id(ssl);
+     Curl_ssl_sessionid_lock(conn);
+--- a/lib/vtls/cyassl.c
++++ b/lib/vtls/cyassl.c
+@@ -383,7 +383,7 @@
+ #endif /* HAVE_ALPN */
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+@@ -597,7 +597,7 @@
+ 
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+ 
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/darwinssl.c
++++ b/lib/vtls/darwinssl.c
+@@ -1541,7 +1541,7 @@
+ #endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     char *ssl_sessionid;
+     size_t ssl_sessionid_len;
+ 
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -782,7 +782,7 @@
+ 
+   /* This might be a reconnect, so we check for a session ID in the cache
+      to speed up things */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *ssl_sessionid;
+     size_t ssl_idsize;
+ 
+@@ -1311,7 +1311,7 @@
+   conn->recv[sockindex] = gtls_recv;
+   conn->send[sockindex] = gtls_send;
+ 
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     /* we always unconditionally get the session id here, as even if we
+        already got it from the cache and asked to use it in the connection, it
+        might've been rejected and then a new one is in use now and we need to
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -374,7 +374,7 @@
+                                 mbedtls_ssl_list_ciphersuites());
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *old_session = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+@@ -618,7 +618,7 @@
+ 
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+ 
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     int ret;
+     mbedtls_ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1696,7 +1696,7 @@
+     goto error;
+ 
+   /* do not use SSL cache if disabled or we are not going to verify peer */
+-  ssl_no_cache = (data->set.general_ssl.sessionid
++  ssl_no_cache = (SSL_SET_OPTION(primary.sessionid)
+                   && SSL_CONN_CONFIG(verifypeer)) ? PR_FALSE : PR_TRUE;
+   if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
+     goto error;
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2161,7 +2161,7 @@
+ #endif
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+@@ -2915,7 +2915,7 @@
+ 
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+ 
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/polarssl.c
++++ b/lib/vtls/polarssl.c
+@@ -327,7 +327,7 @@
+   ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *old_session = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+@@ -555,7 +555,7 @@
+ 
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+ 
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     int ret;
+     ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -145,7 +145,7 @@
+   connssl->cred = NULL;
+ 
+   /* check for an existing re-usable credential handle */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     Curl_ssl_sessionid_lock(conn);
+     if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
+       connssl->cred = old_cred;
+@@ -714,7 +714,7 @@
+ #endif
+ 
+   /* save the current session data for possible re-use */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     struct curl_schannel_cred *old_cred = NULL;
+ 
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -120,6 +120,9 @@
+   CLONE_STRING(egdsocket);
+   CLONE_STRING(random_file);
+   CLONE_STRING(clientcert);
++
++  /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */
++  dest->sessionid = (dest->clientcert ? false : source->sessionid);
+   return TRUE;
+ }
+ 
+@@ -293,9 +296,9 @@
+   int port = isProxy ? (int)conn->port : conn->remote_port;
+   *ssl_sessionid = NULL;
+ 
+-  DEBUGASSERT(data->set.general_ssl.sessionid);
++  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+-  if(!data->set.general_ssl.sessionid)
++  if(!SSL_SET_OPTION(primary.sessionid))
+     /* session ID re-use is disabled */
+     return TRUE;
+ 
+@@ -397,7 +400,7 @@
+                                            &conn->proxy_ssl_config :
+                                            &conn->ssl_config;
+ 
+-  DEBUGASSERT(data->set.general_ssl.sessionid);
++  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name);
+   if(!clone_host)
diff -Nru curl-7.52.1/debian/patches/series curl-7.52.1/debian/patches/series
--- curl-7.52.1/debian/patches/series	2017-04-08 22:55:27.000000000 +0200
+++ curl-7.52.1/debian/patches/series	2017-04-19 12:19:50.000000000 +0200
@@ -10,6 +10,7 @@
 13_CVE-2017-2629.patch
 14_fix-connect-regression.patch
 15_CVE-2017-7407.patch
+16_CVE-2017-7468.patch
 
 # do not add patches below
 90_gnutls.patch

--- End Message ---
--- Begin Message --- 
Unblocked curl.

--- End Message ---
Reply to: